高效安全的可审计盲混币服务方案

doi:10.11959/j.issn.2096-109x.2020043

摘要/Abstract

摘要：

混币服务能够为区块链隐私泄露问题提供解决方案，但仍然面临效率瓶颈和安全风险，为进一步提升混币服务的效率和安全防护能力，提出一种高效安全的可审计盲混币服务方案。该方案首先增加了审计措施，在传统的混币模型基础上，增加审计区块链，以记录用户和混币器行为，实现可追溯和可问责；然后利用椭圆曲线算法构造盲签名，替代现有研究中基于双线性对或 RSA 的盲签名算法；最后基于可审计的混币模型和新构造的盲签名算法，提出可审计的盲混币服务协议。仿真分析表明，所提方案在提供隐私保护的同时，具有可审计性、抗盗窃攻击等6种安全特性；在同等安全强度下，较对比方案，所提方法能够有效降低计算开销和存储开销。

关键词: 区块链, 可审计, 混币服务, 隐私保护

Abstract:

The mixed-coin service can provide solutions for the privacy problem of blockchain,but it still faces efficiency bottlenecks and security risks.To further improve the efficiency and security protection of the mixed-coin service,an efficient and safe auditable mixed-coin service scheme based on blind signature was proposed.Firstly,this scheme added audit measures.It added an audit blockchain to the traditional mix-coin model to record the behavior of users and mixers,achieving traceability and accountability.Then,this method used elliptic curves algorithm to construct blind signatures instead of blind signature schemes based on bilinear pairs or RSA.Finally,this scheme proposed an auditable blind mix-coin service agreement based on the auditable mix-coin model and the blind signature algorithm based on elliptic curve.Simulation analysis shows that the proposed scheme has six security features,such as auditability and anti-theft attack,while providing privacy protection.Under the same security intensity,the proposed scheme can effectively reduce the computational overhead and storage overhead.

Key words: blockchain, auditable, mixed-coin, privacy protection

中图分类号:

TP399

乔康,汤红波,游伟,李海涛. 高效安全的可审计盲混币服务方案[J]. 网络与信息安全学报, 2020, 6(4): 23-36.

Kang QIAO,Hongbo TANG,Wei YOU,Haitao LI. Efficient and safe auditable mixed-coin service scheme based on blind signature[J]. Chinese Journal of Network and Information Security, 2020, 6(4): 23-36.

图/表 17

图1

图2

图3

表1

图4

图5

图6

图7

表2

图8

图9

表3

盲签名方案的算法运算过程　Table 3 Algorithm operation process of blind signature scheme"

方案	盲化	签名	解盲	验证
本文	A=αR+βQ+λG=(x,y) r=x(mod n) ,c=SHA256(m\|\|r) c'=α^-1(c-λ)	S'=d_A(k-c')(mod n)	S=(αS'+β)(mod n)	c=SHA256(m\|\|R_x(cG+SQ)mod n)
Heilman^[8]	$\bar{s n} = H (s n) g^{r}$	$\bar{σ} = {\bar{s n}}^{sk}$	$σ = \bar{σ} p k^{- r}$	e(pk,H (sn))=e(g,σ)
RSA-Mixing^[10]	$M = H (S n), S n' = M r^{{ev}_{i}} (\mod n)$	$δ (n) = {(S n^{'})}^{d_{c}} (\mod n)$	δ=(δ'(n))r^-1(mod n)	$M = δ^{e v_{i}} (\mod n), H' = H (S n)$

表3

表4

计算和存储开销的量化比较　Table 4 Quantitative comparison of calculation and storage overhead"

运算过程	本文		Heilman^[8]		RSA-Mixing^[10]
运算过程	计算开销	主要数据长度/bit	计算开销	主要数据长度/bit	计算开销	主要数据长度/bit
盲化	n (H+4P_m+P_c+3P_d)	消息摘要c'=256	n (H+2P_m+P_e)	消息摘要H(sn)=256	n (H+P_m+P_e)	消息摘要H(sn)=256
签名	n (P_d+P_m+P_c)	盲签名S'=256	n (P_e+P_m)	盲签名 $\bar{σ} = 256$	n (P_e+P_m+P_c)	盲签名δ'(n)=1024
解盲	n (P_m+P_d)	解盲后的签名S=256	n (2P_m+P_e)	解盲后的签名σ=256	n(P_m+P_c)	解盲后的签名δ(n)=1 024
验证	n (H+P_d +2P_m)	生成验证结果c=256	n (H+P_a)	生成验证结果e=256	n(H+P_e+P_m)	生成验证结果M'=256

表4

图10

表5

图11

表6

参考文献 27

[1]	DORIT R , SHAMIR A . Quantitative analysis of the full bitcoin transaction graph[C]// International Conference on Financial Cryptography and Data Security. 2013: 6-24.
[2]	REID F , HARRIGAN M . An analysis of anonymity in the bitcoin system[M]// Security and privacy in social networks. 2013: 197-223.
[3]	KOSHY P , KOSHY D , MCDANIEL P . An analysis of anonymity in bitcoin using P2P network traffic[C]// International Conference on Financial Cryptography and Data Security. 2014: 469-485.
[4]	MILLER A , LITTON J , PACHULSKI A ,et al. Discovering bitcoin’s public topology and influential nodes[R]. 2015.
[5]	MAXWELL G , . CoinJoin:bitcoin privacy for the real world[C]// Post on Bitcoin Forum. 2013.
[6]	BONNEAU J , NARAYANAN A , MILLER A ,et al. Mixcoin:anonymity for bitcoin with accountable mixes[C]// International Conference on Financial Cryptography and Data Security. 2014: 486-504.
[7]	VALENTA L , ROWAN B . Blindcoin:blinded,accountable mixes for bitcoin[C]// International Conference on Financial Cryptography and Data Security. 2015: 112-126.
[8]	HEILMAN E , BALDIMTSI F , GOLDBERG S . Blindly signed contracts:anonymous on-blockchain and off-blockchain bitcoin transactions[C]// International Conference on Financial Cryptography and Data Security. 2016: 43-60.
[9]	BAO Z , WANG B , ZHANG Y ,et al. Lockcoin:a secure and privacy-preserving mix service for bitcoin anonymity[J]. International Journal of Information Security, 2018,19(3): 311-321.
[10]	吴文栋 . 基于盲签名技术的比特币混币系统设计与实现[D]. 深圳:深圳大学, 2015.
	WU W D . Bitcoin mix system design based on partial blind signature[D]. Shenzhen:Shenzhen University, 2015.
[11]	FENG Q , HE D , ZEADALLY S ,et al. A survey on privacy protection in blockchain system[J]. Journal of Network and Computer Applications, 2019,126: 45-58.
[12]	BIRYUKOV A , KHOVRATOVICH D , PUSTOGAROV I . Deanonymisation of clients in Bitcoin P2P network[C]// Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 2014: 15-29.
[13]	SCHOTT P A . Reference guide to anti-money laundering and combating the financing of terrorism[M]. The World Bank, 2006.
[14]	DUBOVITSKAYA A , XU Z , RYU S ,et al. Secure and trustable electronic medical records sharing using blockchain[C]// AMIA Annual Symposium Proceedings.American Medical Informatics Association. 2017:650.
[15]	YAO Y , CHANG X , MI?? J ,et al. BLA:blockchain-assisted lightweight anonymous authentication for distributed vehicular fog services[J]. IEEE Internet of Things Journal, 2019: 3775-3784.
[16]	CHAUM D L . Untraceable electronic mail,return addresses,and digital pseudonyms[J]. Communications of the ACM, 1981,24(2): 84-90.
[17]	CHAUM D , . Blind signatures for untraceable payments[C]// Advances in Cryptology. 1983: 199-203.
[18]	ISLAM S K H , AMIN R , BISWAS G P ,et al. Provably secure pairing-free identity-based partially blind signature scheme and its application in online e-cash system[J]. Arabian Journal for Science and Engineering, 2016,41(8): 3163-3176.
[19]	SHENTU Q C , YU J P . A blind-mixing scheme for Bitcoin based on an elliptic curve cryptography blind digital signature algorithm[J]. Computer Science, 2015
[20]	CAMENISCH J L , PIVETEAU J M , STADLER M A . Blind signatures based on the discrete logarithm problem[C]// Workshop on the Theory and Application of of Cryptographic Techniques. 1994: 428-432.
[21]	DINGLEDINE R , MATHEWSON N , SYVERSON P . Tor:the second-generation onion router[J]. Journal of the Franklin Institute, 2004,239(2): 135-139.
[22]	王化群, 张力军, 赵君喜 . 基于椭圆曲线的 Schnorr 盲签名[J]. 计算机工程与设计, 2005,26(007): 1819-1822.
	WANG H Q , ZHANG L J , ZHAO J X . Schnorr blind signature based on elliptic curve[J]. Computer Engineering and Design, 2005,26(7): 1819-1822.
[23]	CONTI M , KUMAR E S , LAL C ,et al. A survey on security and privacy issues of bitcoin[J]. IEEE Communications Surveys ＆ Tutorials, 2018,20(4): 3416-3452.
[24]	RUFFING T , MORENO-SANCHEZ P , KATE A . Coinshuffle:Practical decentralized coin mixing for bitcoin[C]// European Symposium on Research in Computer Security. 2014: 345-364.
[25]	RUFFING T , MORENO-SANCHEZ P , . ValueShuffle:mixing confidential transactions for comprehensive transaction privacy in bitcoin[C]// International Conference on Financial Cryptography and Data Security. 2017: 133-154.
[26]	MIERS I , GARMAN C , GREEN M ,et al. Zerocoin:Anonymous distributed e-cash from bitcoin[C]// 2013 IEEE Symposium on Security and Privacy. 2013: 397-411.
[27]	SASSON E B , CHIESA A , GARMAN C ,et al. Zerocash:Decentralized anonymous payments from bitcoin[C]// 2014 IEEE Symposium on Security and Privacy. 2014: 459-474.

参数	描述
U_in	U 的真实地址
U_out	U 的目的地址
R	托管地址，对每个用户都是唯一的，由M 提供给U
R'	M 用来向U_out转移资金的托管地址，与R无关
U_in′	U 的匿名身份，用来向审计区块链发送消息
R_P	审计区块链的地址
P	M 的公钥
d	M 的私钥
Q	U 的公钥
f	U 的私钥
?	M 确认U 转账交易成功所需的区块数目
nonce	生成不同消息的随机数
v_M	M 预置的押金（v_M >>v_U）
v_U	U 向M 转移的混币金额
ρ	U 向M 支付的混币服务费率
t₁	U_in必须在时间t₁内向R转移v 资金，才能参与混币
t₂	M 必须在时间t₂ 内，将盲签名S 发送到审计区块链
t₃	U_in必须在t₃内，将解盲的签名发送到审计区块链
t₄	R 必须在时间t₄ 内，将v 转移到U_out
D	表示一组混币参数D={t₁,t₂,t₃,t₄,v,?,ρ,v_M}

步骤					运行时间/ms
步骤	U=10	U=100	U=500	U=1000	U=3000	U=5 000	U=7000	U=10 000
密钥生成	733.070457	607.219378	1058.532322	1093.89664	1777.432531	2620.259005	3099.466574	4335.089122
盲化	22.399536	99.996325	453.115392	697.206227	1562.69743	2751.897109	3811.14879	5274.156843
盲签名	0.23049	0.2151	0.927091	1.920491	6.051791	6.286574	9.194305	12.5701114.63204
解盲	0.023096	0.07483	0.257013	1.063502	1.028833	1.664293	2.385791	12.5701114.63204
验证	14.771948	85.232928	296.170681	543.565355	1382.222114	2398.496338	3293.995758	4763.119775
总时间	770.495527	792.738561	1809.002 499	2337.652215	4729.432699	7778.603319	10216.19122	14389.567890.433508
密钥生成（平均）	73.307 045	6.072193	2.117064	1.093896	0.592477	0.524051	0.44278	14389.567890.433508
盲化（平均）	2.239953	0.999963	0.90623	0.697206	0.520899	0.550379	0.544449	0.527415
盲签名（平均）	0.023049	0.002151	0.001854	0.00192	0.002017	0.001257	0.001313	0.0012570.000463
解盲（平均）	0.002309	0.000748	0.000514	0.001063	0.000342	0.000332	0.00034	0.0012570.000463
验证（平均）	1.477194	0.852329	0.592341	0.543565	0.46074	0.479699	0.47057	0.476311
总时间（平均）	77.049552	7.927385	3.618004	2.337652	1.576477	1.55572	1.459455	1.438956

方案	每轮交易量	轮数	时间	费用	可审计	防盗窃攻击
本文方案	5	1	10???5	vρ	√	√
Lockcoin^[9]	6	1	10???6	vρ	√	√
Blindcoin^[7]	4	1	10???4	vρ	√	×
RSA-Coinmix^[10]	2	1	10???2	vρ	×	×
Blind-mixing^[20]	2	1	10???2	vρ	×	×

方案	不可追踪性	不可连接性	防DoS攻击	防盗窃攻击	可审计性	可扩展性	兼容性
本文方案	√	√	√	√	√	√	√
Coinjoin^[5]	√	×	×	√	×	弱	√
Coinshuffle^[24]	√	弱	√	√	×	弱	√
Valueshuffle^[25]	√	√	×	√	×	弱	√
Zerocoin^[26]	√	√	√	√	×	√	×
Zerocash^[27]	√	√	√	√	×	√	×
Mixcoin^[6]	√	弱	√	×	√	√	√
Blindcoin^[7]	√	弱	√	弱	√	√	√
Blindmixing^[19]	√	√	×	×	×	√	√
Lockcoin^[9]	√	√	√	√	√	√	√