Abstract
Bitcoin prevents double-spending using the blockchain, a public ledger kept with every client. Every single transaction to date is present in this ledger. Because of this, true anonymity is not present in bitcoin. We present a method to enhance anonymity in bitcoin-type cryptocurrencies. In the blockchain, each block holds a list of transactions linking the sending and receiving addresses. In our modified protocol the transactions (and blocks) do not contain any such links. Using this, we obtain a far higher degree of anonymity. Our method uses a new primitive known as composite signatures. Our security is based on the hardness of the Computational Diffie-Hellman assumption in bilinear maps.
Keywords
 Bitcoin
 Cryptocurrency
 Aggregate signatures
 Plausible deniability
 Anonymity
Notes
1. If an attacker can extract signatures, he can isolate the input and add any output.
2. These pairs can be generated as follows. First set all \(c_i\)s to 1. If \(k\) is odd, randomly set one of the \(c_i\)s to 0. Then for those \(c_i\)s that are 1, randomly set half of the \(d_i\)s to \(+1\) and the rest to \(-1\).
A Proof of Theorem 1
Proof. Let \(g, g^x, g^y \in G_1\) be the given CDH instance we need to solve (our goal is to compute \(g^{xy}\)). We show how to solve this using \(A\) as a black box.
Setup: We generate \(a_1, \ldots , a_n\) uniformly at random and set the target public keys as \(pk_i=g^{x+a_i}\) for \(1\le i \le n\). The set \(PK=\{pk_i\}_{i\in [1..n]}\) is given to \(A\).
H-list: \(A\) can query the random oracle \(H\) on points from \(\varSigma ^*\times \varSigma ^\kappa \times G_1\). To respond to such queries, we maintain a list called the H-list, which is initially empty and contains tuples of the type \((m, r, pk, h, b, c, d)\) such that \(h=g^{cdy+b}\) always holds.
H-queries: On an \(H(m_i, r_i, pk_i)\) query, if a tuple \((m_i, r_i, pk_i, h_i, b_i, c_i, d_i)\) exists in the H-list, we respond with \(h_i=H(m_i, r_i, pk_i)\); otherwise we add such an entry as follows. Generate \(b_i\) uniformly at random and set \(d_i=1\). If \(pk_i\notin PK\), set \(c_i=0\), otherwise set \(c_i=1\). Finally, set \(h_i = g^{c_iy+b_i}\) and respond with \(h_i=H(m_i, r_i, pk_i)\). In effect, \(h_i=g^{b_i}\) if \(pk_i\notin PK\), otherwise \(h_i=g^{b_i+y}\).
Sign queries: Let \(\ell =((m_1, pk_1), (m_2, pk_2),\dots (m_k, pk_k))\) be any sign query for \(k\le n\). To respond to this, we generate \(k\) random values \(r_1, \ldots , r_k \in \varSigma ^\kappa \) and for each \(i \in [1..k]\) we check the H-list for entries starting with \((m_i, r_i, pk_i)\). If any such entry exists, we report failure and abort; otherwise we add the entries as follows. We uniformly select \(k\) pairs \(((c_1, d_1),(c_2, d_2), \ldots (c_k, d_k)) \in (\mathbb {Z}_2\times \{\pm 1\})^k\) such that \(\sum _{i=1}^{k}{c_{i}d_i} = 0\) and \(k-\sum _{i=1}^{k}{c_{i}}\in \mathbb {Z}_2\). The latter says that at most one of the \(c_i\)s can be 0.^{Footnote 2} We then generate \(b_i\) uniformly at random and, for each \(i\in [1..k]\), we set \(h_i=g^{c_id_iy+b_i}\). We add \((m_i, r_i, pk_i, h_i, b_i, c_i, d_i)\) to the H-list.
Let \(\sigma ' = g^{\sum ^{k}_{i=1}(x+a_i)(c_id_iy+b_i)} = g^{xy\sum ^{k}_{i=1}c_id_i+\sum ^{k}_{i=1}xb_i+a_ic_id_iy+a_ib_i}\). We know that \(\sum ^{k}_{i=1}c_id_i=0\) (by construction). Therefore, \(\sigma '= g^{\sum ^{k}_{i=1}xb_i+a_ic_id_iy+a_ib_i}\), a value that can be computed by us. Also, \(\sigma =(\sigma ', \{r_1, r_2, \ldots r_k\})\) is a valid signature on \(\ell \), which is our response to the query.
Output: Finally, \(A\) outputs a pair \((\sigma _A, \ell _A)\). If \(\sigma _A\) is not a valid forgery on \(\ell _A\), we report failure. Let \(PK_A\) be the set of public keys in this forgery. Some of these keys may not be from \(PK\). Let \(PK^{\#}=PK_A\setminus PK\) and \(PK^*=PK\cap PK_A\).
By construction, all \(c_i\)s in the H-list corresponding to the messages signed under \(PK^{\#}\) are 0. Therefore, the respective \(b_i\)s are the discrete logarithms (to base \(g\)) of the corresponding \(h_i\)s. Hence, we can compute the sub-composite signature corresponding to the messages of \(PK^*\), denoted by \(\sigma _*\) (we compute this by first computing the sub-composite signature corresponding to the messages of \(PK^{\#}\) and “dividing” \(\sigma _A\) by that).
Let \(((a^*_1, b^*_{1}, c^*_{1}, d^*_{1}), \ldots , (a^*_{k^*},b^*_{k^*},c^*_{k^*}, d^*_{k^*}))\) be tuples containing \(a_i\)s and Hlist entries corresponding to \(PK^*\). If \(\sum _{i=1}^{k^*}{c^*_{i}d^*_i} = 0\), we report failure and abort, otherwise \(\sigma _*\) corresponds to a signature we could not have computed ourselves, which can be used to solve the CDH problem as follows. We know that \(\sigma _*=(\sigma _*', \{r^*_1, \ldots r^*_{k^*}\})\) such that \(\sigma _*' = g^{\sum ^{k^*}_{i=1}(x+a^*_i)(c^*_id^*_iy+b^*_i)}= g^{xy\sum ^{k^*}_{i=1}c^*_id^*_i}\cdot g^{\sum ^{k^*}_{i=1}xb^*_i+a^*_ic^*_id^*_iy+a^*_ib^*_i}=g^{xyz}\cdot w\) for some nonzero \(w\) and \(z\) that we know. Thus, we can compute \(g^{xy} = (\sigma _*'/w)^{1/z}\).
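The simulator's arithmetic from the setup, sign-query and output steps above, together with the pair-selection procedure of footnote 2, as an added Python example that is not part of the paper. It uses a constructed toy group (a prime-order subgroup of \(\mathbb{Z}_p^*\), no pairing) because only signature verification needs the bilinear map; the function and variable names are my own. The simulator functions receive only \(g^x\) and \(g^y\), never \(x\) or \(y\), and the secret \(x\) is used solely to play the honest signer and the forger for checking.

```python
import random

# Constructed toy group: order-q subgroup of Z_p^*, p = 2q + 1 (2039 and 1019 prime), g = 4.
# Only verification needs a pairing group G_1; the simulator's own work is group arithmetic.
P, Q, G = 2039, 1019, 4

def gen_pairs(k, rng):  # footnote 2: sum c_i d_i = 0 and at most one c_i = 0
    c = [1] * k
    if k % 2 == 1:
        c[rng.randrange(k)] = 0
    ones = [i for i in range(k) if c[i] == 1]
    rng.shuffle(ones)
    d = [-1 if i in ones[len(ones) // 2:] else 1 for i in range(k)]  # half of c_i = 1 get -1
    return list(zip(c, d))

def h_value(gy, b, c, d):  # programmed oracle output h = g^{c d y + b}, computed from g^y only
    return pow(gy, (c * d) % Q, P) * pow(G, b, P) % P

def known_part(gx, gy, a, entries):  # w = g^{sum_i x b_i + a_i c_i d_i y + a_i b_i}
    w = 1
    for a_i, (b, c, d) in zip(a, entries):
        w = w * pow(gx, b, P) * pow(gy, (a_i * c * d) % Q, P) * pow(G, (a_i * b) % Q, P) % P
    return w

def real_sign(x, a, hs):  # honest signer with secret x: sigma' = prod_i h_i^{x + a_i}
    s = 1
    for a_i, h in zip(a, hs):
        s = s * pow(h, (x + a_i) % Q, P) % P
    return s

def extract_cdh(gx, gy, a, entries, sigma_forged):  # g^{xy} = (sigma'/w)^{1/z}
    z = sum(c * d for _, c, d in entries) % Q  # nonzero, else the simulator aborts
    w = known_part(gx, gy, a, entries)
    return pow(sigma_forged * pow(w, -1, P) % P, pow(z, -1, Q), P)

def run_demo(seed=7):
    rng = random.Random(seed)
    x, y = rng.randrange(1, Q), rng.randrange(1, Q)  # CDH secrets; the simulator never sees them
    gx, gy = pow(G, x, P), pow(G, y, P)
    a = [rng.randrange(1, Q) for _ in range(4)]
    entries = [(rng.randrange(Q), c, d) for c, d in gen_pairs(4, rng)]  # H-list (b_i, c_i, d_i)
    hs = [h_value(gy, *e) for e in entries]
    sim_ok = known_part(gx, gy, a, entries) == real_sign(x, a, hs)  # sum c d = 0, so w is sigma'
    idx = [i for i, (_, _, d) in enumerate(entries) if d == 1]  # A extracts the 2-tuple with z = 2
    sub_a, sub_e, sub_h = ([v[i] for i in idx] for v in (a, entries, hs))
    forged = real_sign(x, sub_a, sub_h)
    cdh_ok = extract_cdh(gx, gy, sub_a, sub_e, forged) == pow(G, (x * y) % Q, P)
    p5 = gen_pairs(5, rng)
    pairs_ok = sum(c * d for c, d in p5) == 0 and [c for c, _ in p5].count(0) == 1
    return {"sim_ok": sim_ok, "cdh_ok": cdh_ok, "pairs_ok": pairs_ok}
```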
It now remains to bound the probability of success. Define events:

\(\mathcal {E}_1=\) We do not abort during sign queries.

\(\mathcal {E}_2= \mathcal {E}_1\) and \(A\) outputs a successful forgery.

\(\mathcal {E}_3= \mathcal {E}_2\) and \(\sum _{i=1}^{k^*}{c^*_{i}d^*_i} \ne 0\).
Then \(\Pr [\text {success}] = \Pr [\mathcal {E}_3\mid \mathcal {E}_2]\cdot \Pr [\mathcal {E}_2\mid \mathcal {E}_1]\cdot \Pr [\mathcal {E}_1]\).
Claim 1
\(\Pr [\mathcal {E}_1]\ge \left( 1-\frac{\alpha +\gamma -1}{2^\kappa }\right) ^{n\alpha }\)
Proof. Consider the number of entries in the H-list corresponding to a given (message, public-key) pair \((m, pk)\). Each H-query can add at most one entry to the H-list for this pair. Since a sign query can contain at most one instance of the pair \((m, pk)\), each sign query can also add at most one entry to the H-list for this pair. Therefore there can be a maximum of \(\alpha +\gamma -1\) entries in the H-list corresponding to \((m, pk)\). Now select \(r\in \varSigma ^\kappa \) uniformly at random and consider the event that an entry beginning with \((m, r, pk)\) exists in the H-list. Since there are \(2^\kappa \) possible ways to select \(r\), we can be assured that \(\Pr [\text {no entry in H-list for } (m, r, pk)]\ge 1-\frac{\alpha +\gamma -1}{2^\kappa }\). Now there can be a maximum of \(n\) pairs in a sign query. Therefore, \(\Pr [\text {we do not abort in one sign query}]\ge \left( 1-\frac{\alpha +\gamma -1}{2^\kappa }\right) ^n\), and so \(\Pr [\mathcal {E}_1]\ge \left( 1-\frac{\alpha +\gamma -1}{2^\kappa }\right) ^{n\alpha }\). \(\square \)
Claim 2
\(\Pr [\mathcal {E}_2\mid \mathcal {E}_1]=\epsilon \).
Proof. If we do not abort during sign queries, then the view of the adversary is identical to a real simulation, and it follows that \(\Pr [\mathcal {E}_2\mid \mathcal {E}_1]=\epsilon \). \(\square \)
Claim 3
\(\Pr [\mathcal {E}_3\mid \mathcal {E}_2]\ge 1/3\)
Proof. Split H-list entries into two disjoint sets based on how they are generated:
1. \(S_1\): sign queries on single (message, public-key) pairs. Here \(\Pr [c=0]=1\).
2. \(S_2\): H-queries or sign queries on two or more (message, public-key) pairs. It can be checked that \(\Pr [c=0] \le 1/3\) for such entries.
Let the forgery contain \(k^*\) (message, public-key) pairs. Let \(\{(m^*_i, r^*_i, pk^*_i)\}_{i\in [1..k^*]}\) be the set of tuples corresponding to the forgery. We ensure that an entry for each tuple exists in the H-list (by simulating H-queries ourselves if necessary).
Lemma 1
If the forgery is valid (i.e., \(\ell _A\) is not signable), then at least one of the tuples in the forgery must correspond to an element of \(S_2\).
Proof
If all tuples \(\{(m^*_i, r^*_i, pk^*_i)\}_{i\in [1..k^*]}\) in the forgery correspond to elements from \(S_1\), then \(A\) made sign queries on every pair \((m^*_i, pk^*_i)\), possibly more than once. By definition, \(\ell _A\) is signable. Hence the forgery cannot be valid. \(\square \)
For any signature \(\sigma _\ell \) from the sign queries or the forgery, define \(f(\sigma _\ell )=\sum _{i=1}^{k}{c_{i}d_i}\), obtained from the corresponding entries \((m_i, r_i, pk_i, h_i, b_i, c_i, d_i)\) in the H-list. \(A\)’s goal is to maximize \(\Pr [\lnot \mathcal {E}_3\mid \mathcal {E}_2]=\Pr [f(\sigma _*)=0]\).
Since we did not abort during the sign queries, each tuple \((m^*_i, r^*_i, pk^*_i)\) was used in at most one sign query. Therefore \(A\)’s view of any of the \(c^*_i\)s for tuples from \(S_2\) is independent of any queries. Extending Lemma 1, we can see that if \(\ell _A\) is not signable, then \(A\)’s view of \(f(\sigma _*)\) is independent of all queries. An upper bound for \(\Pr [\lnot \mathcal {E}_3\mid \mathcal {E}_2]\) then gives us the worst-case scenario.
Keeping tuples from \(S_1\) in the forgery is not useful for \(A\), since \(c_i=0\) for such values and so \(f(\sigma _*)\) is independent of them. Therefore, assume that \(A\)’s forgery contains only elements from \(S_2\). Now \(S_2\) can be further divided into: (1) \(S'_2\) consisting of entries due to H-queries and (2) \(S''_2\) consisting of entries due to sign queries. Since for elements of \(S''_2\), the \(d_i\)s are uniformly distributed between \(\pm 1\), while for those of \(S'_2\), the \(d_i\)s are guaranteed to be \(+1\), a symmetric argument shows that including elements from \(S'_2\) is not beneficial to \(A\) since it only biases \(f(\sigma _*)\) towards nonzero. Therefore, assume that \(A\)’s forgery contains only elements from \(S''_2\). A counting argument shows that if all elements are from \(S''_2\), then \(\Pr [f(\sigma _*)=0]\le 2/3\), with the maximum occurring when \(A\) extracts a 2-tuple signature from a 4-tuple signature. Hence \(\Pr [\mathcal {E}_3\mid \mathcal {E}_2]\ge 1/3\). \(\square \)
This proves Theorem 1. \(\square \)
Copyright information
© 2014 IFCA/Springer-Verlag Berlin Heidelberg
Cite this paper
Saxena, A., Misra, J., Dhar, A. (2014). Increasing Anonymity in Bitcoin. In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds) Financial Cryptography and Data Security. FC 2014. Lecture Notes in Computer Science, vol 8438. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44774-1_9
DOI: https://doi.org/10.1007/978-3-662-44774-1_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-44773-4
Online ISBN: 978-3-662-44774-1