
Increasing Anonymity in Bitcoin

Conference paper
Financial Cryptography and Data Security (FC 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8438)

Abstract

Bitcoin prevents double-spending with the blockchain, a public ledger replicated at every client that records every transaction ever made. Because of this, Bitcoin offers no true anonymity. We present a method to enhance anonymity in Bitcoin-type cryptocurrencies. In the blockchain, each block holds a list of transactions that link sending and receiving addresses; in our modified protocol the transactions (and blocks) contain no such links, which yields a far higher degree of anonymity. Our method uses a new primitive, which we call composite signatures. Security rests on the hardness of the Computational Diffie-Hellman assumption in groups equipped with a bilinear map.


Notes

  1. If an attacker can extract signatures, he can isolate the input and add any output.

  2. These pairs can be generated as follows. First set all \(c_i\)s to 1. If \(k\) is odd, randomly set one of the \(c_i\)s to 0. Then, for those \(c_i\)s that are 1, randomly set half of the \(d_i\)s to \(+1\) and the rest to \(-1\).


Author information

Correspondence to Janardan Misra.

A Proof of Theorem 1

Proof. Let \(g, g^x, g^y \in G_1\) be the given CDH instance; our goal is to compute \(g^{xy}\). We show how to do so using the forger \(A\) as a black box.

Setup: We generate \(a_1, \ldots, a_n \in \mathbb {Z}_q\) uniformly at random and set the target public keys as \(pk_i=g^{x+a_i}\) for \(1\le i \le n\) (computable from \(g^x\) as \(g^x\cdot g^{a_i}\), so \(x\) itself is never needed). The set \(PK=\{pk_i\}_{i\in [1..n]}\) is given to \(A\).

H-list: \(A\) can query the random oracle \(H\) on points from \(\varSigma ^*\times \varSigma ^\kappa \times G_1\). To respond to such queries, we maintain a list called the H-list, which is initially empty and contains tuples of the type

$$(m, r, pk, h, b, c, d)\in \varSigma ^*\times \varSigma ^\kappa \times G_1\times G_1\times \mathbb {Z}_q\times \mathbb {Z}_2\times \{\pm 1\},$$

such that \(h=g^{cdy+b}\) always holds.

H-Queries: On an \(H(m_i, r_i, pk_i)\) query, if a tuple \((m_i, r_i, pk_i, h_i, b_i, c_i, d_i)\) exists in the H-list, we respond with \(h_i=H(m_i, r_i, pk_i)\); otherwise we add such an entry as follows. Generate \(b_i\in \mathbb {Z}_q\) uniformly at random and set \(d_i=1\). If \(pk_i\notin PK\), set \(c_i=0\), otherwise set \(c_i=1\). Finally, set \(h_i = g^{c_iy+b_i}\) and respond with \(h_i=H(m_i, r_i, pk_i)\). In effect, \(h_i=g^{b_i}\) if \(pk_i\notin PK\), otherwise \(h_i=g^{b_i+y}\).

Sign queries: Let \(\ell =((m_1, pk_1), (m_2, pk_2),\dots (m_k, pk_k))\) be any sign query with \(k\le n\). To respond, we generate \(k\) random strings \(r_1, \ldots, r_k \in \varSigma ^\kappa \) and, for each \(i \in [1..k]\), check the H-list for entries starting with \((m_i, r_i, pk_i)\). If any such entry exists, we report failure and abort; otherwise we add the entries as follows. We uniformly select \(k\) pairs \(((c_1, d_1),(c_2, d_2), \ldots (c_k, d_k)) \in (\mathbb {Z}_2\times \{\pm 1\})^k\) such that \(\sum _{i=1}^{k}{c_{i}d_i} = 0\) and \(k-\sum _{i=1}^{k}{c_{i}}\in \mathbb {Z}_2\). The latter says that at most one of the \(c_i\)s can be 0 (see Note 2). We then generate \(b_1, \ldots, b_k \in \mathbb {Z}_q\) uniformly at random and, for each \(i\in [1..k]\), set \(h_i=g^{c_id_iy+b_i}\). We add \((m_i, r_i, pk_i, h_i, b_i, c_i, d_i)\) to the H-list.

Let \(\sigma ' = g^{\sum ^{k}_{i=1}(x+a_i)(c_id_iy+b_i)} = g^{xy\sum ^{k}_{i=1}c_id_i+\sum ^{k}_{i=1}(xb_i+a_ic_id_iy+a_ib_i)}\). We know that \(\sum ^{k}_{i=1}c_id_i=0\) (by construction). Therefore, \(\sigma '= g^{\sum ^{k}_{i=1}(xb_i+a_ic_id_iy+a_ib_i)} = \prod ^{k}_{i=1}(g^x)^{b_i}(g^y)^{a_ic_id_i}g^{a_ib_i}\), a value we can compute from \(g^x\) and \(g^y\) alone. Also, \(\sigma =(\sigma ', \{r_1, r_2, \ldots r_k\})\) is a valid signature on \(\ell \), which is our response to the query.

Output: Finally, \(A\) outputs a pair \((\sigma _A, \ell _A)\). If \(\sigma _A\) is not a valid forgery on \(\ell _A\), we report failure. Let \(PK_A\) be the set of public keys in this forgery. Some of these keys may not be from \(PK\). Let \(PK^{\#}=PK_A\setminus PK\) and \(PK^*=PK\cap PK_A\).

By construction, all \(c_i\)s in the H-list corresponding to the messages signed under \(PK^{\#}\) are 0. Therefore, the respective \(b_i\)s are the discrete logarithms (to base \(g\)) of the corresponding \(h_i\)s, and for every \(pk\in PK^{\#}\) the factor \(h_i^{sk}=pk^{b_i}\) is computable without the secret key. Hence, we can compute the sub-composite signature corresponding to the messages of \(PK^*\), denoted by \(\sigma _*\) (we first compute the sub-composite signature corresponding to the messages of \(PK^{\#}\) and then “divide” \(\sigma _A\) by it).

Let \(((a^*_1, b^*_{1}, c^*_{1}, d^*_{1}), \ldots , (a^*_{k^*},b^*_{k^*},c^*_{k^*}, d^*_{k^*}))\) be the tuples containing the \(a_i\)s and H-list entries corresponding to \(PK^*\). If \(\sum _{i=1}^{k^*}{c^*_{i}d^*_i} = 0\), we report failure and abort; otherwise \(\sigma _*\) is a signature we could not have computed ourselves, and it solves the CDH instance as follows. We know that \(\sigma _*=(\sigma _*', \{r^*_1, \ldots r^*_{k^*}\})\) with \(\sigma _*' = g^{\sum ^{k^*}_{i=1}(x+a^*_i)(c^*_id^*_iy+b^*_i)}= g^{xy\sum ^{k^*}_{i=1}c^*_id^*_i}\cdot g^{\sum ^{k^*}_{i=1}(xb^*_i+a^*_ic^*_id^*_iy+a^*_ib^*_i)}=g^{xyz}\cdot w\), where \(z=\sum ^{k^*}_{i=1}c^*_id^*_i\ne 0\) and \(w=\prod ^{k^*}_{i=1}(g^x)^{b^*_i}(g^y)^{a^*_ic^*_id^*_i}g^{a^*_ib^*_i}\) are both known to us. Thus, we compute \(g^{xy} = (\sigma _*'/w)^{1/z}\), the exponent \(1/z\) being taken in \(\mathbb {Z}_q\).
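The sign-query simulation above and the extraction step, together with the \((c_i, d_i)\) sampling of Note 2, can be re-enacted concretely. The following Python is an added example and not code from the paper: it replaces \(G_1\) with a constructed toy group (the order-1019 subgroup of \(\mathbb{Z}_{2039}^*\) generated by 4) in which there is no pairing, so signatures are not verified; instead the simulator, which holds only \(g^x\) and \(g^y\), is checked against an honest signer that knows \(x\), and a harness-side "forger" (also knowing \(x\)) supplies the 2-tuple sub-composites that the simulator turns into \(g^{xy}\). The group parameters, the 32-bit \(r_i\) strings and the message labels are all constructed for the example.

```python
import random
from itertools import combinations

# Constructed toy group, not from the paper: p = 2q + 1 is a safe prime, so the
# quadratic residue G = 4 generates the subgroup of Z_p^* of prime order q. It
# stands in for G_1; with no pairing nothing is verified, the simulator's answers
# are compared against an honest signer that knows x instead.
P, Q, G = 2039, 1019, 4


def gexp(base, e):
    """base^e in the order-q subgroup; exponents are taken in Z_q."""
    return pow(base, e % Q, P)


def sample_cd_pairs(k, rng):
    """Note 2: every c_i = 1 (one random c_i = 0 if k is odd); among the c_i = 1
    entries exactly half get d_i = -1, so that sum_i c_i d_i = 0."""
    c = [1] * k
    if k % 2 == 1:
        c[rng.randrange(k)] = 0
    ones = [i for i in range(k) if c[i] == 1]
    rng.shuffle(ones)
    d = [1] * k
    for i in ones[: len(ones) // 2]:
        d[i] = -1
    return list(zip(c, d))


class Simulator:
    """The reduction of Theorem 1: holds g^x and g^y (never x or y) and answers queries."""

    def __init__(self, gx, gy, n, rng):
        self.gx, self.gy, self.rng = gx, gy, rng
        self.a = [rng.randrange(1, Q) for _ in range(n)]
        self.pk = [gx * gexp(G, ai) % P for ai in self.a]   # pk_i = g^{x + a_i} = g^x * g^{a_i}
        self.hlist = {}                                     # (m, r, pk) -> (h, b, c, d)

    def _add_entry(self, m, r, pk, c, d):
        b = self.rng.randrange(Q)
        h = gexp(self.gy, c * d) * gexp(G, b) % P           # h = g^{c d y + b}
        self.hlist[(m, r, pk)] = (h, b, c, d)
        return b

    def h_query(self, m, r, pk):
        """Random oracle H: c = 1 only for target keys, d = +1 always."""
        if (m, r, pk) not in self.hlist:
            self._add_entry(m, r, pk, 1 if pk in self.pk else 0, 1)
        return self.hlist[(m, r, pk)][0]

    def _known_part(self, i, b, c, d):
        """g^{x b + a_i c d y + a_i b}: the factor of h^{x + a_i} computable without x."""
        ai = self.a[i]
        return gexp(self.gx, b) * gexp(self.gy, ai * c * d) * gexp(G, ai * b) % P

    def sign_query(self, pairs):
        """pairs = [(m_1, i_1), ...], i_j an index into PK. Returns (sigma', [r_j]),
        or None where the proof aborts (some (m_j, r_j, pk_j) already in the H-list)."""
        rs = [self.rng.getrandbits(32) for _ in pairs]
        if any((m, r, self.pk[i]) in self.hlist for (m, i), r in zip(pairs, rs)):
            return None
        sigma = 1
        for (m, i), r, (c, d) in zip(pairs, rs, sample_cd_pairs(len(pairs), self.rng)):
            b = self._add_entry(m, r, self.pk[i], c, d)
            sigma = sigma * self._known_part(i, b, c, d) % P  # g^{xy sum c d} = 1 drops out
        return sigma, rs

    def extract_cdh(self, sigma_sub, tuples):
        """Output phase: tuples = [(m, r, i), ...] of the forged sub-composite over PK^*.
        Returns g^{xy}, or None when sum c d = 0 (the abort case of the proof)."""
        z, w = 0, 1
        for m, r, i in tuples:
            _, b, c, d = self.hlist[(m, r, self.pk[i])]
            z += c * d
            w = w * self._known_part(i, b, c, d) % P
        if z % Q == 0:
            return None
        return gexp(sigma_sub * pow(w, -1, P), pow(z % Q, -1, Q))  # (sigma/w)^{1/z}


def honest_composite(sim, x, tuples):
    """What a signer holding x outputs: prod_i H(m_i, r_i, pk_i)^{x + a_i}. Used only by
    the harness to play the signer and the forger; the Simulator never touches x."""
    sigma = 1
    for m, r, i in tuples:
        sigma = sigma * gexp(sim.hlist[(m, r, sim.pk[i])][0], x + sim.a[i]) % P
    return sigma


def run_reduction(seed=7):
    """One 4-tuple sign query, then every 2-tuple sub-composite a forger could extract."""
    rng = random.Random(seed)
    x, y = rng.randrange(1, Q), rng.randrange(1, Q)          # hidden CDH exponents
    sim = Simulator(gexp(G, x), gexp(G, y), n=4, rng=rng)
    pairs = [("m0", 0), ("m1", 1), ("m2", 2), ("m3", 3)]
    sigma, rs = sim.sign_query(pairs)
    tuples = [(m, r, i) for (m, i), r in zip(pairs, rs)]
    gxy, aborts, solved = gexp(G, x * y), 0, True
    for sub in combinations(tuples, 2):
        got = sim.extract_cdh(honest_composite(sim, x, sub), sub)
        if got is None:
            aborts += 1                                       # d_1 + d_2 = 0: nothing to extract
        else:
            solved = solved and got == gxy
    return {"simulator_matches_signer": sigma == honest_composite(sim, x, tuples),
            "aborting_subsets": aborts,                       # 4 of the 6 two-element subsets
            "cdh_solved": solved and aborts < 6}
```

`run_reduction()` confirms the two facts the proof relies on: the simulated 4-tuple signature equals the honest one (the \(g^{xy\sum c_id_i}\) factor really is trivial), and every extracted 2-tuple sub-composite with \(d_1+d_2\ne 0\) yields the correct \(g^{xy}\), while the four balanced subsets are exactly the abort case of Claim 3.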

It now remains to bound the probability of success. Define events:

  • \(\mathcal {E}_1=\) We do not abort during sign queries.

  • \(\mathcal {E}_2= \mathcal {E}_1\) and \(A\) outputs a successful forgery.

  • \(\mathcal {E}_3= \mathcal {E}_2\) and \(\sum _{i=1}^{k^*}{c^*_{i}d^*_i} \ne 0\).

Then \(\Pr [{success}]\) \(=\) \(\Pr [\mathcal {E}_3|\mathcal {E}_2]\cdot \Pr [\mathcal {E}_2|\mathcal {E}_1]\cdot \Pr [\mathcal {E}_1]\).

Claim 1

\(\Pr [\mathcal {E}_1]\ge \left( 1-\frac{\alpha +\gamma -1}{2^\kappa }\right) ^{n\alpha }\)

Proof. Consider the number of entries in the H-list corresponding to a given (message, public-key) pair \((m, pk)\). Each H-query adds at most one entry for this pair. Since a sign query contains at most one instance of the pair \((m, pk)\), each sign query also adds at most one entry for it. Hence, with \(\gamma \) H-queries and \(\alpha \) sign queries in total, at the time of any sign query there are at most \(\alpha +\gamma -1\) entries in the H-list corresponding to \((m, pk)\). Now select \(r\in \varSigma ^\kappa \) uniformly at random and consider the event that an entry beginning with \((m, r, pk)\) already exists in the H-list. Since there are \(2^\kappa \) possible values of \(r\), \(\Pr [\text {no entry in H-list for }(m, r, pk)]\ge 1-\frac{\alpha +\gamma -1}{2^\kappa }\). A sign query contains at most \(n\) pairs, so \(\Pr [\text{ we } \text{ do } \text{ not } \text{ abort } \text{ in } \text{ one } \text{ sign } \text{ query }]\ge \left( 1-\frac{\alpha +\gamma -1}{2^\kappa }\right) ^n\), and so

$$\Pr [\mathcal {E}_1]=\Pr [\text {we do not abort in }\alpha \text { sign queries}]\ge \left( 1-\frac{\alpha +\gamma -1}{2^\kappa }\right) ^{n\alpha }\qquad \qquad \square $$

Claim 2

\(\Pr [\mathcal {E}_2|\mathcal {E}_1]=\epsilon \).

Proof. If we do not abort during sign queries, then the adversary's view is identical to its view in a real attack: the \(r_i\)s and the oracle outputs \(h_i=g^{c_id_iy+b_i}\) are uniformly distributed, and every answered signature is valid. It follows that \(\Pr [\mathcal {E}_2|\mathcal {E}_1]=\epsilon \).    \(\square \)

Claim 3

\(\Pr [\mathcal {E}_3|\mathcal {E}_2]\ge 1/3\)

Proof. Split H-list entries into two disjoint sets based on how they are generated:

  1. \(S_1\): Sign queries on single (message, public-key) pairs. Here \(\Pr [c=0]=1\).

  2. \(S_2\): H-queries or sign queries on two or more (message, public-key) pairs. It can be checked that \(\Pr [c=0] \le 1/3\) for such entries.

Let the forgery contain \(k^*\) (message, public-key) pairs. Let \(\{(m^*_i, r^*_i, pk^*_i)\}_{i\in [1..k^*]}\) be the set of tuples corresponding to the forgery. We ensure that an entry for each tuple exists in the H-list (by simulating H-queries ourselves if necessary).

Lemma 1

If the forgery is valid (i.e., \(\ell _A\) is not signable), then at least one of the tuples in the forgery must correspond to an element of \(S_2\).

Proof

If all tuples \(\{(m^*_i, r^*_i, pk^*_i)\}_{i\in [1..k^*]}\) in the forgery correspond to elements from \(S_1\), then \(A\) made sign queries on every pair \((m^*_i, pk^*_i)\), possibly more than once. By definition, \(\ell _A\) is signable. Hence the forgery cannot be valid.    \(\square \)

For any signature \(\sigma _\ell \) from the sign queries or the forgery, define \(f(\sigma _\ell )=\sum _{i=1}^{k}{c_{i}d_i}\), obtained from corresponding entries \((m_i, r_i, pk_i, h_i, b_i, c_i, d_i)\) in the H-list. \(A\)’s goal is to maximize \(\Pr [\lnot \mathcal {E}_3|\mathcal {E}_2]=\Pr [f(\sigma _*)=0]\).

Since we did not abort during the sign queries, each tuple \((m^*_i, r^*_i, pk^*_i)\) was used in at most one sign query. Therefore \(A\)’s view of any of the \(c^*_i\)s for tuples from \(S_2\) is independent of any queries. Extending Lemma 1, we can see that if \(\ell _A\) is not signable, then \(A\)’s view of \(f(\sigma _*)\) is independent of all queries. An upper bound for \(\Pr [\lnot \mathcal {E}_3|\mathcal {E}_2]\) then gives us the worst case scenario.

Keeping tuples from \(S_1\) in the forgery is not useful for \(A\), since \(c_i=0\) for such values and so \(f(\sigma _*)\) is independent of them. Therefore, assume that \(A\)’s forgery contains only elements from \(S_2\). Now \(S_2\) can be further divided into: (1) \(S'_2\), consisting of entries due to H-queries, and (2) \(S''_2\), consisting of entries due to sign queries. Since for elements of \(S''_2\) the \(d_i\)s are uniform over \(\pm 1\), while for those of \(S'_2\) the \(d_i\)s are guaranteed to be \(+1\), a symmetry argument shows that including elements from \(S'_2\) is not beneficial to \(A\), since it only biases \(f(\sigma _*)\) towards nonzero. Therefore, assume that \(A\)’s forgery contains only elements from \(S''_2\). A counting argument shows that if all elements are from \(S''_2\), then \(\Pr [f(\sigma _*)=0]\le 2/3\), with the maximum occurring when \(A\) extracts a 2-tuple signature from a 4-tuple signature. Hence \(\Pr [\mathcal {E}_3|\mathcal {E}_2]\ge 1/3\).    \(\square \)
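Carrying the counting argument through, as an added worked derivation that is not part of the original proof: fix one sign query on a \(k\)-tuple with \(k\) even, so that by Note 2 every \(c_i=1\) and exactly \(k/2\) of the \(d_i\) equal \(+1\), the choice of which half being uniform over the \(\binom{k}{k/2}\) possibilities. Suppose \(A\) extracts the sub-composite over a fixed subset \(T\) of \(j<k\) of these tuples. Then \(f(\sigma _*)=\sum _{i\in T}d_i\) is the number of \(+1\)s in \(T\) minus the number of \(-1\)s, which vanishes iff \(T\) holds exactly \(j/2\) entries with \(d_i=+1\). For even \(j\) this gives

$$\Pr [f(\sigma _*)=0]=\frac{\binom{j}{j/2}\binom{k-j}{(k-j)/2}}{\binom{k}{k/2}}=\frac{\binom{k/2}{j/2}^2}{\binom{k}{j}},$$

and for odd \(j\) the probability is \(0\). Evaluating: \(k=4, j=2\) gives \(\frac{2\cdot 2}{6}=\frac{2}{3}\); \(k=6\) with \(j=2\) or \(j=4\) gives \(\frac{12}{20}=\frac{3}{5}\); \(k=8, j=4\) gives \(\frac{36}{70}=\frac{18}{35}\). For odd \(k\) one tuple has \(c_i=0\) and contributes nothing to \(f(\sigma _*)\), which only lowers the probability; e.g. \(k=3, j=2\) gives \(\Pr [f(\sigma _*)=0]=\frac{1}{3}\), since \(f(\sigma _*)=0\) exactly when the omitted tuple is the one with \(c_i=0\). The maximum of \(2/3\) is thus attained at \(k=4, j=2\), as stated.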

This proves Theorem 1.    \(\square \)


Copyright information

© 2014 IFCA/Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Saxena, A., Misra, J., Dhar, A. (2014). Increasing Anonymity in Bitcoin. In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds.) Financial Cryptography and Data Security. FC 2014. Lecture Notes in Computer Science, vol. 8438. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44774-1_9

  • DOI: https://doi.org/10.1007/978-3-662-44774-1_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-44773-4

  • Online ISBN: 978-3-662-44774-1
