Research article

A preliminary study of porous ceramics with carbon black contents

  • Received: 13 July 2023 Revised: 20 August 2023 Accepted: 28 August 2023 Published: 06 September 2023
  • This paper is a study of porous ceramics made from a mixture of clay (kaolinite), silica (silicon dioxide), and feldspar with the addition of carbon black (CB) at different contents. The results are presented in terms of apparent porosity, relative density, microstructure and porous characteristics, flexural strength and phase formation. As observed, sintering at 1200 ℃ is the optimum temperature in this work. In comparison to the samples without CB content, the apparent porosity and relative density of the ceramics are highly dependent on the CB contents. This might be attributed to the presence of a porous structure, as seen in SEM images of the fracture surface of the ceramics. It was also revealed that the addition of CB resulted in smaller pore sizes and a more uniform pore distribution. The creation of pores in porous ceramics was mainly attributed to the loss of shape of CB microspheres at high temperatures, as observed from SEM. The flexural strength of the sintered samples exhibited an average decrease from 60 to 55 MPa due to the presence of CB, which is typically known to reduce the mechanical properties with high porosity. In the XRD results, the muscovite phase is represented by a few peaks with significant intensities, while the remaining peaks are of undetermined phase. The strongest peak is at a 2θ angle of 26°, suggesting the presence of potassium and aluminium in the form of silicate minerals.

    Citation: Mohamed Lokman Jalaluddin, Umar Al-Amani Azlan, Mohd Warikh Abd Rashid. A preliminary study of porous ceramics with carbon black contents[J]. AIMS Materials Science, 2023, 10(5): 741-754. doi: 10.3934/matersci.2023041




    Blockchain, as a type of decentralized and public computational paradigm using multi-party consensus, provides new solutions for data security and information sharing in many scenarios. An increasing number of assets have appeared on the blockchain amid its wide application in various fields such as the Internet of Things, smart grids and so on [1,2]. For example, many products' information is processed by blockchain for product traceability in the Internet of Things. Some blockchain-based data sharing schemes are also designed for sensitive information, such as medical data, that needs both privacy and some level of data sharing [3,4,5]. Effective evaluation of privacy risk and ensuring privacy have always attracted broad attention [6,7,8,9]. In addition, many blockchain-based privacy-preserving payment mechanisms for the Internet of Things have also been constructed to provide efficient and decentralized transactions [10,11]. Therefore, two questions are crucial and have received much attention: how to achieve privacy of transaction contents, hiding monetary assets and data assets from observers, and how to achieve public verification of transactions to ensure that monetary assets and data assets satisfy transaction rules.

    Traditional ledger-based transaction schemes in blockchain, such as Bitcoin, lack privacy. All transaction information, including transaction values, is permanently recorded on the blockchain and is public, so it can be obtained by attackers for malicious use and dissemination. Therefore, in order to hide transaction contents and make blockchain-based transactions more reliable, many cryptographic solutions have been used to offer privacy-enhancing schemes in cryptocurrencies based on the public blockchain. For example, Monero hides transaction amounts by using Pedersen commitments. It also uses the homomorphic property of commitments and Bulletproofs to verify transactions. Zcash introduces one-time encryption to protect the privacy of transaction contents and uses zero-knowledge Succinct Non-interactive ARgument of Knowledge (zk-SNARK) to ensure transaction compliance. However, these solutions provide strong privacy guarantees that give users the potential to circumvent regulatory controls, such as money laundering without authorities, evasion, fraud and many illicit activities that create many regulatory concerns. Enforcing reliable auditing in a blockchain-based transaction system is crucial [12], and it is more challenging and essential in a system that offers privacy protection of transaction information.

    Therefore, there are many challenging concerns about blockchain transaction privacy, effective auditing and public verification, as we mentioned above. More concretely, in terms of data assets such as the quantity of goods in supply chains and sensitive patient information in medical data sharing, many schemes do not pay attention to public verification of data compliance while preserving privacy. For monetary assets in the unspent transaction output (UTXO) model, there is a lack of flexible transaction schemes that can both preserve privacy and achieve auditing of the transaction amount of a single transaction. How to simultaneously preserve privacy, keep a public ledger and audit reliably is challenging. Also, as the UTXO model requires extra ledger space with the generation of transaction outputs and deletion of transaction inputs, how to save ledger storage space and achieve efficiency gains for the user should be taken into consideration. Aiming to address these challenges, we focus on designing and constructing an efficient blockchain-based privacy-preserving transaction scheme with public verification and reliable auditing. The main contributions of our paper are summarized as follows:

    ● We propose a privacy-preserving transaction scheme in blockchain. Our scheme preserves privacy for both monetary assets and data assets based on homomorphic encryption. We decouple transaction identity information from transaction contents so that the scheme can be combined with different blockchain identity privacy protection schemes, which is more flexible.

    ● We propose and design a multiplicative zero-knowledge proof to prove that the encrypted values $(C_1,C_2,C_3)$ corresponding to $(v_1,v_2,v_3)$ satisfy the multiplicative relationship $v_1v_2=v_3$. It can be widely used in blockchain-based financial applications, blockchain-based supply chains and many other scenarios to achieve data compliance and preserve privacy. We give a formal security analysis of the proposed multiplicative zero-knowledge proof.

    ● We achieve public verification of hidden transaction contents based on zero-knowledge proofs in our privacy-preserving transaction scheme. We define several types of verification rules. For monetary assets, the scheme achieves balance verification relying on the signature of knowledge. For data assets, it achieves multiplicative verification by applying the proposed multiplicative zero-knowledge proof, which can also be used to save transaction computation and storage cost in a specific scenario in the UTXO model.

    ● We also achieve reliable auditing of hidden transaction contents. In our scheme, we introduce the auditor. It can audit transaction values of each transaction instead of total transaction amounts, which is different from many existing schemes. There is also a verification of the audit zero-knowledge proof to ensure the audit reliability.

    ● We give formal security analysis of our blockchain-based privacy preserving transaction scheme. We also aggregate the balance proofs and audit proofs to save the ledger space. We implement the proposed scheme and evaluate its performance, and then we make a functional comparison between our scheme and others.

    The rest of the paper is organized as follows. The related work is presented in Section 2. We give a brief introduction about background knowledge in Section 3. In Section 4, we present the proposed multiplicative zero-knowledge proof. We present our blockchain-based privacy-preserving transaction scheme in Section 5. Section 6 gives the security analysis of the proposed scheme. In Section 7, we give the performance analysis of the proposed scheme. Conclusions are drawn in Section 8.

    Blockchain is a new concept that involves a consensus mechanism and distributed data storage. It was put forward as Bitcoin[13] in 2008. All transactions in Bitcoin are public and transparent, so it cannot satisfy the confidentiality requirement of some applications. In 2014, Monero[14], which is a cryptocurrency deriving from Bitcoin, was proposed. It uses linkable ring signatures, stealth addresses and RingCT to hide sensitive information of transactions such as transaction contents and user identities. Other cryptocurrencies that focus on privacy protection are Zerocash[15] and Zerocoin[16]. Zerocash leverages encryption and zk-SNARKs[17] to achieve strong privacy guarantees for transactions. Zerocoin provides strong user anonymity and coin security based on RSA accumulators and non-interactive zero-knowledge proofs. Mimblewimble[18] is also a privacy-enhancing cryptocurrency using confidential transactions[19], which are based on Pedersen commitments[20], to hide the transaction amount. Though these solutions achieve privacy protection in blockchain, none of them provides auditability, which is incompatible with illegal behavior and is essential in financial applications.

    In [21], the first distributed ledger system with auditing is proposed. In this system, commitments are used to hide the transaction amount. It also provides a rough audit of the sums of transaction values. However, it needs some auditors to stay online and query the system users to perform the audit, which forces auditors and all users to communicate with each other sequentially and significantly reduces efficiency. In [22], the authors achieve an advanced zero-knowledge ledger by proposing an efficient range-proof technique based on improved inner-product-based zero-knowledge proofs. The reduction in proof size greatly improves the system efficiency. In [23], a private, authenticated and auditable blockchain is proposed. It achieves privacy protection and auditability in terms of user identity and transaction contents based on additive homomorphic encryption and the BBS group signature. In [24], the authors propose a decentralized system framework using the blockchain and the IPFS system to provide high security for sharing and exchanging multimedia files. They use a secure authentication protocol based on zero-knowledge proofs to guarantee the privacy of multimedia data users. In [25], the authors achieve anonymity of users and privacy of the transaction amount. As for regulation, the system can regulate the total amount of transactions in a certain time. Also, there are some auditable solutions based on the account model[26,27,28].

    We give the analysis and functional comparison between our scheme and other comparable schemes in Table 1 in terms of transaction model (TM), transaction confidentiality (TC), balance verification (BV), multiplicative verification (MV), decoupled user identity and transaction contents (DIC), audit reliability (AR) and audit of each transaction (AoET). In summary, as we can see in Table 1, the above papers provide various privacy protections in terms of both identity and transaction contents, but they rarely achieve precise auditing of transactions, which is essential in financial applications. In particular, they mainly focus on transfer transactions. As blockchain has been widely applied in supply chains, data sharing and many other fields, it is also quite necessary to provide efficient verification for scenarios with both monetary assets and data assets, which has been ignored.

    Table 1.  Functional comparison between our scheme and others.
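    | Scheme | TM                | TC  | BV  | MV  | DIC | AR  | AoET |
    |--------|-------------------|-----|-----|-----|-----|-----|------|
    | [14]   | UTXO              | Yes | Yes | No  | No  | No  | No   |
    | [15]   | UTXO              | Yes | Yes | No  | No  | No  | No   |
    | [18]   | UTXO              | Yes | Yes | No  | Yes | No  | No   |
    | [23]   | UTXO              | Yes | Yes | No  | No  | Yes | Yes  |
    | [25]   | UTXO              | Yes | Yes | No  | No  | No  | No   |
    | Ours   | UTXO, data assets | Yes | Yes | Yes | Yes | Yes | Yes  |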


    In this section, we introduce some related techniques that are used in this paper.

    At present, there are many decentralized payment systems, such as Bitcoin, RSCoin[29], Fabcoin in Hyperledger Fabric[30] and so on, that are based on the UTXO model, in which each transaction is formed by a set of inputs and a set of outputs. It is different from the traditional account model used by Ethereum, where the transaction value is specified and moved from one account to another. The UTXO model is shown in Figure 1. It represents some amount of monetary assets that have been authorized by one user to be spent by another. Details of the flows of monetary assets in transactions with the UTXO model are recorded in the blockchain ledger.

    Figure 1.  UTXO model.

    Pedersen commitment is used to achieve transaction confidentiality in Bitcoin. It can be described as follows.

    setup$(1^\lambda)$: This algorithm takes the security parameter $\lambda$ as input, and it generates the cyclic group $\mathbb{G}$ of order $q$. $G$ is the generator of group $\mathbb{G}$. $H$ is a random element of $\mathbb{G}$. It outputs the public parameter $pp=\{\mathbb{G},G,H,q\}$.

    Cm$(pp,v)$: This algorithm takes the public parameter $pp$, commitment $c$, the value $v$ and the blind element $r$ as input. It computes $c=rG+vH$ as the commitment of $v$.

    Open$(pp,c,v,r)$: This algorithm takes the public parameter $pp$, commitment $c$, the value $v$ and the blind element $r$ as input. It checks whether $c=rG+vH$ holds or not.

    Definition 1. (Discrete logarithm (DL) problem). Let $\mathbb{G}$ be a cyclic group. Given a random instance $(P,aP)$, where $P\in\mathbb{G}$ and $a\in\mathbb{Z}_p$, computing $a$ is hard for a polynomial time algorithm. The probability that a polynomial time algorithm $\mathcal{A}$ can solve the DL problem is defined as $Adv^{DL}_{\mathcal{A}}(\lambda)$.

    Definition 2. (Discrete logarithm assumption). For any probabilistic polynomial time algorithm $\mathcal{A}$, $Adv^{DL}_{\mathcal{A}}(\lambda)$ is negligible; that is, $Adv^{DL}_{\mathcal{A}}(\lambda)\le\epsilon$, for some negligible function $\epsilon$.

    There is a homomorphic encryption scheme based on ElGamal encryption called twisted ElGamal[28], which is zero-knowledge friendly. Given a cyclic group $\mathbb{G}$ of order $q$, let $P$ and $H$ be two random generators of $\mathbb{G}$. So, $pp=\{\mathbb{G},P,H,q\}$. Then, it consists of the following algorithms:

    keygen: It takes $pp$ as input and randomly chooses $x\in\mathbb{Z}_q$ as the secret key. It computes the public key $Y=xP$, and then it outputs $(X,Y)$.

    enc: It takes the public key $Y$ and message $m$ as input. It randomly chooses $s\in\mathbb{Z}_q$, computes $C_1=sP$, $C_2=mH+sP$ and outputs $C=\{C_1,C_2\}$.

    dec: It takes the ciphertext $C$ and the secret key as input. It computes $mH=C_2-x^{-1}C_1$ to obtain $m$.

    A non-interactive zero-knowledge (NIZK) proof[31] is a protocol that the prover can use to convince the verifier that it indeed has knowledge of a secret value, using some public information and without revealing the secret value. The non-interactive zero-knowledge proof has the properties of completeness, soundness, and zero-knowledge[32]. We introduce a non-interactive zero-knowledge proof that is the signature of knowledge of the discrete logarithm (SKDL)[33,34]. Let $\mathbb{G}$ be a cyclic group and $P,G\in\mathbb{G}$. A pair $(c,s)\in\{0,1\}^k\times\mathbb{Z}_n$ satisfying $c=H_0(P,Y,sP+cY)$ is a signature of the knowledge of the discrete logarithm of $Y\in\mathbb{G}$ to the base $P$. It is denoted as $SKDL\{(a):Y=aP\}$. It is as follows:

    (1) The prover randomly chooses $r\in\mathbb{Z}_q$, then it computes $T=rP$, $c=H_0(P,Y,T)$ and $s=r-ca$. The prover sends $(c,s)$ to the verifier.

    (2) The verifier verifies whether $c=H_0(P,Y,sP+cY)$ holds. If the equation holds, it means that the prover knows the discrete logarithm of $Y$ to the base $P$.

    Our proposed multiplicative zero-knowledge proof aims to convince the verifier that $v_3$ encrypted in $C_3$ is actually the product of $v_1$ and $v_2$, encrypted respectively in $C_1$ and $C_2$, i.e., $v_1v_2=v_3$. It mainly contains three steps that are as follows:

    setup: Let $\mathbb{G}$ be a cyclic group of order $q$, where $q$ is $\lambda$ bits. $P$ and $H$ are two random generators of $\mathbb{G}$. Then, the public parameter is $pp=\{\mathbb{G},P,H,q\}$.

    prove: The prover randomly chooses $s_1,s_2,s_3\in\mathbb{Z}_q$, and then it computes $C_1=v_1H+s_1P$, $C_2=v_2H+s_2P$ and $C_3=v_3H+s_3P$. The prover randomly chooses $y_1,y_2,y_3,s_1',s_2',s_3'\in\mathbb{Z}_q$, and then it computes $d_1=y_1H+s_1'P$, $d_2=y_2H+s_2'P$, $d_3=y_3H+s_3'P$ and $d_4=y_2C_1^2+s_4'P$. The prover sends the generated $C_1$, $C_2$, $C_3$, $d_1$, $d_2$, $d_3$, $d_4$ to the verifier. The verifier randomly chooses a challenge $c\in\mathbb{Z}_q$ and returns it to the prover. Then, the prover computes $u_1=y_1+v_1c$, $u_2=y_2+v_2c$, $u_3=y_3+v_3c$, $\theta_1=s_1'+s_1c$, $\theta_2=s_2'+s_2c$, $\theta_3=s_3'+s_3c$ and $\theta_4=s_4'+(s_3-s_1v_2)c$. The prover sends the generated $u_1$, $u_2$, $u_3$, $\theta_1$, $\theta_2$, $\theta_3$, $\theta_4$ to the verifier.

    verify: The verifier computes $d_1'=\theta_1P+u_1H-cC_1$, $d_2'=\theta_2P+u_2H-cC_2$, $d_3'=\theta_3P+u_3H-cC_3$, $d_4'=\theta_4P+u_2C_1-cC_3$, and then it checks whether $d_1'=d_1$, $d_2'=d_2$, $d_3'=d_3$ and $d_4'=d_4$ hold. If the above equations hold, it outputs 1. Otherwise, it outputs 0.

    According to the above steps, the prover proves that $C_1,C_2,C_3$ are encrypted values of $v_1,v_2,v_3$ satisfying $v_1v_2=v_3$. In addition, the above proof can be made non-interactive by applying the Fiat-Shamir heuristic[35]. In particular, the proposed multiplicative zero-knowledge proof can be applied in a variety of blockchain scenarios, for both monetary assets and data assets. We give explanations about it in Section 7.
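The three-move exchange described above, written out as an added example (not the authors' implementation). It assumes secp256k1 as the group $\mathbb{G}$, derives $H$ by hashing to the curve, and computes $d_4$ as $y_2C_1+s_4'P$, the form used in Eq (4.4); all function and class names are hypothetical.

```python
import hashlib
import secrets

# Group: secp256k1 (y^2 = x^3 + 7 over F_p, prime order q, cofactor 1).
# The page only asks for a cyclic group of order q; this curve is an assumption.
p = 2**256 - 2**32 - 977
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def add(A, B):
    if A is INF:
        return B
    if B is INF:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, A):
    k %= q
    R = INF
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R


def sub(A, B):
    return add(A, INF if B is INF else (B[0], -B[1] % p))


def derive_H(tag=b"added-example/second-generator"):
    # Try-and-increment hash to curve, so nobody knows log_P(H).
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(tag + bytes([ctr])).digest(), "big") % p
        y = pow((x**3 + 7) % p, (p + 1) // 4, p)
        if (y * y - x**3 - 7) % p == 0:
            return (x, y)
        ctr += 1


H = derive_H()


def commit(v, s):
    """C = vH + sP, the form used for C_1, C_2, C_3 and d_1..d_3."""
    return add(mul(v, H), mul(s, P))


class Prover:
    def __init__(self, v1, v2, v3):
        self.v = (v1, v2, v3)
        self.s = [secrets.randbelow(q) for _ in range(3)]
        self.C = [commit(v, s) for v, s in zip(self.v, self.s)]

    def announce(self):
        self.y = [secrets.randbelow(q) for _ in range(3)]
        self.sp = [secrets.randbelow(q) for _ in range(4)]  # s_1'..s_4'
        d = [commit(self.y[i], self.sp[i]) for i in range(3)]
        d.append(add(mul(self.y[1], self.C[0]), mul(self.sp[3], P)))  # d_4
        return d

    def respond(self, c):
        u = [(self.y[i] + self.v[i] * c) % q for i in range(3)]
        th = [(self.sp[i] + self.s[i] * c) % q for i in range(3)]
        th.append((self.sp[3] + (self.s[2] - self.s[0] * self.v[1]) * c) % q)
        return u, th


def verify(C, d, c, u, th):
    # d_i' = theta_i P + u_i H - c C_i for i = 1..3
    ok = all(d[i] == sub(commit(u[i], th[i]), mul(c, C[i])) for i in range(3))
    # d_4' = theta_4 P + u_2 C_1 - c C_3
    d4 = sub(add(mul(th[3], P), mul(u[1], C[0])), mul(c, C[2]))
    return ok and d[3] == d4


def run_proof(v1, v2, v3):
    """One honest-verifier run; True iff all four checks pass."""
    prover = Prover(v1, v2, v3)
    d = prover.announce()
    c = 1 + secrets.randbelow(q - 1)  # verifier's random non-zero challenge
    u, th = prover.respond(c)
    return verify(prover.C, d, c, u, th)
```

The relation is checked modulo $q$, so `run_proof(q - 1, 2, q - 2)` also passes; bounding the values with the range proof $\pi_{rp}$ is what rules out such wrapped products.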

    Theorem 1. The proposed multiplicative proof is a zero-knowledge proof under the Discrete logarithm assumption, which means that it satisfies correctness, zero knowledge (can be simulated) and a proof of knowledge (has an extractor).

    We prove it through Lemmas 1–3.

    Lemma 1. The proposed multiplicative zero-knowledge proof satisfies correctness.

    Proof of Lemma 1. If the prover follows the computation steps specified for it, we have the following.

    $$d_1'=(s_1'+s_1c)P+(y_1+v_1c)H-c(v_1H+s_1P)=y_1H+s_1'P=d_1 \tag{4.1}$$
    $$d_2'=(s_2'+s_2c)P+(y_2+v_2c)H-c(v_2H+s_2P)=y_2H+s_2'P=d_2 \tag{4.2}$$
    $$d_3'=(s_3'+s_3c)P+(y_3+v_3c)H-c(v_3H+s_3P)=y_3H+s_3'P=d_3 \tag{4.3}$$
    $$d_4'=y_2C_1+v_2cC_1+(s_4'+(s_3-s_1v_2)c)P-c(v_3H+s_3P)=y_2C_1+s_4'P+(v_1v_2cH-v_3cH)+(v_2s_1cP-v_2s_1cP)+(s_3cP-s_3cP)=d_4 \tag{4.4}$$

    As we can see from the above equations, Eqs (4.1)–(4.4) hold. Therefore, the verifier always accepts the proof, and then the proposed multiplicative zero-knowledge proof satisfies correctness.

    Lemma 2. The proposed multiplicative zero-knowledge proof can be simulated under the Discrete logarithm assumption.

    Proof of Lemma 2. We describe a simulator that can output the proof. It randomly chooses a set of values $v_1,v_2,v_3$ and computes $C_1=v_1H+s_1P$, $C_2=v_2H+s_2P$, $C_3=v_3H+s_3P$. The distribution of these values generated by the simulator is indistinguishable from the distribution output by the prover. In the remainder of the simulation, it does not assume knowledge of $v_1,v_2,v_3$.

    The simulator randomly chooses a challenge $c\in\mathbb{Z}_q$ and $u_1$, $u_2$, $u_3$, $\theta_1$, $\theta_2$, $\theta_3$, $\theta_4$. It computes $d_1=\theta_1P+u_1H-cC_1$, $d_2=\theta_2P+u_2H-cC_2$, $d_3=\theta_3P+u_3H-cC_3$ and $d_4=u_2C_1+\theta_4P-cC_3$ that satisfy Eqs (4.1)–(4.4). Moreover, these values have the same distribution as those in the real proof. The simulator outputs $c$, $u_1$, $u_2$, $u_3$, $\theta_1$, $\theta_2$, $\theta_3$, $\theta_4$, $d_1$, $d_2$, $d_3$, $d_4$ that are indistinguishable from the real proof in the multiplicative proof. Therefore, the proposed multiplicative zero-knowledge proof can be simulated under the Discrete logarithm assumption.

    Lemma 3. The proposed multiplicative zero-knowledge proof has an extractor.

    Proof of Lemma 3. Suppose there exists an extractor that enables one to rewind a prover in the multiplicative proof we proposed above to the point before it generates $c$. To the challenge value $c$, there is $(u_1,u_2,u_3,\theta_1,\theta_2,\theta_3,\theta_4)$. For challenge value $c'\neq c$, the prover responds with $(u_1',u_2',u_3',\theta_1',\theta_2',\theta_3',\theta_4')$. If the prover is convincing, then all Eqs (4.1)–(4.4) hold.

    So, we have $\Delta c=c-c'$, $\Delta u_1=u_1-u_1'$, and $\Delta u_2$, $\Delta u_3$, $\Delta\theta_1$, $\Delta\theta_2$, $\Delta\theta_3$, $\Delta\theta_4$ are defined similarly to $\Delta u_1$. Considering Eq (4.1), we have $\Delta c\,C_1=\Delta\theta_1P+\Delta u_1H$, so let $v_1=\Delta u_1/\Delta c$ and let $s_1=\Delta\theta_1/\Delta c$. Similarly, from Eqs (4.2)–(4.4), we obtain $v_2$, $s_2$, $v_3$, $s_3$ and $s=\Delta\theta_4/\Delta c$. We have $(v_1v_2-v_3)H=(s_3-s-v_2s_1)P$. Therefore, the extractor obtains a Discrete logarithm problem solution $\log_PH=(s_3-s-v_2s_1)/(v_1v_2-v_3)$. Therefore, the proposed multiplicative zero-knowledge proof has an extractor.

    We propose a privacy-preserving blockchain-based transaction scheme that enables reliable auditing and different verification rules. There are four roles in our scheme, described as follows:

    ● Trusted Center: It initializes the whole scheme.

    ● Users: They include the payer and payee involved in blockchain-based transactions, as well as users that transact, share and store data assets through the blockchain.

    ● Validator: It verifies whether proposed encrypted transactions satisfy verification rules.

    ● Auditor: It audits encrypted transactions in the scheme.

    As we can see in Figure 3, the transaction flow of our privacy-preserving transaction scheme is summarized as follows:

    (1) Setup: The trusted center performs the initialization and generates an audit key pair for the auditor.

    (2) Transact: Users generate transactions, and they send transactions to validators.

    (3) Verify: Validators receive a transaction and verify whether it satisfies the verification rules and audit reliability.

    (4) Aggregate: Balance and audit zero-knowledge proofs in transactions are aggregated and sent to committing nodes.

    (5) Chain: Committing nodes verify the aggregated information. If it passes verification, the transactions are committed to the blockchain.

    (6) Audit: The auditor audits transaction contents. It does not need to be online all the time and can audit the transaction contents of each transaction.

    Notations in our paper are summarized in Table 2. In our scheme, transaction $tx$ is used to record the encrypted payment process between payers and payees for monetary assets, and it is used to record the encrypted data transaction for data assets. Transactions are finally recorded in the ledger of the blockchain. The structure of transaction $tx$ is $tx=\{tx.in,tx.out,tx.data,\pi_{bl},\pi_{rp},\pi_{pro},\pi_{au}\}$. $tx.in$ is the encrypted inputs of the transaction, and $tx.out$ is the encrypted outputs of the transaction. $tx.data$ is the encrypted data of data assets. $\pi_{bl}$ is the balance proof generated by users for balance verification. $\pi_{rp}$ is the range proof to prove the transaction value is in a certain range $[0,v_{max}]$, where $v_{max}$ is a system parameter. $\pi_{pro}$ is the multiplicative proof that can prove transaction values satisfy the product relationship, and $\pi_{au}$ is the audit proof to prove the auditor can reliably audit the transaction.

    Table 2.  Notations.
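    | Symbols                 | Descriptions                   |
    |-------------------------|--------------------------------|
    | $\lambda$               | Security parameter             |
    | $pp$                    | Public parameters              |
    | $\mathbb{G}$            | A cyclic group                 |
    | $tx$                    | Transaction                    |
    | $tx.in$                 | Transaction encrypted inputs   |
    | $tx.out$                | Transaction encrypted outputs  |
    | $tx.data$               | Transaction encrypted data     |
    | $C^{in}_i,C^{out}_j$    | Encrypted inputs and outputs   |
    | $C_1,C_2,C_3$           | Encrypted data assets          |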


    More concretely, $tx.in$ includes $n$ inputs of a transaction such that $tx.in=\{C^{in}_i\mid C^{in}_i=\{C^{in_1}_i,C^{in_2}_i\},i\in[1,n]\}$. The value of each input $C^{in}_i$ is $v^{in}_i$. $tx.out$ includes $n$ outputs of a transaction and the change $C_c$, which can be presented as $tx.out=\{C^{out}_j,C_c\mid C^{out}_j=\{C^{out_1}_j,C^{out_2}_j\},j\in[1,n],C_c=\{C^1_c,C^2_c\}\}$. The value of each output $C^{out}_j$ is $v^{out}_j$, and the change value is $v_c$. $tx.out$ includes encrypted data $tx.data=\{C_1=\{C^1_1,C^2_1\},C_2=\{C^1_2,C^2_2\},C_3=\{C^1_3,C^2_3\},...\}$, where $C_1,C_2,C_3$ are encrypted data of some values $v_1,v_2,v_3$.

    Our scheme is designed to satisfy the security requirements of transaction confidentiality, public verification and audit reliability.

    Definition 3. (Transaction confidentiality). Transaction confidentiality means the plaintext of transaction contents such as payment value or data assets cannot be obtained by an attacker in our system.

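    We define the transaction confidentiality of our scheme by the following transaction confidentiality experiment. The adversary $\mathcal{A}$ is a user in the system, and it has the UTXO that belongs to him.

    $$\left|\Pr\left[b'=b:\begin{array}{l}pp\leftarrow setup(1^\lambda);\ (X,Y)\leftarrow keygen(pp);\\(\{ptx.rmdr_0,ptx.rmdr_1\})\leftarrow\mathcal{A}_1(pp,Y);\\b\leftarrow_R\{0,1\};\\tx.out\leftarrow tx(pp,ptx.rmdr,Y)\\\pi_{au}\leftarrow au(pp,ptx.out,\pi_{pau},Y);\\b'\leftarrow\mathcal{A}_2^{O}(tx.out,\pi_{au})\end{array}\right]-\frac{1}{2}\right|\le negl(\lambda),$$

    in which the definitions of the oracles $O_{pre}$ and $O_{GenCT}$ are as follows:

    $O_{pre}$: On input $((C^{in}_i,v^{in}_i,s^{in}_i),v_\rho)$, run $ptx\leftarrow pretx(pp,C^{in}_i,v^{in}_i,s^{in}_i,v_\rho,Y)$ and store $\{(C^{in}_i,v^{in}_i,s^{in}_i),v_\rho,Y,ptx\}$ into the list $L$.

    $O_{GenCT}$: On input $(ptx.rmdr)$, search $L$, run $tx.out\leftarrow tx(pp,ptx.rmdr,Y)$ and $\pi_{au}\leftarrow au(pp,ptx.out,\pi_{pau},Y)$, and then return $tx.out$ and $\pi_{au}$.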

    Public verification means that transactions in our scheme can be publicly verified by validators to satisfy various verification rules. We design two types of verification rules, and they are transaction balance and transaction multiplicative relationship that are defined as follows.

    Definition 4. (Transaction balance). For monetary assets, it satisfies balance verification such that the sum of inputs' values is equal to the sum of outputs' values.

    We define the transaction balance of our scheme by the following transaction balance experiment. The adversary $\mathcal{A}$ is a user in the system, and it has the UTXO that belongs to him.

    $$\Pr\left[\begin{array}{l}veri_{bl}(pp,\pi_{bl})=1\ \wedge\\\sum_{i=1}^{n}v^{in}_i\neq\sum_{j=1}^{n}v^{out}_j+v^{out}_c\end{array}:\begin{array}{l}pp\leftarrow setup(1^\lambda);\\(X,Y)\leftarrow keygen(pp);\\(tx.in,tx.out,v^{in}_i,\pi_{bl})\leftarrow\mathcal{A}^{O}(pp,Y)\end{array}\right]\le negl(\lambda),$$

    in which the definitions of the oracles $O_{pre}$ and $O_{bal}$ are as follows:

    $O_{pre}$: On input $((C^{in}_i,v^{in}_i,s^{in}_i),v_\rho)$, run $ptx\leftarrow pretx(pp,C^{in}_i,v^{in}_i,s^{in}_i,v_\rho,Y)$ and store $\{(C^{in}_i,v^{in}_i,s^{in}_i),v_\rho,Y,ptx\}$ into the list $L$.

    $O_{bal}$: On input $ptx.rmdr$, run $tx.out\leftarrow tx(pp,ptx.rmdr,Y)$, search $L$ to find the corresponding $\pi_{pbp}$ and $P_b$, then run $\pi_{bl}\leftarrow bl(pp,\pi_{pbp},P_b)$, and return $tx.out$ and $\pi_{bl}$.

    Definition 5. (Transaction multiplicative relationship). For data assets, the validator can publicly verify whether some values $v_1,v_2,v_3$ satisfy a multiplicative relationship such as $v_1v_2=v_3$.

    We define the transaction multiplicative relationship of our scheme by the following transaction multiplicative relationship experiment. The adversary $\mathcal{A}$ is a user in the system.

    $$\Pr\left[\begin{array}{l}veri_{pro}(pp,\pi_{pro},C_1,C_2,C_3)=1\ \wedge\\v_3\neq v_1v_2\end{array}:\begin{array}{l}pp\leftarrow setup(1^\lambda);\\(X,Y)\leftarrow keygen(pp);\\(v_1,v_2,v_3,C_1,C_2,C_3,\pi_{pro})\leftarrow\mathcal{A}^{O}(pp,Y)\end{array}\right]\le negl(\lambda),$$

    in which the definition of the oracle $O_{pro}$ is as follows:

    $O_{pro}$: On input $v_1,v_2,v_3$, run $(C_1,C_2,C_3)\leftarrow tx(pp,v_1,v_2,v_3,Y)$ and $\pi_{pro}\leftarrow pro(pp,v_1,v_2,v_3,C^2_1,C^2_2,C^2_3)$, and return $C_1,C_2,C_3$ and $\pi_{pro}$.

    Definition 6. (Audit reliability). Audit reliability means they can be reliably audited by the auditor.

    We define the audit reliability of our scheme by the following audit reliability experiment. The adversary A is a user in the system and it has the UTXO that belongs to him.

    Pr[ppsetup(1λ); veriau(pp,πau,Cforge)=1:(Cforge)A(pp,vf,outj,Yf);]negl(λ)

    It consists of six phases, including Setup, Transact, Verify, Aggregate, Chain and Audit.

    Setup: In the setup phase, the trusted center generates public parameters and audit key pair. First, it executes the setup(1λ) algorithm, where λ is the security parameter. G is a cyclic group which is q order, where q is λ bits. P and H are two random generators of G. H0, H1, H2 and H3 are hash functions that satisfy H0:=G×GZq, H1:=G×G×G×GZq, H2:G×G×G×G×G×G×GZq, H3:=G×......2n+2×GZq. Second, it executes the keygen(pp) algorithm. It randomly chooses xZq as the audit secret key X, and then it computes the audit public key Y=xP. At last, the trusted center outputs the audit public key Y and the public parameters pp={G,P,H,q,H0,H1,H2,H3}.

    Transact: In the transact phase, the payee and the payer generate transaction that preserves privacy of the transaction contents that can be audited by the auditor. In addition, they also generate proofs to ensure the transaction satisfy verification rules and reliable audit. In this phase, they provide balance proof that ensures the sum of outputs is equal to the sum of inputs, range proof that ensures the transaction value is greater than zero, multiplicative proof that ensures that some transaction data satisfies the multiplicative relationship and audit proof that guarantees the audit reliability. In this phase, there are five algorithms that are described as follows:

    (1) The $\mathrm{pretx}(pp, C^{in}_i, v^{in}_i, s^{in}_i, v_{\rho}, Y)$ algorithm is executed by the payer. It takes as input the public parameters $pp$, transaction inputs $C^{in}_i$, value $v^{in}_i$, randomness $s^{in}_i$, transfer value $v_{\rho}$ and the audit public key $Y$. It outputs the pre-transaction $ptx$ as follows:

    ● The payer selects $n$ inputs $C^{in}_i$ of total value $v = \sum_{i=1}^{n} v^{in}_i \ge v_{\rho}$. Let the pre-transaction input be $ptx.in = \{C^{in}_i \mid i \in [1,n]\}$. It generates $n$ outputs of total value $v_{\rho} = \sum_{j=1}^{n} v^{out}_j$. Let the pre-transaction remainder be $ptx.rmdr = \{v^{out}_j \mid j \in [1,n]\}$.

    ● The payer computes the change value $v^{out}_c = v - v_{\rho}$. Let the change value be $ptx.chg = v^{out}_c$. It randomly selects the randomness of the change value $s^{out}_c \in \mathbb{Z}_q$. It computes $C^{out1}_c = s^{out}_c Y$ and $C^{out2}_c = s^{out}_c P + v^{out}_c H$. Let $C^{out}_c = \{C^{out1}_c, C^{out2}_c\}$, and it stores $C^{out}_c$ in $tx.out$.

    ● The payer generates the pre-transaction balance proof $\pi_{pbp}$. It randomly chooses $r_a \in \mathbb{Z}_q$ and computes $s^{in}_s = \sum_{i=1}^{n} s^{in}_i + s^{out}_c$. It computes $X_a = s^{in}_s P$, $R_a = r_a P$, $e_a = H_0(R_a, X_a)$ and $\sigma_a = r_a + e_a s^{in}_s$. So, the pre-transaction balance proof is $\pi_{pbp} = \{\sigma_a, e_a, R_a, X_a\}$.

    ● The payer computes the pre-transaction audit proof $\pi_{pau}$. The proof can be described as $SKDL\{(v^{out}_c, s^{out}_c): C^{out1}_c = s^{out}_c Y \wedge C^{out2}_c = s^{out}_c P + v^{out}_c H\}$, which ensures that this transaction can be reliably audited. It randomly chooses $s'^{out}_c \in \mathbb{Z}_q$ and $v'^{out}_c \in \mathbb{Z}_q$, then it computes $R_{1c} = s'^{out}_c Y$, $R_{2c} = s'^{out}_c P + v'^{out}_c H$, $\tilde{c}_p = H_1(R_{1c}, R_{2c}, C^{out}_c)$, $\sigma_{c,1} = s'^{out}_c + \tilde{c}_p s^{out}_c$ and $\sigma_{c,2} = v'^{out}_c + \tilde{c}_p v^{out}_c$. So the pre-transaction audit proof is $\pi_{pau} = \{\sigma_{c,1}, \sigma_{c,2}, R_{1c}, R_{2c}, \tilde{c}_p\}$.

    The payer outputs the generated pre-transaction $ptx = \{ptx.in, ptx.out, \pi_{pbp}, \pi_{pau}\}$, where $ptx.out = \{ptx.chg, ptx.rmdr\}$.

    (2) The $\mathrm{tx}(pp, ptx.rmdr, Y)$ algorithm is executed by the payee. It takes as input the public parameters $pp$, the pre-transaction remainder $ptx.rmdr$ and the audit public key $Y$. It generates the transaction outputs $tx.out$, balance randomness $P_b$ and range proof $\pi_{rp}$ as follows. The payee checks whether $\sum_{i=1}^{n} v^{in}_i = \sum_{j=1}^{n} v^{out}_j + v^{out}_c$ holds. If it does not hold, it aborts. Otherwise, the payee executes the $\mathrm{txenc}(pp, v^{in}_i, Y)$ algorithm, which is twisted ElGamal encryption. This algorithm randomly chooses $s^{out}_j \in \mathbb{Z}_q$ and computes $C^{out1}_j = s^{out}_j Y$ and $C^{out2}_j = s^{out}_j P + v^{out}_j H$, and then it stores them in $tx.out$. The payee computes $s^{out}_s = \sum_{j=1}^{n} s^{out}_j$ and the balance randomness $P_b = s^{out}_s P$, and then the payee executes Bulletproofs [36] to generate the range proof $\pi_{rp} = \{\pi_{rpc}, \pi_{rpj} \mid j \in [1,n]\}$. For data assets such as $v_1, v_2, v_3$ ($v_3 = v_1 v_2$), it generates $C_1, C_2, C_3$ by $\mathrm{txenc}(pp, v_1, v_2, v_3, Y)$ in the same way, and it stores them in $tx.data = \{C_1, C_2, C_3\}$.

    (3) The $\mathrm{bl}(pp, \pi_{pbp}, P_b)$ algorithm is executed by the payer and payee. It takes as input the public parameters $pp$, the pre-transaction balance proof $\pi_{pbp}$ and the balance randomness $P_b$. It generates the balance proof $\pi_{bl}$ as follows:

    ● The payee computes $e_a = H_0(R_a, X_a)$, and then it verifies whether $\sigma_a P = R_a + e_a X_a$ holds. If it does not hold, the payee aborts. Otherwise, the payee randomly chooses $r_b \in \mathbb{Z}_q$, computes $R_b = r_b P$, $R = R_a + R_b$ and $\bar{X} = X_a + P_b$. It calculates $e = H_0(R, \bar{X})$ and computes $\sigma_B = r_b + e s^{out}_s$. The payee sends the generated $\sigma_B$ and $P_b$ to the payer.

    ● The payer computes $R = R_a + R_b$, $\bar{X} = X_a + P_b = x_s P$, $e = H_0(R, \bar{X})$, $\sigma_A = r_a + e s^{in}_s$ and $\sigma = \sigma_A + \sigma_B$. Therefore, the generated balance proof is $\pi_{bl} = \{\sigma, e, R, \bar{X}\}$.

    (4) The $\mathrm{pro}(pp, v_1, v_2, v_3, C^2_1, C^2_2, C^2_3)$ algorithm is executed by the user. It proves that some encrypted transaction values $v_1, v_2, v_3$ satisfy the product relationship $v_1 v_2 = v_3$. It takes as input the public parameters $pp$ and $C^2_1 = v_1 H + s_1 P$, $C^2_2 = v_2 H + s_2 P$ and $C^2_3 = v_3 H + s_3 P$, which are the encrypted values of $v_1$, $v_2$, $v_3$. It generates the multiplicative proof $\pi_{pro}$ as follows:

    ● The user randomly chooses $y_1, y_2, y_3, s'_1, s'_2, s'_3 \in \mathbb{Z}_q$, and then it computes $d_1 = y_1 H + s'_1 P$, $d_2 = y_2 H + s'_2 P$, $d_3 = y_3 H + s'_3 P$ and $d_4 = y_2 C^2_1 + s'_3 H$. It computes $c = H_2(d_1, d_2, d_3, d_4, C^2_1, C^2_2, C^2_3)$.

    ● It computes $u_1 = y_1 + v_1 c$, $u_2 = y_2 + v_2 c$, $u_3 = y_3 + v_3 c$, $\theta_1 = s'_1 + s_1 c$, $\theta_2 = s'_2 + s_2 c$, $\theta_3 = s'_3 + s_3 c$ and $\theta_4 = s'_3 + (s_3 - s_1 v_2) c$. So, the multiplicative proof is $\pi_{pro} = \{c, u_1, u_2, u_3, \theta_1, \theta_2, \theta_3, \theta_4\}$.

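    (5) The $\mathrm{au}(pp, ptx.out, \pi_{pau}, Y)$ algorithm is run by the payee. It takes as input the public parameters $pp$, a remainder $ptx.rmdr$, the pre-transaction audit proof $\pi_{pau}$ and the audit public key $Y$. It outputs the audit proof $\pi_{au}$ as follows:

    ● The payee randomly chooses $s'^{out}_j \in \mathbb{Z}_q$ and computes $R_1 = R_{1c} + \sum_{j=1}^{n} R_{1j} = R_{1c} + \sum_{j=1}^{n} s'^{out}_j Y$, and then it randomly selects $v'^{out}_j \in \mathbb{Z}_q$ and computes $R_2 = R_{2c} + \sum_{j=2}^{n} R_{2j} = R_{2c} + \sum_{j=2}^{n} (s'^{out}_j P + v'^{out}_j H)$.

    ● It calculates $\tilde{c} = H_3(R_1, R_2, tx.out)$ and $\sigma_{j,1} = s'^{out}_j + \tilde{c} s^{out}_j$, $\sigma_{j,2} = v'^{out}_j + \tilde{c} v^{out}_j$, where $v^{out}_j$ is the output value and $s^{out}_j$ is the random number.

    ● It computes $\bar{\sigma} = \sigma_{c,1} + \sum_{j=1}^{n} \sigma_{j,1}$ and $\sigma = \sigma_{c,2} + \sum_{j=2}^{n} \sigma_{j,2}$. So, the audit proof is $\pi_{au} = \{\bar{\sigma}, \sigma, R_1, R_2, \tilde{c}\}$.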

    Finally, the payee sends the transaction to the validating nodes.

    Verify: In the verify phase, validating nodes are responsible for verifying whether the transaction meets the requirements that we defined. The four verification algorithms are as follows:

    (1) The $\mathrm{veri}_{rp}(pp, tx.out, \pi_{rp})$ algorithm takes as input the public parameters $pp$, the transaction output $tx.out$ and the range proof $\pi_{rp}$. It uses Bulletproofs [36] to verify whether the transaction output is in a certain range $[0, v_{max}]$. The details of Bulletproofs can be found in [36].

    (2) The $\mathrm{veri}_{bl}(pp, \pi_{bl})$ algorithm takes as input the public parameters $pp$ and the balance proof $\pi_{bl}$. It verifies whether the transaction satisfies the balance property as follows: It computes $e' = H_0(R, \bar{X})$, and then it checks whether $e' = e$ and $\sigma P = R + e \bar{X}$ hold. If they hold, it outputs true, which means that the transaction satisfies the balance property.

    (3) The $\mathrm{veri}_{pro}(pp, \pi_{pro})$ algorithm takes as input the public parameters $pp$ and the multiplicative proof $\pi_{pro}$. It verifies whether these encrypted transaction values satisfy the product relationship $v_1 v_2 = v_3$. It computes $d'_1 = \theta_1 P + u_1 H - c C^2_1$, $d'_2 = \theta_2 P + u_2 H - c C^2_2$, $d'_3 = \theta_3 P + u_3 H - c C^2_3$, $d'_4 = \theta_4 P + u_2 C^2_1 - c C^2_3$ and $c' = H_2(d'_1, d'_2, d'_3, d'_4, C^2_1, C^2_2, C^2_3)$, and then it checks whether $c' = c$ holds. If it holds, it outputs true, which means that these encrypted transaction values satisfy the product relationship.

    (4) The $\mathrm{veri}_{au}(pp, \pi_{au})$ algorithm takes as input the public parameters $pp$ and the audit proof $\pi_{au}$. It verifies whether the transaction can be reliably audited as follows: It computes $R'_1 = \bar{\sigma} Y - \tilde{c} C^{out1}_c - \sum_{j=1}^{n} \tilde{c} C^{out1}_j$, $R'_2 = \sigma H + \bar{\sigma} P - \tilde{c} C^{out2}_c - \sum_{j=1}^{n} \tilde{c} C^{out2}_j$ and $\tilde{c}' = H_3(R'_1, R'_2, tx.out)$. It checks whether $\tilde{c}' = \tilde{c}$ holds. If this equation holds, it outputs true, which means that the transaction can be reliably audited.

    Aggregate$(\sigma_k, R, \sigma_k, \bar{\sigma}_k, R_{1k}, R_{2k})$: In the aggregate phase, the ordering nodes take as input the balance signature $\sigma_k$, balance randomness $R$, audit signature $\sigma_k, \bar{\sigma}_k$ and audit randomness $R_{1k}, R_{2k}$, and aggregate the balance signatures and audit signatures of $m$ transactions, where $k \le m$. The ordering nodes compute $\sigma_{Agg} = \sum_{1}^{m} \sigma_k$, $R_{Agg} = \sum_{1}^{m} R_k$, $\sigma_{Agg} = \sum_{1}^{m} \sigma$, $\bar{\sigma}_{Agg} = \sum_{1}^{m} \bar{\sigma}_k$, $R_{1Agg} = \sum_{1}^{m} R_{1k}$ and $R_{2Agg} = \sum_{1}^{m} R_{2k}$. Therefore, the aggregated message is $info_{Agg} = \{\sigma_{Agg}, R_{Agg}, \sigma_{Agg}, \bar{\sigma}_{Agg}, R_{1Agg}, R_{2Agg}\}$.

    Chain$(info_{Agg}, \bar{X}_k, tx.out_k, e_k, \tilde{c}_k)$: In the chain phase, the committing nodes take as input the aggregated message $info_{Agg}$, public randomness $\bar{X}_k$, transaction outputs $tx.out_k$, the hash value $e_k$ corresponding to each transaction and the balance challenge value $\tilde{c}_k$. They verify the correctness of the aggregated message $info_{Agg}$ by checking whether $\sigma_{Agg} P = R_{Agg} + \sum_{k} e_k \bar{X}_k$, $\bar{\sigma}_{Agg} P = R_{1Agg} + \tilde{c}_k C^{out1}_c + \sum_{j=1}^{n} \tilde{c}_k C^{out1}_j$ and $\sigma_{Agg} H + \bar{\sigma}_{Agg} P = R_{2Agg} + \tilde{c}_k C^{out2}_c + \sum_{j=1}^{n} \tilde{c}_k C^{out2}_j$ hold. If these two equations hold, it outputs true; the committing nodes then add the verified transactions to the ledger, and the updated ledger is $\Lambda$.

    Audit$(pp, X, tx.out)$: In the audit phase, the auditor takes as input the public parameters $pp$, the audit secret key $X$ and the transaction outputs $tx.out$. It computes $v^{out}_j H = C^{out2}_j - X^{-1} \cdot C^{out1}_j$ and audits the transaction by comparing $v^{out}_j H$ with the pre-computed $bH$, where $b \in [0, v_{max})$.

    Theorem 2 (Transaction confidentiality). Our scheme satisfies transaction confidentiality, if the twisted ElGamal algorithm is IND-CPA secure, and the audit proof $\pi_{au}$ is zero-knowledge.

    Proof of Theorem 2. We prove it via the following games. Let $Win_i$ denote the probability that the adversary A wins $Game_i$.

    $Game_0$: We proceed with the transaction confidentiality experiment defined in Section 5.2. The challenger C and the adversary A interact as follows:

    (1) C computes $pp \leftarrow \mathrm{setup}(\lambda)$ and $(X, Y) \leftarrow \mathrm{keygen}$. It returns the generated $pp$ and $Y$ to A.

    (2) A queries $O_{Pre}$ and $O_{GenCT}$. C answers these queries. On input $((C^{in}_i, v^{in}_i, s^{in}_i), v_{\rho})$, run $ptx \leftarrow \mathrm{pretx}(pp, C^{in}_i, v^{in}_i, s^{in}_i, v_{\rho}, Y)$ and store $\{(C^{in}_i, v^{in}_i, s^{in}_i), v_{\rho}, Y, ptx\}$ in the list $L$. On input $(ptx.rmdr)$, search $L$, run $tx.out \leftarrow \mathrm{tx}(pp, ptx.rmdr, Y)$ and $\pi_{au} \leftarrow \mathrm{au}(pp, ptx.out, \pi_{pau}, Y)$, and then return $tx.out$ and $\pi_{au}$.

    (3) A chooses $\{ptx.rmdr_0, ptx.rmdr_1\}$. C randomly selects $b \in [0,1]$ and computes $tx.out \leftarrow \mathrm{tx}(pp, ptx.rmdr_b, Y)$, $\pi_{au} \leftarrow \mathrm{au}(pp, ptx.rmdr_b, ptx.chg, \pi_{pau}, Y)$. It returns the generated $\{tx.out, \pi_{au}\}$ to A.

    (4) A generates the guess $b'$ of $b$. If $b' = b$, it wins the experiment.

    Therefore, we have $Adv_A(\lambda) = \Pr[Win_0] - \frac{1}{2}$.

    $Game_1$: $Game_1$ is similar to $Game_0$ except that the audit proof $\pi_{au}$ is generated by the simulator $S = (S_1, S_2)$. $S_1$ generates the trapdoor $\tau$, and then $S_2$ takes $\tau$ as input without any proof. It outputs the simulated proof $\pi_{au}$. Therefore, the proof generated by $S_2$ is the same as the proof computed in $Game_1$. The probability that A wins $Game_1$ satisfies

    $$|\Pr[Win_1] - \Pr[Win_0]| \le \mathrm{negl}(\lambda). \qquad (6.1)$$

    As we can see in Lemma 1, we have $\Pr[Win_1] \le \mathrm{negl}(\lambda)$.

    Lemma 4. If the twisted ElGamal algorithm is IND-CPA secure, then for all PPT adversary A, we have $\Pr[Win_1] \le \mathrm{negl}(\lambda)$.

    Proof of Lemma 4. Suppose that there is a PPT adversary A that wins $Game_1$ with non-negligible advantage; then we can construct an algorithm B that can break the IND-CPA security of the twisted ElGamal algorithm. B simulates $Game_1$ as follows:

    (1) B computes $pp \leftarrow \mathrm{setup}(\lambda)$ and $(X, Y) \leftarrow \mathrm{keygen}(pp)$. It uses $S_1$ to generate the trapdoor $\tau$, and then it returns them to A.

    (2) A queries the oracle $O_{Pre}$ and the oracle $O_{GenCT}$. The challenger C answers these queries.

    $O_{Pre}$: A makes this query with $(C^{in}_i, v^{in}_i, s^{in}_i, v_{\rho})$. C receives this query, and then it executes $ptx \leftarrow \mathrm{pretx}(C^{in}_i, v^{in}_i, s^{in}_i, v_{\rho}, Y)$. It stores $(C^{in}_i, v^{in}_i, s^{in}_i, v_{\rho}, Y, ptx)$ in the list $L$.

    $O_{GenCT}$: A makes this query with $(ptx.rmdr)$. C receives this query, and then it executes $tx.out \leftarrow \mathrm{tx}(pp, ptx.rmdr, Y)$. It takes the trapdoor $\tau$ generated by $S_2$, and it outputs the simulated $\pi_{tr}$. It returns $tx.out$ and $\pi_{tr}$ to A.

    (3) A selects two pre-transaction remainders $\{ptx.rmdr_0, ptx.rmdr_1\}$. B sends $\{ptx.rmdr_0, ptx.rmdr_1\}$ to its challenger C. B receives $C^{out}_j = \{C^{out1}_j, C^{out2}_j\}$, where $C^{out}_j$ is the encrypted value that is obtained by encrypting $ptx.rmdr_b$ using the audit public key $Y$. Let $tx.out = \{C^{out}_j\}$. B takes the trapdoor $\tau$ as input. It outputs the simulated audit proof $\pi_{tr}$. B returns $tx.out$ and $\pi_{tr}$ to A as the challenge.

    (4) A generates $b'$ as the guess of $b$, then B returns the guess generated by A.

    We can see that B successfully simulates $Game_1$, so it can break the IND-CPA security of the twisted ElGamal algorithm with the same advantage. This proves Lemma 4.

    To sum up, we prove that if the twisted ElGamal algorithm is IND-CPA secure, and the audit proof $\pi_{au}$ is zero-knowledge, our scheme satisfies transaction confidentiality.

    Theorem 3 (Balance verification). Our scheme enables transaction balance verification, which means that outputs of the transaction and the inputs of the transaction are equal, if the Discrete logarithm assumption holds.

    Proof of Theorem 3. Suppose that there is a PPT adversary A that wins the transaction balance experiment we defined in Section 3 with non-negligible advantage, and then we can construct algorithm B that can solve the Discrete logarithm problem with the same advantage. Let $pp = (G, P, H, q, H_0)$. $(P, H)$ is the instance of B's Discrete logarithm problem, where $P$ and $H$ are two random generators of $G$. B simulates the experiment as follows:

    (1) B computes $pp \leftarrow \mathrm{setup}(\lambda)$ and $(X, Y) \leftarrow \mathrm{keygen}(pp)$. It returns the generated public parameters $pp$ and the public key $Y$ to A.

    (2) A queries oracles $O_{Pre}$ and $O_{GenBal}$. These oracles answer these queries.

    $O_{Pre}$: A makes this query with $(C^{in}_i, v^{in}_i, s^{in}_i, v_{\rho})$. C computes $(ptx) \leftarrow \mathrm{pretx}(pp, C^{in}_i, v^{in}_i, s^{in}_i, v_{\rho}, Y)$, and then it stores $(C^{in}_i, v^{in}_i, s^{in}_i, v_{\rho}, Y, ptx)$ in the list $L$.

    $O_{GenBal}$: A makes this query with $(ptx.rmdr)$. C receives this query and computes $tx.out \leftarrow \mathrm{tx}(pp, ptx.rmdr, Y)$. It searches $L$ to find the corresponding $(\pi_{pbp}, P_b)$, and then it computes $\pi_{bp} \leftarrow \mathrm{bl}(pp, \pi_{pbp}, P_b)$. It returns $tx.out$ and $\pi_{bp}$ to A.

    (3) A obtains complete transaction information that includes transaction inputs $tx.in = \{C^{in}_i \mid C^{in}_i = \{C^{in1}_i, C^{in2}_i\}, i \in [1,n]\}$, transaction outputs $tx.out = \{C^{out}_j, C^{out}_c \mid C^{out}_j = \{C^{out1}_j, C^{out2}_j\}, j = [1,n], C^{out}_c = \{C^{out1}_c, C^{out2}_c\}\}$ and transaction balance information $\pi_{bl} = \{\sigma, e, R, \bar{X}\}$. B rewinds $e_2$ and $\sigma_2$. Therefore, we have:

    $$Y\sigma - e\Big(C^{out1}_c + \sum_{j=1}^{n} C^{out1}_j - \sum_{i=1}^{n} C^{in1}_i\Big) = Y\sigma_2 - e_2\Big(C^{out1}_c + \sum_{j=1}^{n} C^{out1}_j - \sum_{i=1}^{n} C^{in1}_i\Big) \qquad (6.2)$$
    $$e\Big(C^{out2}_c + \sum_{j=1}^{n} C^{out2}_j - \sum_{i=1}^{n} C^{in2}_i\Big) - \sigma P = e_2\Big(C^{out2}_c + \sum_{j=1}^{n} C^{out2}_j - \sum_{i=1}^{n} C^{in2}_i\Big) - \sigma_2 P \qquad (6.3)$$

    Let $x_s = (\sigma - \sigma_2)/(e - e_2)$, and then $\bar{X} = x_s G$ can be regarded as the transaction public balance excess value. We have

    $$x_s Y = C^{out1}_c + \sum_{j=1}^{n} C^{out1}_j - \sum_{i=1}^{n} C^{in1}_i \qquad (6.4)$$
    $$x_s G = \bar{X} = C^{out2}_c + \sum_{j=1}^{n} C^{out2}_j - \sum_{i=1}^{n} C^{in2}_i \qquad (6.5)$$

    If $\sum_{i=1}^{n} v^{in}_i \ne \sum_{j=1}^{n} v^{out}_j + v^{out}_c$, then we have

    xsG=¯X=Cout2c+nj=1Cout2jni=1Cin2i=(ni=1vinivoutcnj=1voutj)H+(soutssins)G (6.6)

    So, we have (ni=1vinivoutcnj=1voutj)H=(soutssinsxs)P. Therefore, B can take logPH=(soutssinsxs)/(ni=1vinivoutcnj=1voutj) as the solution of the Discrete logarithm problem.

    Thus, if the Discrete logarithm problem is hard to solve, our scheme satisfies the transaction balance property.

    Theorem 4 (Multiplicative verification). Our scheme enables multiplicative verification, which means that our scheme is able to prove and verify that some encrypted values $v_1, v_2, v_3$ satisfy the product relationship $v_1 v_2 = v_3$, if the Discrete logarithm assumption holds.

    Proof of Theorem 4. Suppose that there exists a PPT adversary A that can break the multiplicative verification property with non-negligible advantage, and then we can construct algorithm B that can solve the Discrete logarithm problem with the same advantage. Let $pp = (G, P, H, q, H_0)$. $(P, H)$ is the instance of B's Discrete logarithm problem, where $P$ and $H$ are two random generators of $G$. B simulates the experiment as follows:

    (1) B computes $pp \leftarrow \mathrm{setup}(\lambda)$ and $(X, Y) \leftarrow \mathrm{keygen}(pp)$. It returns the generated public parameters $pp$ and the public key $Y$ to A.

    (2) A queries the $O_{pro}$ oracle with $(v_1, v_2, v_3, C^2_1, C^2_2, C^2_3)$. C computes $\pi_{pro} \leftarrow \mathrm{pro}(pp, v_1, v_2, v_3, C^2_1, C^2_2, C^2_3)$. It returns $\pi_{pro}$ to the adversary A.

    (3) A obtains the transaction information $(C^2_1, C^2_2, C^2_3)$ and multiplicative proofs $\pi_{pro} = \{c, u_1, u_2, u_3, \theta_1, \theta_2, \theta_3, \theta_4\}$. B rewinds $c'$, $u'_1$, $u'_2$, $u'_3$, $\theta'_1$, $\theta'_2$, $\theta'_3$ and $\theta'_4$. Therefore, we have

    $$\theta_1 P + u_1 H - c C^2_1 = \theta'_1 P + u'_1 H - c' C^2_1 \qquad (6.7)$$
    $$\theta_2 P + u_2 H - c C^2_2 = \theta'_2 P + u'_2 H - c' C^2_2 \qquad (6.8)$$
    $$\theta_3 P + u_3 H - c C^2_3 = \theta'_3 P + u'_3 H - c' C^2_3 \qquad (6.9)$$
    $$u_2 C^2_1 + \theta_4 P - c C^2_3 = u'_2 C^2_1 + \theta'_4 P - c' C^2_3 \qquad (6.10)$$

    Let $v_1 = (u_1 - u'_1)/(c - c')$, $s_1 = (\theta_1 - \theta'_1)/(c - c')$, $v_2 = (u_2 - u'_2)/(c - c')$, $s_2 = (\theta_2 - \theta'_2)/(c - c')$, $v_3 = (u_3 - u'_3)/(c - c')$, $s_3 = (\theta_3 - \theta'_3)/(c - c')$ and $s = (\theta_4 - \theta'_4)/(c - c')$. Then, we have $v_3 H + s_3 P = v_1 v_2 H + (v_2 s_1 + s) P$. If $v_1 v_2 \ne v_3$, we have $(v_1 v_2 - v_3) H = (s_3 - s - v_2 s_1) P$. B can take $\log_P H = (s_3 - s - v_2 s_1)/(v_1 v_2 - v_3)$ as the solution of the Discrete logarithm problem.

    Thus, if the Discrete logarithm problem is hard to solve, our scheme satisfies multiplicative verification.

    Theorem 5 (Reliable audit). Transactions in our privacy-preserving transaction scheme can be reliably audited.

    Proof of Theorem 5. Suppose that trading parties (payee and payer) may construct a fake to escape audit. The adversary's malicious actions can be roughly summarized as the following two types:

    (1) The adversary A randomly chooses YG,YY to generate encrypted transaction outputs instead of using audit public key Y. It computes Cout1j=soutjY, Coutj={Cout1j,Cout2j}. Therefore, validating nodes can verify it as the following shows:

    R1=ˉσY˜cCout1c˜cnj=1Cout1j=soutcY+nj=1soutjY+˜csoutcY+˜cnj=1soutjY˜csoutcY˜cnj=1soutjY. (6.11)

    We can see that YY, so R1soutcY+nj=1soutjY and R1soutcY+nj=1soutjY. Therefore, we have R1R1. Besides, hash functions are collision-resistant, so we get ˜c˜c.

    (2) The adversary A randomly chooses voutjvoutj to generate encrypted transaction outputs instead of using the real transaction value voutj. It computes Cout2j=soutjP+voutjH,Coutj={Cout1j,Cout2j}. Therefore, validating nodes can verify it as the following shows:

    R2=σH+ˉσP˜cCout2c˜cnj=1Cout2j=voutcH+soutcP+nj=1voutjH+nj=1soutjP+˜cnj=1voutjH˜cnj=1voutjH=R2c+nj=1voutjH+nj=1soutjP+˜cHnn=1(voutjvoutj) (6.12)

    We can see that voutjvoutj, so R2R2c+nj=1voutjH+nj=1soutjP that is R2R2. Therefore, we get ˜c˜c.

    In summary, the probability of the audit proof information forged by the adversary A that can pass the verification is negligible. Therefore, our scheme satisfies transaction auditability.
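
    The audit path described above (twisted ElGamal output, audit proof, validator check, auditor decryption) together with the two evasion cases from the proof of Theorem 5, as an added example that is not the paper's code. It covers a single output rather than the aggregated change-plus-$n$-outputs proof; the pure-Python secp256k1 arithmetic, the hash-to-point derivation of $H$ and all function names are assumptions of this example.

```python
import hashlib
import secrets

# secp256k1, the curve named in the paper's evaluation: y^2 = x^3 + 7 over F_FP.
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order q
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def add(a, b):
    """Affine point addition."""
    if a is INF or b is INF:
        return a or b  # the other operand (points are non-empty tuples)
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FP == 0:
        return INF
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    k, acc = k % N, INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sub(a, b):
    return add(a, INF if b is INF else (b[0], -b[1] % FP))

def hash_to_point(tag):
    """Try-and-increment, so nobody knows log_P(H) (assumed derivation of H)."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(tag + bytes([ctr])).digest(), "big") % FP
        rhs = (pow(x, 3, FP) + 7) % FP
        y = pow(rhs, (FP + 1) // 4, FP)  # square root, valid since FP % 4 == 3
        if y * y % FP == rhs:
            return (x, y)
        ctr += 1

H = hash_to_point(b"added-example second generator")

def challenge(*points):
    """Fiat-Shamir challenge in Z_q over the given points (SHA-256)."""
    data = b"".join(c.to_bytes(32, "big") for pt in points for c in (pt or (0, 0)))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, mul(x, P)  # audit secret key x, audit public key Y = xP

def txenc(v, Y):
    """Twisted ElGamal: C = (sY, sP + vH). Returns the ciphertext and s."""
    s = secrets.randbelow(N - 1) + 1
    return (mul(s, Y), add(mul(s, P), mul(v, H))), s

def audit_prove(v, s, C, Y):
    """Sigma proof that C = (sY, sP + vH) for the audit key Y (one output)."""
    s_n, v_n = secrets.randbelow(N), secrets.randbelow(N)  # fresh nonces
    R1, R2 = mul(s_n, Y), add(mul(s_n, P), mul(v_n, H))
    c = challenge(R1, R2, *C)
    return ((s_n + c * s) % N, (v_n + c * v) % N, c)

def audit_verify(C, proof, Y):
    """Validator check: recompute R1', R2' and compare the challenge."""
    sig1, sig2, c = proof
    R1 = sub(mul(sig1, Y), mul(c, C[0]))
    R2 = sub(add(mul(sig2, H), mul(sig1, P)), mul(c, C[1]))
    return challenge(R1, R2, *C) == c

def audit(x, C, vmax):
    """Auditor: vH = C2 - x^{-1} C1, then look vH up among bH, b in [0, vmax)."""
    vH = sub(C[1], mul(pow(x, -1, N), C[0]))
    table, acc = {}, INF
    for b in range(vmax):
        table[acc] = b
        acc = add(acc, H)
    return table.get(vH)  # None when the output cannot be audited

def demo(vmax=64):
    x, Y = keygen()
    C, s = txenc(42, Y)  # constructed sample value
    honest = audit_verify(C, audit_prove(42, s, C, Y), Y)
    # Case (1) of the proof of Theorem 5: output encrypted under Y' != Y.
    _, Y_other = keygen()
    C_bad, s_bad = txenc(42, Y_other)
    wrong_key = audit_verify(C_bad, audit_prove(42, s_bad, C_bad, Y), Y)
    # Case (2): the proof is built for value 7 while C2 carries 42.
    wrong_value = audit_verify(C, audit_prove(7, s, C, Y), Y)
    return honest, audit(x, C, vmax), wrong_key, audit(x, C_bad, vmax), wrong_value
```

    Calling `demo()` returns `(True, 42, False, None, False)`: the honest output verifies and is audited to 42, while both deviating outputs fail the validator's check, and the wrong-key output would have been unreadable to the auditor.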

    In order to evaluate the performance of our proposed scheme, we implement the prototype of the proposed privacy preserving transaction scheme which mainly focuses on the transaction layer without considering the differences of consensus mechanisms. This makes our privacy preserving transaction scheme more feasible for different blockchain systems. Our implementation is in Golang language on a laptop with 8GB of RAM, an Intel Core i7-8500U 2.00GHz. The elliptic curve we used is secp256k1, and the hash function is sha256.

    Table 3 gives an evaluation of the computation time of each step of the main phases in our proposed privacy preserving transaction scheme. We take the most frequently used 2 inputs-1 outputs as an instance. As we can see from Table 3, computation times in each phase such as setup, transact, verify and audit are all in milliseconds. The total time is approximately 7.65 ms. It is practical and feasible for low frequency transaction scenarios.

    Table 3.  Computation time of the main phase of our proposed scheme in milliseconds.

    | Phase | Step | Time (ms) |
    |---|---|---|
    | Setup | Setup | 0.232 |
    | Transact | Generate encrypted outputs | 0.439 |
    | | Generate balance proofs | 0.877 |
    | | Generate multiplicative proofs | 1.308 |
    | | Generate Audit proofs | 0.953 |
    | Verify | Balance proofs verification | 0.349 |
    | | Multiplicative relationship verification | 1.810 |
    | | Audit proofs verification | 1.244 |
    | Audit | Audit | 0.438 |


    In Figures 3 and 4, we also evaluate our privacy preserving transaction scheme's time costs in the transact, verify and audit phases with increasing inputs and outputs. According to Figure 3, as the number of inputs and outputs grows from 2-2 to 12-12 in one transaction, the balance zero-knowledge prove time and audit zero-knowledge prove time are approximately 0.9 and 1.0 ms with no obvious increase. In Figure 4, the balance zero-knowledge proof verification time stays at approximately 0.4 ms as the number of inputs and outputs increases from 2-2 to 12-12. Though the time of generating encrypted values grows from 0.8 to 4.9 ms in Figure 3, and the time of verifying audit zero-knowledge proofs and the auditing time increase from 1.6 to 5.4 ms and 0.9 to 5.1 ms respectively in Figure 4, they are still within milliseconds.

    Figure 2.  Overview of our scheme.
    Figure 3.  Computation time comparison in transact phase with increasing inputs and outputs.

    Figure 5 presents the verification time comparison before and after aggregation, and Figure 6 presents the block size comparison before and after aggregation. According to Figure 5, the verification time grows linearly from 4.9 to 21.0 ms as the number of inputs and outputs is set to be 2-2, 4-4, 6-6, 8-8, 10-10, 12-12 respectively when there is no aggregation of balance proofs and audit proofs. However, in our proposed privacy preserving transaction scheme, we aggregate the balance proofs and audit proofs, which greatly shortens the verification time, as it grows from approximately 3.8 to 7.5 ms when the number of inputs and outputs is set to be 2-2, 4-4, 6-6, 8-8, 10-10, 12-12, respectively. Because we replace the multiplication operation with the faster group add operation in our aggregation algorithm, the verification time has no obvious growth. Therefore, our aggregation algorithm makes the transaction verification more efficient. As we can see in Figure 6, the growth rate of block size with the number of transactions in a block slows significantly after we aggregate the audit proofs and balance proofs. Thus, the aggregation technique reduces the storage size of proofs by at least 50% of the size before optimization. It effectively saves ledger space.

    Figure 4.  Computation time comparison in verify and audit phase with increasing inputs and outputs.
    Figure 5.  Verification time comparison before and after aggregation.
    Figure 6.  Block size comparison before and after aggregation.

    Our scheme has functional advantages. In particular, there are several applications in blockchain for the proposed multiplicative zero-knowledge proof to be used in some specific scenarios. For monetary assets in the UTXO model, if there are $k$ outputs with the same value $v$ for a user and the total amount of them is $sum = vk$, the user needs to compute $k$ encrypted values $C_1 = \{C^1_1 = s_1 Y, C^2_1 = vH + s_1 P\}, \ldots, C_k = \{C^1_k = s_k Y, C^2_k = vH + s_k P\}$, and to store the $k$ encrypted values $C_1, C_2, \ldots, C_k$ in the ledger. However, by using the proposed multiplicative zero-knowledge proof, it only needs to compute two encrypted values $C_v, C_k$ and only stores these two ciphertexts in the ledger without influencing the transaction balance and reliable audit. It is obvious that using the proposed multiplicative zero-knowledge proof achieves space savings for the ledger and efficiency gains for the user. For data assets such as those in a supply chain, suppose that the quantity of goods is $r$, the unit price of goods is $v$, and the total amount is $t = vr$. $r$, $v$ and $t$ need to be recorded on chain with privacy preserved. We can compute $C_v = \{C^1_v = s_v Y, C^2_v = vH + s_v P\}$, $C_r = \{C^1_r = s_r Y, C^2_r = rH + s_r P\}$ and $C_t = \{C^1_t = s_t Y, C^2_t = tH + s_t P\}$. This hides the transaction information, and then the multiplicative zero-knowledge proof ensures that $t = vr$ can be publicly verified by validators in the blockchain without revealing $t$, $r$ and $v$.

    In this paper, we propose a privacy preserving transaction scheme with public verification and reliable audit in blockchain. Our scheme not only provides confidentiality for transaction contents in a more flexible way by decoupling user identity and transaction contents, but also defines several verification rules that make full use of validators in blockchain. It enables balance verification for monetary assets, and we design a multiplicative zero-knowledge proof with security analysis, which can potentially be used in blockchain based financial applications, supply chains and so on. Validators can then optionally perform multiplicative verification of data assets to ensure data compliance by applying the proposed multiplicative proof. In addition, our proposal enables the auditor to make a precise audit of each transaction, whose audit reliability is guaranteed by publicly verifying the audit proof. Security analysis shows that the proposed scheme satisfies the security requirements we defined. Performance analysis indicates that its computation cost is in milliseconds, and the aggregation effectively saves storage space. How to construct a more efficient range proof is still to be taken into consideration.

    This paper was supported by National Natural Science Foundation of China (Grant no. U21A20463).

    The authors declare there are no conflicts of interest.



    [1] Taslicukur Z, Balaban C, Kuskonmaz N (2007) Production of ceramic foam filters for molten metal filtration using expanded polystyrene. J Eur Ceram Soc 27: 637–640. https://doi.org/10.1016/j.jeurceramsoc.2006.04.129 doi: 10.1016/j.jeurceramsoc.2006.04.129
    [2] Vogt UF, Györfy L, Herzog A, et al. (2007) Macroporous silicon carbide foams for porous burner applications and catalyst supports. J Phys Chem Solids 68: 1234–1238. https://doi.org/10.1016/j.jpcs.2006.12.008 doi: 10.1016/j.jpcs.2006.12.008
    [3] Zhang Y, Wu Y, Yang X, et al. (2020) High-strength thermal insulating mullite nanofibrous porous ceramics. J Eur Ceram Soc 40: 2090–2096. https://doi.org/10.1016/j.jeurceramsoc.2020.01.011 doi: 10.1016/j.jeurceramsoc.2020.01.011
    [4] Orlovská M, Chlup Z, Bača Ľ, et al. (2020) Fracture and mechanical properties of lightweight alumina ceramics prepared by fused filament fabrication. J Eur Ceram Soc 40: 4837–4843. https://doi.org/10.1016/j.jeurceramsoc.2020.02.026 doi: 10.1016/j.jeurceramsoc.2020.02.026
    [5] Ohji T, Fukushima M (2012) Macro-porous ceramics: Processing and properties. Int Mater Rev 57: 115–131. https://doi.org/10.1179/1743280411Y.0000000006 doi: 10.1179/1743280411Y.0000000006
    [6] Twigg MV, Richardson JT (2007) Fundamentals and applications of structured ceramic foam catalysts. Ind Eng Chem Res 46: 4166–4177. https://doi.org/10.1021/ie061122o doi: 10.1021/ie061122o
    [7] Eom JH, Kim YW, Raju S (2013) Processing and properties of macroporous silicon carbide ceramics: A review. J Asian Ceram Soc 1: 220–242. https://doi.org/10.1016/j.jascer.2013.07.003 doi: 10.1016/j.jascer.2013.07.003
    [8] Tofighy MA, Mohammadi T (2019) Chapter Nine—Barrier, diffusion, and transport properties of rubber nanocomposites containing carbon nanofillers, In: Yaragalla S, Mishra RK, Thomas S, et al., Carbon-Based Nanofillers and Their Rubber Nanocomposites, Oxford: Elsevier.
    [9] Fan Y, Fowler GD, Zhao M (2020) The past, present and future of carbon black as a rubber reinforcing filler—A review. J Clean Prod 247: 119115. https://doi.org/10.1016/j.jclepro.2019.119115 doi: 10.1016/j.jclepro.2019.119115
    [10] Donnet JB, Bansal RC, Wang MJ (2017) Carbon Black: Science and Technology, 2 Eds., New York: Routledge.
    [11] Chen Y, Fan C, Li X, et al. (2023) Preparation of carbon black‐based porous carbon adsorbents and study of toluene adsorption properties. J Chem Technol Biot 98: 117–128. https://doi.org/10.1002/jctb.7220 doi: 10.1002/jctb.7220
    [12] Živcová Z, Gregorová E, Pabst W, et al. (2009) Thermal conductivity of porous alumina ceramics prepared using starch as a pore-forming agent. J Eur Ceram Soc 29: 347–353. https://doi.org/10.1016/j.jeurceramsoc.2008.06.018 doi: 10.1016/j.jeurceramsoc.2008.06.018
    [13] Liu J, Li Y, Li Y, et al. (2016) Effects of pore structure on thermal conductivity and strength of alumina porous ceramics using carbon black as pore-forming agent. Ceram Int 42: 8221–8228. https://doi.org/10.1016/j.ceramint.2016.02.032 doi: 10.1016/j.ceramint.2016.02.032
    [14] Wang W, Sun K, Liu H (2020) Effects of different aluminum sources on morphologies and properties of ceramic floor tiles from red mud. Constr Build Mater 241: 118119. https://doi.org/10.1016/j.conbuildmat.2020.118119 doi: 10.1016/j.conbuildmat.2020.118119
    [15] Talaei M, Mostofinejad D (2021) Mechanical properties of fiber-reinforced concrete containing waste porcelain aggregates under elevated temperatures. Constr Build Mater 289: 122854. https://doi.org/10.1016/j.conbuildmat.2021.122854 doi: 10.1016/j.conbuildmat.2021.122854
    [16] Anwar MS, Bukhari SZA, Ha JH, et al. (2021) Effect of Ni content and its particle size on electrical resistivity and flexural strength of porous SiC ceramic sintered at low temperature using clay additive. Ceram Int 47: 31536–31547. https://doi.org/10.1016/j.ceramint.2021.08.032 doi: 10.1016/j.ceramint.2021.08.032
    [17] Chen Y, Wang N, Ola O, et al. (2021) Porous ceramics: Light in weight but heavy in energy and environment technologies. Mater Sci Eng R 143: 100589. https://doi.org/10.1016/j.mser.2020.100589 doi: 10.1016/j.mser.2020.100589
    [18] Çelik A, Çağlar G, Çelik Y (2022) Fabrication of porous Al2O3 ceramics using carbon black as a pore forming agent by spark plasma sintering. Ceram Int 48: 28181–28190. https://doi.org/10.1016/j.ceramint.2022.06.121 doi: 10.1016/j.ceramint.2022.06.121
    [19] Maurath J, Willenbacher N (2017) 3D printing of open-porous cellular ceramics with high specific strength. J Eur Ceram Soc 37: 4833–4842. https://doi.org/10.1016/j.jeurceramsoc.2017.06.001 doi: 10.1016/j.jeurceramsoc.2017.06.001
    [20] Nuaklong P, Jongvivatsakul P, Pothisiri T, et al. (2020) Influence of rice husk ash on mechanical properties and fire resistance of recycled aggregate high-calcium fly ash geopolymer concrete. J Clean Prod 252: 119797. https://doi.org/10.1016/j.jclepro.2019.119797 doi: 10.1016/j.jclepro.2019.119797
    [21] Yang Y, Ma M, Zhang F, et al. (2020) Low-temperature sintering of Al2O3 ceramics doped with 4CuO-TiO2-2Nb2O5 composite oxide sintering aid. J Eur Ceram Soc 40: 5504–5510. https://doi.org/10.1016/j.jeurceramsoc.2020.06.068 doi: 10.1016/j.jeurceramsoc.2020.06.068
  • This article has been cited by:

    1. Karol Salazar-Ariza, Rafael Torres, Statistical theory of the polarization on the Poincaré sphere, 2019, 44, 0146-9592, 3318, 10.1364/OL.44.003318
    2. Amanda Swan, Thomas Hillen, John C. Bowman, Albert D. Murtha, A Patient-Specific Anisotropic Diffusion Model for Brain Tumour Spread, 2018, 80, 0092-8240, 1259, 10.1007/s11538-017-0271-8
    3. Juan D. Olarte-Plata, Fernando Bresme, Theoretical description of the thermomolecular orientation of anisotropic colloids, 2019, 21, 1463-9076, 1131, 10.1039/C8CP06780E
    4. Karl K. Sabelfeld, Application of the von Mises–Fisher distribution to Random Walk on Spheres method for solving high-dimensional diffusion–advection–reaction equations, 2018, 138, 01677152, 137, 10.1016/j.spl.2018.03.002
    5. K.J. Painter, A.Z. Plochocka, Efficiency of island homing by sea turtles under multimodal navigating strategies, 2019, 391, 03043800, 40, 10.1016/j.ecolmodel.2018.10.025
    6. Daria Stepanova, Helen M. Byrne, Philip K. Maini, Tomás Alarcón, Roeland M.H. Merks, A multiscale model of complex endothelial cell dynamics in early angiogenesis, 2021, 17, 1553-7358, e1008055, 10.1371/journal.pcbi.1008055
    7. Ion Bica, Thomas Hillen, Kevin J. Painter, Aggregation of biological particles under radial directional guidance, 2017, 427, 00225193, 77, 10.1016/j.jtbi.2017.05.039
    8. Paul C. Bressloff, Samuel R. Carroll, Stochastic neural fields as gradient dynamical systems, 2019, 100, 2470-0045, 10.1103/PhysRevE.100.012402
    9. Kevin J. Painter, Thomas Hillen, 2018, Chapter 5, 978-3-319-96841-4, 103, 10.1007/978-3-319-96842-1_5
    10. Rangaprasad Arun Srivatsan, Mengyun Xu, Nicolas Zevallos, Howie Choset, Probabilistic pose estimation using a Bingham distribution-based linear filter, 2018, 37, 0278-3649, 1610, 10.1177/0278364918778353
    11. S.T. Johnston, K.J. Painter, The impact of short- and long-range perception on population movements, 2019, 460, 00225193, 227, 10.1016/j.jtbi.2018.10.031
    12. Yaping LI, Xiaowei CHEN, Yongbo SHAO, Numerical Modeling of Natural Fracture Distributions in Shale, 2023, 1000-9515, 10.1111/1755-6724.15050
    13. N. LOY, T. HILLEN, K. J. PAINTER, Direction-dependent turning leads to anisotropic diffusion and persistence, 2022, 33, 0956-7925, 729, 10.1017/S0956792521000206
    14. James D. McLaren, Heiko Schmaljohann, Bernd Blasius, Predicting performance of naïve migratory animals, from many wrongs to self-correction, 2022, 5, 2399-3642, 10.1038/s42003-022-03995-5
    15. Ryan Thiessen, Thomas Hillen, Anisotropic Network Patterns in Kinetic and Diffusive Chemotaxis Models, 2021, 9, 2227-7390, 1561, 10.3390/math9131561
    16. Martina Conte, Nadia Loy, Multi-Cue Kinetic Model with Non-Local Sensing for Cell Migration on a Fiber Network with Chemotaxis, 2022, 84, 0092-8240, 10.1007/s11538-021-00978-1
    17. Romain Fayat, Viviana Delgado Betancourt, Thibault Goyallon, Mathieu Petremann, Pauline Liaudet, Vincent Descossy, Lionel Reveret, Guillaume P. Dugué, Inertial Measurement of Head Tilt in Rodents: Principles and Applications to Vestibular Research, 2021, 21, 1424-8220, 6318, 10.3390/s21186318
    18. Yaping Li, Xiaowei Chen, Yongbo Shao, 3D natural fracture model of shale reservoir based on petrophysical characterization, 2023, 166, 01918141, 104763, 10.1016/j.jsg.2022.104763
    19. Szabolcs Suveges, Kismet Hossain-Ibrahim, J. Douglas Steele, Raluca Eftimie, Dumitru Trucu, Mathematical Modelling of Glioblastomas Invasion within the Brain: A 3D Multi-Scale Moving-Boundary Approach, 2021, 9, 2227-7390, 2214, 10.3390/math9182214
    20. Gwangbin Bae, Ignas Budvytis, Roberto Cipolla, 2021, Estimating and Exploiting the Aleatoric Uncertainty in Surface Normal Estimation, 978-1-6654-2812-5, 13117, 10.1109/ICCV48922.2021.01289
    21. Dominik Friml, Pavel Vaclavek, 2022, Bayesian Inference of Total Least-Squares With Known Precision, 978-1-6654-6761-2, 203, 10.1109/CDC51059.2022.9992409
    22. Vitaly V Ganusov, Viktor S Zenkov, Barun Majumder, Correlation between speed and turning naturally arises for sparsely sampled cell movements, 2023, 20, 1478-3967, 025001, 10.1088/1478-3975/acb18c
    23. Qingchao Li, Mohammed El-Hajjar, Ibrahim Hemadeh, Deepa Jagyasi, Arman Shojaeifard, Lajos Hanzo, Performance Analysis of Active RIS-Aided Systems in the Face of Imperfect CSI and Phase Shift Noise, 2023, 72, 0018-9545, 8140, 10.1109/TVT.2023.3239398
    24. Mamoru Ota, Yuji Tanaka, Yoshiya Kasahara, Propagation Analysis Method Considering Angular Spread for Random Electromagnetic Waves in Magnetized Cold Plasma, 2023, 58, 0048-6604, 10.1029/2023RS007673
    25. Qingchao Li, Mohammed El-Hajjar, Yanshi Sun, Ibrahim Hemadeh, Arman Shojaeifard, Yuanwei Liu, Lajos Hanzo, Achievable Rate Analysis of the STAR-RIS-Aided NOMA Uplink in the Face of Imperfect CSI and Hardware Impairments, 2023, 71, 0090-6778, 6100, 10.1109/TCOMM.2023.3287995
    26. Shengxi Li, Danilo Mandic, Von Mises–Fisher Elliptical Distribution, 2023, 34, 2162-237X, 11006, 10.1109/TNNLS.2022.3160519
    27. Hanyu WANG, Qiang SHEN, Zilong DENG, Xinyi CAO, Xiaokang Wang, Absolute pose estimation of UAV based on large-scale satellite image, 2023, 10009361, 10.1016/j.cja.2023.12.028
    28. Jisan Yang, Jie Jiang, Jian Li, Yan Ma, Lingfeng Tian, Guangjun Zhang, Uncertainty Estimation and Multi-FOV Data Fusion for Star Sensors Based on Directional Statistics, 2024, 73, 0018-9456, 1, 10.1109/TIM.2023.3341142
    29. Qingchao Li, Mohammed El-Hajjar, Ibrahim Hemadeh, Arman Shojaeifard, Lajos Hanzo, Low-Overhead Channel Estimation for RIS-Aided Multi-Cell Networks in the Presence of Phase Quantization Errors, 2024, 73, 0018-9545, 6626, 10.1109/TVT.2023.3339968
    30. Sourav Chandra, Rajeev Singh, Rakesh Kumar Singh, Statistical insights of polarization speckle via von Mises–Fisher distribution on the Poincaré sphere, 2024, 41, 1084-7529, 1287, 10.1364/JOSAA.519685
    31. Linzhou Zeng, Xuewen Liao, Zhangfeng Ma, Hao Jiang, Zhen Chen, UAV-to-UAV MIMO Systems Under Multimodal Nonisotropic Scattering: Geometrical Channel Modeling and Outage Performance Analysis, 2024, 11, 2327-4662, 26266, 10.1109/JIOT.2024.3395524
    32. Linzhou Zeng, Xuewen Liao, Zhangfeng Ma, Wenwu Xie, Hao Jiang, Zhen Chen, Envelope Level Crossing Rate and Average Fade Duration of Low-Altitude UAV-to-UAV Channels, 2024, 13, 2162-2337, 2220, 10.1109/LWC.2024.3407865
    33. Qingchao Li, Mohammed El-Hajjar, Yanshi Sun, Lajos Hanzo, Performance Analysis of Reconfigurable Holographic Surfaces in the Near-Field Scenario of Cell-Free Networks Under Hardware Impairments, 2024, 23, 1536-1276, 11972, 10.1109/TWC.2024.3386850
    34. Andrei Ciprian Macarie, Szabolcs Suveges, Mohamed Okasha, Kismet Hossain-Ibrahim, J. Douglas Steele, Dumitru Trucu, Post–operative glioblastoma cancer cell distribution in the peritumoural oedema, 2024, 14, 2234-943X, 10.3389/fonc.2024.1447010
    35. Alexandra Shyntar, Thomas Hillen, Mathematical modeling of microtube-driven regrowth of gliomas after local resection, 2024, 22, 1551-0018, 52, 10.3934/mbe.2025003
    36. Thomas Hillen, Maria R. D’Orsogna, Jacob C. Mantooth, Alan E. Lindsay, Mean First Passage Times for Transport Equations, 2025, 85, 0036-1399, 78, 10.1137/24M1647667
  • Reader Comments
  • © 2023 the Author(s), licensee AIMS Press. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0)