Abstract
Bitcoin prevents double-spending using the blockchain, a public ledger kept by every client. Every transaction to date is present in this ledger, so true anonymity is not available in bitcoin. We present a method to enhance anonymity in bitcoin-type cryptocurrencies. In the blockchain, each block holds a list of transactions linking the sending and receiving addresses. In our modified protocol the transactions (and blocks) do not contain any such links. Using this, we obtain a far higher degree of anonymity. Our method uses a new primitive known as composite signatures. Our security is based on the hardness of the Computational Diffie-Hellman assumption in bilinear maps.
Notes
1. If an attacker can extract signatures, he can isolate the input and add any output.
2. These pairs can be generated as follows. First set all \(c_i\)s to 1. If \(k\) is odd, randomly set one of the \(c_i\)s to 0. Then for those \(c_i\)s that are 1, randomly set half of the \(d_i\)s to \(+1\) and the rest to \(-1\).
A Proof of Theorem 1
Proof. Let \(g, g^x, g^y \in G_1\) be the given CDH instance we need to solve (our goal is to compute \(g^{xy}\)). We show how to solve this using \(A\) as a black-box.
Setup: We generate \(a_i\) uniformly at random and set the target public keys as \(pk_i=g^{x+a_i}\) for \(1\le i \le n\). The set \(PK=\{pk_i\}_{i\in [1..n]}\) is given to \(A\).
H-list: \(A\) can query the random oracle \(H\) on points from \(\varSigma ^*\times \varSigma ^\kappa \times G_1\). To respond to such queries, we maintain a list called the H-list, which is initially empty and contains tuples of the type \((m, r, pk, h, b, c, d)\) such that \(h=g^{cdy+b}\) always holds.
H-Queries: On an \(H(m_i, r_i, pk_i)\) query, if a tuple \((m_i, r_i, pk_i, h_i, b_i, c_i, d_i)\) exists in the H-list, we respond with \(h_i=H(m_i, r_i, pk_i)\); otherwise we add such an entry as follows. Generate \(b_i\) uniformly at random and set \(d_i=1\). If \(pk_i\notin PK\), set \(c_i=0\), otherwise set \(c_i=1\). Finally, set \(h_i = g^{c_iy+b_i}\) and respond with \(h_i=H(m_i, r_i, pk_i)\). In effect, \(h_i=g^{b_i}\) if \(pk_i\notin PK\), otherwise \(h_i=g^{b_i+y}\).
Sign queries: Let \(\ell =((m_1, pk_1), (m_2, pk_2),\dots, (m_k, pk_k))\) be any sign query for \(k\le n\). To respond to this, we generate \(k\) random numbers \(r_1, \ldots, r_k\) and for each \(i \in [1..k]\) we check the H-list for entries starting with \((m_i, r_i, pk_i)\). If any such entry exists, we report failure and abort; otherwise we add the entries as follows. We uniformly select \(k\) pairs \(((c_1, d_1),(c_2, d_2), \ldots, (c_k, d_k)) \in (\mathbb {Z}_2\times \pm 1)^k\) such that \(\sum _{i=1}^{k}{c_{i}d_i} = 0\) and \(k-\sum _{i=1}^{k}{c_{i}}\in \mathbb {Z}_2\). The latter says that at most one of the \(c_i\)s can be 0 (see Note 2). We then generate \(b_1, \ldots, b_k\) uniformly at random and for each \(i\in [1..k]\), we set \(h_i=g^{c_id_iy+b_i}\). We add \((m_i, r_i, pk_i, h_i, b_i, c_i, d_i)\) to the H-list.
Let \(\sigma ' = g^{\sum ^{k}_{i=1}(x+a_i)(c_id_iy+b_i)} = g^{xy\sum ^{k}_{i=1}c_id_i+\sum ^{k}_{i=1}xb_i+a_ic_id_iy+a_ib_i}\). We know that \(\sum ^{k}_{i=1}c_id_i=0\) (by construction). Therefore, \(\sigma '= g^{\sum ^{k}_{i=1}xb_i+a_ic_id_iy+a_ib_i}\), a value that can be computed by us. Also, \(\sigma =(\sigma ', \{r_1, r_2, \ldots r_k\})\) is a valid signature on \(\ell \), which is our response to the query.
Output: Finally, \(A\) outputs a pair \((\sigma _A, \ell _A)\). If \(\sigma _A\) is not a valid forgery on \(\ell _A\), we report failure. Let \(PK_A\) be the set of public keys in this forgery. Some of these keys may not be from \(PK\). Let \(PK^{\#}=PK_A\setminus PK\) and \(PK^*=PK\cap PK_A\).
By construction, all \(c_i\)s in the H-list corresponding to the messages signed under \(PK^{\#}\) are 0. Therefore, the respective \(b_i\)s are the discrete logarithms (to base \(g\)) of the corresponding \(h_i\)s. Hence, we can compute the sub-composite signature corresponding to the messages of \(PK^*\), denoted by \(\sigma _*\) (we compute this by first computing the sub-composite signature corresponding to the messages of \(PK^{\#}\) and “dividing” \(\sigma _A\) by that).
Let \(((a^*_1, b^*_{1}, c^*_{1}, d^*_{1}), \ldots , (a^*_{k^*},b^*_{k^*},c^*_{k^*}, d^*_{k^*}))\) be tuples containing \(a_i\)s and H-list entries corresponding to \(PK^*\). If \(\sum _{i=1}^{k^*}{c^*_{i}d^*_i} = 0\), we report failure and abort, otherwise \(\sigma _*\) corresponds to a signature we could not have computed ourselves, which can be used to solve the CDH problem as follows. We know that \(\sigma _*=(\sigma _*', \{r^*_1, \ldots r^*_{k^*}\})\) such that \(\sigma _*' = g^{\sum ^{k^*}_{i=1}(x+a^*_i)(c^*_id^*_iy+b^*_i)}= g^{xy\sum ^{k^*}_{i=1}c^*_id^*_i}\cdot g^{\sum ^{k^*}_{i=1}xb^*_i+a^*_ic^*_id^*_iy+a^*_ib^*_i}=g^{xyz}\cdot w\) for some nonzero \(w\) and \(z\) that we know. Thus, we can compute \(g^{xy} = (\sigma _*'/w)^{1/z}\).
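As an added illustration (not from the paper) of the exponent algebra the simulator relies on, the following Python replaces the pairing group \(G_1\) with a constructed toy group (the order-1019 subgroup of \(\mathbb{Z}_{2039}^*\), generator 4) and checks two things: a sign query with \(\sum c_id_i=0\) is answered from \(g^x, g^y\) alone and matches what an honest signer would produce, and a forgery with \(z=\sum c_id_i\ne 0\) yields \(g^{xy}\) via \((\sigma _*'/w)^{1/z}\). Verification through the bilinear map is omitted; the \(a_i, b_i\) and pair values are constructed inputs.

```python
import random

# Constructed toy group: the order-Q subgroup of Z_P^* with P = 2Q + 1 a safe prime
# and generator G = 4. The paper works in a pairing group G_1; the bilinear map is
# only needed for verification, not for the simulator's exponent algebra shown here.
P, Q, G = 2039, 1019, 4


def choose_pairs(k, rng=random):
    """Sample (c_i, d_i) as in Note 2: all c_i = 1 except one c_i = 0 when k is odd,
    and the d_i of the c_i = 1 entries split evenly between +1 and -1, so sum c_i d_i = 0."""
    c = [1] * k
    if k % 2 == 1:
        c[rng.randrange(k)] = 0
    live = [i for i in range(k) if c[i] == 1]
    rng.shuffle(live)
    d = [1] * k
    for i in live[len(live) // 2:]:
        d[i] = -1
    return list(zip(c, d))


def simulated_sigma(gx, gy, a, b, pairs):
    """g^{x sum b_i + y sum a_i c_i d_i + sum a_i b_i}, computable from g^x and g^y.
    For a sign query (sum c_i d_i = 0) this equals sigma'; for a forgery it is the
    value w in sigma_*' = g^{xyz} * w, with z = sum c_i d_i."""
    sum_b = sum(b) % Q
    sum_acd = sum(ai * c * d for ai, (c, d) in zip(a, pairs)) % Q
    sum_ab = sum(ai * bi for ai, bi in zip(a, b)) % Q
    return pow(gx, sum_b, P) * pow(gy, sum_acd, P) * pow(G, sum_ab, P) % P


def real_sigma(x, y, a, b, pairs):
    """Reference value g^{sum (x + a_i)(c_i d_i y + b_i)} using the secrets x, y
    (the signer's sk_i = x + a_i and h_i = g^{c_i d_i y + b_i}); used only for checking."""
    e = sum((x + ai) * (c * d * y + bi) for ai, bi, (c, d) in zip(a, b, pairs)) % Q
    return pow(G, e, P)


def extract_cdh(gx, gy, sigma_star, a, b, pairs):
    """Output step: g^{xy} = (sigma_*' / w)^{1/z} when z = sum c_i d_i != 0."""
    z = sum(c * d for c, d in pairs) % Q
    if z == 0:
        return None  # event not E_3: this forgery does not help
    w = simulated_sigma(gx, gy, a, b, pairs)
    return pow(sigma_star * pow(w, -1, P) % P, pow(z, -1, Q), P)
```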
It now remains to bound the probability of success. Define events:
- \(\mathcal {E}_1=\) We do not abort during sign queries.
- \(\mathcal {E}_2= \mathcal {E}_1\) and \(A\) outputs a successful forgery.
- \(\mathcal {E}_3= \mathcal {E}_2\) and \(\sum _{i=1}^{k^*}{c^*_{i}d^*_i} \ne 0\).
Then \(\Pr [{success}] = \Pr [\mathcal {E}_3|\mathcal {E}_2]\cdot \Pr [\mathcal {E}_2|\mathcal {E}_1]\cdot \Pr [\mathcal {E}_1]\).
Claim 1
\(\Pr [\mathcal {E}_1]\ge \left( 1-\frac{\alpha +\gamma -1}{2^\kappa }\right) ^{n\alpha }\)
Proof. Consider the number of entries in the H-list corresponding to a given (message, public-key) pair \((m, pk)\). Each H-query can add at most one entry to the H-list for this pair. Since a sign query can contain at most one instance of the pair \((m, pk)\), each sign query can also add at most one entry to the H-list for this pair. Therefore there can be a maximum of \(\alpha +\gamma -1\) entries in the H-list corresponding to \((m, pk)\). Now select \(r\) uniformly at random and consider the event that an entry beginning with \((m, r, pk)\) exists in the H-list. Since there are \(2^\kappa \) possible ways to select \(r\), we have \(\Pr [\text {no entry in H-list for (m, r, pk)}]\ge 1-\frac{\alpha +\gamma -1}{2^\kappa }\). Now there can be at most \(n\) pairs in a sign query. Therefore, \(\Pr [\text{ we } \text{ do } \text{ not } \text{ abort } \text{ in } \text{ one } \text{ sign } \text{ query }]\ge \left( 1-\frac{\alpha +\gamma -1}{2^\kappa }\right) ^n\), and so, over all sign queries, \(\Pr [\mathcal {E}_1]\ge \left( 1-\frac{\alpha +\gamma -1}{2^\kappa }\right) ^{n\alpha }\). \(\square \)
Claim 2
\(\Pr [\mathcal {E}_2|\mathcal {E}_1]=\epsilon \).
Proof. If we do not abort during sign queries, then the view of the adversary is identical to a real simulation, and it follows that \(\Pr [\mathcal {E}_2|\mathcal {E}_1]=\epsilon \). \(\square \)
Claim 3
\(\Pr [\mathcal {E}_3|\mathcal {E}_2]\ge 1/3\)
Proof. Split H-list entries into two disjoint sets based on how they are generated:
1. \(S_1\): Sign queries on single (message, public-key) pairs. Here \(\Pr [c=0]=1\).
2. \(S_2\): H-queries or sign queries on two or more (message, public-key) pairs. It can be checked that \(\Pr [c=0] \le 1/3\) for such entries.
Let the forgery contain \(k^*\) (message, public-key) pairs. Let \(\{(m^*_i, r^*_i, pk^*_i)\}_{i\in [1..k^*]}\) be the set of tuples corresponding to the forgery. We ensure that an entry for each tuple exists in the H-list (by simulating H-queries ourselves if necessary).
Lemma 1
If the forgery is valid (i.e., \(\ell _A\) is not signable), then at least one of the tuples in the forgery must correspond to an element of \(S_2\).
Proof
If all tuples \(\{(m^*_i, r^*_i, pk^*_i)\}_{i\in [1..k^*]}\) in the forgery correspond to elements from \(S_1\), then \(A\) made sign queries on every pair \((m^*_i, pk^*_i)\), possibly more than once. By definition, \(\ell _A\) is signable. Hence the forgery cannot be valid. \(\square \)
For any signature \(\sigma _\ell \) from the sign queries or the forgery, define \(f(\sigma _\ell )=\sum _{i=1}^{k}{c_{i}d_i}\), obtained from corresponding entries \((m_i, r_i, pk_i, h_i, b_i, c_i, d_i)\) in the H-list. \(A\)’s goal is to maximize \(\Pr [\lnot \mathcal {E}_3|\mathcal {E}_2]=\Pr [f(\sigma _*)=0]\).
Since we did not abort during the sign queries, each tuple \((m^*_i, r^*_i, pk^*_i)\) was used in at most one sign query. Therefore \(A\)’s view of any of the \(c^*_i\)s for tuples from \(S_2\) is independent of any queries. Extending Lemma 1, we can see that if \(\ell _A\) is not signable, then \(A\)’s view of \(f(\sigma _*)\) is independent of all queries. An upper bound for \(\Pr [\lnot \mathcal {E}_3|\mathcal {E}_2]\) then gives us the worst case scenario.
Keeping tuples from \(S_1\) in the forgery is not useful for \(A\), since \(c_i=0\) for such values and so \(f(\sigma _*)\) is independent of them. Therefore, assume that \(A\)’s forgery contains only elements from \(S_2\). Now \(S_2\) can be further divided into: (1) \(S'_2\) consisting of entries due to H-queries and (2) \(S''_2\) consisting of entries due to sign queries. Since for elements of \(S''_2\) the \(d_i\)s are uniformly distributed between \(\pm 1\), while for those of \(S'_2\) the \(d_i\)s are guaranteed to be \(+1\), a symmetric argument shows that including elements from \(S'_2\) is not beneficial to \(A\), since it only biases \(f(\sigma _*)\) towards nonzero. Therefore, assume that \(A\)’s forgery contains only elements from \(S''_2\). A counting argument shows that if all elements are from \(S''_2\), then \(\Pr [f(\sigma _*)=0]\le 2/3\), with the maximum occurring when \(A\) extracts a 2-tuple signature from a 4-tuple signature. Hence \(\Pr [\mathcal {E}_3|\mathcal {E}_2]\ge 1/3\). \(\square \)
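The final counting step can be checked by exhaustive enumeration. This added Python (not from the paper) lists every equally likely \(d\)-vector of a single sign query on \(k\) pairs with all \(c_i=1\) (the Note 2 sampling for even \(k\)) and computes \(\Pr [f(\sigma _*)=0]\) when \(A\) keeps \(m\) of the \(k\) signed entries; scanning even \(k\le 10\) returns the maximum \(2/3\) at \(k=4\), \(m=2\), the 2-from-4 extraction named in the proof.

```python
from fractions import Fraction
from itertools import combinations


def d_arrangements(k):
    """All equally likely d-vectors for a sign query on k pairs with every c_i = 1
    (k even): exactly k/2 entries are +1 and the rest -1, as sampled in Note 2."""
    for plus in combinations(range(k), k // 2):
        yield [1 if i in plus else -1 for i in range(k)]


def prob_f_zero(k, m):
    """Pr[f(sigma_*) = 0] when the adversary keeps m of the k entries of one signed list.
    Which m positions are kept does not matter by symmetry, so take the first m."""
    total = hits = 0
    for d in d_arrangements(k):
        total += 1
        hits += sum(d[:m]) == 0  # f(sigma_*) = sum c_i d_i over the kept entries
    return Fraction(hits, total)


def worst_case(max_k=10):
    """Scan even k and proper sub-tuples 1 <= m < k for the largest Pr[f = 0].
    Returns (probability, k, m); expected (2/3, 4, 2)."""
    best = (Fraction(0), None, None)
    for k in range(2, max_k + 1, 2):
        for m in range(1, k):
            p = prob_f_zero(k, m)
            if p > best[0]:
                best = (p, k, m)
    return best
```

Odd \(m\) always gives probability 0 (an odd number of \(\pm 1\) terms cannot sum to 0), and larger \(k\) dilutes the negative correlation between the \(d_i\) within one query, which is why the bound is attained at the smallest non-trivial case.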
This proves Theorem 1. \(\square \)
Copyright information
© 2014 IFCA/Springer-Verlag Berlin Heidelberg
Cite this paper
Saxena, A., Misra, J., Dhar, A. (2014). Increasing Anonymity in Bitcoin. In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds) Financial Cryptography and Data Security. FC 2014. Lecture Notes in Computer Science(), vol 8438. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44774-1_9
DOI: https://doi.org/10.1007/978-3-662-44774-1_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-44773-4
Online ISBN: 978-3-662-44774-1