Keywords

1 Introduction

Blockchain is a distributed database technology which can record transaction. The characteristics of blockchain are “decentralization”, “anonymization” and “de-trusted” [1]. It handles distrust among nodes and has been widely applied in the fields of e-money, financial investment, internet of things, medical care, and energy network [2]. The blockchain falls into three categories: public chain, permissioned chain, and private chain. At present blockchain-based voting schemes existing on permissioned chain and private chain have been used in credit assessment and decision making. The paper is devoted to develop a safe and transparent online voting mechanism on the blockchain: coordinating participants to ensure the fairness, allowing the voting manager to check the voting result and cancel illegal ballots [3]. Compared with existing voting schemes, blockchain-based voting methods have the ability of being irrevocable and non-repudiation, and the process can be automated in accordance with the statute, without human interference. Applications based on the blockchain with neutrality and security have shown the wide prospects.

The identities in the blockchain node, similar to the bankcard account number, are the pseudonym information used by the user to participate in the voting process. The temporary identify labels are generated by the participants using the public key encryption algorithm with anonymity. Recent studies [4, 5] have shown that the blockchain has the risk of identity leakage. The attackers exploit the message propagation vulnerabilities and trace out the initiator identities. It means that the native blockchain architecture cannot guarantee the anonymity. How to design a highly anonymous and non-repudiation blockchain architecture is the focus of this study.

To implement the voting scheme based on the group signature in blockchain, the native blockchain architecture needs to be redesigned to pick out the trusted centers. However, once the trusted centers are breached, the user secrets will be stolen. What’s more, attackers can tamper with the voting results. How to guarantee the security of the trusted centers in the isomerized blockchain is the prerequisite for the voting scheme.

To select the trusted centers on the blockchain, the metrics must be updated in order to feed back the credibility to other nodes in time. When initiating, all nodes need to generate their own private keys to calculate the share signatures which will be passed to the trusted centers. The trusted centers will accumulate the share signatures to composite the group signature. To trace the abnormal behaviors, the trusted centers must be allowed to open the signature and locate the corresponding user identities. When some nodes are unavailable, their signatures are allowed to revoke. How to design such a revocable and traceable threshold group signature scheme is the main contribution of this study.

2 Related Researches

In 1994, Marsh firstly proposed the concept of trusted computing and elaborated on the canonical representation of trust metrics [6]. The key of implementing the signature scheme in blockchain is selection of the trusted centers.

To solve the problems that the user identities on general devices are unsafe, [7] builds a mathematical model based on the D-S evidence theory and proposes the trustworthiness metrics in Ad-hoc and P2P networks. [8] proposes a dynamic trusted model based on Bayesian Network. The credibility metrics depend on the neighbors with the dynamic objective variables. However, the model still needs to be optimized in terms of prediction accuracy and time continuity. [9] quantifies the credibility based on the information theory and measures the trust propagation path in the Ad-hoc network. Since the degree of trust is regarded as the uncertainty, the entropy is introduced to quantify it. [10] proposes the trusted security discovery model TSSD in pervasive circumstances. The model is a composite architecture that supports discovery functions in both secure and insecure scenarios. [11] proposes a penalty-based incentive mechanism based on the repeated game, which can adjust the penalty according to the reputation.

Due to heterogeneity and complexity of the blockchain, the trusted metrics need to meet the requirements of dynamic adaptability, high efficiency, and strong timeliness. When adapting the traditional measurements to the blockchain, existing schemes mainly include several drawbacks [12]:

  1. 1.

    Assumptions made by those methods limit their applications.

  2. 2.

    The computing power of blockchain nodes is uneven, which leads existing methods to be inferior in terms of interaction timeliness and adaptability.

  3. 3.

    Autonomy of blockchain makes the node behaviors unpredictable. Protection methods without cooperation among nodes make them vulnerable when facing up to the attacks.

  4. 4.

    Existing researches lack robustness whose accuracy will be declined when adapting to the blockchain.

The threshold group signature schemes, according to the way of key distribution, are mainly divided into the ones with the trusted center and the ones without the trusted center. For the group signature scheme without the trusted center, each node has a high degree of autonomy, which enhances the security level with the cost of increasing computation. The trusted center for the threshold group signature scheme is considered as the management node and can trace user identities which is promising for the blockchain based voting scenes.

Traditional signature schemes based on the large number decomposition and discrete logarithm problems cannot meet the requirements of low computation and bandwidth required in the blockchain. The group signatures scheme based on the elliptic curve with lower resource consumption are more suitable for the blockchain scenarios [13].

In 2004, Tzer-Shyong et al. [14] integrated the short key feature with a threshold method and proposed a signature scheme (YC scheme) based on the elliptic curve encryption algorithm. However, it lacks the operations of tracking and cancellation of the signatures. [15] points out that arbitrary member conspiracy in the YC scheme can be able to obtain the private keys. Therefore, [16] proposes an ECC threshold signature scheme with the elliptic curve discrete logarithm difficulty, which could track the signer identity with the help of the trusted center and can effectively resist the members conspiring to forge the signature. The above threshold group signatures are based on the Shamir secret sharing scheme. Some other secret sharing methods will be discussed later.

In [17], a threshold group signature scheme is proposed based on the bilinear mapping and secret sharing. The keys are distributed in the members of the signature set. In [18], the threshold group signature scheme with the elliptic curve discrete logarithm difficulty is proposed, including signature verification, thresholds modification, etc. [19] proposes a threshold group signature scheme based on ECC scheme, which has a shorter key length, lower computation and bandwidth requirement. [20] and [21] propose the ECDSA threshold signature schemes, whose participants can reconstruct keys. Goldfeder et al. proposes a threshold signature scheme to realize the multi-party control functions on bitcoin [22], which applies the threshold cryptography for key management. However, when to recover the keys, multiple parties must be present.

To address the above problems, the paper redesigns the native blockchain, and selects the trusted centers based on Dynamic Bayesian Network, which correlates the time factor to perform the dynamic trusted metrics. In addition, this paper proposes a threshold group signature scheme. Through cooperation between users and the trusted centers, the share signatures will be synthesized to form the group signature. In order to protect the user identities, the proposed method will blind the user identities. In case of the trusted centers unavailable, the new scheme will back up the user signatures and update the trusted centers dynamically.

3 Background

3.1 Digital Signature

Digital signature is a password protection scheme, which utilizes cryptography to confirm source and integrity of the data. It is mainly used in asymmetric key encryption and digital summarization. The sender first signs the message, then others verify it. The signature is temporally valid for a single process. The steps are as follows [23]:

  1. 1.

    \( G(p)\mathop{\longrightarrow}\limits^{generate - keys}(sk,pk), \) where \( sk \) is the private key and \( pk \) is the public key.

  2. 2.

    \( S(sk,m)\mathop{\longrightarrow}\limits^{generate - signatures}sig, \) where \( m \) is the plaintext, and \( sig \) is the result signature.

  3. 3.

    \( Verify(pk,m,sig)\mathop{\longrightarrow}\limits^{verrify - signatures}\{ True,False\} \), which verifies integrity of the data through the public key, the plaintext, and the signature.

The typical signature schemes mainly include the elliptic curve digital signature [24] and the partial blind signature [25]. The elliptic curve digital signature will be the focus in the paper.

The elliptic curve digital signature algorithm is mainly designed based on the elliptic curve discrete logarithm. The elliptic curve E on the finite field \( {\text{F}}_{\text{q}} \) is expressed as [24]:

$$ y^{2} = x^{3} + ax + b (\bmod \,q ) , $$

where \( a,b,x,y \in {\text{F}}_{\text{q}} \). Assuming \( {\text{E(F}}_{\text{q}} ) \) represents the point set of the elliptic curve, and the base point is \( {\text{G}} \in {\text{E(F}}_{\text{q}} ) \), \( |G| = n \). The parameters are \( ( {\text{F}}_{\text{q}} ,\;a ,\;b ,\;{\text{G,}}\;n ) \). The steps of the elliptic curve algorithm are as follows:

  1. 1.

    \( d \) is a randomly selected value, where \( \left\{ {d|d \in Z,d \in [1,n - 1 ]} \right\} \). \( {\text{Q}} = d{\text{G}} \), where the public key is \( {\text{Q}} \), and the private key is \( d \).

  2. 2.

    Randomly select \( k \in \left[ {1,n - 1} \right] \) to obtain \( k{\text{G}} = \left( {x,y} \right) \).

  3. 3.

    \( {\text{r}} = x\,\bmod \,n \), and verify \( r = 0 \). If it holds, return to step 2.

  4. 4.

    \( e = {\text{H(m)}} \), where \( {\text{H(}} \cdot ) \) is a custom hash function.

  5. 5.

    \( s = k^{ - 1} (e + dr )\bmod \,n \), if \( s = 0 \), go back to the step 2 to continue, otherwise return the result \( \left( {r,s} \right) \).

  6. 6.

    The formula to verify the signature \( \left( {r,s} \right) \) with the plaintext \( m \) and the public key \( {\text{G}} \) is \( s^{ - 1} (eG + Qr) = k(e + dr)^{ - 1} (eG + dGr) = kG \). If it does not hold, it means that the message may be tampered.

3.2 Secret Sharing Scheme

The concept of secret sharing was first proposed by Shamir [26] and Blackey [27]. The idea is to split the secret into N copies and send each copy to different participants for management. When to recover the secret, it needs to involve a certain number of participants, whose number must be greater than or equal to the specified threshold.

The classic secret sharing scheme is the Shamir sharing scheme. The scheme firstly divides the secret \( S \) into n copies. Any \( k \) copies can recover \( S \), and \( k - 1 \) ones could not. The whole process is divided into three steps:

  1. 1.

    Initialization: Assuming \( n \) participants \( \left( {{\text{P}}_{1} \ldots .{\text{P}}_{n} } \right) \) with the threshold \( k \), let \( p \) be a prime number, the trusted center coding range be the finite field \( {\text{GF(}}p ) \), and each participant be \( x_{i} \in {\text{GF}}({\text{p}})(i = 1,2, \ldots n) \).

  2. 2.

    Encryption: The trusted center selects a \( k - 1 \) order polynomial \( f(x) = a_{0} + a_{1} x + a_{2} x^{2} + \ldots + a_{k - 1} x^{k - 1} \), where \( a_{i} \in {\text{GF(}}P ) (i = 1,2, \ldots ,k - 1 ) \), \( a_{0} = S \). Put \( x_{i} \in {\text{GF}}({\text{p}})(i = 1,2, \ldots n) \) into the above equation to obtain \( \left( {x_{1} ,f\left( {x_{1} } \right)} \right), \ldots , (x_{n} ,f (x_{n} ) ) \) which will be sent to each participant.

  3. 3.

    Decryption: \( k \) pairs of \( \left( {x,f\left( x \right)} \right) \) will be optionally collected from \( n \) participants to reconstruct the polynomial \( f(x) \), from which we can obtain \( f (0 )= a_{0} = S \) with Lagrange interpolation.

3.3 Threshold Signature Scheme

The \( (t,n ) \) threshold signature algorithm mainly includes three steps, which are key generation, signing and verification. For \( n \) members, the threshold key generation step returns the public key \( pk \) and the private key \( sk_{i} \{ 1 \le i \le n\} \) with the system parameter \( I \). The threshold signature process takes on the input \( m \) and \( I \) with the private key \( sk_{i} \), and outputs the signature \( \sigma \) [28]. The threshold verification process can be able to verify the signature \( \sigma \) with the public key \( pk \).

The threshold signature algorithm is considered as safe when meeting two requirements [29]:

  1. 1.

    Unforgeability: Given the system parameter \( I \), an attacker can destroy up to a maximum of \( t - 1 \) nodes through issuing at most \( k \) questions, where \( k \) is generally equal to \( 2^{n} \) times the length of the message.

  2. 2.

    Robustness: When the attacker breaks through up to \( t - 1 \) nodes, the correct signature can still be generated.

4 Trusted Center Selection Criterion

The threshold group signature scheme needs the trusted center to trace user identities. Its corresponding measurements must obey several principles which will be discussed later. This paper proposes a trusted center selection scheme based on Dynamic Bayesian Network. The new scheme introduces the historical interaction window, the aging factor, the penalty factor, and aggregates the direct and indirect credibility to form a set of dynamic and adaptive trusted metrics. When the reliability for the current centers is declined to a certain level, they will be re-selected as soon as possible. This paper adopts the selection scheme to the blockchain as shown in Table 1, which reduces the computational complexity and is proved to be equivalent to [12].

Table 1. Diagram of trusted centers construction
Full size table

4.1 Definitions

Definition 1:

Assuming \( C = \{ c_{i} |i \in N^{*} ,1 \le i \le n\} \) represents a set of network nodes. For the current node \( c \), if \( \forall c_{i} \in C \), \( c \ne c_{i} \), the interactive factor \( r_{i} \) exists to make \( r_{i} (c,c_{i} ) \) not empty, and the set \( R = \{ r_{1} ,r_{2} , \ldots ,r_{n} \} \) is the local relational database.

Definition 2:

For the local relational database \( R = \{ r_{1} ,r_{2} , \ldots ,r_{n} \} \), if a relational window \( w \) exists to make \( R_{w} = \{ r_{n - w} ,r_{n - w - 1} , \ldots ,r_{n} \} \) be the trusted metrics for the target entity, \( w \) is said to be valid.

Definition 3:

For the valid relationship window \( w \), at time \( t \), the corresponding context is denoted as \( W (w,t ) \).

Definition 4:

With \( n \) trust levels, the credibility set of the current network is denoted as \( L = \{ l_{1} ,l_{2} , \ldots ,l_{n} \} \) where \( i < j \), \( l_{i} < l_{j} \). The greater \( l \), the higher the credibility.

Definition 5:

Assuming \( X = \{ x_{1} [t],x_{2} [t], \ldots x_{n} [t]\} \) denotes the attribute set at time \( t \), and \( x [t ] \) denotes a serial of values for the random variable \( x_{i} [t ] \). Assuming continuous events occur at discrete time and the attribute evolving process satisfies the Markov chain model, that is \( P (x [t + 1 ]|x [0 ] ,\ldots x [t ] ) { = }P (x [t + 1 ]|x [t ] ) \), the resulting network is called Dynamic Bayesian Network.

Definition 6:

Let the priori network be \( N_{0} \) and the transfer network be \( N \). \( N_{0} \) is the distribution of \( x [0 ] \), and \( N \) represents the transition probability \( P (x [t + 1 ]|x [t ] ) \).

4.2 Trusted Metrics

For the credibility measurement, this paper adopts a strategy combining the static and dynamic behaviors to perform the trusted authentication, which considers the objective and subjective factors to make the comprehensive measurement. The proposed method tries to minimize the resource requirements when applied to the blockchain.

The static trusted metrics are the basis which includes the operating system integrity, additional protection, and hardware performance. The nodes in the blockchain who own more computing resources are able to carry out more tasks, so a high credibility will be assigned to them. The static measurement of this paper does not adopt the traditional identity authentication metric because of anonymity of the blockchain.

The dynamic trusted metrics provide the fine-grained quantitative standards for the measurement in the paper. Through real-time monitoring the node status and timely feedback to others, real-time credibility of the trusted center is ensured. The dynamic behavior metrics mainly include mining efficiency, abnormal connection attempts, and node reliability. Because each node in the blockchain needs to communicate with others during a certain time interval, the paper introduces the dynamic behavior assessment scheduling to the original communication frequency which can effectively utilize the system resource. The evaluation indicators are shown in Fig. 1.

Fig. 1.
figure 1

Metrics for selection of the trusted centers

Full size image

When a new node attempts to join the blockchain, its credibility needs measurement. This paper considers the trustworthiness as a measure of the satisfaction degree for the task. The measurement relies on the correlation among nodes with a combination of subjective and objective factors. The proposed method first initializes the measurement module, calculates the direct credibility \( (Dc ) \) and the indirect credibility \( (Ic ) \), then obtains the comprehensive credibility \( Sc \) based on \( Dc \) and \( Ic \).

Definition 7:

Assuming \( \delta^{{\prime }} (t ) \) is the aging factor, which represents the attenuation factor of the credibility with time. The formula is:

$$ \delta^{{\prime }} (t )= 1 - \frac{{\Delta t \times \zeta^{{\prime }} }}{{t - t_{0} }}, $$

where \( \zeta^{{\prime }} \in ( 0 , 1 ) \), \( \delta^{{\prime }} (t )\in ( 0 , 1 ) \), \( t_{0} \) denotes the start time, and \( t \) represents the current time. \( \zeta^{{\prime }} \) is used to adjust the decay rate. As the value increases, the decay rate will become faster. \( \Delta t \) is the interval between two operations.

Theorem 1:

In the blockchain scenario, \( \delta^{{\prime }} (t ) \) is equivalent to \( \delta (t ) \), and \( \delta (t ) \) is:

$$ \delta (t )= 1 - \frac{\zeta }{{t - t_{0} }}, $$

where \( \zeta \in ( 0 , 1 ) \), \( \delta (t )\in ( 0 , 1 ) \).

Proof: In the blockchain scenario, nodes in the network send heartbeat packets at a certain interval \( T_{h} \). In order to make full use of resources, the time interval to update the aging factor can be set as \( \Delta t = T_{h} \). Due to the fluctuation of the network, there is a certain disturbance during the process of message transmission. Assuming \( \Delta t \) obeys the normal distribution: \( \Delta t \sim N (T_{h} ,\sigma^{2} ) \), at intervals \( \Delta t_{1} ,\Delta t_{2} , \ldots .\Delta t_{n} \) for \( n \) entities in the blockchain, we obtain \( E(\Delta t_{i} ) = T{}_{h} \) and \( D(\Delta t_{i} ) = \sigma^{2} \). For any real number \( x \), we can obtain

$$ \mathop {\lim }\limits_{n \to \infty } P\left\{ {\left. {\frac{{\sum\limits_{i = 1}^{n} {\Delta t_{i} - nT_{h} } }}{\sqrt n \sigma } \le x} \right\}} \right. =\Phi (x ) , $$

where \( E (\Phi (x ) )\;{ = }\; 1 \).

For the blockchain scenario, the node number \( n \) is large and \( \Delta t \) can be approximated as a fixed value. Assuming \( \zeta = \Delta t \times \zeta^{{\prime }} \), we can obtain \( \delta (t )= 1 - \frac{\zeta }{{t - t_{0} }} \).

Definition 8:

Let the penalty factor be \( \psi \) with the formula:

$$ \psi = \left\{ {\begin{array}{*{20}c} {1,\Delta Dc_{n} \ge 0} \\ {0 < \psi < 1,\Delta Dc_{n} < 0} \\ \end{array} } \right., $$

where \( \psi \in ( 0 , 1 ) \). \( Dc_{n} \) is the direct credibility of the n-th entity, where \( \Delta Dc_{n} = Dc_{n} ( {\text{t)}} - Dc_{n} ( {\text{t}} - 1 ) \). When \( \Delta Dc_{n} < 0 \), it indicates that the current entity’s direct credibility drops down, and needs to reduce \( \psi \) to increase the punishment, which can lower the entity’s credibility to a certain value in order to remove the node from the trusted set as soon as possible.

Definition 9:

Let the target node be \( x_{j} \). \( \forall x_{i} \in X \), the corresponding relationship between \( x_{i} \) and \( x_{j} \) in the window \( {\text{W}} \) at time \( t \) corresponds to the context condition \( {\text{W(w}},t ) \). \( {\text{w}} \) represents the correlation between \( {\text{x}}_{\text{i}} \) and \( {\text{x}}_{j} \) in the valid relationship window. The direct credibility is:

$$ Dc_{n} \left( {{\text{x}}_{\text{i}} ,\;{\text{x}}_{\text{j}} ,\;{\text{W(w,}}\;{\text{t),}}\;{\text{t}}} \right){ = }\left\{ {\begin{array}{*{20}c} {\left( {\frac{1}{n},\frac{1}{n}, \ldots ,\frac{1}{n}} \right),t = 0} \\ {Dc_{n} ( {\text{x}}_{\text{i}} ,\;{\text{x}}_{\text{j}} ,\;{\text{W(w,}}\;{\text{t}} - 1 ) ,\;{\text{t}} - 1 )\times \delta (t ),} \\ {Dc_{n} ( {\text{x}}_{\text{i}} ,\;{\text{x}}_{\text{j}} ,\;{\text{W(w,}}\;{\text{t),}}\;{\text{t)}} \times\Psi ,\;else} \\ \end{array} } \right.{\text{W(w,}}\;{\text{t)}} - {\text{W(w,}}\;{\text{t}} - 1 )=\Phi , $$

where \( \sum\limits_{i = 1}^{n} {Dc_{i} } = 1 \).

When initializing the direct credibility, the credibility for target node’s neighbors are set to be the same value. If there is no change at a certain interval, the node’s credibility decays with time. When the increment of the direct credibility is positive, the penalty factor \( \psi = 1 \), and the direct credibility remains unchanged. Otherwise, the direct credibility needs to be punished.

Definition 10:

\( \forall x_{i} \in X \), let the target node be \( x_{j} \), and the context condition at time \( t \) for the node \( x_{i} \) and \( x_{j} \) within the valid window \( w \) be \( W (w,t ) \). We can obtain the indirect credibility for the target node with the formula:

$$ Ic_{n} \left( {{\text{x}}_{\text{i}} ,\;{\text{x}}_{\text{j}} ,\;{\text{W(w,}}\;{\text{t),}}\;{\text{t}}} \right){ = }\left\{ {\begin{array}{*{20}c} {\left( {\frac{1}{n},\frac{1}{n}, \ldots ,\frac{1}{n}} \right),t = 0} \\ {Ic_{n} ( {\text{x}}_{\text{i}} ,\;{\text{x}}_{\text{j}} , {\text{W(w,}}\;{\text{t}} - 1 ) ,\;{\text{t}} - 1 )\times \delta (t ),\;{\text{W(w,}}\;{\text{t) - W(w,}}\;{\text{t}} - 1 )=\Phi } \\ {\frac{{\sum\nolimits_{Z \in X} {Dc_{n} ( {\text{x}}_{\text{i}} ,\;{\text{x}}_{k} ,\;{\text{W(w,}}\;{\text{t}} - 1 ) ,\;{\text{t}} - 1 )\times Sc_{n} ( {\text{x}}_{k} ,\;{\text{x}}_{j} ,\;{\text{W(w,}}\;{\text{t}} - 1 ) ,\;{\text{t}} - 1 )} }}{{\sum\nolimits_{Z \in X} {Dc_{n} ( {\text{x}}_{\text{i}} ,\;{\text{x}}_{k} ,\;{\text{W(w,}}\;{\text{t}} - 1 ) ,\;{\text{t}} - 1 )} }} \times\Psi ,else} \\ \end{array} } \right., $$

where \( Z \) represents neighbors of the target node. The indirect credibility of its neighbors is initialized as \( \frac{1}{n} \). For the subsequent process, if the target node does not generate a new context condition, the indirect credibility decays over time. Conversely, we can obtain the target node credibility combining the direct credibility and the comprehensive credibility of the target node and its neighbors. When the increment of the indirect credibility is positive, the penalty factor \( \psi = 1 \), and the indirect credibility remains unchanged. Otherwise, the indirect credibility of the target node needs to be punished.

Definition 11:

Let \( \mu \) be the weight factor for the direct credibility with the formula:

$$ \mu = 0.5 + \frac{\text{w}}{{2\Omega }}, $$

where \( \Omega \) is the length of the valid relationship window, \( \mu \in ( 0. 5 , 1 ] \). \( \mu \) is used to adjust the weight between the direct credibility and the indirect credibility when calculating the comprehensive credibility. Since its value is always greater than 0.5, it means the priority will be assigned to the direct credibility.

Definition 12:

\( \forall x_{i} \in X \), let the target node be \( x_{j} \), the corresponding context condition of \( x_{i} \) and \( x_{j} \) is \( {\text{W(w}},t ) \). The comprehensive credibility is:

$$ Sc_{n} \left( {{\text{x}}_{\text{i}} ,\;{\text{x}}_{\text{j}} ,\;{\text{W(w,}}\;{\text{t),}}\;{\text{t}}} \right) = \left\{ {\begin{array}{*{20}c} {Ic_{n} ( {\text{x}}_{\text{i}} , {\text{x}}_{\text{j}} , {\text{W(w,}}\;{\text{t),}}\;{\text{t)}},{\text{W(w,}}\;{\text{t)}} =\Phi } \\ {Dc_{n} ( {\text{x}}_{\text{i}} ,\;{\text{x}}_{\text{j}} , {\text{W(w,}}\;{\text{t),}}\;{\text{t)}},{\text{W(w,}}\;{\text{t)}} = {\text{W(}}\Omega ,\;{\text{t)}}} \\ {Sc_{n} ( {\text{x}}_{\text{i}} ,\;{\text{x}}_{\text{j}} ,\;{\text{W(w,}}\;{\text{t}} - 1 ) , {\text{t}} - 1 )\times \delta (t ),{\text{W(w,}}\;{\text{t)}} - {\text{W(w,}}\;{\text{t}} - 1 )=\Phi } \\ { [\mu \times Dc_{n} ( {\text{x}}_{\text{i}} ,\;{\text{x}}_{\text{j}} ,\;{\text{W(w,}}\;{\text{t),}}\;{\text{t) + (1}} - \mu )Ic_{n} ( {\text{x}}_{\text{i}} ,\;{\text{x}}_{\text{j}} ,\;{\text{W(w,}}\;{\text{t),}}\;{\text{t)]}} \times\Psi ,else} \\ \end{array} } \right.. $$

The comprehensive credibility is considered as the ultimate credibility of the target node. If no change of context condition between the time \( t - 1 \) and \( t \), the comprehensive credibility decays. Otherwise the priority will be given to the direct credibility compared with the indirect credibility. If the increment is negative, the comprehensive credibility will be punished.

5 Blockchain Based Threshold Group Signature Scheme

The participants for the proposed scheme mainly include the blockchain nodes \( (US) \), the trusted centers \( (TC) \), and the backup node \( (BK) \), where the trusted centers are retrieved through Dynamic Bayesian Network as above. The proposed threshold group signature scheme adapts the signature to the blockchain scenario, which blinds user identities, and improves the effectiveness with security guarantees. In addition, the new scheme adds the backup operation to avoid the corruption of the trusted centers.

As shown in Fig. 2, the blockchain based threshold group signature is divided to eight steps which comprise selecting the trusted centers, registration, generation of the share signature, synthesizing the group signature, signature verification, signature backup, signature openness, and signature revoking. They will be discussed later.

Fig. 2.
figure 2

Architecture diagram of the proposed scheme

Full size image

For the convenience, the symbols are defined as Table 2.

Table 2. Symbols of the proposed scheme
Full size table
  1. 1.

    Select the trusted centers

    When the blockchain is initializing, the trusted center is selected based on Dynamic Bayesian Network as above.

  2. 2.

    Registration

    The parameters of the proposed threshold group signature scheme need to be set to generate the corresponding keys and hash functions. When a node attempts to join the blockchain, it needs to interact with the trusted center, blind the identities, and verify the keys.

First, select the appropriate parameters to generate the elliptic curve. \( p \) is a large prime number and \( F_{p} \) is a finite field. Select \( a \) and \( b \) at random, where \( a,b \in F_{p} \), to construct the non-singular elliptic curve: \( y^{2} = x^{3} + ax + b \), \( 4a^{3} + 27b^{2} \ne 0 (\bmod \,p ) \), where \( G \) represents generators, \( ord (G )=\Upsilon \), and \( \Upsilon \) represents a large prime.

If the private key of the trusted center \( {\text{TC}}_{\text{s}} = s \) has been decided, its public key is \( {\text{TC}}_{\text{p}} = sG \). The signature is based on the Shamir secret sharing scheme with the polynomial: \( f(x) = a_{0} + a_{1} x + a_{2} x^{2} + \ldots + a_{t - 1} x^{t - 1} \), where \( a_{i} \in {\text{GF(}}p ) (i = 1,2, \ldots ,t - 1 ) \). Set the private group key as \( c_{s} = a_{0} = f (0 ) \) and the public group key as \( c_{p} = c_{s} G = f ( 0 )G = a_{0} G \). Select a one-way hash function \( h(x) \) to blind the user identities.

\( < a,b,G,c_{p} ,p,h(x) > \) are denoted as the public information with global accessibility in the proposed scheme. \( < c_{s} ,f(x) > \) serves as the confidential information, which is stored on the trusted center and backed up to prevent the central node from malfunctioning or being offline to affect the availability of the blockchain.

When a certain node \( i \) attempts to join the blockchain, it needs to apply to the trusted centers, including identities of verification and blinding. The trusted centers then issue the partial key which will be sent to the corresponding user node after being encrypted. The specific process is as follows:

  • The node sends the randomly generated partial key \( u \in Z_{p}^{*} \) and its own identity \( Id_{i} \) to the trusted center. The trusted center then obtains \( X_{i} = uG \) according to the value \( u \) of the node \( i \). The trusted center searches the user signatures database to determine whether the node has joined the blockchain or not. If it does, the trusted center rejects its application, otherwise the trusted center obtains \( U = uG = (x_{u} ,y_{u} ) \), \( ID_{i} = (x_{u} + s )h (Id_{i} ) { + }u\,\bmod \,p \) where \( ID_{i} \) is the blinded user identity and \( < U,ID_{i} > \) will be sent to the node \( i \).

  • After the node \( i \) receives \( < U,ID_{i} > \), it needs to verify \( ID_{i} G = (x_{u} G + TC_{p} )h(Id_{i} ) + U \). If it holds, the node is required to resend its application. Otherwise its private key will be set as \( x_{i} = u \), \( X_{i} = x_{i} G \), and \( < X_{i} ,U,ID_{i} ,Id_{i} > \) will be sent to the trusted center.

  • When receiving \( < X_{i} ,U,ID_{i} ,Id_{i} > \), the trusted center verifies \( ID_{i} G = (x_{u} G + TC_{p} )h(Id_{i} ) + X_{i} \). If it does not hold, the node will be refused to join the blockchain, otherwise it can allow to enter the network and add itself to \( UL \).

  • The trusted center obtains another part of the private key for the node \( i:y_{i} = f (ID_{i} ) \), and \( y_{i} \) will be sent to the corresponding node via a secret channel. \( a_{i} G \) will be broadcasted in the network by the trust centers. After the user receives \( y_{i} \), it needs to verify \( y_{i} G = Gf ( {\text{ID}}_{\text{i}} )= \sum\nolimits_{i = 0}^{t - 1} {a_{i} GID_{i}^{i} } \). If it does not hold, the trusted center needs to re-execute this step.

  • The private key for node \( i \) is \( u_{s} = x_{i} + y_{i} \) and the public key is \( u_{p} = u_{s} G \). Blinded identity \( ID_{i} \) of the node \( i \) and the public key \( u_{p} \) are broadcasted to the blockchain.

  1. 1.

    Generate the share signature

    Assuming the set of participants as \( \Lambda = \{ {\text{N}}_{ 1} , {\text{N}}_{ 2} ,\ldots , {\text{N}}_{\text{t}} \} \), with corresponding blinded identities as \( ID = \{ {\text{ID}}_{ 1} , {\text{ID}}_{ 2} ,\ldots , {\text{ID}}_{\text{t}} \} \). First, the node \( i \) randomly selects \( k_{i} \in Z_{p}^{*} \), then obtains \( r_{i} = k_{i} G = (x_{ri} ,y_{ri} ) \) and the hash value \( z = h (m ) \) of the message \( m \). The node can obtain its share signature \( s_{i} = k_{i} x_{ri} - zu_{s} I_{i} \bmod \,p \) where \( I_{i} = \prod\nolimits_{i \ne j} {\frac{{ID_{i} }}{{ID_{i} - ID_{j} }}} \). It means that the share signature of the node \( i \) is \( (r_{i} ,s_{i} ) \), which will be sent to the trusted center through a secret channel.

  2. 2.

    Synthesize the group signature

    After the trusted center receives the share signature \( (r_{i} ,s_{i} ) \), it should be verified. Calculate \( I_{i} = \prod\nolimits_{i \ne j} {\frac{{ID_{i} }}{{ID_{i} - ID_{j} }}} \) and \( z \) with the member set \( \Lambda \) and its corresponding identities \( ID = \{ ID_{ 1} ,ID_{ 2} ,\ldots ,ID_{\text{t}} \} \). Verify \( s_{i} G + zu_{p} I_{i} = r_{i} x_{ri} \). If it holds, it shows that the share signature is legal, otherwise return to the step 3 to continue.

    The way to generate the threshold group signature is as follows: First we can obtain \( R = \sum\limits_{i = 1}^{t} {r_{i} x_{ri} } \bmod \,p \), and then merge the share signatures with \( S = \sum\limits_{i = 1}^{t} {s_{i} } \) to get \( W = \sum\nolimits_{i = 1}^{t} {I_{i} X_{i} } \). \( (R,S ) \) is the final threshold group signature. Add the signature \( < r_{i} ,s_{i,} ID_{i} > \) to \( UL \) which can allow to open the signatures.

  3. 3.

    Verify the signature

    The trusted center obtains \( (R,S ) \) which needs to be verified. The verification steps are as follows: First, calculate \( z = h (m ) \) and verify \( SG + z (c_{p} + W ) { = }R \). If it does not hold, reject the signature; otherwise, perform the backup operation.

  4. 4.

    Signature backup

    In order to prevent the user signatures from tampering, it needs to select the suboptimal node as backup which can be obtained with the above scheme based on Dynamic Bayesian Network to duplicate the user signatures.

  5. 5.

    Open the signature

    It needs to connect the trusted centers to perform the open operation. For the signature \( (R,S ) \), the trusted centers first searches \( {<}r_{i} ,s_{i} ,ID_{i} {>} \), then locates the target identity from \( < X_{i} ,Id_{i} ,ID_{i} > \) indexed by \( ID_{i} \).

  6. 6.

    Revoke the signature

    When a node in the blockchain leaves the network, the trusted center is required to delete its information. First, reinitialize \( f(x) = a_{0} + {\varvec{\upalpha}}_{1} x + {\mathbf{a}}_{2} x^{2} + \ldots + {\mathbf{a}}_{t - 1} x^{t - 1} \), where \( a_{0} \) remains unchanged. Then we can obtain the partial key \( y_{i} = f (ID_{i} ) \), re-execute from step 2 to determine whether it needs to receive \( y_{i} \).

6 Security Analysis

6.1 Correctness Analysis

Theorem 2:

When the node \( i \) is being registered to the trusted center, two authentication equations \( ID_{i} G = (x_{u} G + TC_{p} )h(Id_{i} ) + U \) and \( ID_{i} G = (x_{u} G + TC_{p} )h(Id_{i} ) + X_{i} \) hold.

Proof: Since \( U = uG = (x_{u} ,y_{u} ) \), \( ID_{i} = (x_{u} + s )h (Id_{i} ) { + }u \) and \( {\text{TC}}_{\text{p}} = sG \), we can obtain \( ID_{i} G = ( (x_{u} + s )h (Id_{i} ) { + }u )G = (x_{u} G + sG )h (Id_{i} )+ uG = (x_{u} G + {\text{TC}}_{p} )h (Id_{i} )+ U \).

Since \( x_{i} = u \), \( X_{i} = x_{i} G \), we can obtain \( ID_{i} G = ( (x_{u} + s )h (Id_{i} ) { + }u )G = (x_{u} G + {\text{TC}}_{p} )h (Id_{i} )+ X_{i} \).

Theorem 3:

The equation \( y_{i} G = Gf ( {\text{ID}}_{\text{i}} )= \sum\nolimits_{i = 0}^{t - 1} {a_{i} GID_{i}^{i} } \) holds which is used to verify the key of the trusted center by node \( i \).

Proof: Since \( y_{i} = f (ID_{i} ) \), \( f(x) = a_{0} + a_{1} x + a_{2} x^{2} + \ldots + a_{t - 1} x^{t - 1} \), we can obtain \( y_{i} G = Gf (ID_{\text{i}} )= a_{0} G + a_{1} GID_{i} + \ldots + a_{t - 1} GID_{i}^{t - 1} { = }\sum\nolimits_{i = 0}^{t - 1} {a_{i} GID_{i}^{i} } \).

Theorem 4:

When synthesizing the group signature, the verification formula \( s_{i} G + zu_{p} I_{i} = r_{i} x_{ri} \) holds.

Proof: Since \( s_{i} = k_{i} x_{ri} - zu_{s} I_{i} \), \( u_{p} = u_{s} G \), \( r_{i} = k_{i} G = (x_{ri} ,y_{ri} ) \), we can obtain \( s_{i} G = k_{i} x_{ri} G - zu_{s} I_{i} G = r_{i} x_{ri} - zu_{p} I_{i} \) and \( s_{i} G + zu_{p} I_{i} = r_{i} x_{ri} \).

Theorem 5:

When the trusted center obtains the signature \( (R,S ) \), the verification equation \( SG + z (c_{p} + W )= R \) holds.

Proof: Since \( S = \sum\limits_{i = 1}^{t} {s_{i} } \), \( s_{i} = k_{i} x_{ri} - zu_{s} I_{i} \), we obtain \( SG = \sum\limits_{i = 1}^{t} {s_{i} } G = \sum\limits_{i = 1}^{t} { (k_{i} x_{ri} G - zu_{s} I_{i} G )} \). As \( r_{i} = k_{i} G \), \( u_{s} = x_{i} + y_{i} \), \( y_{i} = f (ID_{i} ) \), \( R = \sum\limits_{i = 1}^{t} {r_{i} x_{ri} } \), we infer \( SG = \sum\limits_{i = 1}^{t} {s_{i} } G = \sum\limits_{i = 1}^{t} { (r_{i} x_{ri} )} - \sum\limits_{i = 1}^{t} {\{ z (x_{i} + f (ID_{i} ) )I_{i} G\} } = R - \sum\limits_{i = 1}^{t} { (zx_{i} I_{i} G + zf (ID_{i} )I_{i} G )} \). Since \( X_{i} = x_{i} G \), we get \( SG = R - \sum\limits_{i = 1}^{t} { (zX_{i} I_{i} + zf (ID_{i} )I_{i} G )} \). According to the Lagrange’s theorem, \( I_{i} = \prod\nolimits_{i \ne j} {\frac{{ID_{i} }}{{ID_{i} - ID_{j} }}} \), we deduce \( \sum\limits_{i = 1}^{t} { (f (ID_{i} )I_{i} G )} = \sum\limits_{i = 1}^{t} { ( (a_{0} + a_{1} ID_{i} + a_{2} ID_{i}^{2} + \ldots + a_{t - 1} ID_{i}^{t - 1} )I_{i} G )} = f ( 0 )G = c_{p} \). Since \( W = \sum\nolimits_{i = 1}^{t} {I_{i} X_{i} } \), \( SG = R - \sum\limits_{i = 1}^{t} { (zX_{i} I_{i} )} - zc_{p} = R - zW - zc_{p} \), we obtain \( SG + z (c_{p} + W )\;{ = }\;R \).

6.2 Security Analysis

6.2.1 Threshold Safety Analysis

The threshold group signature scheme is adapted to the blockchain. For the blockchain with \( n \) nodes, at least \( t \) nodes must cooperate to obtain the resulting signature. For a well-designed threshold group signature, if an attacker breaks through a certain number of nodes, as long as the number of valid nodes is greater than or equal to \( t \), the voting result still be correct.

For \( n \) participants, when generating the share signatures, each node in the blockchain utilizes its own private key \( u_{s} \) to sign the message and generate the share signature with the formula \( s_{i} = k_{i} x_{ri} - zu_{s} I_{i} \bmod \,p \). After the trusted center receives the share signature \( (r_{i} ,s_{i} ) \) for each participant, the trusted centers synthesize them with the formula \( S = \sum\limits_{i = 1}^{t} {s_{i} } = \sum\limits_{i = 1}^{t} { (k_{i} x_{ri} - zu_{s} I_{i} )} \), and need to verify the result with the formula \( SG + z (c_{p} + W )= R \).

At least \( t \) nodes are required to synthesize the share signatures. If the number of available signatures is less than \( t \), the synthesis will fail. After obtaining the group signature, it is necessary to verify \( SG + z (c_{p} + W )= R \). According to the Lagrange’s theorem, we can obtain \( \sum\limits_{i = 1}^{t} { (f (ID_{i} )I_{i} G )} = f ( 0 )G = c_{p} \), which needs at least \( t \) identities to pass the verification. In practice, because the public key \( c_{p} \) and \( G \) is well-known, the attacker can obtain them. When we want to obtain the private group key \( f ( 0 ) \), the difficulty is equivalent to the discrete logarithm problem of the elliptic curve which has been proved hard, it shows that the proposed scheme is safe.

6.2.2 Anonymity Analysis

For the blockchain applications, recent studies [4, 5] exploit the vulnerabilities of propagation and transaction mechanism of the blockchain, and successfully obtain the address of the targeted transaction to infer user identities, which shows the native blockchain cannot guarantee anonymity.

The proposed scheme blinds the user identities with \( ID_{i} = (x_{u} + s )h (Id_{i} ) { + }u\,\bmod \,p \), which relies on the partial key \( x_{u} \) of the current node \( i \) and the private key \( s \) of the trusted center. The values are respectively grasped by the users and the trusted center, other unauthorized nodes are not able to access them. Even the attacker obtains \( x_{u} \) and \( s \), it is still difficult for him to retrieve the user identities through the one-way hash function \( h (x ) \).

6.2.3 Unforgeability Analysis

Unforgeability means that the node in the blockchain cannot impersonate others to generate the signature. In the blockchain scenario, the trusted center and the users may impersonate other identities to sign the messages. For the convenience, the current node is defined as \( i \), and one of other nodes is defined as \( j \). Unforgeability of the trusted center and other nodes will be analyzed separately.

For the first case, the trusted center impersonates one user identity to sign. Since the trusted center is updated based on Dynamic Bayesian Network, the metrics of the trusted center depends on feedback from other nodes. If the attacker breaks through the trusted center, it will inevitably show some abnormal behavior characters, such as multiple re-entry, unauthorized access, etc. The credibility of the trusted center will be adjusted, which may strip the trusted center out of the blockchain. Because of \( Sc_{n} ( {\text{x}}_{\text{i}} ,\;{\text{x}}_{\text{j}} ,\;{\text{W(w,}}\;{\text{t),}}\;{\text{t)}} = Sc_{n} ( {\text{x}}_{\text{i}} ,\;{\text{x}}_{\text{j}} , {\text{W(w,}}\;{\text{t}} - 1 ) ,\;{\text{t}} - 1 )\, \times \,\delta (t ),{\text{W(w,}}\;{\text{t)}} - {\text{W(w,}}\;{\text{t}} - 1 )=\Phi \), it means that the credibility of the trusted center will decline without other positive incentive. The rigorous measurement ensures the security of the trusted center.

If the trusted center personally conducts the attack, and impersonate the user node \( i \), he can obtain some related information such as \( < c_{s} ,f(x) > \) and \( UL \). The trusted center \( TC \) randomly selects \( u_{i}^{{\prime }} \in Z_{p}^{*} \), and because of \( x_{i}^{{\prime }} = u_{i}^{{\prime }} \), he can obtain the private key \( u_{s}^{{\prime }} = x_{i}^{{\prime }} + y_{i}^{{\prime }} \), and \( X_{i}^{{\prime }} = u_{i}^{{\prime }} G \). After that, he can obtain the public key \( u_{p}^{{\prime }} = u_{s}^{{\prime }} G \). \( < r_{i} ,s_{i,} ID_{i} > \) and \( < X_{i} ,Id_{i} ,ID_{i} > \) for \( UL \) have been backed up, which need to check the integrity. However, the prerequisite to pass the verification must satisfy \( X_{i}^{{\prime }} = X_{i} \), which denotes that the trusted center \( TC \) must obtain \( X_{i} = X_{i}^{{\prime }} = u_{i}^{{\prime }} G \) and \( u_{i}^{{\prime }} \). The difficulty is equivalent to the discrete logarithm of the elliptic curve which is computationally hard.

For the second scenario, the node \( j \) poses as the node \( i \) for signature. At this time, the node \( j \) only knows \( ID_{i} \) of the node \( i \). The node \( j \) randomly selects \( u_{i}^{{\prime }} \in Z_{p}^{*} \), and generates the private key \( u_{s}^{{\prime }} = x_{i}^{{\prime }} + y_{i}^{{\prime }} \), \( X_{i}^{{\prime }} = u_{i}^{{\prime }} G \), and the public key \( u_{p}^{{\prime }} = u_{s}^{{\prime }} G \). However, the trusted center has backed up the information whose integrity will be checked. It shows that the process is computationally hard.

7 Performance Analysis

The difficulty of the blockchain threshold group signature scheme proposed in the paper is equivalent to the discrete logarithm of the elliptic curve. Compared with those schemes based on the large number decomposition and discrete logarithm, the proposed scheme can obtain the higher security level with the shorter key length. In order to compare with existing signature schemes, the following symbols are defined (Table 3).

Table 3. Symbols of operations in the proposed scheme
Full size table

Due to low overhead of modular addition and modular subtraction, those operations will not be considered in the paper. According to [14], \( C_{ec\_m} \approx 29C_{m} \), \( C_{ec\_a} \approx 0.12C_{m} \), the following parts will compare the proposed scheme with other schemes uniformly.

The paper will conduct the performance analysis from three aspects that are registration, generation and verification of the signature. In addition, when calculating the complexity of the hash function, it counts only once for the same tasks. The computational complexity is shown in Table 4.

Table 4. Computational complexity of the proposed scheme
Full size table

When comparing with existing threshold signature methods, two aspects that are generation and verification of the signature will be considered. The paper utilizes the comparison method presented in [13]. It should be noted that only the cryptographic schemes based on the elliptic curve are considered.

Table 5 is the comparison result of the computational complexity. From the table, we can infer that for the signature generation, [15] is superior to the proposed scheme, and for the signature verification, it is inferior. In the blockchain, the trusted center must undertake most of the computation. The proposed metrics consider the computing power, which makes the selected one own the abundant resource to increase the system throughout. On the other hand, the latter one does not realize the cancellation operation, which is not suitable for the blockchain.

Table 5. Comparison of computational complexity
Full size table

Compared with [13], the proposed scheme introduces the strategy based on Dynamic Bayesian Network to construct the trusted centers to enhance the security. For uneven distribution of computing resource in the blockchain, the proposed scheme is able to assign those tasks with high complexity to the trusted center, which can reduce the overhead of communication and effectively increase the system throughput. In addition, the identities have been blinded in the proposed design to achieve anonymity.

The signature generation process in [14, 30] contains the modular inverse operation, which has the high computational complexity, and [30] does not have the revoking operation. The proposed scheme can achieve the better result than [16] in the process of signature generation and signature verification.

In summary, the proposed method has the higher degree of anonymity and unforgeability that involves opening and revoking signatures. Compared with existing threshold group signature schemes, the proposed one has the lower computational complexity.

8 Conclusion

When applying the threshold group signature scheme to the blockchain to achieve the voting function, we will face up to the untrustworthy of the trusted center and the leakage of the user signatures. The paper proposes a trusted center selection scheme based on Dynamic Bayesian Network, which considers the time factor to perform the trusted metrics. The paper introduces the history interaction window, the aging factor and the penalty factor, and aggregates the direct and indirect credibility to form the dynamic metrics.

The voting scheme based on the threshold group signature for the isomerized blockchain is proposed. Through cooperation of users and the trusted centers to generate the group signature, the computational difficulty is equivalent to the discrete logarithms of the elliptic curve. The new design blinds and backs up the user identities. Security analysis shows that the proposed scheme can achieve the higher level of anonymity and effectively resist the impersonation attack. Computational complexity analysis shows that the cost of this scheme is low when adapting to the blockchain.