In 2008, Satoshi Nakamoto proposed a peer-to-peer electronic cash system called Bitcoin [1]. Consequently, considerable research on its underlying technology, called blockchain, has been conducted worldwide. However, blockchain technologies [1-2] face a privacy protection problem.
To solve the privacy protection problem in blockchains, many schemes [3-8] have been proposed. The Mixcoin mechanism [3] was proposed to hide the transaction process among transaction users; however, the centralized Mixcoin scheme may lead to transactional centralization. A ring signature was applied in the Monero cryptocurrency [4]; however, in this anonymity technique the ring signature operation relies on other users' public keys. Ring confidential transactions [5] improve Monero [4] by introducing a Pedersen commitment on top of the ring signature. In 2013, Zerocoin [6], a distributed e-cash system, was proposed to apply cryptographic techniques that unlink transactions from the payment's origin without adding trusted parties; however, Zerocoin has limited functionality. To overcome this problem, Zerocash [7] was proposed to hide the transaction amount and the origin and destinations of the payment; however, Zerocash has poor efficiency. Bolt [8] constructs three anonymous payment channels to provide secure, instantaneous, and private payments. However, all of the above schemes provide inappropriate or excessive privacy protection and therefore raise a transaction supervision problem: nobody can determine the relevant information about transaction users, so crimes such as fraud, money laundering, and drug smuggling are prone to occur.
To resolve the conflict between privacy protection and transaction supervision in blockchains, a number of schemes [9-12] have been proposed. Auditable Zerocoin [9] allows designated auditors to extract link information from Zerocoin transactions. A decentralized anonymous payment scheme with accountability and privacy [10] addresses regulatory concerns by adding a privacy-preserving policy-enforcement mechanism. The confidential and auditable payment scheme [11] keeps the transaction confidential. The organization-friendly blockchain system [12] was proposed to balance privacy protection and transaction supervision. However, that scheme is vulnerable to forgery and collusion attacks, through which an attacker can illegally obtain the transaction amount.
In this paper, the organization-friendly blockchain system [12] is briefly reviewed, the forgery and collusion attacks to which the system [12] is vulnerable are described, and countermeasures against these attacks are presented.
The organization-friendly blockchain system [12] has nine main phases: system setup Setup, key generation KeyGen, organization issue Issue, user registration Join, address generation AddrGen, transaction generation TransGen, transaction verification TransVer, transaction relay TransRelay, and user identity tracing UserTrace.
In the Setup phase, the system runs Setup to initialize itself. Setup takes as input a security parameter 1^k and outputs the system public parameter P. G1 and G2 are bilinear groups with a pairing e: G1×G2→GT and |G1|=|G2|=p, where p is prime, g1 is a generator of G1, g2 is a generator of G2, g1←ψ(g2), and H is a hash function. The system public parameter is P=(G1,G2,g1,g2,p,H).
In the KeyGen phase, the registration node RegMan, organization node OrgMan, and member user node MebUser generate their respective key pairs.
1) RegMan randomly chooses . The public key of RegMan is rpk=(u,v), and the private key is rsk=(x,y).
2) The transaction sending organization SedOrg randomly chooses h1∈G1\{1G1} and u1,v1∈G1 such that . SedOrg randomly chooses , and computes . Then, it randomly chooses . SedOrg also randomly chooses two large primes p1 and q1 and computes n1=p1q1 such that gcd(n1,(p1-1)(q1-1))=1. SedOrg computes λ1=lcm(p1-1,q1-1). SedOrg randomly chooses , where L(x)=(x-1)/n1. The public key of SedOrg is , and the private key is osks=(x1,y1,r1,λ1). In the same way, the transaction receiving organization RecOrg obtains its public key and private key oskr=(x2,y2,r2,λ2).
3) The transaction sender SedUser randomly chooses . The public key of SedUser is upks=(h3,u3), and the private key is usks=x3. In the same way, the transaction receiver RecUser obtains its public key upkr=(h4,u4) and private key uskr=x4.
In the Issue phase, OrgMan and RegMan interactively generate an organization certificate Co. SedOrg and RecOrg submit their respective organization public keys opks and opkr and other identifying information to RegMan for registration. Once the organization's identity verification passes, RegMan sends the certificates Cso=(σ0=g1/(x+ν1+yr1), r and to SedOrg and RecOrg, respectively. Once SedOrg and RecOrg have verified their respective organization certificates, RegMan binds each organization certificate to the organization's public key and places it in the certificate library Clo.
In the Join phase, MebUser and OrgMan interactively generate a sub-certificate Cu. SedUser and RecUser submit their respective public keys upks and upkr and other identifying information to SedOrg and RecOrg for registration. Once the user's identity verification passes, SedOrg and RecOrg send the sub-certificates Csu=(A=(g1/u3)^(1/(r1+a)), a) and Cru=(A′=(g1/u4)^(1/(r2+a1)), a1), together with the organization certificates Cso and Cro, to SedUser and RecUser, respectively. Once SedUser and RecUser have verified their respective sub-certificates and organization certificates, OrgMan binds each sub-certificate to the user's public key and places it in the sub-certificate library Clu.
In the AddrGen phase, OrgMan and MebUser generate their respective wallet addresses.SedOrg and RecOrg compute their respective wallet addresses aso=H(opks), and aro=H(opkr).SedUser and RecUser compute their respective wallet addresses asu=H(upks)and aru=H(upkr).
In the TransGen phase, SedUser generates a transaction and broadcasts it to the blockchain network.
SedUser encrypts the transaction amount mi of each input address, i∈{1,2,…,l}, and RecUser's address aru with RecOrg's public key opkr, where l is the number of input addresses. SedUser uses the Paillier algorithm [13] for encryption. The corresponding ciphertexts are
SedUser proves that every transaction amount mi is greater than 0. SedUser generates a commitment to its account amount m and computes
SedUser signs the transaction information with its private key usks. The signature is σ=(T1,T2,T3,c0,c1,…,cl,cl+1,c,sα,sβ,sa,sx3,sδ1,sδ2), where u1, v1, h1 are the values in SedOrg's public key, α and β are random numbers, and A is the value in SedUser's sub-certificate Csu=(A=(g1/u3)^(1/(r1+a)), a).
SedUser attaches Cso as the transaction certificate and forms the transaction T=(aso,aro,σ,h3,opks,Cso). Then, SedUser broadcasts T to the blockchain network.
In the TransVer phase, the miner node Miner verifies the validity of the transaction T=(aso,aro,σ,h3,opks,Cso)according to the following equations:
(1)
(2)
(3)
Once Eqs. (1), (2), and (3) hold, Miner broadcasts the transaction T=(aso,aro,σ,h3,opks,Cso) and generates a block B to complete the transaction in the blockchain trading system.
In the TransRelay phase, RecOrg receives the transaction T=(aso,aro,σ,h3,opks,Cso) broadcast by Miner and, with its private key oskr, decrypts the wallet address aru (mod n2) and the transaction amounts mi (mod n2), i∈{1,2,…,l}. Then, RecOrg relays the transaction amount to RecUser.
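The Paillier part of the TransGen and TransRelay phases (SedUser encrypting aru and m1,…,ml under RecOrg's key, and RecOrg decrypting them with λ2 and L(x)) is shown below in runnable form. This is an added example, not code from the paper or from the organization-friendly blockchain system. Key generation follows the paper's description (n=pq with gcd(n,(p-1)(q-1))=1, λ=lcm(p-1,q-1), L(x)=(x-1)/n); the prime size, the generator choice g=n+1, the reduction of the address hash H(upk) into Z_n, and the sample amounts are assumptions of the example.

```python
"""Paillier encryption as used in the TransGen/TransRelay phases.

Added example, not the paper's code. Key generation mirrors the paper's
organization key: n = p*q with gcd(n, (p-1)(q-1)) = 1, lambda = lcm(p-1, q-1)
and L(x) = (x-1)/n. Prime size, g = n+1, the reduction of the address hash
into Z_n and the sample amounts are assumptions of this example.
"""
import hashlib
import math
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; error probability at most 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def _L(x: int, n: int) -> int:
    """The paper's L(x) = (x - 1) / n; exact because x = 1 (mod n)."""
    return (x - 1) // n


def paillier_keygen(bits: int = 512):
    """Return ((n, g), (lam, mu)); for RecOrg these are (n2, ...) and lambda2."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n = p * q
        if p != q and math.gcd(n, (p - 1) * (q - 1)) == 1:
            break
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1  # common generator choice (assumption of this example)
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)  # inverse of L(g^lambda mod n^2)
    return (n, g), (lam, mu)


def paillier_encrypt(pk, m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r in Z_n^*."""
    n, g = pk
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in [0, n)")
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def paillier_decrypt(pk, sk, c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = pk
    lam, mu = sk
    return (_L(pow(c, lam, n * n), n) * mu) % n


def address_of(upk: bytes, n: int) -> int:
    """Wallet address a = H(upk), reduced into Z_n so it fits a plaintext slot."""
    return int.from_bytes(hashlib.sha256(upk).digest(), "big") % n


def transgen_encrypt(opk_r, amounts, upk_r: bytes):
    """SedUser's step: c_0 encrypts a_ru, c_1..c_l encrypt m_1..m_l under opk_r."""
    c0 = paillier_encrypt(opk_r, address_of(upk_r, opk_r[0]))
    return [c0] + [paillier_encrypt(opk_r, m) for m in amounts]


def transrelay_decrypt(opk_r, osk_r, ciphertexts):
    """RecOrg's step: recover the receiver's address and the amounts with osk_r."""
    plain = [paillier_decrypt(opk_r, osk_r, c) for c in ciphertexts]
    return plain[0], plain[1:]


def demo():
    opk_r, osk_r = paillier_keygen(512)
    upk_r = b"upk_r: constructed sample receiver public key"  # constructed input
    amounts = [120, 45, 9]                                   # constructed m_1..m_3
    cts = transgen_encrypt(opk_r, amounts, upk_r)
    addr, recovered = transrelay_decrypt(opk_r, osk_r, cts)
    # Malleability: the product of the amount ciphertexts is a valid ciphertext
    # of the sum, produced without osk_r. Only the signature over c_0..c_{l+1}
    # stops a relaying party from substituting such a ciphertext.
    n2 = opk_r[0] ** 2
    summed = 1
    for c in cts[1:]:
        summed = summed * c % n2
    total = paillier_decrypt(opk_r, osk_r, summed)
    return addr == address_of(upk_r, opk_r[0]), recovered, total


if __name__ == "__main__":
    print(demo())  # prints (True, [120, 45, 9], 174)
```

The last step of demo() multiplies the amount ciphertexts and decrypts the result to their sum: Paillier is additively homomorphic, so any party can derive a valid ciphertext for a related amount without oskr. This is why the scheme hashes c0, c1, …, cl+1 into the challenge c; the ciphertexts are only as trustworthy as the signature that binds them, and the attacks described later keep the amount ciphertexts while re-signing the transaction under a different member's sub-certificate.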
In the UserTrace phase, the system traces the identity of the malicious transaction user when an abnormal transaction occurs. The process is divided into external tracing and internal tracing.
In external tracing, RegMan receives the transaction sent by Miner and traces the public key opks of SedOrg from the organization certificate Cso.
In internal tracing, SedOrg receives the transaction sent by RegMan and decrypts the user's sub-certificate Csu with its private key osks=(x1,y1,r1,λ1). Given σ, SedOrg computes A of Csu. The malicious internal user's public key upks is then traced from the sub-certificate Csu.
In this section, the forgery attack is described in detail. The forgery attack has two phases: the preparation phase and the implementation phase.
In the forgery attack preparation phase, the attacker A0 registers with a legitimate OrgMan.
In the KeyGen phase of the scheme [12], the attacker A0, as a MebUser, generates its key pair. A0 randomly chooses hA∈G1\{1G1} and xA. The public key of A0 is upkA=(hA,uA), and the private key is uskA=xA.
In the Join phase of the scheme [12], A0 registers with the legitimate OrgMan. Taking registration with one OrgMan as an example, A0 submits its public key upkA and other identifying information and easily passes the identity verification. OrgMan randomly chooses , computes AA=(g1/uA)^(1/(r1+a′)), and generates the sub-certificate CA=(AA,a′). OrgMan sends the sub-certificate CA and the organization certificate Co to A0. In the same way, A0 can obtain a sub-certificate and organization certificate from any other legitimate OrgMan.
In the AddrGen phase of the scheme [12], the attacker A0 computes its wallet address aA=H(upkA).
Having finished the forgery attack preparation phase, the attacker A0 can start the forgery attack implementation phase.
First, the attacker A0 intercepts the transaction T=(aso,aro,σ,h3,opks,Cso) as soon as MebUser broadcasts it in the TransGen phase of the scheme [12]. A0 modifies T as T′=(aso,aro,σ′,hA,opks,Cso) and broadcasts T′ to the blockchain network. A0 modifies σ=(T1,T2,T3,c0,c1,…,cl,cl+1,c,sα,sβ,sa,sx3,sδ1,sδ2) as σ′=(T′1,T′2,T′3,c′0,c1,…,cl,cl+1,c′,s′α,s′β,s′a,s′xA,s′δ1,s′δ2) and changes h3 to hA, as follows.
To modify σ as σ′, A0 randomly chooses . A0 also randomly chooses , where AA is the value in the sub-certificate issued by SedOrg to A0 during the preparation phase, and computes δ′1=a′α′ and δ′2=a′β′. A0 randomly chooses r′α, . Then, A0 computes c′=H(c′0‖c1‖…‖cl‖cl+1‖T′1‖T′2‖T′3‖R′1‖R′2‖R′3‖R′4‖R′5), s′α=r′α+c′α′, s′β=r′β+c′β′, s′a=r′a+c′a′, s′δ1=r′δ1+c′δ′1, and s′δ2=r′δ2+c′δ′2. The modified signature is σ′=(T′1,T′2,T′3,c′0,c1,…,cl,cl+1,c′,s′α,s′β,s′a,s′xA,s′δ1,s′δ2). A0 replaces h3 with hA. The modified transaction is T′=(aso,aro,σ′,hA,opks,Cso).
Second, in the TransVer phase of the scheme [12], Miner verifies the validity of the transaction T′=(aso,aro,σ′,hA,opks,Cso). If Eqs. (1), (2), and (3) hold, the modified transaction T′ passes verification.
1) Miner verifies whether Eq. (1), as rewritten for T′, holds. It does. The left side of Eq. (1) is c′, which is carried in σ′ of the modified transaction T′ and equals H(c′0‖c1‖…‖cl‖cl+1‖T′1‖T′2‖T′3‖R′1‖R′2‖R′3‖R′4‖R′5). The right side of Eq. (1) is recomputed from σ′. Here,
\[
\begin{aligned}
&e(T'_3,g_2)^{s'_a}\, e(h_1,w_1)^{-s'_\alpha-s'_\beta}\, e(h_1,g_2)^{-s'_{\delta_1}-s'_{\delta_2}}\, e(h_A,g_2)^{s'_{x_A}}\cdot\Bigl(\frac{e(T'_3,w_1)}{e(g_1,g_2)}\Bigr)^{c'}\\
&= e(h_1,w_1)^{-r'_\alpha-r'_\beta-c'(\alpha'+\beta')}\, e(h_1,g_2)^{-r'_{\delta_1}-r'_{\delta_2}-c'a'(\alpha'+\beta')}\cdots
\end{aligned}
\]
2) The two sides of Eq. (1) are equal. Therefore, Eq. (1) holds.
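The expansion above stops after two factors; the following carries it through with the paper's symbols to show why the right side reproduces the R′3 term that A0 hashed into c′. This derivation is added here and is not part of the paper. It assumes, as the KeyGen and Join notation suggests but the text does not state, that uA=hA^xA, that w1=g2^r1 is the component of SedOrg's public key paired against A, that T′3=AA·h1^(α′+β′), and that s′xA=r′xA+c′xA in the same way as the other s′ values.

Substituting s′a=r′a+c′a′, s′α=r′α+c′α′, s′β=r′β+c′β′, s′δ1=r′δ1+c′a′α′, s′δ2=r′δ2+c′a′β′ and s′xA=r′xA+c′xA into the right side:
\[
\begin{aligned}
&e(T'_3,g_2)^{s'_a}\, e(h_1,w_1)^{-s'_\alpha-s'_\beta}\, e(h_1,g_2)^{-s'_{\delta_1}-s'_{\delta_2}}\, e(h_A,g_2)^{s'_{x_A}}\Bigl(\frac{e(T'_3,w_1)}{e(g_1,g_2)}\Bigr)^{c'}\\
&= \underbrace{e(T'_3,g_2)^{r'_a}\, e(h_1,w_1)^{-r'_\alpha-r'_\beta}\, e(h_1,g_2)^{-r'_{\delta_1}-r'_{\delta_2}}\, e(h_A,g_2)^{r'_{x_A}}}_{R'_3}\cdot
e(T'_3,g_2)^{c'a'}\, e(h_1,w_1)^{-c'(\alpha'+\beta')}\, e(h_1,g_2)^{-c'a'(\alpha'+\beta')}\, e(h_A,g_2)^{c'x_A}\Bigl(\frac{e(T'_3,w_1)}{e(g_1,g_2)}\Bigr)^{c'} .
\end{aligned}
\]
With T′3=AA·h1^(α′+β′),
\[
e(T'_3,g_2)^{c'a'} = e(A_A,g_2)^{c'a'}\, e(h_1,g_2)^{c'a'(\alpha'+\beta')},\qquad
e(T'_3,w_1)^{c'} = e(A_A,w_1)^{c'}\, e(h_1,w_1)^{c'(\alpha'+\beta')},
\]
so every h1 factor cancels and the trailing product collapses to
\[
\Bigl(e(A_A,\, w_1 g_2^{a'})\, e(h_A,g_2)^{x_A}\, e(g_1,g_2)^{-1}\Bigr)^{c'}
= \Bigl(e\bigl((g_1/u_A)^{1/(r_1+a')},\, g_2^{r_1+a'}\bigr)\, e(u_A,g_2)\, e(g_1,g_2)^{-1}\Bigr)^{c'}
= \bigl(e(g_1,g_2)\, e(u_A,g_2)^{-1}\, e(u_A,g_2)\, e(g_1,g_2)^{-1}\bigr)^{c'} = 1 .
\]
The right side therefore equals R′3 exactly, and the same cancellation holds for the other R′ terms. Nothing in the check depends on the original SedUser: the only secret consumed is A0's own valid sub-certificate (AA,a′) and key xA, which is why a legitimately registered member can re-sign another member's transaction under its own identity and still satisfy Eq. (1).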
3) The original signature is σ=(T1,T2,T3,c0,c1,…,cl,cl+1,c,sα,sβ,sa,sx3,sδ1,sδ2), and the modified signature is σ′=(T′1,T′2,T′3,c′0,c1,…,cl,cl+1,c′,s′α,s′β,s′a,s′xA,s′δ1,s′δ2). The transaction amount ciphertexts ci, i∈{1,2,…,l,l+1}, are not modified, so the corresponding equation holds. The verification process is
4) The original transaction is T=(aso,aro,σ,h3,opks,Cso), and the modified transaction is T′=(aso,aro,σ′,hA,opks,Cso). SedOrg's certificate Cso has not been modified, so the corresponding equation holds.
5) Having checked the three equations, Miner broadcasts the transaction T′ and generates a new block B′ to complete the transaction in the blockchain trading system.
Finally, in the TransRelay phase of the scheme [12], RecOrg receives the transaction T′=(aso,aro,σ′,hA,opks,Cso) broadcast by Miner and, with its private key oskr, decrypts the wallet address (mod n2) and the transaction amounts mi (mod n2), i∈{1,2,…,l}. Then, RecOrg relays the transaction amount to the wallet address aA of the attacker node A0 instead of to the legitimate RecUser.
In this study, a collusion attack is an attack in which several nodes in the blockchain conspire, exchanging useful information and modifying transaction content, to illegally obtain other legitimate nodes' transaction amounts.
Specifically, the collusion attack is launched as follows. The malicious node A2 sends its own address to another malicious node A1, where A2 is a MebUser belonging to the same organization as the original RecUser and A1 is a MebUser belonging to the same organization as the original SedUser. A1 then modifies the original transaction, changing its receiving address to A2's address. Finally, A2 illegally obtains the transaction amount sent by the original SedUser.
The collusion attack has two phases: the preparation phase and the implementation phase.
In the collusion attack preparation phase, attackers A1 and A2 register with the legitimate OrgMan, and A2 sends its wallet address to A1.
In the KeyGen phase of the scheme [12], attackers A1 and A2, as MebUser, generate their respective key pairs. A1 randomly chooses hA1∈G1\{1G1} and xA1. The public key of A1 is upA1=(hA1,uA1), and the private key is usA1=xA1. In the same way, attacker A2 generates its public key upA2=(hA2,uA2) and private key usA2=xA2.
In the Join phase of the scheme [12], A1 and A2 register with their respective legitimate OrgMan. Taking A1's registration as an example, A1 obtains the sub-certificate CA1=(AA1=(g1/uA1)^(1/(r1+a*)), a*).
In the AddrGen phase of the scheme [12], A1 and A2 compute their respective wallet addresses aA1=H(upA1) and aA2=H(upA2). Then, A2 sends its wallet address aA2 to A1.
After the collusion attack preparation phase, attacker A1 can start the collusion attack implementation phase.
First, attacker A1 intercepts the transaction T=(aso,aro,σ,h3,opks,Cso) as soon as the member user node broadcasts it in the TransGen phase of the scheme [12]. A1 then modifies T as T″=(aso,aro,σ″,hA1,opks,Cso) and broadcasts T″ to the blockchain network. A1 modifies σ=(T1,T2,T3,c0,c1,…,cl,cl+1,c,sα,sβ,sa,sx3,sδ1,sδ2) as σ″=(T″1,T″2,T″3,c″0,c1,…,cl,cl+1,c″,s″α,s″β,s″a,s″xA1,s″δ1,s″δ2), where . The rest of the modification process is the same as in the forgery attack, except that the encrypted receiving address c″0 now encrypts A2's wallet address aA2 rather than A1's own.
Second, in the TransVer phase of the scheme [12], Miner verifies the validity of the transaction T″=(aso,aro,σ″,hA1,opks,Cso). Eqs. (1), (2), and (3) hold by the same verification process as in the forgery attack, so the modified transaction T″ passes verification.
Finally, in the TransRelay phase of the scheme [12], RecOrg receives the transaction T″ broadcast by Miner and decrypts the ciphertexts c″0 and ci, i∈{1,2,…,l}, with its private key oskr=(x2,y2,r2,λ2) to obtain the receiver's wallet address aA2 and the transaction amounts mi. RecOrg then relays the transaction amount to attacker A2.
In this section, an improvement of the scheme [12] is proposed. The TransGen and TransVer phases of the scheme [12] are modified as follows:
In the TransGen phase of the scheme [12], the original transaction T=(aso,aro,σ,h3,opks,Cso) is modified as . The original transaction input and output addresses aso and aro, SedUser's public key h3, and the signature σ=(T1,T2,T3,c0,c1,…,cl,cl+1,c,sα,sβ,sa,sx3,sδ1,sδ2) are modified, and RecOrg's public key opkr is added.
1) The transaction input address aso=H(opks) is modified as ain=H(opks‖T3). Randomly choose , where A is the value in SedUser's sub-certificate Csu=(A=(g1/u3)^(1/(r1+a)), a) and h1 is the value in SedOrg's public key .
2) The transaction output address aro=H(opkr) is modified as aout=H(opkr‖T3r). Randomly choose , where A′ is the value in RecUser's sub-certificate Cru=(A′=(g1/u4)^(1/(r2+a1)), a1) and h2 is the value in RecOrg's public key .
3) h3 is modified as s1=e(h3,g2). To modify σ accordingly, the term R3=e(T3,g2)^(ra) e(h1,w1)^(-rα-rβ) e(h1,g2)^(-rδ1-rδ2) e(h3,g2)^(rx3) is modified, and the challenge c=H(c0‖c1‖…‖cl‖cl+1‖T1‖T2‖T3‖R1‖R3‖R4‖R5) is recomputed over the modified values.
4) RecOrg's public key opkr is added to the transaction T. Finally, the modified transaction is (…, opkr, Cso).
In the TransVer phase of the scheme [12], the verification equation is modified accordingly, with ain=H(opks‖T3).
The improved system [12] resists the forgery attack: an attacker cannot carry it out successfully, as described below.
After the forgery attack preparation phase, the attacker A0 starts the forgery attack implementation phase.
First, attacker A0 intercepts the transaction as soon as the member user node broadcasts it in the TransGen phase of the improved scheme. A0 modifies the original transaction and broadcasts the modified transaction to the blockchain network. A0 modifies s1=e(h3,g2) as s′1=e(hA,g2), where hA is the value in attacker A0's public key upkA=(hA,uA), and modifies
Then, in the TransVer phase of the improved scheme, Miner verifies the validity of the transaction according to Eqs. (1), (2), and (3). Here, the right side of Eq. (1) is recomputed from the modified signature as
\[
\begin{aligned}
&e(T'_3,g_2)^{s'_a a_{in}}\, e(h_1,w_1)^{(-s'_\alpha-s'_\beta)a_{in}}\, e(h_1,g_2)^{(-s'_{\delta_1}-s'_{\delta_2})a_{in}}\cdots\\
&= e(T'_3,g_2)^{(r'_a+c'a')a_{in}}\, e(h_1,w_1)^{((-r'_\alpha-r'_\beta)-c'(\alpha'+\beta'))a_{in}}\cdots
\end{aligned}
\]
Eq. (1) does not hold, and Miner sends the transaction to RegMan for user identity tracing.
The improved system [12] resists the collusion attack: attackers A1 and A2 cannot launch it successfully. After the collusion attack preparation phase, attacker A1 starts the collusion attack implementation phase.
Attacker A1 intercepts the transaction as soon as the member user node broadcasts it in the TransGen phase of the improved scheme. A1 modifies the original transaction and broadcasts the modified transaction to the blockchain network. A1 modifies s1=e(h3,g2) as s″1=e(hA1,g2), where hA1 is the value in attacker A1's public key upA1=(hA1,uA1), and modifies
Then, in the TransVer phase of the improved scheme, Miner verifies the validity of the transaction according to Eqs. (1), (2), and (3). The verification process is the same as for the forgery attack, so Eq. (1) does not hold, and Miner sends the transaction to RegMan for user identity tracing.
1) In the organization-friendly blockchain system [12], attacker A0 can obtain the transaction amount without being detected, so the forgery attack succeeds.
2) In the organization-friendly blockchain system [12], attacker A2 can obtain the transaction amount without being detected, so the collusion attack succeeds.
3) In the improved organization-friendly blockchain system, the forgery and collusion attacks are prevented.
[1] Nakamoto S. Bitcoin: A peer-to-peer electronic cash system [EB/OL]. (2008) [2021-01-20]. http://www.bitcoin.org/bitcoin.pdf.
[2] Buterin V. Ethereum: A next generation smart contract and decentralized application platform [EB/OL]. (2013) [2021-01-10]. http://ethereum.org/en/whitepaper.
[3] Bonneau J, Narayanan A, Miller A, et al. Mixcoin: Anonymity for Bitcoin with accountable mixes [C]//Financial Cryptography and Data Security. Christ Church, Barbados, 2014: 486-504. DOI: 10.1007/978-3-662-45472-5_31.
[4] Van Saberhagen N. CryptoNote v2.0 [EB/OL]. (2012) [2021-01-10]. http://cryptonote.org/whitepaper.pdf.
[5] Noether S, Mackenzie A. Ring confidential transactions [J]. Ledger, 2016, 1: 1-18. DOI: 10.5195/LEDGER.2016.34.
[6] Miers I, Garman C, Green M, et al. Zerocoin: Anonymous distributed e-cash from Bitcoin [C]//IEEE Symposium on Security and Privacy. Berkeley, CA, USA, 2013: 397-411. DOI: 10.1109/SP.2013.34.
[7] Ben-Sasson E, Chiesa A, Garman C, et al. Zerocash: Decentralized anonymous payments from Bitcoin [C]//IEEE Symposium on Security and Privacy. San Jose, CA, USA, 2014: 459-474. DOI: 10.1109/SP.2014.36.
[8] Green M, Miers I. Bolt: Anonymous payment channels for decentralized currencies [C]//2017 ACM SIGSAC Conference on Computer and Communications Security. Dallas, TX, USA, 2017: 473-489. DOI: 10.1145/3133956.3134093.
[9] Naganuma K, Yoshino M, Sato H, et al. Auditable Zerocoin [C]//IEEE European Symposium on Security and Privacy Workshops. Paris, France, 2017: 59-63. DOI: 10.1109/EuroSP.2017.51.
[10] Garman C, Green M, Miers I. Accountable privacy for decentralized anonymous payments [C]//Financial Cryptography and Data Security. Christ Church, Barbados, 2016: 81-98. DOI: 10.1007/978-3-662-54970-4_5.
[11] Mitani T, Otsuka A. Confidential and auditable payments [C]//Financial Cryptography and Data Security. Kota Kinabalu, Malaysia, 2020: 466-480. DOI: 10.1007/978-3-030-54455-3_33.
[12] Zheng H, Wu Q, Xie J, et al. An organization-friendly blockchain system [J]. Computers & Security, 2020, 88: 101598. DOI: 10.1016/j.cose.2019.101598.
[13] Paillier P. Public-key cryptosystems based on composite degree residuosity classes [J]. Lecture Notes in Computer Science, 1999, 1592: 223-238. DOI: 10.1007/3-540-48910-X_16.