Digital signature scheme for information non-repudiation in blockchain: a state of the art review

Currently, as the key technology behind Bitcoin, the blockchain has been widely researched and deployed [1]. It provides a decentralized mechanism and infrastructure in different fields [2‐5] and maintains a chronologically continuous, non-tamperable data record. Meanwhile, it is also a research hotspot [6‐9]. When assets in the real or digital world can generate digital digests, the blockchain becomes the perfect vehicle for the application of the assertion class, to provide digital evidence of ownership and timestamps. Hence, the blockchain can be applied in many fields [10], which involve online payment, stock exchange, trade management, and IoT. Blockchain technology not only serves as the technical basis for all digital cryptocurrencies, but also extends broader developments and applications in traditional finance and trade. Furthermore, it also opens the door to new technologies such as smart contracts [11].

With the development of blockchain, the issues of hard fork and double payment [12], which are caused by block conflicts, will directly impact on the validity and integrity of E-commerce transactions. The essence of these issues is information security, in short, whether it is the consensus process in the face of 51% attack [13, 14], the Byzantine failures or in the future on the asymmetric encryption algorithm, as well as those attacks from outside rivals and transaction information forgery, or there are the personal privacy leakage and the software design flaws. The non-repudiation of information is very important for the security in blockchain. In order to guarantee the non-repudiation of information in the blockchain system, some security technologies, such as digital signature [15], identity authentication, and time stamping [16] are studied and applied.

Digital signatures can be used to verify the integrity of a file or a message. It is non-repudiation. In Fig. 1, a typical digital signature process is given basic on RSA. It is one of the digital signature algorithms, which are widely used [17]. Digital signature technology can be well adapted to its characteristics in the blockchain system. It will be more secure and applicable than the traditional application field and has the possibility of increasing value. For example, digital signature only carries information on the Internet, but has no value transfer.

In blockchain system, there is not only information transmission, but also the transfer of value. In such a context, our contributions of this paper include the following:

The rest of this paper is organized as follows. Firstly, the blockchain and non-repudiation are discussed in Section 2. Then, the digital signature schemes are analyzed in Section 3. Furthermore, the related works are reviewed and compared in detail in Section 4. Finally, the conclusions and future works are given in Section 5.

In this section, we will survey and analyze several typical digital signature schemes in blockchain. These signature schemes include aggregate signature, group signature, ring signature, blind signature, and proxy signature.

In this section, we will systematically review some state-of-the-art digital signature schemes, which are deployed in blockchain. Then, we give a comparative analysis of the mentioned signature schemes, in terms of application fields, methods, security, and performance.

Zhu et al. [37] proposed an IIS, which could protect the owner’s information from being falsified and the trader’s information could not be denied. This signature protocol was mainly used to build a blockchain system that was more accurate and had higher performance than existing blockchain systems. As the core of this system, IIS could ensure that the transaction was confirmed by the dealer and was undeniable. With this signature, the merchant could assure the owner that the transaction would be included in the blockchain system in an undeniable manner. The signature scheme proved to be a security guarantee for the owner’s unforgeability and the merchant’s non-repudiation. This scheme solved the problem of ensuring instant confirmation of non-repudiation during blockchain implementation.

Tian et al. [38] proposed a BVES based on traditional verifiable cryptographic signatures and blind signature ideas. Since each node of the blockchain could read transaction data during the transaction to verify that the transaction data was correct, but the transaction data involved the content of privacy. Therefore, either the contradiction arose or the privacy was protected. It was difficult to design a fair contract-signing agreement that protected privacy on the blockchain. They built a fair and confidential contract signing agreement based on this signature system, which not only allowed contract signers to complete fair contract signing through the blockchain, but also protected the privacy content related to the contract. This new blind verifiable cryptographic signature system effectively protected contract-related privacy content in the event of a transaction being disclosed.

Sato et al. [39] pointed out how the security of blockchain information would be affected when the underlying encryption algorithm (hash function and digital signature) compromised. If compromise occurred in SHA256, it would result in stolen electronic money, double payment, and failure to complete the agreement; when RIPEMD160 compromises, it would result in a denial of payment; when ECDSA compromised, it would result in currency theft and send a false alarm claims No payment was received; the hash function and the digital signature scheme produced compromises that, when combined, resulted in denied transactions, currency theft, double payments, and changes to existing transaction data. In order to solve the security problems in the blockchain, they proposed how to use a long signature scheme like the ETSI [40] standard and did not require the TTP mechanism. Through the research and analysis, it was found that the change of the key pair and the bifurcation could not be avoided when the signature scheme was compromised, but the additional blockchain could be used in a certain period of time (within a few years) through the protocol proposed by the researchers.

Aitzhan et al. [41] solved the problem of providing transaction security in decentralized smart grid energy trading without relying on trusted third parties. The concept validation of the decentralized energy trading system was implemented through blockchain technology, multiple signatures, and anonymously encrypted information flows. It enabled peers to anonymously negotiate energy prices and conducted transactions securely. Because they replicated between all active nodes, the system used P2P community data replication methods to protect transactions from failure. In addition, the use of workload proofs, such as Bitcoin, allowed the system to overcome the Byzantine general problem and to defend against any double payment attack that occurred in electronic payment systems.

Yuan et al. [42] proposed that privacy protection and blockchain performance were two research hotspots in academia and business fields, but there were still some unsolved problems in these two aspects. They designed a new signature scheme based on the aggregation signature algorithm in the blockchain big data transaction to try to solve the above problems. This scheme was applied to the transaction with multiple inputs and outputs whose amount would be hidden. In addition, the size of the signature in the transaction was constant, and it improved the performance of the signature regardless of the number of inputs and outputs contained in the transaction.

Shen et al. [43] introduced a method of concealing the transaction amount in the strongly dispersed anonymous password currency Monero. Similar to Bitcoin, Monero is a cryptocurrency that was assigned through a workload proof “dig” process, with no center or trusted party established. The original Monero protocol was based on Crypto Note, which used ring signatures and one-time keys to hide the purpose and source of the transaction. Bitcoin core developer Gregory Maxwell had discussed and implemented techniques for using a commitment scheme to hide transaction amounts.

Benjamin [44] described how ECDSA was applied to Bitcoin technology and introduced the elliptic curve digital signature and its application in blockchain technology. The emphasis on the elliptic curve theory and its application in cryptography was a more extensive topic, and it was proved that the security of elliptic curve-based cryptosystem was infeasible by the computation of elliptic curve discrete logarithm problem, thus deriving its security. The difficulty of solving this problem also ensured the security and authenticity of the Bitcoin network’s transaction on the blockchain.

ShenTu et al. [45] proposed an order to strengthen the anonymity of Bitcoin in the blockchain and prevented the centralized coin mixing provider (mixer) to mix bits with multiple inputs and multiple outputs to reveal the relationship between them, in order to provide real anonymity for user. Then, a centralized coin mixing algorithm based on the elliptic curve blind signature scheme (expressed as Blind-Mixing) was proposed, which prevented the mixer from linking the input address with the output address. In addition, Blind-Mixing blind signature scheme was 10.5 times faster than RSA Coin-Mixing, and Blind-Mixing can resist super attackers.

Mercer [46] focused on implementing the privacy on the blockchain and introduced a unique ring signature scheme that worked with the existing blockchain systems, implemented a URS scheme by using secp256k1, and created the first instance that was compatible with the blockchain library to easily implement Ethereum smart contracts. Researchers had demonstrated the privacy and security attributes of the solution and compared its efficiency with other commonly recommended blockchain privacy methods. Although the URS scheme was expensive to implement in the Ethereum, it had realistic feasibility. The compromise between the anonymous guarantee and the availability of the program was decided by the users.

Wu et al. [47] studied how to jointly manage Bitcoin transactions in a blockchain where multiple participants had Bitcoin accounts while maintaining the anonymity of multiple owners. A scenario in which a distributor owned a Bitcoin account and authorized multiple participants to manage together, and a Bitcoin account was shared by peers. Based on the above two application scenarios, partial blind threshold signatures and their extensions were proposed to meet these requirements. The proposed solution was compatible with the current Bitcoin system. The proposed scheme bound the public information c with a key that only the distributor knew, so that an attacker who wanted to tamper with c' must solve the CDH problem, which was computationally infeasible. As for Bitcoin, the platform could not know the amount of Bitcoin and the output address of the transaction. This was the main purpose of ensuring the security of this scheme.

Andreev [48] mentioned that existing ECC blind signatures lack compatibility with the standard ECDSA and therefore could not be directly used for Bitcoin transactions in the blockchain. A solution that allowed the generation of a blind signature that was compatible with existing Bitcoin protocols was then proposed. In this situation, signatories could provide services to store private keys and authenticate transactions without knowing the funds being transferred. Combined with multi-signature transactions, the program could privately lock some money and multiple parties. As in normal ECDSA, secret parameters must never be reused in different signatures.

Bonneau et al. [49] mentioned that Bitcoin’s ecosystem in the blockchain was often subject to theft and loss, affecting businesses and individuals. Because of the irreversibility, automation, and pseudonym of transactions, Bitcoin lacked support for the complex internal control systems deployed by modern companies to stop fraud. The first threshold signature scheme compatible with Bitcoin’s ECDSA signature was proposed to solve how to use this original resource to establish a distributed Bitcoin wallet and how to use it to implement a threshold wallet and various internal control protocols. The proposed solution had the potential to significantly increase the security of Bitcoin and make it closer to the widely adopted currency.

Dikshit and Singh [50] stated that all Bitcoin transactions were recorded and stored in a publicly available database called blockchain. Because these transactions were available to everyone, Bitcoin must be stored in a secure wallet. These Bitcoin wallets could only be opened with a key, and if the wallet’s key was lost, it could not be recovered because of the irreversibility of Bitcoin transactions. In order to solve this problem, previous researchers proposed some solutions, but these solutions had the disadvantage of managing and processing each player’s key. In order to remedy this deficiency, they proposed a scheme in which all participants could obtain a single share and could meet the requirements of the weight concept.

Cruz and Kaji [51] studied various cryptographic schemes to implement a secure and efficient electronic voting system, but these systems were difficult to use for actual voting. One of the technical reasons for this unfortunate situation was that many E-voting systems require an anonymous communication channel that was difficult to implement on the Internet. An E-voting system based on Bitcoin protocol and blind signature was proposed. In the proposed system, Bitcoin protocol was supplemented by known protocols (such as blind signature protocol and digital signature protocol) to implement a secure, anonymous, and transparent electronic voting system, and several important features of the electronic voting system were discussed, including fairness, anonymity, soundness, and verifiability. It had shown that the use of the Bitcoin protocol brought other advantageous features in addition to the anonymity of the communication.

Fu et al. [52] mentioned that because of the transaction in the blockchain, even if the user used the public key as the account address to make the transaction anonymous, it would bring potential privacy leakage to the user. In addition, in order to prevent recurring costs, the system agreed only when there were k subsequent blocks generated after the target block, in order to confirm that the transaction on the target block was valid. This time, waiting for the subsequent block generation was longer, and the transaction efficiency was greatly reduced. In view of the above problems, a proxy-based payment system model of password money was proposed, and an implementation scheme based on a blind signature algorithm was given. By introducing agents at the payment stage, the transaction validation time was shortened, the transaction efficiency was improved, and the anonymity of the user was realized better.

Chalkias et al. [53] proposed BPQS, an extensible PQ-resistant digital signature scheme from the blockchain architecture and existing Merkle tree-based signature schemes. BPQS could apply specific chain/graph structures in order to decrease key generation, signing, and verification costs as well as signature size. Compared to recent improvements in the field, BPQS outperformed existing hash-based algorithms, when a key was reused for reasonable numbers of signatures. It also supported a fallback mechanism to allow for a practically unlimited number of signatures if required. BPQS had shorter signatures and faster key generation, signing, and verification times. It was computationally comparable to non-quantum schemes. One could take advantage of the easy-to-apply multiple hash-chain WOTS parallelization and cache to provide almost instant signing and faster verification. Meanwhile, it could be used as a building block to implement novel PQ schemes. In addition, when used in blockchain and DLT applications, it could deploy the underlying chain/graph structure by referencing a previous transaction, in which the same key was reused. This could effectively mean that each new BPQS signature simply required the effort of an OTS scheme, because the rest of the signature path to the root was in the ledger already and can be omitted

Lin et al. [54] introduced the concept and security model of ID-based linearly homomorphic signature and then designed a new ID-based linear homomorphic signature scheme to avoid the shortcomings of the use of public-key certificates. It meant that the signer could construct a linearly homomorphic signature in identity-based cryptosystems. The proposed scheme was proved secure against existential forgery on adaptively chosen message and ID attack under the random oracle model. The ID-based linearly homomorphic signature schemes could be deployed in e-business, cloud computing, and blockchain.

In e-Health, Guo et al. [55] proposed an attribute-based signature scheme to guarantee the validity of EHRs encapsulated in blockchain. The proposed scheme had multiple authorities, in which a patient endorsed a message according to the attribute while disclosing no information other than the evidence that he had attested to it. Furthermore, there were multiple authorities without a trusted single or central one to generate and distribute public/private keys in this scheme. It was to avoid the escrow problem and conforms to the mode of distributed data storage in the blockchain. By sharing the secret pseudorandom function seeds among authorities, this protocol resists collusion attacks. Under the assumption of the computational bilinear Diffie-Hellman, the unforgeability and perfect privacy of the attribute signer were also formally demonstrated.

Qian et al. [56] proposed an efficient short signature length aggregate signature scheme, which solved the privacy protection and performance issues of the blockchain. In this scheme, the length of the aggregate signature was independent of the number of users, which was fixed and reduced the storage overhead. In addition, the signature scheme constructed a signature based on the discrete logarithm problem, instead of constructing a bilinear map-based. It reduced the computational overhead. Meanwhile, in the blockchain transaction, the identity privacy of the receiver was effectively protected. When a transaction contained n input addresses and m output addresses, the number of signatures could be reduced from n to 1. Compared with related schemes, the privacy protection scheme reduced the computational overhead of the signature and verification process, reduced the storage overhead of the blockchain, and improved the communication efficiency.

Li et al. [57] proposed a new lattice-based signature scheme that could be used to secure the blockchain network over existing classical channels. In the key generation phase, they combined the algorithm RandBasis with the algorithm ExtBasis to generate the sub-private keys for verifying the transaction message. This could randomize the output of algorithm ExtBasis and improve the security of the users’ private information. Furthermore, the security proof showed that the scheme was secure against the adaptively chosen message attack in random oracle, and the comparison results indicated that it was more efficient than similar works. Therefore, this scheme was more suitable for the transaction implementation in P-QBN.

In addition, Cao et al. [58] proposed a group signature based on blockchain. This signature could be proofed to guarantee security in an untrusted environment and extend the real applications. Long and Wei [59] presented a new Byzantine Fault Tolerance (BFT) consensus mechanism based on an aggregated signature gossip protocol. This mechanism could take thousands of nodes to participate in the consensus process. It had high transaction throughput and low messaging complexity. To meet the requirement of lower bandwidth cost in blockchain, Ren et al. [60] proposed a compact Non-Interactive Zero-Knowledge (NIZK) argument of knowledge and then used it to improve a ring signature. The proposed signature scheme was anonymous and unforgeable and need lower storage space of signature and pairing computations in the verification process. Wang et al. [61] used both mixing and confidential transaction technique to construct a full anonymous blockchain system by a one-way aggregate signature scheme and a homomorphic encryption scheme. In this blockchain, the full anonymity of user identities and transaction amounts were achieved. All individual signatures were compresses by the one-way aggregate signature scheme to reduce storage space. Comparisons of various improved digital signature schemes in blockchain are shown in Table 2. Continuing the classification strategy of Table 1, we conclude these various improved digital signature schemes into six types as follows: aggregate signature (AS), group signature (GS), ring signature (RS), blind signature (BS), proxy signature (PS), and other signatures. The security and performance of different signature schemes in the table vary according to the specific scenarios of their application. It shows that the digital signature technology has relatively good security performance under various applications in the future of the blockchain.

From the above analysis, most of the digital signature schemes in blockchain are deployed by the asymmetric encryption algorithms, which involve RSA, DSA, and ECDSA. For example, Zhu [37], Benjamin [44], Bonneau [49], and Dikshit [50] use ECDSA to implement the digital signatures. In general, DSA can only be used for digital signatures, not encryption (some extensions can support encryption); RSA can be used as a digital signature algorithm or as an encryption algorithm. However, when RSA is used as encryption, its performance decreases sharply with the increase of key length. With the same key length, DSA is faster when doing signatures, but slower when doing signature verification. Generally, the number of signature verifications is greater than the number of signatures. Similarly, with the same key length, DSA (with extended support) decrypts the ciphertext faster and the encryption is slower; RSA is just the opposite, and generally, the decryption times are more than the encryption times. However, due to the inherent performance issues of asymmetric encryption algorithms, neither is a good choice for encryption. Compared with RSA and DSA, ECDSA has the following advantages:

In this paper, we focus on the non-repudiation of information security in blockchain. By comparing and analyzing the features of different digital signature schemes used in blockchain system in recent years, it is demonstrated that digital signature technology can well satisfy various specific application properties of blockchains and meet the security requirements in different situations. Our contributions in this paper can facilitate to guide the design of the digital signature schemes in blockchain and optimize the digital signature algorithm to enhance the blockchain security.

Based on the above overview on the digital signature schemes of blockchain systems, we propose the following future suggestions to improve security and performance in this field:

1)For the Bitcoin transaction scenario in the blockchain environment, the characteristics of schemes such as ring signature and blind signature can be used to further study the anonymity of transaction membership and the level of encryption of transaction information and reduce the transaction overhead.

2) Combining digital signatures with identity authentication or time stamps can improve multidimensional security and protect the non-repudiation of information in the blockchain from a broader perspective and direction.

The convergence of blockchain and IoT is the future development trend. Considering the resource-constrained terminals in IoT, we are working on the certificateless aggregation signature scheme for a mobile terminal.