Professional Documents
Culture Documents
A Secure and Efficient Conditional Anonymous Scheme For Permissionless Blockchains
A Secure and Efficient Conditional Anonymous Scheme For Permissionless Blockchains
A Secure and Efficient Conditional Anonymous Scheme For Permissionless Blockchains
*
Corresponding Author: Jun Shen; E-mail: demon_sj@126.com
DOI: 10.53106/160792642021112206002
1216 Journal of Internet Technology Volume 22 (2021) No.6
It can be proved that co-CDH problem is hard under ‧ One - time KeyGen(( A, B), r) → (P, R): A probabilistic
bilinear map groups. polynomial-time algorithm which, on input the long-
2.2 Bilinear Ring Signatures term public key and a random number
R
r ←⎯ ⎯[1, l − 1] , outputs an one-time address public
Definition 3 (Bilinear Ring Signatures). A bilinear
key P and a public imformation R.
ring signature scheme is consisted of four algorithms
‧ KeyRecovery( P, R, (a, b)) → ( x) : A probabilistic
[25], Σ = (Setup, KeyGen, RingSign, RingVerity), which
polynomial-time algorithm which, on input an one-
are defined as follows.
time public key, public imformation R, and the
‧ Setup(1λ ) → ( param) : A probabilistic polynomial - corresponding long-term private key, outputs the
time algorithm which, on input the security one-time private key x.
parameter λ ∈ » , outputs a set of security Definition 5 (Linkable ring signatures). A linkable
parameters param = (G1 , G 2 , GT , g1 , g 2 , e, ψ ). ring signature [26-27] is consisted of five algorithms,
‧ KeyGen(n, param) → ({xi , Pi }) : A probabilistic Σ = (Setup, KeyGen, RingSign, RingVerity, Link), which
polynomial-time algorithm which, on input a size of are defined as follows.
the ring group n and the set of security parameters ‧ Setup(1λ ) → ( param) : A probabilistic polynomial -
param, outputs n pairs of public/secret-key pair time algorithm which, on input the security
( Pi , xi ) for all i ∈ [1, n] . parameter λ ∈ » , outputs a set of security
‧ RingSign( sks , m, U pk ) → (σ ) : A probabilistic poly- parameters param.
‧ KeyGen(n, param) → ({ski , pki }) : A probabilistic
nomial-time algorithm which, on input the signer’s
secret key xs for s ∈ [1, n] , a message m and a set of polynomial-time algorithm which, on input a size of
the ring group n and the set of security parameters
users’ public keys U pk = {P1 , ..., Pn } , outputs a ring param, outputs n pairs of public/secret-key pair
signature σ = σ 1 , ..., σ n ∈ G 2 , in which σ s ← ( pki , ski ) where i[1, n] .
‧ RingSign( sk s , m, U pk ) → ( I , σ ) : A probabilistic
∏P
( h /ψ (
i≠s
i
ai
))1/ xx , σ i ← g 2σ i ∈ G 2 for all i ≠ s,
polynomial-time algorithm which, on input the
h ← H1 (m) ∈ G 2 and ai ← R » p . signer’s secret key sk s , a message m and a set of
users’ public keys U pk = { pk1 , pk2 , ... . pkn ), in
‧ RingVerify = (σ , m, U pk ) → (1/ 0) : A probabilistic
which pks ∈U pk , outputs a ring signature σ and a
polynomial-time algorithm which, on input a ring
signature σ , a message and a set of users’ public tag I.
keys U pk , outputs 1/0 by checking the equation ‧ RingVerify = (σ , I , m, U pk ) → (1/ 0) : A probabilistic
n polynomial-time algorithm which, on input a ring
e( g1 , h) = ∏ e( Pi , σ i ). signature σ , a tag I, a message m and a set of users’
i =1 public keys U pk , outputs 1/0.
2.3 CryptoNote Technology ‧ Link = ((σ1, I1 ), (σ 2 , I2 )) → (Link / ⊥): A probabilistic
CryptoNote [7] is a scheme applied in Monero to polynomial-time algorithm which, on input two ring
hide the actual addresses of payers and payees using signatures and corresponding tags, output Link / ⊥ .
one-time address technology and linkable ring
signature. The former protects the privacy of the 3 The System Model and Definitions
payee’s identity, while the latter hides the payer’s
identity. The formal definition is given as follows: In this section, we describe the system model, threat
Definition 4 (One-time address technology). An one- model and security model of our scheme.
time address scheme is consisted of three algorithms,
Σ = (Setup, Long - term KeyGen, One - time KeyGen, 3.1 The System Model
Key Recovery), which are defined as follows. As shown in Figure 1, in order to achieve
λ
‧ Setup(1 ) → ( param) : A probabilistic polynomial - traceability of anonymous users in the permissionless
time algorithm which, on input the security blockchain, our model introduces an additional
parameter λ ∈ » , outputs a set of security supervision blockchain. Specifically, such a model
involves five entities: the payer of a transaction
parameters param.
(Payer), the miner in the blockchain system (Miner),
‧ Long - term KeyGen( param) → (a, b)( A, B) : A pro-
the supervision authority (SA), the anonymous
babilistic polynomial-time algorithm which, on input permissionless blockchain (AP-blockchain) and the
security parameters param, outputs long-term supervision blockchain (S-blockchain).
address public/private key ((a, b)( A, B )) .
A Secure and Efficient Conditional Anonymous Scheme for Permissionless Blockchains 1219
AP-blockchain S-blockchian
Package
Trancastions
Supervision
Ring Signature Payer/Signer Trace Authority
money more than once; (3) spend a sum of money in ( P0 , P1 ) , the system first generates a challenge number
excess of the actual amount. A secure and efficient b ∈{0, 1} which is a random hidden bit. Next, the
conditional anonymous scheme for permissionless
oracle Spend( ski1 ) for i = {0, 1, b} generates the three
blockchains satisfies validity if for any PPT adversary
A, signatures σ 0 , σ 1 , σ b with respect to x0 , x1 , xb on
(U , m) where U = {P0 , P1} . Finally, D outputs b′ .
⎡ ( param) ← Initialize(1λ ); ⎤
⎢ ⎥ Definition 9 (Traceability). Traceability means that
⎢ ( P, x) ← KeyGen( param);⎥ SA can always find the actual payer or signer in a
⎢ Verify ( Padder , K , Aux) ⎥ transaction successfully. A secure and efficient
⎢ ⎥ conditional anonymous scheme for permissionless
⎢(Tx, σ , : ← AddrGen( param); ⎥
blockchains is traceability if for any PPT adversay A ,
Pr ⎢ = 1.
U, I,V ) (m, U ) ← A ( Padder , U ); ⎥
⎢ ⎥
⎢ =1 ⎡ ( param) ← Initialize(1λ ); ⎤
(Tx, σ , V , U ) ← Spend ⎥ ⎢ ⎥
⎢ ⎥ (Tx′, σ , V , U ) ← Spend
⎢ ( param, m, ( xx , Ps ), U ,) ⎥ ⎢ ⎥
⎢ ⎥ Pr Ps = Ps : ( param, m( xs , Ps ), U , R, Paddr );⎥ = 1.
⎢ ′
⎣ R, Paddr ⎦ ⎢ ⎥
⎢ Verify(Tx, σ , U , I , V ) = 1; ⎥
Definition 7 (Unforgeability). Unforgeability means ⎢ Ps′ ← Trace(Tx, σ , I , r ) ⎥
that an adversary is not able to forge the signature and ⎣ ⎦
label of a transaction, without knowing the private key
corresponding to a public key in the ring group. A
secure and efficient conditional anonymous scheme for
4 The Proposed Secure and Efficient
permissionless blockchains is unforgeability if for any Conditional Anonymous Scheme
PPT adversary A
We first overview the proposed secure and efficient
⎡ ( param) ← Initialize(1λ );⎤ conditional anonymous scheme for permissionless
⎢ ⎥
⎢ (Tx′, V ′, U , σ ′) ← ⎥ ≤ negl(λ ).
blockchains, and then we present it in more details.
Pr A Wins :
⎢ A KeyGen , AddrGen , Spend ⎥ 4.1 The High-level Description
⎢ ⎥
⎢⎣ ( param) ⎥⎦ We present a secure and efficient conditional
anonymous scheme for permissionless blockchains in
A outputs a new tuple (Tx′, σ ′, V ′, U ) with the help which users’ identities are conditional anonymity.
of oracles KeyGen, AddrGen, Spend, and A wins the Under normal circumstances, the identity of user is not
game if this output satisfies the following conditions: discovered, just as in the classic anonymous
‧ Verify(Tx′, σ ′, V ′, U ) = accept. blockchain such as Monero, but the identity also can be
‧ PAdv ∉U or PAdv ∈U but she doesn’t own the revealed when there is a problem with the transaction.
Specifically, we achieve this through double-chain
corresponding private key.
structure, one-time address technology and bilinear
Definition 8 (Anonymity). A secure and efficient
ring signature. Considering a scenario where Payer
conditional anonymous scheme for permissionless
wants to transfer money form one of her accounts to a
blockchains is anonymity if for any PPT adversay A ,
payee anonymously. As shown in Figure 2, first, Payer
it holds that
generates a one-time address for payee and a Aux of
this address based on payee’s long-term address to
⎡ ( param) ← Initialize(1λ ); ⎤
⎢ ⎥ esure that the payee can recover the correspongding
⎢ ( P0 , x0 ), ( P1 , x1 ) ← ⎥ private key at a later time. Subsequently, Payer
⎢ KeyGen( param); ⎥ generates a transaction using bilinear ring signature
⎢ ⎥ 1 and publishes it to trading pool. Miner packages
Pr ⎢b = b′ : (σ x0 , σ x1 ) ← Spend ⎥ − ≤ negl(λ ). transactions from the trading pool, then verifies the
⎢ ⎥ 2
⎢ (m, ( P0 , x0 ), ( P1 , x1 )); ⎥ legality of transactions with SA. If the transaction is
⎢ b ← {0,1} ⎥ correctly composed by a honest Payer, then the
⎢ ⎥ transaction will eventually be packaged into AP-
⎣⎢ b′ ← Dσ b , σ 0 , σ1 ( P0 , P1 ) ⎥⎦ blockchain by Miner, and the corresponding identity
information will be packaged into S-blockchain by SA.
In which D is an adversary modeled as a PPT Finally, SA may trace users’ identities once finding that
algorithm. P0 , P1 are the two chosen public keys, where there are problems with some transactions.
( P0 , x0 ), ( P1 , x1 ) are generated by KeyGen(param).
Before D starts the game with the two public keys
A Secure and Efficient Conditional Anonymous Scheme for Permissionless Blockchains 1221
AP-Blockchain S-Blockchain
5.Package
Transaction anonymous
transactions
Number V q Transactions 5.Package Transaction
Inputs: identities
One-time addr Aux information Block number
One-time addr Aux
Miner Transaction number
ⅡⅡ
Outputs:
One-time addr Aux
One-time addr Aux 2.Transaction
ⅡⅡ generation
Transactions (spend)
1.choose
Ⅱ
6.Trace
Figure 1. The secure and efficient conditional anonymous scheme for permissionless blockchains
- Pick secure hash functions H1 :{0, 1}* → G 2 , calculates h ← H1{m} ∈ G 2 and sets the bilinear
H 2 : G1 × G1 → » p . ring signature as:
1
- Return parameters param = (G1 , G 2 , p, e, ψ , g1 , ⎧
⎪⎛ h ⎞ xx
g 2 , H1 , H 2 ). i = s,
⎪⎜ ⎟
‧ KeyGen( param) → (r , R), ( ski , pki ) : On input σ i = ⎨⎜ ψ
⎜
⎪⎝
∏i≠s
Piωi ⎟⎟
⎠
param, the blockchain system generates key pairs as ⎪
follows: ⎩ g 2ωi i ≠ s.
- SA selects private key r ∈R » p , calculates public
- Payer chooses a random number q ∈R [1, n] ,
key R = g1r . produces V:
- User selects ai ∈R » p , bi ∈R » p and generates
⎧⎛ ⎞
long-term key pair ( ski , pki ) = (ai , bi )( g1ai , g1bi ) ⎪ψ
⎪⎜
V = ⎨⎝ i ≠ s
∏
Piωi ⎟ q = s,
⎠
-Output key pairs of SA and users ((r , R), ( ski , pki )) . ⎪ ωq
‧ AddrGen( param, pkt ) → ( Pt , K , Aux) : On input ⎪⎩ ψ ( Pq ) q ≠ s.
1222 Journal of Internet Technology Volume 22 (2021) No.6
- Payer calculates I = EncR (Sig xs ( R, V ), Px ), where that the probability of forging V and passing the
Sig represents a digital signature. verification are negligible.
Given a forger A against the unforgeability of V in
- Output the signature σ = (U , I , V , q(σ1 , …, σ n ))
the proposed scheme. We then construct a simulator B
‧ Verify(Tx, σ ) → (1/ 0) : On input a transaction Tx that challenges the co-CDH problem by interacting
and signature σ , Miner executes as follows: with A , on input instance ( g1 , g1a , h) . The co-CDH
- Miner calculates h → H1 (m), and verifies
adversary B sumulates the game for A as follows.
following two equations: ‧ Setup. The challenger builds a system to challenge
co-CDH problem on input a security parameter λ ,
e( g1 , V ) = ∏ e( P , σ ),
i≠q
i i in which there is a polynomial time adversary B to
attack the co-CDH problem. Simultaneously, there is
e( g1 , h) = e( g1 , V ) ⋅ e( Pq , σ q ). a random oracle Os queried by polynomial times,
If these two equations are satisfied, Miner sends which is used to generate the bilinear ring signature.
transactions to SA. ‧ Query. In order to use the ability of adversary A to
- SA decrypts Aux and I, gets messages overcome hard problem, adversary B trains A , that
a is, as the challenger of A , adversary B provides
( Awx1 , Awx2 ) = ( Bi , R H 2 ( K , Bi )
) and ( I1 , I 2 ) = A with the knowledge required for attack. First,
( Sig xx ( R, h), Ps ). adversary B picks two public-private key pairs
- SA verifies ( P1 , x1 )( P2 , x2 ) and message m to oracle . Then
r adversary B sends σ = (σ 1 , σ 2 ) to A which is
⎛ Paddr ⎞
⎜ Aux ⎟ = Awx2 , ( R, h) = VerI 2 ( I1 ). generated by . Finally, adversary A returns the
⎝ 1⎠ forged V to B .
Ver denotes the verification algorithm of the ‧ Forgery. In order to attack the co-CDH problem, the
digital signature. challenger generates a challenge co-CDH tuple
- SA signs transactions and returns them to Miner. ( g1 , g1a , h) for adversary B , in which g1 ∈ G1 ,
- SA packages ( Ps , I , V ) on S-blockchain, and g 2 ∈ G 2 . The adversary B chooses two public -
Miner packages Tx on AP-blockchain. private key pairs ( P1 , x1 )( P2 , x2 ) = ( g1a , a )( g1a , b),
‧ Line & Trace(σ ) → (( As , Bs ) / ⊥) : On input the and sends it to oracle . Then the oracle returns
signature σ of a transaction, SA executes as follows: the bilinear ring signature σ = (σ 1 , σ 2 ). The
- SA uses its own private key to get the one-time adversary picks one of the signatures, replaces it
address Ps included in σ . by h and send the new signature σ = (σ 1 , h) to
- SA outputs Link if Ps has appeared before by adversary A. The adversary B sends V to the
finding out from S-blockchain then proceeds to challenger which is generated by . Suppose that
the next step, or ⊥ otherwise. the non-negligible advantage of adversary A to
- SA outputs Payer’s long-term address ( As , Bs ) by forge V successfully is Pr [A Wins ] . The advantage
decrypting Aux of Ps . for the challenger to successfully challenge co-CDH
This completes the description of the secure and problem is as follows.
efficient conditional anonymous scheme for
co −CDH 1
permissionless blockchains. Through the specific steps Advchallenger (λ ) = Pr[A Wins ]
described above, transactions generated by honest 8
Payers will eventually be packaged into AP-blockchain, The 1/8 in the above formula is owing to the fact
and the corresponding identity information will be that the challenge can only successfully attack co-CDH
packaged on S-blockchain. problem when the following situations occur. First,
only when the oracle chooses a as the ring signature
4.3 Security Analysis
private key, the adversary B can construct an attack
In this subsection, we describe the details of the algorithm based on the returned result. There is 1/2
security proofs of unforgeability, anonymity and probability is introduced. Secondly, the adversary B
traceability of the proposed scheme. replaces one of the signatures by h. Only when the
Theorem 1. Our scheme is unforgeable under the co- 1
CDH assumption. ⎛ H ( m) ⎞ a
adversary B picks the signature σ 1 = ⎜ bω2 ⎟
, the
Proof. The unforgeability proof of bilinear ring ψ g
⎝ 1 ⎠
signature has been given by Boneh et al. [25], which is
attack algorithm can proceed. At this time, the public
ommited here. For the simplification, we just prove
keys and signatures received by adversary A are
A Secure and Efficient Conditional Anonymous Scheme for Permissionless Blockchains 1223
(P1, σ1)(P2 , σ2 ) = (g1a , h)(g1b , g2ω2 ). There is 1/2 probability There is only a negligible gap in the winning
is introduced. Finally, only when adversary A chooses probability for the adversary between Game 0 and
Game 2. Assume that there is no polynomial-time
H ( m)
q = 2 and sets V = , the attack algorithm can adversary can challenge the anonymity of the bilinear
ha ring signature with a non-negligible probability, our
proceed. There is 1/2 probability is introduced. scheme satisfies the property of anonymity. □
H ( m) Theorem 3. Our scheme is traceable under the DL
The adversary B calculates h a = and sets it
V assumption.
as the answer of the co-CDH challenge tuple. Suppose Proof. Assume that the one-time address spent by
A challenges the unforgeability of the scheme Payer is Ps with Auxs , and the set of ring group is
successfully with a non-negligible advantage, U pk = {Pi : i ∈ [1, n]} . The specific steps of the proof are
adversary B successfully challenges co-CDH problem
as follows:
with 1/8 times of Pr [A Wins ] which is still non-
‧ Correct identity hidden: In a verified transaction,
negligible. However, the co-CDH problem is difficult
in order to pass the verification of SA, which needs
to solve under bilinear maps, so the supposition exists
to satisfy the equation ( R, h) = VerI 2 ( I1 ) , the I must
contradiction, and the scheme satisfies unforgeability.
□ be composed in the correct form I =
Theorem 2. Our scheme is anonymous if the bilinear EncR ( Sig xs ( R, V ), Ps ) = ( I1 , I 2 ) . The I 2 = Ps must
ring signature satisfies anonymity and the asymmetric meets Ps ∈U pk , simultaneously.
encryption scheme is IND-CPA.
Proof. We prove this theorem by feat of the game- ‧ Correct association of long-term address:
based framework. Pr [Wini ], i ∈ [0, 2] denotes the Similarly, in order to pass the verification of SA, the
probability of the adversary to win the game in Game 0 Auxmust be correctly formed as Aux =
a
to Game 2. EncR ( B, R H 2 ( K , B ) ) . In order to recognize and spend
Game 0. This challenge game is defined in Definition the one-time address for the payee, Payer must
8 and the challenge transaction is denoted as correctly generate it. Due to the DL assumption, the
(Tx, σ , U , I , V ), where U = ( P1 , P2 ) with their own probability that a malicious Payer constructs the Aux
Aux = ( Aux1 , Aux2 ) , I is the signcryption of the one- that can be verified without SA’s private key r is
time public key address of the signer and b ∈{0,1} is negligible.
Therefore, the theorem holds when Payer runs
serial number of the signer. The adversary A outputs a algorithms AddrGen, Spendand generates ( Aux, I )
guess b′ about the actual signer, and we can easily get
honestly. □
Pr [Win0 ] = Pr[b = b′] .
4.4 Efficiency Analysis
Game 1. Game 1 is same as Game 0 with one
In this subsection, we show the efficiency analysis
difference which is considering asymmetric encryption
of storeage, communication and computing compared
with IND-CPA security on probability. Since the
with [12].
identity of the real signer is hidden in I besides include
(1) Storage and communication efficiency analysis.
in the ring signature, we will consider I to help the
The overhead of communication and storage
opponent’s probability of winning in Game 1. The
advantage of Game 1 over Game 0 is only one more analysis is shown in Table 2, where G1 is the length of
public key encryption information, but the asymmetric the element in group G1 , similarly for
encryption meets IND-CPA security, so the added | Z p |, | G 2 |, | GT | , | p | is the order of cyclic groups, n
advantage is negligible. The following equation
and n′ are the number of input and output accounts in
represents the adversary’s probability of winning in
Game 1, where λ is the security parameter of this a transaction and c represents a constant order of
magnitude. The details of the results are as follows. In
system.
terms of communication overhead, 2(n + n′) | G1 | and
| Pr[Win1 ] − Pr[Win0 ] | ≤ negl(λ ) (n + 1)G 2 denote the size of input and output accounts
Game 2. Game 2 is same as Game 1 with one with corresponding Aux, respectively. In addition,
difference considering the impact of ring signature on other auxiliary information such as V and I need to
advantage. Game 2 represents the probability of the occupy 4 | Z p | . However, in the storage overhead,
adversary guessing the real signer in a bilinear ring since AP-blockchain only needs to store V and σ q ,
signature. This is the same as after removing the
probability of asymmetric encryption in Game 1. which is less n − 1 signatures than communication, the
storage overhead is only (2n + 2n′) | GT | +2 | G 2 | +
Pr[Win2 ] = Pr[Win1 ].
1224 Journal of Internet Technology Volume 22 (2021) No.6
6 Conclusion
References
Symposium on Security and Privacy, Berkeley, CA, USA, USA, 2004, pp. 168-177.
2013, pp. 397-411. [22] A. Wu, Y. Zhang, X. Zheng, R. Guo, Q. Zhao, D. Zheng,
[9] E. B. Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Efficient and Privacy-preserving Traceable Attribute-based
Tromer, M. Virza, Zerocash: Decentralized Anonymous Encryption in Blockchain, Annals of Telecommunications,
Payments from Bitcoin, 2014 IEEE Symposium on Security Vol. 74, No. 7-8, pp. 401-411, August, 2019.
and Privacy (SP), Berkeley, CA, USA, 2014, pp. 459-474. [23] H. Huang, X. Chen, J. Wang, Blockchain-based Multiple
[10] J. K. Liu, V. K. Wei, D. S. Wong, Linkable Spontaneous Groups Data Sharing with Anonymity and Traceability,
Anonymous Group Signature for Ad Hoc Groups, Science China Information Sciences, Vol. 63, No. 3, pp. 1-13,
Information Security and Privacy: 9th Australasian March, 2020.
Conference (ACISP), Sydney, Australia, 2004, pp. 325-335. [24] T. Ma, H. Xu, P. Li, SkyEye: A Traceable Scheme for
[11] B. Parno, J. Howell, C. Gentry, M. Raykova, Pinocchio: Blockchain, IACR Cryptology ePrint Archive, Vol. 2020,
Nearly Practical Verifiable Computation, 2013 IEEE Article No. 34, January, 2020.
Symposium on Security and Privacy (SP), Berkeley, CA, [25] D. Boneh, C. Gentry, B. Lynn, H. Shacham, Aggregate and
USA, 2013, pp. 238-252. Verifiably Encrypted Signatures from Bilinear Maps,
[12] Y. Li, G. Yang, W. Susilo, Y. Yu, M. H. Au, D. Liu, International Conference on the Theory and Applications of
Traceable Monero: Anonymous Cryptocurrency with Cryptographic Techniques, Warsaw, Poland, 2003, pp. 416-
Enhanced Accountability, IEEE Transactions on Dependable 432.
and Secure Computing, Vol. 18, No. 2, pp. 679-691, March- [26] E. Fujisaki, K. Suzuki, Traceable Ring Signature, 10th
April, 2021. International Conference on Practice and Theory in Public-
[13] N. Alsalami, B. Zhang, Uncontrolled Randomness in Key Cryptography, Beijing, China, 2007, pp. 181-200.
Blockchains: Covert Bulletin Board for Illicit Activity, 28th [27] J. K. Liu, M. H. Au, W. Susilo, J. Zhou, Linkable Ring
IEEE/ACM International Symposium on Quality of Service Signature with Unconditional Anonymity, IEEE Transactions
(IWQoS), Hangzhou, China, 2020, pp. 1-10. on Knowledge and Data Engineering, Vol. 26, No. 1, pp.
[14] F. Reid, M. Harrigan, An Analysis of Anonymity in the 157-165, January, 2014.
Bitcoin System, 2011 IEEE Third International Conference
on Privacy, Security, Risk and Trust (PASSAT) and 2011
Biographies
IEEE Third International Conference on Social Computing,
Boston, MA, USA, 2011, pp. 1318-1326.
Ruiyang Li received the B.S. degree
[15] D. Ron, A. Shamir, Quantitative Analysis of The Full Bitcoin
from Jinan University, Guangzhou,
Transaction Graph, International Conference on Financial
China, in 2017. He is currently a M.S.
Cryptography and Data Security (FC), Okinawa, Japan, 2013,
candidate of the School of Cyber
pp. 6-24. Engineering, Xidian University, Xian,
[16] S. Meiklejohn, M. Pomarole, G. Jordan, K. Levchenko, D. China. His research interests include
McCoy, G. M. Voelker, S. Savage, A Fistful of Bitcoins: blockchains and data security.
Characterizing Payments Among Men with No Names,
Communications of the ACM, Vol. 59, No. 4, pp. 86-93, April, Jun Shen received the B.S. and M.S.
2016. degrees from the Nanjing University
[17] A. Gaihre, Y. Luo, H. Liu, Do Bitcoin Users Really Care of Information Science and
About Anonymity? An Analysis of the Bitcoin Transaction Technology, Nanjing, China, in 2015
Graph, IEEE International Conference on Big Data, Big Data and 2018, respectively. She is
2018, Seattle, WA, USA, 2018, pp. 1198-1207. currently pursuing the Ph.D. degree
[18] A. Kumar, C. Fischer, S. Tople, P. Saxena, A Traceability with the School of Cyber Engineering,
Analysis of Monero’s Blockchain, European Symposium on Xidian University, Xian, China. Her research interests
Research in Computer Security, Oslo, Norway, 2017, pp. include cloud computing security and blockchains.
153-173.
[19] C. Garman, M. Green, I. Miers, Accountable Privacy for Shichong Tan received the B.S.
Decentralized Anonymous Payments, Financial degree in Telecommunications
Cryptography and Data Security - 20th International Engineering in 2002, the M.S. and
Conference, Christ Church, Barbados, 2016, pp. 81-98. Ph.D. degrees in Cryptography from
[20] L. Zhang, H. Li, Y. Li, Y. Yu, M. H. Au, B. Wang, An Xidian University, China, in 2005 and
Efficient Linkable Group Signature for Payer Tracing in 2009, respectively. Since 2005, he has
Anonymous Cryptocurrencies, Future Generation Computer been with Xidian University, where he
Systems, Vol. 101, pp. 29-38, December, 2019. is now an Associate Professor. His research interests
[21] D. Boneh, H. Shacham, Group Signatures with Verifier-local include cloud computing and blockchains.
Revocation, Proceedings of the 11th ACM conference on
Computer and communications security, Washington, DC,
A Secure and Efficient Conditional Anonymous Scheme for Permissionless Blockchains 1227