Zhang Ying, Jiang Rui
(School of Cyber Science and Engineering, Southeast University, Nanjing 210096, China)
Abstract: To verify that an organization-friendly blockchain system may suffer from forgery and collusion attacks, forgery and collusion attacks were theoretically carried out following the phase sequence of the organization-friendly blockchain system. The organization-friendly blockchain system was then improved, and the same forgery and collusion attacks were carried out against it, again following the phase sequence. The results show that an attacker can obtain illegal transaction data through forgery and collusion attacks on the organization-friendly blockchain system, whereas against the improved organization-friendly blockchain system the attacker's forgery and collusion attacks cannot be completed. Therefore, the organization-friendly blockchain system may be subject to forgery and collusion attacks, but the improved organization-friendly blockchain system can prevent such attacks.
Key words: blockchain; identity privacy; transaction supervision; forgery attack; collusion attack
In 2008, Satoshi Nakamoto proposed a peer-to-peer electronic cash system called Bitcoin [1]. Consequently, considerable research on its underlying technology, called blockchain, has been conducted worldwide. However, blockchain technologies [1-2] may encounter the privacy protection problem.
To solve the privacy protection problem in blockchains, many schemes [3-8] have been proposed. The Mixcoin mechanism [3] was proposed to hide the transaction process among transaction users; however, the centralized Mixcoin scheme may result in the transactional centralization problem. A ring signature was applied to the Monero cryptocurrency [4]; however, in this anonymous technology, the ring signature operation relies on other users' public keys. Ring confidential transactions [5] improve the Monero cryptocurrency [4] by introducing a Pedersen commitment on top of the ring signature. In 2013, Zerocoin [6], a distributed e-cash system, was proposed to apply cryptographic techniques to unlink transactions from the payment's origin without adding trusted parties; however, Zerocoin has limited functionality. To overcome this problem, Zerocash [7] was proposed to hide the transaction amount and the origin or destination of the payment anonymously; however, Zerocash has low efficiency. Bolt [8] was proposed by constructing three anonymous payment channels to ensure secure, instantaneous, and private payment. However, all of the above schemes provide inappropriate or excessive privacy protection and may result in the transaction supervision problem. Hence, no one can determine the relevant information of transaction users, and crimes such as fraud, money laundering, and drug smuggling are prone to occur.
To solve the conflict between privacy protection and transaction supervision in blockchains, a number of schemes [9-12] have been proposed. Auditable Zerocoin [9] was proposed to allow designated auditors to extract link information from Zerocoin transactions. A decentralized anonymous payment scheme with accountability and privacy [10] was proposed to address regulatory concerns by adding a privacy-preserving policy-enforcement mechanism. The confidential and auditable payment scheme [11] was proposed to keep the transaction confidential. The organization-friendly blockchain system [12] was proposed to realize a balance between privacy protection and transaction supervision. However, the scheme may suffer from forgery and collusion attacks, through which an attacker can easily obtain the transaction amount illegally.
In this paper, the organization-friendly blockchain system [12] is briefly reviewed, the forgery and collusion attacks that the system [12] may suffer from are described, and countermeasures to remedy such attacks are presented.
The organization-friendly blockchain system [12] has nine main phases: system setup (Setup), key generation (KeyGen), organization issue (Issue), user registration (Join), address generation (AddrGen), transaction generation (TransGen), transaction verification (TransVer), transaction relay (TransRelay), and user identity tracing (UserTrace).
In the KeyGen phase, the registration node RegMan, organization node OrgMan, and member user node MebUser generate their respective key pairs.
In the Join phase, MebUser and OrgMan interactively generate a sub-certificate $C_u$. SedUser and RecUser submit their respective public keys $upk_s$ and $upk_r$ together with other identifying information to SedOrg and RecOrg for registration. Once the user's identity verification passes, SedOrg and RecOrg send the sub-certificates $C_{su}=(A=(g_1/u_3)^{1/(r_1+a)},\,a)$ and $C_{ru}=(A'=(g_1/u_4)^{1/(r_2+a_1)},\,a_1)$ and the organization certificates $C_{so}$ and $C_{ro}$ to SedUser and RecUser, respectively. Once SedUser and RecUser have verified their respective sub-certificates and organization certificates, OrgMan binds the sub-certificate to the user public key and places it in the sub-certificate library $C_{lu}$.
In the AddrGen phase, OrgMan and MebUser generate their respective wallet addresses. SedOrg and RecOrg compute their wallet addresses $a_{so}=H(opk_s)$ and $a_{ro}=H(opk_r)$, and SedUser and RecUser compute theirs as $a_{su}=H(upk_s)$ and $a_{ru}=H(upk_r)$.
In the TransGen phase, SedUser generates a transaction and broadcasts it to the blockchain network.
SedUser attaches $C_{so}$ as the transaction certificate to generate the transaction $T=(a_{so},a_{ro},\sigma,h_3,opk_s,C_{so})$ and then broadcasts $T$ to the blockchain network.
In the TransVer phase, the miner node Miner verifies the validity of the transaction $T=(a_{so},a_{ro},\sigma,h_3,opk_s,C_{so})$ according to the following equations:
(1)
(2)
(3)
Once Eqs. (1), (2), and (3) hold, Miner broadcasts the transaction $T=(a_{so},a_{ro},\sigma,h_3,opk_s,C_{so})$ and generates a block $B$ to complete the transaction in the blockchain trading system.
In the UserTrace phase, the system tracks the identity of the malicious transaction user when an abnormal transaction occurs.The whole process is divided into external tracing and internal tracing.
In external tracing, RegMan receives the transaction sent by Miner and traces the public key $opk_s$ of SedOrg according to the organization certificate $C_{so}$.
In this section, the forgery attack is described in detail. The forgery attack has two phases: the preparation phase and the implementation phase.
In the forgery attack preparation phase, the attacker $A_0$ registers with the legitimate OrgMan.
In the AddrGen phase of the scheme [12], the attacker $A_0$ computes the wallet address $a_A=H(upk_A)$.
Having finished the forgery attack preparation phase, the attacker $A_0$ can start the forgery attack implementation phase.
Firstly, the attacker $A_0$ intercepts the transaction as soon as MebUser broadcasts $T=(a_{so},a_{ro},\sigma,h_3,opk_s,C_{so})$ in the TransGen phase of the scheme [12]. $A_0$ modifies the original transaction $T$ into $T'=(a_{so},a_{ro},\sigma',h_A,opk_s,C_{so})$ and broadcasts $T'$ to the blockchain network. Specifically, $A_0$ replaces $\sigma=(T_1,T_2,T_3,c_0,c_1,\ldots,c_l,c_{l+1},c,s_\alpha,s_\beta,s_a,s_{x_3},s_{\delta_1},s_{\delta_2})$ with $\sigma'=(T'_1,T'_2,T'_3,c'_0,c_1,\ldots,c_l,c_{l+1},c',s'_\alpha,s'_\beta,s'_a,s'_{x_A},s'_{\delta_1},s'_{\delta_2})$ and changes $h_3$ to $h_A$ as follows.
Secondly, in the TransVer phase of the scheme [12], Miner verifies the validity of the transaction $T'=(a_{so},a_{ro},\sigma',h_A,opk_s,C_{so})$. If Eqs. (1), (2), and (3) hold, the modified transaction $T'$ passes verification.
$$\left(\frac{e(T'_3,w_1)}{e(g_1,g_2)}\right)^{c'} = e(h_1,w_1)^{-r'_\alpha-r'_\beta-c'(\alpha'+\beta')}\cdot e(h_1,g_2)^{-r'_{\delta_1}-r'_{\delta_2}-c'a'(\alpha'+\beta')}\cdot$$
2) The two sides of Eq. (1) are equal; therefore, Eq. (1) holds.
5) Having checked the three equations, Miner broadcasts the transaction $T'$ and generates a new block $B'$ to complete the transaction in the blockchain trading system.
In this study, the collusion attack is regarded as an attack in which some nodes in the blockchain conspire to exchange useful information and modify transaction content so as to illegally obtain other legal nodes' transaction amounts.
Specifically, the collusion attack is launched when the malicious node $A_2$ sends its own address to another malicious node $A_1$, where $A_2$ is a MebUser belonging to the same organization as the original RecUser and $A_1$ is a MebUser belonging to the same organization as the original SedUser. Then, $A_1$ modifies the original transaction information and changes the receiving address of the original transaction to $A_2$'s address. Finally, $A_2$ can illegally obtain the transaction amount of the original SedUser.
The collusion attack has two phases: the preparation phase and the implementation phase.
In the collusion attack preparation phase, attackers $A_1$ and $A_2$ register with the legitimate OrgMan, and $A_2$ may send its wallet address to $A_1$.
In the Join phase of the scheme [12], $A_1$ and $A_2$ each register with the legitimate OrgMan. For example, on registration with OrgMan, $A_1$ obtains the sub-certificate $C_{A_1}=(A_{A_1}=(g_1/u_{A_1})^{1/(r_1+a^*)},\,a^*)$.
In the AddrGen phase of the scheme [12], $A_1$ and $A_2$ compute their respective wallet addresses $a_{A_1}=H(upk_{A_1})$ and $a_{A_2}=H(upk_{A_2})$. Then, $A_2$ sends its wallet address $a_{A_2}$ to $A_1$.
After the collusion attack preparation phase, attacker $A_1$ can start the collusion attack implementation phase.
Secondly, in the TransVer phase of the scheme [12], Miner verifies the validity of the transaction $T''=(a_{so},a_{ro},\sigma'',h_{A_1},opk_s,C_{so})$. If Eqs. (1), (2), and (3) hold, the verification proceeds exactly as in the forgery attack; therefore, the modified transaction $T''$ passes verification.
Finally, in the TransRelay phase of the scheme [12], RecOrg receives the transaction $T''$ broadcast by Miner and decrypts the ciphertexts $c''_0$ and $c_i$, $i\in\{1,2,\ldots,l\}$, with its private key $osk_r=(x_2,y_2,r_2,\lambda_2)$ to obtain the transaction receiver's wallet address $a_{A_2}$ and the transaction amount $m_i$. RecOrg then relays the transaction amount to attacker $A_2$.
In this section, an improvement of the scheme [12] is proposed. The TransGen and TransVer phases of the scheme [12] are modified, and the details are presented as follows:
The improved system [12] resists forgery attacks: an attacker cannot successfully conduct a forgery attack. The detailed description is as follows.
After the forgery attack preparation phase, the attacker $A_0$ may start the forgery attack implementation phase.
where
The improved system [12] resists collusion attacks: attackers $A_1$ and $A_2$ cannot successfully launch a collusion attack. After the collusion attack preparation phase, attacker $A_1$ may start the collusion attack implementation phase.
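The root cause shared by both attacks described above is that Miner's check establishes only that some member of SedOrg produced $\sigma$ and that $C_{so}$ is valid; nothing binds the spend to the member whose funds are being transferred, so $A_0$ or $A_1$, as a legitimate SedOrg member, can re-sign a transaction whose $c_0$ now points at an attacker-controlled address. The toy model below is added here and is neither the paper's code nor its actual improvement (whose modified TransGen/TransVer details are not reproduced above): HMAC tags stand in for the group signature, all wallet names and keys are constructed, and the hardening shown (a member-specific binding tag checked against the owner of the funds) is an assumed illustration that, in the real scheme, would have to be carried inside the group-signature proof to preserve identity privacy.

```python
import hashlib
import hmac
import json

# Constructed toy model, not the paper's code. ORG_KEY stands in for the SedOrg
# group-signature credential shared by every MebUser, so a valid sigma proves only
# that *some* SedOrg member signed. MEMBER_KEY stands in for each member's own
# secret (x_3 for SedUser, x_A for A_0, ...); all names and keys are constructed.
ORG_KEY = b"SedOrg-group-credential"
MEMBER_KEY = {"a_su": b"SedUser-x3", "a_A": b"A0-xA", "a_A1": b"A1-xA1"}
FIELDS = ("a_so", "a_ro", "c0", "amount")  # what sigma and h are computed over

def _tag(key, tx):
    body = json.dumps({k: tx[k] for k in FIELDS}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def trans_gen(owner, receiver, amount):
    """TransGen as modelled: c0 carries the receiver address (encryption omitted)."""
    tx = {"a_so": "SedOrg", "a_ro": "RecOrg", "c0": receiver, "amount": amount, "owner": owner}
    tx["sigma"] = _tag(ORG_KEY, tx)            # organization-level signature
    tx["h"] = _tag(MEMBER_KEY[owner], tx)      # member-specific binding tag (assumed hardening)
    return tx

def resign(tx, new_receiver, signer):
    """A_0 (forgery) or A_1 (collusion) intercepts T and re-issues it with c0
    redirected, re-signing with its own credential as a legitimate SedOrg member."""
    mod = dict(tx, c0=new_receiver)
    mod["sigma"] = _tag(ORG_KEY, mod)
    mod["h"] = _tag(MEMBER_KEY[signer], mod)
    return mod

def trans_ver_original(tx):
    """Miner's check as modelled for the original scheme: only the org signature."""
    return hmac.compare_digest(tx["sigma"], _tag(ORG_KEY, tx))

def trans_ver_bound(tx):
    """Assumed hardening: sigma valid AND h verifies under the key of the funds' owner."""
    return trans_ver_original(tx) and hmac.compare_digest(tx["h"], _tag(MEMBER_KEY[tx["owner"]], tx))

def run():
    honest = trans_gen("a_su", "a_ru", 100)
    forged = resign(honest, "a_A", "a_A")        # forgery: A_0 redirects to its own address
    collusive = resign(honest, "a_A2", "a_A1")   # collusion: A_1 redirects to A_2's address
    return {
        "original_accepts_forgery": trans_ver_original(forged),
        "original_accepts_collusion": trans_ver_original(collusive),
        "bound_rejects_forgery": not trans_ver_bound(forged),
        "bound_rejects_collusion": not trans_ver_bound(collusive),
        "bound_accepts_honest": trans_ver_bound(honest),
    }

if __name__ == "__main__":
    print(run())
```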
1) In the organization-friendly blockchain system, attacker $A_0$ can obtain the transaction amount without being detected, which means that the forgery attack succeeds.
2) In the organization-friendly blockchain system, attacker $A_2$ can obtain the transaction amount without being detected, which means that the collusion attack succeeds.
3) In the improved organization-friendly blockchain system, forgery and collusion attacks can be prevented.
Journal of Southeast University (English Edition), 2022, Issue 1