Abstract
Much blockchain research focuses on privacy protection. However, criminals can exploit the strong privacy guarantees of a blockchain to commit crimes (such as ransomware) without being punished, and these crimes have caused huge losses to society and to users. Implementing identity tracing is an important step in dealing with the problems that arise from privacy protection. In this paper, we propose a blockchain traceable scheme with oversight function (BTSOF). The design of BTSOF builds on SkyEye (Tianjun Ma et al., Cryptology ePrint Archive 2020). In BTSOF, the regulator must obtain the consent of the committee before tracing is enabled. Moreover, we construct a non-interactive verifiable multi-secret sharing scheme (VMSS scheme) and use it to design a distributed multi-key generation (DMKG) protocol for the Cramer-Shoup public key encryption scheme; the DMKG protocol is used in the design of BTSOF. We provide security definitions and security proofs for the VMSS scheme and the DMKG protocol.
References
Agrawal, S., Ganesh, C., Mohassel, P.: Non-interactive zero-knowledge proofs for composite statements. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 643–673. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_22
Ateniese, G., Faonio, A., Magri, B., de Medeiros, B.: Certified bitcoins. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 80–96. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07536-5_6
Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA, 18–21 May 2014, pp. 459–474 (2014)
Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717
Defrawy, K.E., Lampkins, J.: Founding digital currency on secure computation. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, 3–7 November 2014, pp. 1–14 (2014)
Eyal, I.: The miner’s dilemma. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015, pp. 89–103 (2015)
Franklin, M.K., Yung, M.: Communication complexity of secure computation (extended abstract). In: Proceedings of the 24th Annual ACM Symposium on Theory of Computing, 4–6 May 1992, Victoria, British Columbia, Canada, pp. 699–710 (1992)
Garman, C., Green, M., Miers, I.: Accountable privacy for decentralized anonymous payments. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 81–98. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_5
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 295–310. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_21
King, S., Nadal, S.: PPCoin: Peer-to-Peer Crypto-Currency with Proof-of-Stake, August 2012. https://peercoin.net/assets/paper/peercoin-paper.pdf
Krawczyk, H., Rabin, T.: Chameleon hashing and signatures. IACR Cryptology ePrint Archive 1998:10 (1998)
Ma, T., Xu, H., Li, P.: A blockchain traceable scheme with oversight function. Cryptology ePrint Archive, Report 2020/311 (2020). https://eprint.iacr.org/2020/311
Ma, T., Xu, H., Li, P.: Skyeye: A traceable scheme for blockchain. Cryptology ePrint Archive, Report 2020/034 (2020). https://eprint.iacr.org/2020/034
Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system (2009). https://bitcoin.org/bitcoin.pdf
Narula, N., Vasquez, W., Virza, M.: zkLedger: privacy-preserving auditing for distributed ledgers. In: 15th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2018, Renton, WA, USA, 9–11 April 2018, pp. 65–80 (2018)
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
Tomescu, A., Devadas, S.: Catena: efficient non-equivocation via bitcoin. In: 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, 22–26 May 2017, pp. 393–409 (2017)
Wüst, K., Kostiainen, K., Čapkun, V., Čapkun, S.: PRCash: fast, private and regulated transactions for digital currencies. In: Goldberg, I., Moore, T. (eds.) FC 2019. LNCS, vol. 11598, pp. 158–178. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32101-7_11
Zamani, M., Movahedi, M., Raykova, M.: Rapidchain: scaling blockchain via full sharding. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 931–948 (2018)
Acknowledgments
This work was supported in part by the National Key R&D Program of China (2017YFB0802500), Beijing Municipal Science and Technology Project (No. Z191100007119007), and Shandong province major science and technology innovation project (2019JZZY020129).
Appendices
A Non-interactive Verifiable Multi-secret Sharing Scheme
In this section, we describe the definitions, construction, and security of the VMSS scheme.
A.1 Definitions
A VMSS scheme consists of a distribution phase, a verification phase, and a recovery phase. In the distribution phase, the dealer commits to the secret set and sends shares to the participants. In the verification phase, the participants verify the shares sent by the dealer. In the recovery phase, the participants reconstruct the secret set.
We assume that a dealer D distributes a secret set \(S=\{s_1,...,s_l\} \in \mathbb {Z}_q^l\) to n participants \(P_1,...,P_n\). Let \(Ver_{pro}\) denote the verification protocol run between the dealer D and the participants \(P_1, ..., P_n\). A VMSS scheme is secure with threshold t if it satisfies the following two definitions (cf. [17]).
Definition 1
The protocol \(Ver_{pro}\) must satisfy the following two requirements:
1. If the dealer and \(P_i\) follow \(Ver_{pro}\) for \(i \in \{1,...,n\}\), and the dealer follows the distribution protocol, then \(P_i\) accepts the dealer's share with probability 1.
2. For all subsets \(U_1, U_2\) of the set \(U = \{1, ..., n\}\) with \(|U_1|=|U_2|=t + 1\), if all participants in \(U_1\) and \(U_2\) have accepted their respective shares sent by the dealer in \(Ver_{pro}\), then the secret sets \(S_1\) and \(S_2\) reconstructed by \(U_1\) and \(U_2\) satisfy \(S_1=S_2\).
Definition 2
For any \(A \subseteq \{1,...,n\}\) with \(|A| \le t-l+1\) and any \(View_A\), the VMSS protocol satisfies:
where \(S=\{s_1,...s_l\}\) and \(View_A\) denotes the view of the set A.
A.2 Construction
We assume that the dealer D has a secret set \(S=\{s_1,...,s_l\} \in \mathbb {Z}_q^l\), and that a trusted authority has chosen \(g,h\) in a subgroup of \(\mathbb {Z}_p^*\) of prime order q, with \(h=g^\gamma\) for a \(\gamma \in \mathbb {Z}_q\) that is not revealed to the dealer. The VMSS scheme is described as follows.
Distribution Phase. The dealer D samples \(\beta _1,...,\beta _l \in \mathbb {Z}_q\) uniformly at random and broadcasts \(E_i=g^{s_i}h^{\beta _i}\) for \(i=1,...,l\). Then D chooses two random polynomials \(f(x), f'(x) \in \mathbb {Z}_q[x]\) of degree t (this requires \(l \le t+1\)) such that \(f(-k)=s_k\) and \(f'(-k)=\beta _k\) for \(k=1,...,l\). Let \(f(x)=a_{0}+a_{1}x+...+a_{t}x^t\) and \(f'(x)=b_{0}+b_{1}x+...+b_{t}x^t\). Then D broadcasts \(cm_j=g^{a_j}h^{b_j}\) for \(j=0,1,...,t\). Finally, D computes \(st_i=f(i), sh_i=f'(i)\) and sends \((st_i,sh_i)\) to \(P_i\) over a private channel for \(i=1,...,n\).
Verification Phase. For each \(i \in \{1,...,n\}\), \(P_i\) first checks the secret commitments: for \(k=1,...,l\) it checks whether \(E_k=\prod _{j=0}^tcm_j^{(-k)^j}\), which holds exactly when the committed polynomials satisfy \(g^{f(-k)}h^{f'(-k)}=g^{s_k}h^{\beta _k}\). If the check fails for any index k, \(P_i\) rejects \((st_i,sh_i)\). Otherwise, \(P_i\) checks its own share: it accepts \((st_i,sh_i)\) if \(g^{st_i}h^{sh_i}=\prod _{j=0}^tcm_j^{i^j}\), and rejects it otherwise.
Recovery Phase. Any set of at least \(t+1\) participants that have accepted their shares can recover the polynomial f from their shares \(st_i=f(i)\) via Lagrange interpolation, and then reconstruct the secret set S as \(s_k=f(-k)\) for \(k=1,...,l\).
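The three phases above, run end to end, as an added Python example (it is not the paper's code and not an implementation taken from SkyEye or BTSOF). It assumes a toy safe-prime group with \(p = 2039\), \(q = 1019\) and \(g = 4\), chosen so the run is instant; a deployment would use a large safe-prime or elliptic-curve group and the same checks. The dealer obtains polynomials with \(f(-k)=s_k\) and \(f'(-k)=\beta _k\) by interpolating through those points plus \(t+1-l\) random padding points, every participant runs both checks of the verification phase, and the demo also shows a dealer whose broadcast \(E_1\) does not match \(f(-1)\) being rejected by every participant.

```python
# Added example (not the paper's code): the VMSS of Appendix A.2 over a toy group.
# Assumption: p = 2q + 1 = 2039 is a small safe prime picked so the demo is instant;
# g generates the order-q subgroup, and h = g^gamma is set by a "trusted authority".
from secrets import randbelow

P, Q = 2039, 1019
G = 4                                  # 2^2 mod p: in the order-q subgroup, and != 1
H = pow(G, 1 + randbelow(Q - 1), P)    # gamma is never stored: the dealer must not know it


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return out


def poly_from_points(points):
    """Lagrange interpolation in Z_q, returned as coefficients [a_0, ..., a_t]."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = poly_mul(basis, [(-xj) % Q, 1])   # times (x - x_j)
                denom = denom * (xi - xj) % Q
        scale = yi * pow(denom, -1, Q) % Q
        for d, c in enumerate(basis):
            coeffs[d] = (coeffs[d] + scale * c) % Q
    return coeffs


def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def lagrange_at(points, x):
    """Value at x of the polynomial through `points`, without recovering coefficients."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def commit_eval(cm, x):
    """prod_j cm_j^{x^j} = g^{f(x)} h^{f'(x)}; exponents are reduced in Z_q."""
    acc, xj = 1, 1
    for c in cm:
        acc = acc * pow(c, xj, P) % P
        xj = xj * x % Q
    return acc


def distribute(secret_set, n, t):
    """Distribution phase (dealer D): broadcast (E, cm), private shares {i: (st_i, sh_i)}."""
    l = len(secret_set)
    assert l <= t + 1 <= n and n + t + 2 < Q        # evaluation points must be distinct in Z_q
    betas = [randbelow(Q) for _ in secret_set]
    E = [pow(G, s, P) * pow(H, b, P) % P for s, b in zip(secret_set, betas)]
    # f(-k) = s_k, f'(-k) = beta_k; pad with t+1-l random points so deg f = deg f' = t
    pad_x = [(-(l + m)) % Q for m in range(1, t + 2 - l)]
    f = poly_from_points([((-k) % Q, s) for k, s in enumerate(secret_set, 1)]
                         + [(x, randbelow(Q)) for x in pad_x])
    fp = poly_from_points([((-k) % Q, b) for k, b in enumerate(betas, 1)]
                          + [(x, randbelow(Q)) for x in pad_x])
    cm = [pow(G, a, P) * pow(H, b, P) % P for a, b in zip(f, fp)]
    shares = {i: (poly_eval(f, i), poly_eval(fp, i)) for i in range(1, n + 1)}
    return E, cm, shares


def verify_share(E, cm, i, share):
    """Verification phase (participant P_i): both checks of A.2 must pass."""
    for k, Ek in enumerate(E, 1):
        if Ek != commit_eval(cm, (-k) % Q):   # do the committed polynomials hit E_k at -k?
            return False
    st, sh = share
    return pow(G, st, P) * pow(H, sh, P) % P == commit_eval(cm, i)


def recover(accepted, t, l):
    """Recovery phase: t+1 accepted shares interpolate f; the secrets are f(-1), ..., f(-l)."""
    if len(accepted) < t + 1:
        raise ValueError("need at least t+1 accepted shares")
    pts = [(i, st) for i, (st, _) in list(accepted.items())[: t + 1]]
    return [lagrange_at(pts, (-k) % Q) for k in range(1, l + 1)]


def run_demo(secret_set=(17, 401, 999), n=7, t=4):
    """Honest dealer: all accept and any t+1 shares rebuild S; a tampered E_1 is rejected by all."""
    E, cm, shares = distribute(list(secret_set), n, t)
    accepted = {i: s for i, s in shares.items() if verify_share(E, cm, i, s)}
    recovered = recover(dict(list(accepted.items())[n - t - 1:]), t, len(secret_set))
    bad_E = [E[0] * G % P] + E[1:]           # E_1 now commits to s_1 + 1, not to f(-1)
    caught = not any(verify_share(bad_E, cm, i, s) for i, s in shares.items())
    return len(accepted), recovered, caught
```

The first check in `verify_share` is what binds the shared polynomial to the public commitments \(E_k\): a participant who skipped it would still accept a well-formed share, but the set recovered later could differ from the set the dealer committed to. The check reveals nothing about \(s_k\) or \(\beta _k\) to \(P_i\), which is why the construction needs \(\gamma\) to stay unknown to the dealer (Theorem 2 below).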
A.3 Security
Theorem 2
If the dealer D cannot compute \(\gamma \), the VMSS scheme described in Sect. A.2 is secure; that is, it satisfies Definition 1 and Definition 2.
Due to space constraints, we provide the proof of Theorem 2 in the full version [13].
B Security Requirements of DMKG Protocol
The DMKG protocol generates the public-private key pair (pk, sk) of the Cramer-Shoup encryption scheme, where \(pk = (c_1, c_2, c_3) = (g_1^{x_1}g_2^{x_2},g_1^{y_1}g_2^{y_2},g_1^z)\) and \(sk = (x_1, x_2, y_1, y_2, z)\). The DMKG protocol is secure with threshold t if it satisfies the following requirements in the presence of an adversary \(\mathcal {A}\) that corrupts at most \(t-1\) participants (cf. [10]).
1. Correctness
(P1). Any subset of \(t+1\) shares provided by honest participants determines the same private key \(sk = (x_1, x_2, y_1, y_2, z)\).
(P2). There is an efficient algorithm that, on input the n participants' shares and the public messages generated by the DMKG protocol, outputs the unique private key sk, even if at most \(t-1\) of the shares were generated by corrupted participants.
(P3). All honest participants hold the same public key \(pk = (c_1, c_2, c_3) = (g_1^{x_1}g_2^{x_2},g_1^{y_1}g_2^{y_2},g_1^z)\), where \((x_1, x_2, y_1, y_2, z)\) is the private key determined by P1.
(P4). The values \(x_1, x_2, y_1, y_2\) and z of the private key are uniformly distributed in \(\mathbb {Z}_q\).
2. Secrecy
The adversary learns nothing about sk beyond the public key pk. More formally, for every probabilistic polynomial-time adversary \(\mathcal {A}\) that corrupts at most \(t-1\) participants there is a simulator \(\mathcal {O}\) such that, on input the public key pk, the output distribution of \(\mathcal {O}\) is indistinguishable from the adversary's view in a real run of the DMKG protocol that outputs the public key pk.
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Ma, T., Xu, H., Li, P. (2020). A Blockchain Traceable Scheme with Oversight Function. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds) Information and Communications Security. ICICS 2020. Lecture Notes in Computer Science(), vol 12282. Springer, Cham. https://doi.org/10.1007/978-3-030-61078-4_10
DOI: https://doi.org/10.1007/978-3-030-61078-4_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-61077-7
Online ISBN: 978-3-030-61078-4