Anonymous Digital Signatures and Their Application in Cryptocurrency

Abelian Foundation, published in Abelian, Jun 13, 2019

Insight from our technical advisor Professor Guomin Yang.


A digital signature is a basic cryptographic tool that allows users to electronically sign digital documents. It provides integrity, authenticity and non-repudiation, properties that are crucial for applications such as secure electronic transactions, secure email and digital currencies.

Basic Digital Signature

A basic digital signature scheme, such as the well-known RSA signature scheme or the Digital Signature Algorithm (DSA), is based on public key cryptography. Each user holds a key pair: a public key, referred to as the verification key, and a private key, referred to as the signing key. The private key is kept secret by the signer and is used to produce signatures on documents, whereas the public key is known to everyone and is used to check the validity of those signatures. A secure scheme must ensure that, without knowledge of the private key, it is computationally infeasible for an attacker to forge a signature on a new message that passes verification, even after seeing many valid message-signature pairs produced by the signer (the standard formalization of this is existential unforgeability under chosen-message attack, EUF-CMA). This guarantees that a signed document cannot be altered without detection and must have been produced by the holder of the signing key.

Digital Signature in Cryptocurrency

In modern cryptocurrencies such as Bitcoin and Ethereum, the digital signature is the core cryptographic primitive for authorizing transactions. To transfer a certain amount of coins from an account controlled by a public key (in Bitcoin's UTXO model, from an output locked to that key) to another one, the owner uses the corresponding private key to sign the transaction, which contains the two accounts, the amount and other transaction data. By verifying the signature under the sending account's public key, anyone can check that the transaction was authorized by the account owner. The scheme used by both Bitcoin and Ethereum is the Elliptic Curve Digital Signature Algorithm (ECDSA), a standardized scheme, instantiated over the secp256k1 curve.

Anonymous Digital Signature

Although a basic digital signature ensures the integrity and authenticity of a message (e.g., a transaction), it provides neither signer anonymity nor unlinkability. Verifying a basic signature requires the signer's public key, so the verifier learns which key produced it, and all signatures made under the same key are trivially linked to one another even if the real identity behind the key is unknown. The public key therefore acts as a pseudonym (pseudonymity rather than anonymity).

It is worth noting that, under the assumption that the signed message is known only to certain intended recipients, some popular digital signature schemes (e.g., Schnorr, RSA, PSS) can be modified to achieve signer anonymity and unlinkability against outsiders (Yang-Wong-Deng-Wang, PKC'06). However, that assumption does not hold in applications that require public verification of the signature, cryptocurrency being the obvious example: every node must be able to verify every transaction.

To address signer anonymity and unlinkability while retaining public verifiability, several anonymous digital signature notions have been proposed in the literature. The two that have attracted the most attention are Group Signature and Ring Signature.

· Group Signature

In a Group Signature scheme, introduced by Chaum and van Heyst in EUROCRYPT'91, there exists a group manager who handles group member registration and provides each group member with a group signing key (or a group certificate). Each group member can then sign messages anonymously on behalf of the whole group. Meanwhile, the group manager (or a separate revocation or opening manager) is able to "open" a valid group signature and identify its real signer; anonymity is thus conditional on trusting that manager.

· Ring Signature

The concept of Ring Signature was introduced by Rivest, Shamir and Tauman in ASIACRYPT'01. Like a group signature, a ring signature allows a member to sign anonymously and unlinkably on behalf of a ring (i.e., a set) of users. However, there is no ring manager: any user can form a ring spontaneously by picking other users' public keys, without their cooperation or even their knowledge. Moreover, no one, not even the other ring members, can revoke the anonymity of a ring signature.

Anonymous Digital Signatures in Cryptocurrency

Due to the spontaneity of forming a ring and the freedom in choosing its members, ring signatures have been used in the development of privacy-focused cryptocurrencies. A typical example is Monero, among the most popular privacy-centric cryptocurrencies. Monero is based on CryptoNote, which uses linkable ring signatures to achieve sender anonymity and a stealth address mechanism to achieve receiver anonymity. It is worth noting that an ordinary ring signature is not suitable for a cryptocurrency because of double spending: since no one can identify the real spending account in the ring, the same coin could be spent twice in two different rings without anyone noticing. A linkable or traceable ring signature (Liu-Wei-Wong ACISP'04, Fujisaki-Suzuki PKC'07) resolves this by attaching to each signature a "key image" derived deterministically from the signer's secret key, so that two signatures generated by the same key can be linked even when the two rings are different. Linking reveals only that the two signatures came from the same key, not which ring member holds it; a node simply records every key image it has seen and rejects a transaction that reuses one.
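The two behaviours described above (the basic signature of the earlier section, whose verification pins the signer to one public key, and the linkable ring signature of this section), as an added example that is not code from the original post, from Abelian or from Monero. It implements a Schnorr-style basic signature (chosen over ECDSA only because its verification equation is shorter; the group is secp256k1, the curve behind Bitcoin's ECDSA) and a linkable ring signature in the form of Liu-Wei-Wong's LSAG, using a CryptoNote-style key image I = sk·Hp(pk) so that two spends by the same key link even when the rings differ. All function names, the try-and-increment hash-to-point routine, and the sample messages and rings are this example's own constructions; the arithmetic is affine and not constant-time, so it illustrates the structure only and must not be used with real keys.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve behind Bitcoin's ECDSA); note P = 3 (mod 4)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):                          # affine addition on y^2 = x^3 + 7; None = infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None   # a == -b
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:      lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):                         # double-and-add (not constant-time)
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def H(*parts):                             # SHA-256 over ints (32 B), bytes, points (x||y), mod N
    h = hashlib.sha256()
    for v in parts:
        if v is None: v = b"\x00" * 64
        elif isinstance(v, tuple): v = v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big")
        elif isinstance(v, int): v = v.to_bytes(32, "big")
        h.update(v)
    return int.from_bytes(h.digest(), "big") % N

def hash_to_point(pk):
    """Deterministic try-and-increment hash to a curve point (sqrt via (P+1)/4)."""
    ctr = 0
    while True:
        x = H(b"Hp", pk, ctr)
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs: return (x, y)
        ctr += 1

def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, G)

# Basic signature (Schnorr form): the verifier must be told whose key to check.
def schnorr_sign(sk, pk, msg):
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    return R, (k + H(b"schnorr", R, pk, msg) * sk) % N

def schnorr_verify(pk, msg, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(H(b"schnorr", R, pk, msg), pk))

# LSAG (Liu-Wei-Wong 2004) with CryptoNote-style key image I = sk*Hp(pk): links across rings.
def lsag_sign(ring, idx, sk, msg):
    n, Hp = len(ring), [hash_to_point(p) for p in ring]
    I = ec_mul(sk, Hp[idx])
    s = [secrets.randbelow(N - 1) + 1 for _ in range(n)]      # s[idx] is replaced below
    c = [0] * n
    alpha = secrets.randbelow(N - 1) + 1                       # nonce for the signer's slot
    c[(idx + 1) % n] = H(b"lsag", *ring, I, msg, ec_mul(alpha, G), ec_mul(alpha, Hp[idx]))
    for j in range(1, n):                                      # walk the ring back to idx
        i = (idx + j) % n
        L = ec_add(ec_mul(s[i], G), ec_mul(c[i], ring[i]))
        R = ec_add(ec_mul(s[i], Hp[i]), ec_mul(c[i], I))
        c[(i + 1) % n] = H(b"lsag", *ring, I, msg, L, R)
    s[idx] = (alpha - c[idx] * sk) % N                         # close the ring at idx
    return c[0], s, I

def lsag_verify(ring, msg, sig):
    c0, s, I = sig
    if I is None or (I[1] * I[1] - I[0] ** 3 - 7) % P: return False   # key image on curve?
    c = c0
    for pk, si in zip(ring, s):                                # every slot treated alike
        L = ec_add(ec_mul(si, G), ec_mul(c, pk))
        R = ec_add(ec_mul(si, hash_to_point(pk)), ec_mul(c, I))
        c = H(b"lsag", *ring, I, msg, L, R)
    return len(s) == len(ring) and c == c0

def lsag_linked(sig_a, sig_b):             # same key image => same spending key
    return sig_a[2] == sig_b[2]

def demo():
    (a_sk, a_pk), (b_sk, b_pk), (_, c_pk) = keygen(), keygen(), keygen()
    tx, ring1, ring2 = b"pay 1 coin to <receiver>", [a_pk, b_pk, c_pk], [c_pk, a_pk]  # constructed
    sig = schnorr_sign(a_sk, a_pk, tx)
    basic = (schnorr_verify(a_pk, tx, sig), schnorr_verify(a_pk, tx + b"!", sig),   # valid, tampered,
             schnorr_verify(b_pk, tx, sig))                                         # wrong key
    r1 = lsag_sign(ring1, 0, a_sk, b"tx-1")                    # Alice spends in ring 1
    r2 = lsag_sign(ring2, 1, a_sk, b"tx-2")                    # Alice again, different ring
    r3 = lsag_sign(ring1, 1, b_sk, b"tx-3")                    # Bob spends in ring 1
    ring_ok = (lsag_verify(ring1, b"tx-1", r1), lsag_verify(ring2, b"tx-2", r2))
    return basic, ring_ok, lsag_linked(r1, r2), lsag_linked(r1, r3)
```

`demo()` returns `((True, False, False), (True, True), True, False)`: the Schnorr signature verifies only under the exact message and public key it was made for, which is precisely why every basic signature a user makes is linked to that one key; both ring signatures verify; the verifier loop treats every ring slot identically, so nothing in it singles out the signer; and only the two signatures made with Alice's key share a key image, while Bob's does not. A node would keep the set of key images it has seen and reject a second transaction carrying one already in the set, which is how linkability stops double spending without revealing which ring member spent.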

Post-quantum Anonymous Digital Signature with Optional Accountability for Abelian

In the Abelian project, we aim to develop a new post-quantum anonymous digital signature with optional accountability.

· Quantum Resistance

The (anonymous) digital signature schemes used by all the prominent cryptocurrencies today rest on the hardness of two computational problems: integer factorization and the discrete logarithm problem (in practice, the discrete logarithm problem in elliptic curve groups, as in ECDSA and the ring signatures of CryptoNote). Shor's quantum algorithm solves both problems efficiently, so signature schemes built on them can be broken by a sufficiently large quantum computer. In the Abelian project, one of our goals is to develop a secure and practical quantum-resistant anonymous digital signature based on hard lattice problems, for which no efficient quantum algorithm is known. Combined with a compatible stealth address mechanism, which will also be developed in the project, the system will provide security, anonymity and efficient wallet management for Abelian coin in the post-quantum era.

· Optional Accountability

Although anonymity and untraceability are desirable from the users' perspective, absolute anonymity is not ideal in a digital currency system when privacy is abused by malicious users, e.g., money launderers or ransomware operators. Therefore, in the Abelian project, we aim to develop a post-quantum anonymous digital signature that supports optional accountability. Group signatures also provide a tracing capability, but our approach differs in that no group manager is involved. The system allows a user to produce a signature that is fully anonymous to the public but can be traced by a designated authority (or a combination of several authorities) chosen by the signer. A signer could designate different authorities for different types of transaction. This lets an authority passively monitor the transactions under its supervision while user privacy is maintained against every other party in the system.

You may also be interested in this: Some Thoughts on the Security Strength and Cryptographic Algorithms for Blockchain Platform by our CEO Dr. Duncan Wong.

An Accountable Privacy initiative for the cryptocurrency industry. Read more about Abelian on our blog: medium.com/abelian