A Secure Cryptocurrency Scheme Based On PostQuantum Blockchain

Download as pdf or txt
Download as pdf or txt
You are on page 1of 9

SPECIAL SECTION ON THE INTERNET OF ENERGY: ARCHITECTURES, CYBER SECURITY,

AND APPLICATIONS (PART II)

Received February 11, 2018, accepted March 19, 2018, date of publication April 18, 2018, date of current version June 5, 2018.
Digital Object Identifier 10.1109/ACCESS.2018.2827203

A Secure Cryptocurrency Scheme Based


on Post-Quantum Blockchain
YU-LONG GAO 1 , XIU-BO CHEN1,2 , YU-LING CHEN2 , YING SUN3 ,
XIN-XIN NIU1,2 , AND YI-XIAN YANG1,2
1 State Key Laboratory of Networking and Switching Technology, Information Security Center, Beijing University of Posts and Telecommunications,
Beijing 100876, China
2 Guizhou Provincial Key Laboratory of Public Big Data, Guizhou University, Guiyang 550025, China
3 Beijing Electronic Science and Technology Institute, Beijing 100070, China

Corresponding author: Xiu-Bo Chen ([email protected])


This work was supported in part by the NSFC under Grant 61671087, Grant 61272514, Grant 61170272, and Grant 61003287, in part by
the Major Science and Technology Support Program of Guizhou Province under Grant 20183001, in part by the Fok Ying Tong Education
Foundation under Grant 131067, and in part by the Open Foundation of Guizhou Provincial Key Laboratory of Public Big Data under
Grant 2017BDKFJJ007.

ABSTRACT Nowadays, blockchain has become one of the most cutting-edge technologies, which has been
widely concerned and researched. However, the quantum computing attack seriously threatens the security
of blockchain, and related research is still less. Targeting at this issue, in this paper, we present the definition
of post-quantum blockchain (PQB) and propose a secure cryptocurrency scheme based on PQB, which can
resist quantum computing attacks. First, we propose a signature scheme based on lattice problem. We use
lattice basis delegation algorithm to generate secret keys with selecting a random value, and sign message
by preimage sampling algorithm. In addition, we design the first-signature and last-signature in our scheme,
which are defined as double-signature. It is used to reduce the correlation between the message and the
signature. Second, by combining the proposed signature scheme with blockchain, we construct the PQB and
propose this cryptocurrency scheme. Its security can be reduced to the lattice short integer solution (SIS)
problem. At last, through our analysis, the proposed cryptocurrency scheme is able to resist the quantum
computing attack and its signature satisfies correctness and one-more unforgeability under the lattice SIS
assumption. Furthermore, compared with previous signature schemes, the sizes of signature and secret keys
are relatively shorter than that of others, which can decrease the computational complexity. These make our
cryptocurrency scheme more secure and efficient.

INDEX TERMS Blockchain, post-quantum, lattice, cryptocurrency, security.

I. INTRODUCTION Furthermore, each block references the hash of the previous


With the in-depth study of computer network technology block. This establishes a link between these blocks, thus,
and cryptography, more and more research results have been it creates a blockchain. Then, by combining peer-to-peer
applied in our daily life, such as mobile cloud comput- network, cryptographic algorithm, distributed data storage
ing [1], [2], dynamic searchable symmetric encryption [3], and a decentralized consensus mechanism, blockchain tech-
secure multiparty computation [4], [5], especially online nology provides a way for people that record in a secure
transaction. Online transaction has to rely on financial institu- and verifiable manner, and it can prevent double spending
tions serving as trusted third parties mostly, but it may cause effectively [7]–[10].
leakage of personal privacy and security threats. Nakamoto In particular, blockchain 2.0 has been presented which
designed a peer-to-peer electronic cash system and described includes hyperledger and smart contract technology,
the blockchain for the first time [6]. Using a public ledger, complex contracts are created and enforced automati-
Bitcoin is transacted as cryptocurrency in this decentralized cally [11], [12]. In addition, blockchain integrates the
system. In the Bitcoin, blockchain establishes a decentralized cryptographic algorithm, the hash algorithm and distributed
consensus about the order of transactions among a large network technology together [13]. It feels more like a
number of members who need not to know or trust anyone. distributed super-ledger system that relies on maintenance

2169-3536
2018 IEEE. Translations and content mining are permitted for academic research only.
VOLUME 6, 2018 Personal use is also permitted, but republication/redistribution requires IEEE permission. 27205
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Y.-L. Gao et al.: Secure Cryptocurrency Scheme Based on PQB

of all users, transactions can not be forged and altered had been proposed [23]. Agrawal et al. [24] presented a
intuitively. technique for delegating a short lattice basis. The algorithm
Besides, the public-key cryptography plays a very funda- can keep the lattice dimension unchanged which can improve
mental role in the security of blockchain. Currently, Elliptic the efficiency of the lattice-based cryptographic scheme.
Curves Cryptography (ECC) is used in blockchain. Its secu- Zhang and Sang [25] and Zhang and Ma [26] proposed proxy
rity is based on the intractability of elliptic curve discrete blind signature schemes from lattice basis delegation. In order
logarithm problem. The main functions of the public-key to satisfy the strong unforgeability, Zhang et al used proxy key
cryptography are as follows. and private key to sign the message respectively. Gu et al. [27]
(1) Using private key to generate the signature of message, presented a signature scheme provably secure in the random
and the signer can not deny it. oracle model. Yan et al. [28] presented an identity-based
(2) Preventing transaction message from being maliciously signcryption from lattices.
forged. Inspired by the researches and analyses above, we con-
(3) Public key is used to participate in address exchange as sider that lattice-based cryptography becomes a hot research
the receiving address of cryptocurrency. topic of post-quantum cryptography now and we can use it
(4) Private key is used to protect and manage to enhance the security of blockchain. By combining post-
cryptocurrency. quantum cryptography with blockchain together, we provide
At present, classical cryptographic algorithm is still used a more secure and efficient cryptocurrency scheme. The main
in blockchain technology. The security of classical crypto- contributions of this paper are summarized as follows.
graphic algorithm mainly depends on intractability of ellip- (1) We propose a new signature scheme based on lat-
tic curve discrete logarithm problem or integer factorization tice. We use lattice basis delegation algorithm to gener-
problem. However, with the research on quantum computing, ate secret keys with selecting a random value, and use
quantum computer can have powerful parallel computing preimage sampling algorithm to sign message. In addition,
ability which becomes a great threat to classic cryptographic we design the first-signature and last-signature in our scheme
algorithm. Shor proposed quantum algorithms for finding which are defined as double-signature. It can reduce the
discrete logarithms and factoring integers on a quantum com- correlation between the message and signature. Besides,
puter which can break the RSA, DSA and ECDSA algo- the security of the signature scheme depends on the lattice
rithms [14]. Both U.S. National Security Agency (NSA) SIS problem.
and National Institute of Standards and Technology (NIST) (2) We present the definition of PQB for the first time.
pointed out that the necessity for transition to quantum- In particular, by combining the proposed signature scheme
resistant schemes is increasing. In 2015, NSA issued a based with blockchain, we construct the PQB and provide a
statement that NSA decided to adopt the post-quantum cryp- secure cryptocurrency scheme that can resist quantum com-
tography instead of suite B algorithm because of potential puting attacks.
threats of quantum computer. NSA also planned to transition (3) Through our analysis, the signature of the cryptocur-
from ECC to post-quantum cryptography. In addition, NIST rency scheme satisfies the correctness and can resist quantum
announced its plan for a public call for post-quantum schemes computing attacks. Under the standard hardness assumption
to construct new public-key cryptography standards [15]. of the SIS, this scheme is proven to be one-more unforgeable
We consider that traditional classical cryptography will in the standard model. In addition, the size of our scheme’s
be cracked, including the ECC algorithm, and there are few signature is shorter than its counterpart in other schemes,
relevant researches on the security of blockchain. Therefore, which can decrease the computational complexity of our
targeting at this issue, we design a post-quantum blockchain proposed cryptocurrency scheme.
and apply it to cryptocurrency scheme. The remainder of this paper is organized as follows.
In order to resist the quantum computing attack, people In Section II, we mainly introduce the transaction in
proposed post-quantum cryptography. In particular, lattice- the blockchain, the lattice problems and some lemmas.
based cryptography is widely believed to be able to resist In Section III, we present the definition of the post-quantum
quantum computing attacks [16]. Ajtai [17] and [18] pro- blockchain and propose our signature scheme. By using the
posed a stochastic and short lattice construction algorithm PQB based on lattice, we also provide a new cryptocurrency
that can be proved to be secure. In 2008, Gentry et al. [19] scheme. In Section IV, we analyze our proposed cryptocur-
proposed new cryptographic constructions include trapdoor rency scheme from correctness, one-more unforgeability,
functions with preimage sampling. In 2010, Rückert [20] security and efficiency. Some concluding remarks are given
designed the Lattice-based Blind Signature Scheme (LBSS) in Section V.
which is the first lattice-based blind signature scheme which
uses the trapped trapdoor one-way function. Additionally,
he also proposed the Lattice-based Identity-based Signature II. PRELIMINARIES
Scheme (LIBSS) [21]. In 2010, Cash et al. [22] proposed Before we introduce our signature scheme, we should give
a new cryptographic definition which is called bonsai tree descriptions of the transaction in blockchain, lattice-based
based on hard lattice. And other proxy signature scheme cryptography and some lemmas.

27206 VOLUME 6, 2018


Y.-L. Gao et al.: Secure Cryptocurrency Scheme Based on PQB

A. TRANSACTION IN BLOCKCHAIN Based on the hardness of SIS problem, for√any polynomial-


Unspent Transaction Output (UTXO) is used to prevent dou- bounded m, v and any prime q ≥ v · ω n log n, solving
ble spending. Every transaction consists of transaction inputs SIS on the average is as hard as approximating the shortest
and transaction outputs, and these transactions constitute a independent vector problem (SIVP) in the worst case.
chain structure. Transaction inputs have to be unspent trans- Definition 3 ([30] Smoothing Parameter): For an
action outputs, that is to say, outputs of previous transactions m-dimensional lattice 3, and positive real ε > 0. Its
that have not yet been spent. All legitimate transactions can smoothing parameter ηε (3) is the smallest s such that
be traced back to the output of one or more transactions. ρ1/s (3∗ \ {0}) ≤ ε.
The beginning is the reward of mining and the end of the
transaction is unspent transaction output. C. TRAPDOOR AND LEMMAS
Lemma 1 [19]: For a lattice L with dimensional m and rank n,
c ∈ Rm , positive real ε < exp(−4π ) and s ≥ ηε (L), for
random x ∈ L such that DL,s,c (x) ≤ 1+ε −n
1−ε 2 .
Lemma 2 [30]: For any lattice L with dimensional m and
rank n, c ∈ span(L), a real ε ∈ (0, 1), s ≥ ηε (L), we have

√  1 + ε −n
kx − ck > s m ≤ 2 .

Pr (4)
x←DL,s,c 1−ε

Gentry et al. proposed an algorithm SampleD that samples


FIGURE 1. Transaction in Bitcoin based on blockchain. from a discrete Gaussian over any lattice. SampleD takes
A Bitcoin is defined as a chain of digital signatures [6], and some n-dimensional basis A ∈ Zn×m of rank m, Gaussian
each block contains a reference to a previous block. As shown parameter s that is related to the length kAk of the basis,
in Fig. 1, by signing the hash of transaction 1 and Owner 2’s a center c ∈ Rn , and efficiently outputs a sample from
public key, Owner 1 transfers the coin to the Owner 2. Other (a distribution close to) DL(A),s,c .
miners can verify the signature of transaction 2. Owner 2 has Lemma 3√ [19]: For any lattice basis A ∈ Zm×n , any real
the ownership of the Bitcoin. When the Owner 2 wants to s ≥ kAk ω( log n) and any c ∈ Rm , the output distribution
spend this coin, he can use his private key to generate the of SampleD(A, s, c) is within negligible statistical distance of
transaction 3 in this way above. DL(A),s,c .
Lemma 4 [19]: Let q > 2, a matrix A ∈ Zn×m q and B is a
B. LATTICES AND HARD PROBLEMS basis of 3q (A), and Gaussian parameter s ≥ ||B̃||ω(logm).

We use R, Z to denote the set of all reals and the set of Then any vector y ∈ Znq , algorithm SamplePre(A, B, y, s)
positive integers, respectively. Let Rm be the m-dimensional outputs a vector e ∈ Zqm from a distribution that is statistically
Euclidean vector space with its usual topology. In the fol- close to D3⊥q (A),s (x).
lowing content, m ∈ Z, n ∈ Z, m ≥ n. L and 3 denote Lemma 5 [19]: For any prime q = poly(n) and any m ≥
lattice, the orthogonal lattice corresponding to 3 is repre- 5n lg q, there is a probabilistic polynomial-time algorithm
sented by 3⊥ , vector x = (x1 , x2 , · · · , xn−1 , xn )T in the TrapGen(1n ) that outputs a matrix A ∈ Zn×m q and a full-
space
q Rm , and its Euclidean norm is denoted by kxk = rank set S ⊂ 3⊥ (A, q). The distribution of A is statistically
x1 + x22 + · · · xn−1
2 2 + xn2 . close to uniform over Zn×m q and the length kSk ≤ L =
Definition 1 (Lattice [29]): Given n-linearly independent m1+ε ∧ ε > 0.
vectors v1 , v2 , · · · , vn ∈ Rm , lattice L generated by them is Lemma 6 [24]: Given a matrix A ∈ Zn×m q and an m-
the set of vectors dimensional lattice 3⊥ q (A), then input a basis T of the
lattice 3q (A) which has nonsingular matrix R = T−1 and

( n )
X
L(v1 , v2 , · · · , vn ) = ai vi |ai ∈ Z, i = 1, · · · , n (1) R ∈
Zm×m , input a Gaussian parameter s ≥
T̃ m ω(lgd+1 (m)), BasisDel(A, R, T, s) can output a
i=1 d
V = [v1 , v2 , · · · , vn ] is known as a basis of the lattice L.
B √of 3 (AR ) with overwhelming probability
⊥ −1
basis
The same lattice can be represented by different lattice bases.

B̃ ≤ s m.

Given a prime number q,a matrix A ∈ Zn×m q , define:
n o
3q (A) = y ∈ Zm y = AT x mod q, x ∈ Zn , (2) III. CRYPTOCURRENCY SCHEME BASED ON PQB

We firstly present the definition of post-quantum blockchain.
3⊥q (A) = y ∈ Z |Ay = 0 mod q .
m

(3)
Then we introduce our proposed signature scheme based
Definition 2 (Lattice SIS Problem): Given an integer q, on lattice. Finally, we provide a secure cryptocurrency
a matrix A ∈ Zn×m
q , and a real constant v > 0, find a nonzero scheme based on PQB that can resist quantum computing
vector x ∈ Zm such that Ax ≡ 0 mod q and kxk ≤ v. attacks.

VOLUME 6, 2018 27207


Y.-L. Gao et al.: Secure Cryptocurrency Scheme Based on PQB

A. FORMAL DEFINITION AND SECURITY MODEL Besides, post-quantum cryptography includes Hash
Definition 4: The signature scheme in this paper consists function-based cryptography, Lattice-based cryptography,
of four algorithms as follows: Code-based cryptography, Multivariate cryptography and
Setup(n): Input a security parameter n, the Setupalgorithm other post-quantum cryptography algorithms. By using these
outputs the master secret key MK and public parameters PP. algorithms, PQB can resist the quantum computing attack and
KeyGen(PP, MK, ms): Input the public parameters PP, guarantee the security of secret keys.
the master secret key MK and an identity ms, the Key- Definition 7: The security model of PQB scheme is
Genalgorithm outputs a signing key skcorresponding described by the following content.
with ms. Step1: Setup(n) User A inputs a security parameter n,
Sign(PP, msg, sk, ms): Input the public parameters PP, the Setupalgorithm outputs the master secret key MK and
a message msg and a signing key skof the user with iden- public parameters PP.
tity ms, the Signalgorithm outputs a signature e. Step2: KeyGen(PP, MK, ms) A inputs the public parame-
Verify(PP, msg, e, ms): Input the public parameters PP, ters PP, the master secret key MK and an identity ms, the Key-
a signature e, a message msgand an identity ms, the Ver- Genalgorithm outputs public key and private key (pka , ska ),
ifyalgorithm outputs 1 if the signature e is valid and and pka has been used to receive the cryptocurrency by Alice
0 otherwise. in transaction tx1. User B generates his own public key and
Definition 5: The security model of our scheme which is private key (pkb , skb ) by the above step.
existentially unforgeable against chosen message is described Step3: B transmits his public key pkb to A.
by the following game. Step4: A uses pkb and tx1 to generate message M , then A
Setup. The challenger C runs the algorithm Setup(n) to publishes the public parameters PP.
generate public parameters PPand MK, and sends PP to the Step5: Sign(PP, ska , M ) A inputs the public parameters PP,
adversary A. message M and a signing key ska , the Signalgorithm outputs
Private key query. Adversary A issues a query on identity a signature e.
ms, the challenger C runs the algorithm KeyGen(PP, MK, ms) Step6: A uses the signature e and pkb to generate transac-
and returns a signing key skto adversary A. tiontx2 and transmits it in the P2P network.
Sign query. Adversary A issues a query on message Step7: Verify(PP, pka , M , e) Miners verify the correctness
msgand identity ms, the challenger C runs the algo- of the signature e and whether transaction tx2 satisfies UTXO.
rithm Sign(PP, msg, sk, ms) and returns a signature e to If the above conditions are satisfied, the transaction tx2 is
adversary A. included in a new block.
Forgery. The adversary A outputs a signature e of message On one hand, it is necessary to ensure the security of sign-
msg, A wins the game if: ing key. On the other hand, the signatures are linkable so that
(i) Verify(PP, e, msg, ms) = 1. each transaction can be traced for preventing double spend-
(ii) (e, msg, ms) has never been submitted to sign query. ing. Therefore, in the PQB, if there is a quantum algorithm
which can return a signing key ska to adversary A. and A can
use it to generate a legal signature. Or if user A has issued a
B. POST-QUANTUM BLOCKCHAIN transaction tx2 by signing the hash of transaction tx1. Then,
This paper is concerned with the study on the security of A can issue a new transaction tx20 by signing the hash of
blockchain. As described in Section I, Quantum comput- transaction tx1 again without being discovered. We consider
ing attack seriously threatens the security of blockchain, this PQB scheme is not secure.
and related research is still less. Therefore, in this paper,
we use post-quantum cryptography to enhance the security of
blockchain. At first, we give the definition of post-quantum C. SIGNATURE SCHEME BASED ON LATTICE
blockchain. In this section, we will describe our signature scheme based
Definition 6 (PQB): PQB is a secure blockchain tech- on lattice. We use R, Z, Z+ to denote the set of all reals, the set
nology which combines post-quantum cryptography and of integers and the set of positive integer respectively. The
blockchain technology together. This means that PQB not security parameter is a positive integer n, q is a prime and
only has the advantages of blockchain but also can resist q ≥ 2, m ≥ 5n lg q, and H : {0, 1}∗ → Zqm×m is a collision-
attacks by quantum computer effectively. We think PQB resistant hash function. The scheme is described as follows.
should satisfy these following four conditions. Setup(1n ): Sender selects a security parameter n.
(1) PQB is a combination of post-quantum cryptography (1) According to lemma 5, sender uses TrapGen(1n ) to
and blockchain technology; generate a uniformly random matrix A0 ∈ Zn×m q with a
(2) PQB is able to resist known classical attack methods; corresponding short basis S0 ∈ 3⊥ (A0 , q). S0 ∈ Zm×m q is
(3) PQB is able to resist the known quantum algorithm sender’s master key MK = S0 .
attacks, such as Shor algorithm, Grover algorithm; (2) The hash function that takes as input the message msg,
(4) Signature scheme in PQB has the linkable or traceable outputs M = H (msg) and M ∈ {0, 1}d , d is the length of
property. message M . Sender selects random and independent vectors

27208 VOLUME 6, 2018


Y.-L. Gao et al.: Secure Cryptocurrency Scheme Based on PQB

C1 , C2 , · · · , Cd ∈ Znq . Sender obtains the public parameter D. SECURE CRYPTOCURRENCY SCHEME BASED
PP = hA0 , C1 , C2 , · · · , Cd i. ON POST-QUANTUM BLOCKCHAIN
KeyGen(PP,ms,MK): Sender selects a random message ms The proposed lattice-based signature scheme was introduced
and inputs master key MK, public parameter PP and Gaussian in Section III-C. According to the definition of PQB we
parameter s. presented in Section III-B, by combining the proposed sig-
Using basis delegation technique in lemma 6, sender runs nature scheme with blockchain together, we provide a secure
BasisDel(A0 , H(ms), S0 , s) to output sender’s private key cryptocurrency scheme and use it to complete a transaction
Sms for signing the message. In addition, Sms is a basis of between Alice and Bob.
3⊥ (A0 H(ms)−1 ), and the public key which correspond with We suppose that Alice and Bob trade through cryptocur-
private key is A1 = A0 H(ms)−1 . rency scheme based on PQB, and Alice transfers her cryp-
Sign(PP, Sms , M ) : The sender does as follows. tocurrency to Bob. We use R, Z to denote the set of all reals
(1) Uniform random select t ∈ D = t ∈ R ktk−1 ≤ s ,

and the set of integers, n denotes the security parameter and
then do u ← SampleD(A1 , s). n ∈ Z+ . q is a prime and q ≥ 2, m ≥ 5n lg q. H : {0, 1}∗ →
d
(2) Compute µ = t
P
(−1)M [i] Ci +A1 u and output µ. Zqm×m is a collision-resistant hash function.
i=1 Step1: Setup(1n ) Alice selects a security parameter n to
(3) According to lemma 4, sender uses algorithm run TrapGen(1n ). According to the lemma 5, Alice gener-
SamplePre(A1 , Sms , µ, s) to obtain the first-signature ates a matrix A0 ∈ Zn×m q and corresponding short basis
e0 ∈ Zm q. S0 ∈ 3⊥ (A0 , q), which S0 ∈ Zqm×m is Alice’s master key

(4) Verify e0 ≤ s m and e0 6 = 0. From lemma 2 and MK = S0 .
lemma 4, we know it is satisfied with overwhelming proba- Step2: K eyGen(PP, ms, MK ) Alice selects a random value
bility. If it is not satisfied, sender returns back and selects t ms, then she can use lattice basis delegation algorithm
again. BasisDel(A0 , H(ms), S0 , s) to output her public key pka and
(5) Compute e = t −1 (e0 − u), and e is the last-signature of private key ska , and pka has been used to receive the cryp-
message me. tocurrency by Alice in transaction tx1. Bob generates his own
Verify(PP, A1 , msg, e) : Every users can verify the correct- public key and private key (pkb , skb ) by the above steps. Then,
ness of (msg, e) as follows. √ Alice transfers her cryptocurrency to Bob with transaction
(1) Verify e 6 = 0 and kek ≤ 2s2 m. tx2 as the follows.
d
(2) Verify A1 e =
P
(−1)M [i] Ci . Step3: Bob transmits his public key pkb to Alice.
i=1 Step4: Alice computes M = H (tx1, pkb ), the message
(3) Verify M = H (msg). M ∈ {0, 1}d , d is the length of M. Alice selects random
If the above equations are satisfied, it means that the sig- and independent vectors C1 , C2 , · · · , Cd ∈ Znq , then Alice
nature is the generated by the sender, otherwise this output is publishes the public parameter PP = hA0 , C1 , C2 , · · · , Cd i.
rejected. Step5: Sign(PP, ska , M ) Alice signs message M as follows.
Our lattice-based signature scheme is introduced in (1) Select a random t ∈ D = {t ∈ R |ktk ≥ 1/s }, and use
Section III-C. We use and modify the model of identity-based sampling algorithm SampleD(pka , s) to generate a vector u.
signature scheme. In our scheme, there is no the third party d
(2) Compute µ = t (−1)M [i] Ci +pka u.
P
and users generate their secret keys with selecting a random
value. By using this key generation method in the blockchain, i=1
(3) Use algorithm SamplePre(pka , ska , µ, s) to output the
four advantages are summarized below: first-signature e0 ∈ Zm .
q√
(1) Generating the user’s public key and private key based
(4) Verify e0 ≤ s m and e0 6 = 0. According to lemma 2
on the random value increases the security of the private key.
and lemma 4, we know it is satisfied with overwhelming
(2) It is hard for adversary Eve to forge a valid signature
probability. If it is not satisfied, Alice selects t again.
which will be analyzed in Section IV-B.
(5) Compute the last-signature e = t −1 (e0 − u).
(3) Users are anonymous in the blockchain, our scheme
Step6: Alice uses the signature (e, M ) and pkb to generate
does not use identity information which can weaken the role
transactiontx2 and transmits it in the whole P2P network.
of identity information in the signature scheme and protect
Step7: Verify(PP, pka , M , e) Miners in the P2P network get
users’ privacy.
this transactiontx2 and then verify the signature in it as the
(4) The users can obtain a large number of keys for trans-
follows.
actions which is practical in application.
Miners verify
In addition, we also design the first-signature e0 and last-

signature e in our scheme, and we define them as double- kek ≤ 2s2 m ∧ e 6 = 0, (5)
signature. The first-signature is generated by the forward
sampling algorithm. Then users perform to signature recov- and
ery operation get the last-signature e = t −1 (e0 −u). This fuzzy d
X
processing can reduce the correlation between message and pka e = (−1)M [i] Ci , (6)
corresponding signature. i=1

VOLUME 6, 2018 27209


Y.-L. Gao et al.: Secure Cryptocurrency Scheme Based on PQB

If these above equations (5) and (6) are satisfied, and A1 e = t −1 (µ − A1 u). So
M = H (tx1, pkb ). It is shown that this signature is generated
A1 e = A1 (t −1 (e0 − u)) = t −1 (µ − A1 u)
by Alice, otherwise the output is rejected. Miners verify
d
whether transaction tx2 satisfies UTXO, then they include X
= t −1 (t (−1)M [i] Ci + A1 u) − t −1 A1 u
transaction tx2 in a new block. Through the blockchain con-
i=1
sensus mechanism, miners compete for the right to add this d
block to chain. X
= (−1)M [i] Ci . (8)
Step8: By using consensus mechanism, miners can com-
i=1
municate among themselves and agree on a common set
of validated transactions to be added to the ledger. The Through the analysis of the above equations (7) and (8),
miner who gets the right to produce new block will be it is proved that the proposed cryptocurrency scheme satisfies
compensated. the correctness and the signer can not deny his signature.
Step9: When five blocks are added to the chain after this
block, transactiontx2 will be confirmed. Then, Bob can get B. ONE-MORE UNFORGEABILITY
the cryptocurrency and spend it by using corresponding pri- Juels et al. [31] and Pointcheval and Stern [32] analyzed
vate key skb as the above steps. the security of the signature scheme, and it needs to satisfy
one-more unforgeability. If an adversary Eve exchanges the
messages with an honest signer l times and gets l signatures,
IV. ANALYSIS
the probability of Eve forges a new l + 1 message’s valid sig-
As we described in Section I, public-key cryptography plays
nature is negligible, it means this signature scheme satisfies
a very fundamental role in the security of blockchain which
one-more unforgeability.
is used for information encryption and identity authentica-
Theorem 2: The proposed signature scheme is existentially
tion. In addition, the public key is used as the receiving
unforgeable against adaptive chosen message, assuming the
address of the cryptocurrency and private key is used to
hardness of lattice SIS problem.
manage and spend cryptocurrency. We consider that rela-
Proof: Assume Eve is a polynomial-time adversary who
tionship between public-key cryptography and the secu-
can break our signature scheme and successfully forge a legit-
rity of blockchain is very close. Specifically, public-key
imate signature, the probability of success is ε. We construct a
cryptography is of great significance to the security of
polynomial-time algorithm T who can use the adversary Eve
blockchain.
as a subroutine to solve the lattice SIS problem with non-
According to the definition of PQB in Section III-B,
negligible probability. Algorithm T does so by interacting
we use this signature scheme based on lattice as the
with the adversary Eve as follows.
public-key cryptography in PQB. The security of PQB
Setup. Algorithm T does as follows.
is mostly equivalent to the security of our signature (1) Select a random matrix B ∈ Zn×m and corresponding
q
scheme, and so is our cryptocurrency scheme. Therefore,
short basis T0 ∈ 3 (B).

in Section IV, we analyze the cryptocurrency scheme in
(2) Select a matrix R1 ∼ Dm×m , then run algorithm
detail from correctness, one-more unforgeability, security and
efficiency.
BasisDel(B,
  R1 , T0 , s) to put out a lattice basis S0 of
3⊥ BR−1 1 .
By using SampleD(B, s), Algorithm T selects d random
A. CORRECTNESS vectors E1 , E2 , · · · , Ed ∈ Zm q and these vectors BEi dis-
Theorem 1: Our cryptocurrency scheme satisfies tribution of SampleD(B, s, c) is within negligible statistical
correctness. distance of DL(B),s,c .
Proof: The signature verification process is divided into (3) Select qe − 1 nonsingular matrices R2 , R3 , · · · ,
two steps, and the correctness of an honest signature informa- Rqe ∼ Dm×m . Let Ci = BEi , A0 = BR−1 1 , the public
tion is verified as follows. parameter PP = hA0 , C1 , C2 , · · · , Cd i, master key
The last-signature
−1 e = t −1 (e0 − u) and kek = is MK.
t (e0 − u) . According to lemma 3 and lemma 4, we have
√ √ Private key queries. Selecting many random messages
kuk ≤ s m and e0 ≤ s m. And ktk−1 ≤ s, so we have msx , x = 1, 2, · · · , qe , algorithm T computes H (msx ) =
x and runs BasisDel(A0 , H (msx ) , S0 , s) to generate cor-
R−1
√ responding private key Sx , and sends (A0 H(msx )−1 , Sx )
kek ≤ ktk−1 e0 + kuk ≤ 2s2 m.

(7) to Eve.
Signature queries. Algorithm T selects the transactions of
A0 H(msx )−1 , and gets µM of message M . Eve issues such a
For A1 (t −1 (e0 − u)) = t −1 (A1 e0 − A1 u), according to the query on (µM , A0 H(msx )−1 , Si ), runs algorithm SamplePre
lemma 4, the output e0 ← SamplePre(A1 , Sms , µ, s) satisfies
x ) √ , Si , µM , s).
−1
to obtain e0 M ← SamplePre(A 00H(ms
d
A1 e0 = µ. Thus we have µ = t
P
(−1)M [i] Ci +A1 u and Then algorithm T verifies e M ≤ s m. If it is satisfied,
i=1 algorithm T holds the tuple (msx , µM , e0 M ) and outputs the

27210 VOLUME 6, 2018


Y.-L. Gao et al.: Secure Cryptocurrency Scheme Based on PQB

first-signature e0 M to adversary Eve. By recovery operation, NP-hard means there is no efficient polynomial-time algo-
Eve gets the last-signature (A0 H(msx )−1 , M , eM ). rithm to crack the problem. In particular, Lattice-based cryp-
Forgery. We suppose after a finite number of private key tography is generally considered to have the advantage of
extraction queries and signature queries, adversary Eve can resisting quantum computing attacks, and it can deal with the
forge a signature (A0 H(msx )−1 , M , eM ). It can be reduced to threat of quantum computer in the future. By using the theory
find a solution of the SIS problem, Adversary Eve succeeded of random lattice and the corresponding lattice basis, Gentry
in forging valid signature with the probability of ε. et al. presented new cryptographic constructions. He pro-
According to our signature scheme, we know that the valid posed a forward sampling trapdoor algorithm based on lattice
signature should satisfy the following equations SIS problem. And it has been proven to be able to resist
√ quantum computing attacks
keM k ≤ 2s2 m ∧ eM 6 = 0 (9)
On one hand, in our proposed cryptocurrency scheme,
and we use short lattice delegation algorithm to generate user’s
d secret keys. Then we sign the message by the preimage
X
A0 H(msx )−1 eM = (−1)M [i] Ci . (10) sampling algorithm with trapdoor, which is based on lattice
i=1 problem SISs√m . Additionally, the lattice SIS problem in
average-case can be reduced to the SIVP in the worst-case,
Because A0 H(msx )−1 = BR−1
x Rx = B and Ci = BEi , and the lattice problem which is used in our scheme is able to
so we have resist quantum computing attacks. Therefore, it is shown that
d
X our cryptocurrency scheme based on PQB can resist quantum
BeM = B (−1)M [i] Ei , (11) computing attacks.
i=1 On the other hand, as shown in step 7 and step 9 of our
d
X cryptocurrency scheme, the signatures are used to establish a
B(eM − (−1)M [i] Ei ) = 0modq. (12) link between these transactions. In this way, signatures are
i=1 linkable so that every transaction can be traced, so double
So we can have spending can be prevented in our cryptocurrency scheme.
d
d
X X
eM − (−1)M [i] Ei ≤ keM k + (−1)M [i] Ei D. EFFICIENCY


i=1

i=1
The efficiency of signature scheme mainly depends on the

≤ 3s2 m. (13) sizes of public key, signing key and signature. In the following
content, n ∈ Z+ , q is a prime number and q ≥ 2, n, m,
Because this solution
√ is a non-zero solution to SIS prob- d denote security parameter, dimensional of lattice and the
lem with (q, m, 3s2 m, B), by the preimage min-entropy length of message, respectively.
property, this non-zero solution with probability no less than
1 − 2−ω(lg m) . Adversary Eve succeeded in forging a valid TABLE 1. Comparison of lattice-based signature scheme.
signature with the probability of ε, and pro(i = 1) = q−1 e .
So the non-zero solution to this SISq,m,3s2 √m,B problem with
negligible probability 1 − 2−ω(lg m) q−1e ε.


On the other hand, in our proposed scheme, sender inputs


a random value ms, master key MK, public parameter PP,
Gaussian parameter s and uses basis delegation technique in
lemma 6 to generate his secret keys. Because the ms is a
random value and users can generate new secret keys easily
for every transaction, just like one-time padding. In private
key queries, only if adversary Eve obtains this value ms, can
he forge a signature with the probability of ε.
Through the above analyses, adversary Eve forges a valid
signature of message with negligible probability, and this The proposed signature scheme underlying the cryptocur-
scheme satisfies one-more unforgeability under the lattice rency scheme mainly adopts simple linear operations such as
SIS assumption. This completes the proof. modular multiplication and modular addition, its computation
efficiency is higher obviously. We provide the comparison of
C. SECURITY several lattice-based signature schemes in Table 1. As shown
Through the researches on the lattice problems, many in Table 1, the sizes of public key, signing key and signature in
achievements have been obtained. The security of lattice- our scheme are shorter than that in [23] and [25]. The signa-
based cryptography depends on intractability of lattice prob- ture size in our scheme is shorter than that in [26]. Compared
lem, and many researchers have proven that some lattice with [27], our signature scheme has the advantage of provably
problems are non-deterministic polynomial-hard (NP-hard). security in the standard model. In summary, the proposed

VOLUME 6, 2018 27211


Y.-L. Gao et al.: Secure Cryptocurrency Scheme Based on PQB

signature scheme has relatively shorter signature and secret [12] K. Christidis and M. Devetsikiotis, ‘‘Blockchains and smart contracts for
keys, which can decrease computational complexity of our the Internet of Things,’’ IEEE Access, vol. 4, pp. 2292–2303, 2016.
[13] I. Eyal, ‘‘Blockchain technology: Transforming libertarian cryptocurrency
proposed cryptocurrency scheme. Besides, it has the advan- dreams to finance and banking realities,’’ Computer, vol. 50, no. 9,
tage of provably security in the standard model. Therefore, pp. 38–49, 2017.
our cryptocurrency scheme is more secure and efficient. [14] P. W. Shor, ‘‘Algorithms for quantum computation: Discrete logarithms and
factoring,’’ in Proc. IEEE 35th Annu. Symp. Found. Comput. Sci., Santa Fe,
NM, USA, Nov. 1994, pp. 124–134.
V. CONCLUSIONS [15] C. Cheng, R. Lu, A. Petzoldt, and T. Takagi, ‘‘Securing the Internet
We should actively deal with the threat of powerful parallel of Things in a quantum world,’’ IEEE Commun. Mag., vol. 55, no. 2,
pp. 116–120, Feb. 2017.
computing power that quantum computer has in the future. [16] K. Lauter, ‘‘Postquantum opportunities: Lattices, homomorphic encryp-
In section III, we present the definition of the post-quantum tion, and supersingular isogeny graphs,’’ IEEE Security Privacy, vol. 15,
blockchain and introduce the proposed signature scheme no. 4, pp. 22–27, Aug. 2017.
[17] M. Ajtai, ‘‘Generating hard instances of lattice problems,’’ in Proc. 28th
based on lattice. Finally, we provide a secure cryptocurrency Annu. ACM Symp. Theory Comput., Philadelphia, PA, USA, May 1996,
scheme. In section IV, we analyze this proposed cryptocur- pp. 99–108.
rency scheme. Its signature satisfies the correctness, one- [18] M. Ajtai, ‘‘Generating hard instances of the short basis problem,’’ in
International Colloquium on Automata, Languages, and Programming.
more unforgeability under the SIS assumption. Moreover, Berlin, Germany: Springer, Jul. 1999, pp. 1–9.
the sizes of signature and secret keys are shorter so that it [19] C. Gentry, C. Peikert, and V. Vaikuntanathan, ‘‘Trapdoors for hard lattices
can decrease computational complexity of the proposed cryp- and new cryptographic constructions,’’ in Proc. 14th Annu. ACM Symp.
Theory Comput., Victoria, BC, Canada, May 2008, pp. 197–206.
tocurrency scheme. In addition, the security of our scheme [20] M. Rückert, ‘‘Lattice-based blind signatures,’’ in Proc. Int. Conf. Theory
depends on the lattice problem SIS, it is shown that cryp- Appl. Cryptol. Inf. Secur., Dec. 2010, pp. 413–430.
tocurrency scheme can resist quantum computing attacks. [21] M. Rückert, ‘‘Strongly unforgeable signatures and hierarchical identity-
based signatures from lattices without random oracles,’’ in Proc. Int.
Compared with original cryptocurrency scheme, user’s pri- Workshop Post-Quantum Cryptogr., May 2010, pp. 182–200.
vate key has the advantage of resisting quantum computing [22] D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert, ‘‘Bonsai trees, or how to
attack. In other words, cryptocurrency is more secure in this delegate a lattice basis,’’ J. Cryptol., vol. 25, no. 4, pp. 601–639, 2010.
[23] L. L. Zhang and Y. Sang, ‘‘A lattice-based identity-based proxy signa-
cryptocurrency scheme. It is shown that our cryptocurrency ture from bonsai trees,’’ Int. J. Adv. Comput. Technol., vol. 4, no. 20,
scheme is more secure and efficient. Our research will help pp. 99–104, 2012.
us to protect the security of blockchain, which will be more [24] S. Agrawal, D. Boneh, and X. Boyen, ‘‘Lattice basis delegation in fixed
dimension and shorter-ciphertext hierarchical IBE,’’ in Proc. Adv. Cryptol.
practical under the present technical conditions. We also Conf. CRYPTO, Santa Barbara, CA, USA, Aug. 2010, pp. 98–115.
believe that the post-quantum blockchain is very significant [25] L. Zhang and Y. Sang, ‘‘Proxy blind signature scheme from lattice basis
for other blockchain applications in the future. delegation,’’ Int. J. Adv. Comput. Technol., vol. 4, no. 21, pp. 329–336,
2012.
[26] L. Zhang and Y. Ma, ‘‘A lattice-based identity-based proxy blind signa-
REFERENCES ture scheme in the standard model,’’ Math. Problems Eng., vol. 2014,
[1] H. Li, D. Liu, Y. Dai, T. H. Luan, and X. S. Shen, ‘‘Enabling efficient multi- Sep. 2014, Art. no. 307637.
keyword ranked search over encrypted mobile cloud data through blind [27] C. Gu, L. Chen, and Y. Zheng, ‘‘ID-based signatures from lattices in the
storage,’’ IEEE Trans. Emerg. Topics Comput., vol. 3, no. 1, pp. 127–138, random oracle model,’’ in Proc. Int. Conf. Web Inf. Syst. Mining, Oct. 2012,
Mar. 2015. pp. 222–230.
[2] H. Li, D. Liu, Y. Dai, T. H. Luan, and S. Yu, ‘‘Personalized search over [28] J. Yan, L. Wang, M. Dong, Y. Yang, and W. Yao, ‘‘Identity-based signcryp-
encrypted data with efficient and secure updates in mobile clouds,’’ IEEE tion from lattices,’’ Secur., Commun. Netw., vol. 8, no. 18, pp. 3751–3770,
Trans. Emerg. Topics Comput., vol. 6, no. 1, pp. 97–109, Jan./Mar. 2018. 2015.
[3] H. Li, Y. Yang, Y. Dai, J. Bai, S. Yu, and Y. Xiang, ‘‘Achieving [29] D. Micciancio and O. Regev, ‘‘Lattice-based cryptography,’’ in Post-
secure and efficient dynamic searchable symmetric encryption over med- Quantum Cryptography. Berlin, Germany: Springer, 2009, pp. 147–191.
ical cloud data,’’ IEEE Trans. Cloud Comput., to be published, doi: [30] D. Micciancio and O. Regev, ‘‘Worst-case to average-case reductions
10.1109/TCC.2017.2769645. based on Gaussian measures,’’ SIAM J. Comput., vol. 37, no. 1,
[4] X. Liu, S. Li, X. Chen, G. Xu, X. Zhang, and Y. Zhou, ‘‘Effi- pp. 267–302, 2007.
cient solutions to two-party and multiparty millionaires’ problem,’’ [31] A. Juels, M. Luby, and R. Ostrovsky, ‘‘Security of blind digital signatures,’’
Secur. Commun. Netw., vol. 2017, May 2017, Art. no. 5207386, in Proc. Annu. Int. Cryptol. Conf., Aug. 1997, pp. 150–164.
doi: 10.1155/2017/5207386. [32] D. Pointcheval and J. Stern, ‘‘Security arguments for digital signatures and
[5] X. Liu, S. Li, J. Liu, X. Chen, and G. Xu, ‘‘Secure multiparty computation blind signatures,’’ J. Cryptol., vol. 13, no. 3, pp. 361–396, 2000.
of a comparison problem,’’ SpringerPlus, vol. 5, no. 1, p. 1489, 2016.
[6] S. Nakamoto. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System.
[Online]. Available: https://bitcoin.org/bitcoin.pdf
[7] P. Giungato, R. Rana, A. Tarabella, and C. Tricase, ‘‘Current trends in sus-
tainability of bitcoins and related blockchain technology,’’ Sustainability,
vol. 9, no. 12, p. 2214, 2017.
[8] C. Decker and R. Wattenhofer, ‘‘Information propagation in the bitcoin
network,’’ in Proc. IEEE 13th Int. Conf. Peer-Peer Comput. (P2P), Trento, YU-LONG GAO received the M.S. degree in
Italy, Sep. 2013, pp. 1–10. computer technology from Henan Polytechnic
[9] G. Zyskind and O. Nathan, ‘‘Decentralizing privacy: Using blockchain to University, Jiaozuo, Henan, China, in 2017. He is
protect personal data,’’ in Proc. IEEE Secur. Privacy Workshops (SPW), currently pursuing the Ph.D. degree with the
San Jose, CA, USA, May 2015, pp. 180–184. Beijing University of Posts and Telecommunica-
[10] D. Puthal, N. Malik, S. P. Mohanty, E. Kougianos, and C. Yang, ‘‘The tions. His research interests include information
blockchain as a decentralized security framework,’’ IEEE Consum. Elec- security and cryptography.
tron. Mag., vol. 7, no. 2, pp. 18–21, Mar. 2018.
[11] A. Anjum, M. Sporny, and A. Sill, ‘‘Blockchain standards for compliance
and trust,’’ IEEE Cloud Comput., vol. 4, no. 4, pp. 84–90, Jul. 2017.

27212 VOLUME 6, 2018


Y.-L. Gao et al.: Secure Cryptocurrency Scheme Based on PQB

XIU-BO CHEN received the Ph.D. degree from XIN-XIN NIU received the M.S. degree from
the Beijing University of Posts and Telecommu- the Beijing University of Posts and Telecommu-
nications in 2009. She is currently an Associate nications in 1988 and the Ph.D. degree from
Professor with the School of Cyberspace Secu- The Chinese University of Hong Kong in 1997.
rity, Beijing University of Posts and Telecommu- She is currently a Professor with the School of
nications, Beijing, China. Her research interests Cyberspace Security, Beijing University of Posts
include cryptography, information security, quan- and Telecommunications. Her research interests
tum network coding, and quantum private include network security, digital watermarking,
communication. and digital rights management.

YU-LING CHEN received the B.S. degree from


Taishan University in 2006 and the M.S. degree
from Guizhou University in 2009. She is cur-
rently an Associate Professor with the Guizhou
Provincial Key Laboratory of Public Big Data,
Guizhou University, Guiyang, China. Her recent
research interests include cryptography and infor-
mation security. YI-XIAN YANG received the M.S. degree in
applied mathematics and the Ph.D. degree in
electronics and communication systems from
the Beijing University of Posts and Telecom-
YING SUN received the Ph.D. degree from the munications, Beijing, China, in 1986 and 1988,
Beijing University of Post and Telecommunica- respectively. He has authored over 40 national
tions in 2010. She is currently an Assistant Pro- and provincial key scientific research projects,
fessor with the Beijing Electronic Science and published over 300 high-level papers, and
Technology Institute, Beijing, China. Her research 20 monographs. His research interests include
interests include quantum computation and quan- cryptography, information and network security.
tum cryptography. He was elected for the Yangtze River Scholar Program Professor Award,
the National Outstanding Youth Fund Award, and the National Teaching
Masters.

VOLUME 6, 2018 27213

You might also like