Privacy‐aware PKI model with strong forward security

With the development of network technology, privacy protection and user anonymity have become a new research hotspot. The existing blockchain-based privacy-aware public key infrastructure (PKI) model can ensure the privacy of users in the authentication process to a certain extent, but the storage and leakage of users' keys remain a problem. This paper first proposes a strong forward-secure ring signature scheme based on RSA, which ensures the anonymity of the signing users and the forward and backward security of their keys. Then, by introducing ring signature technology into the privacy-aware PKI model, this paper proposes a blockchain-based privacy-aware PKI model with strong forward security, which not only ensures users' identity privacy but also solves the problem of the storage and leakage of users' keys, greatly improving the success rate and security of user identity authentication. Finally, this paper applies the proposed PKI model to anonymous transactions and designs a privacy-aware anonymous transaction model with strong forward security, realizing anonymous transactions without relying on trusted third parties and protecting users' privacy.

(2) By introducing the proposed ring signature algorithm into the PKI mechanism, this paper designs a blockchain-based privacy-aware PKI model with strong forward security. The model guarantees the correctness of key iteration and strong forward security. (3) Based on this privacy-aware PKI model with strong forward security, an anonymous transaction model is designed. The model realizes anonymity and privacy protection in the user transaction process.
The rest of this paper is organized as follows: Section 2 introduces the basic concepts; Section 3 introduces the strong forward-secure ring signature based on RSA; Section 4 presents the details and security analysis of our PKI model; Section 5 describes the application of the model to anonymous transactions; Section 6 concludes the paper.

| Blockchain
After Satoshi Nakamoto proposed the concept of Bitcoin, blockchain technology developed rapidly. As the core technology of Bitcoin, blockchain is a decentralized accounting system. All users share the same "account book," so it is immutable and unforgeable. As a form of bookkeeping, blockchain naturally has participants who do the bookkeeping, which we call miners, and the act of miners recording data blocks is called mining. The blockchain rewards miners for doing the right thing, and it works correctly as long as most miners are honest. Each block of the blockchain contains the hash value of the previous block, and blocks are connected in turn to form a chain structure, so all users can trace the data in the chain. Blockchains can be divided into public chains, private chains, and consortium (alliance) chains according to the restrictions on participants. A public chain is a blockchain that everyone can participate in, so it also offers anonymity: a user can use a public key as the account to participate in transactions, and a user can create multiple accounts, which greatly strengthens anonymity. A private chain is a blockchain in which one can participate only after passing authentication; it does not need to guarantee anonymity and is suitable for small-scale bookkeeping. A consortium chain is formed by combining different groups as participants, and is applicable to accounting between companies.

| Public key infrastructure
PKI is a system that provides public key encryption and digital signatures. By correctly identifying and verifying the user's identity information, the PKI issues a certificate to the user, which binds the key to the user's identity. The traditional public key infrastructure relies on a CA: users send identity information to the CA, and the CA verifies and authenticates their identities. If authentication succeeds, the user is issued an identity certificate and can then perform activities that require a proven identity. Although this method is simple and fast, it has the problem of CA centralization: once the CA is compromised, the users' identity information will be disclosed, and even if the users' identity information stays secret, there is no guarantee that the CA will be honest. Hence the emergence of decentralized authentication, namely public key infrastructure based on blockchain, in which the centralized CA is replaced by the blockchain. The user's identity information is verified by the majority of participants and, once it passes, is put into the blockchain by miners. Due to the immutability and unforgeability of the blockchain, the security and reliability of identity authentication can be guaranteed.

| Ring signature
Ring signatures were first proposed in 2001 by Rivest, Shamir, and Tauman [17], and are named for the fact that the signature forms a ring structure according to certain rules. The verifier can determine that the signer is a member of the ring, but not the identity of the real signer. Unlike group signatures, ring signatures can choose any member as a possible signer: there is no group-building process, no group administrator is needed, and the anonymity of the signer's identity is unconditional. These characteristics give ring signatures a wide range of applications in electronic cash, electronic voting, and ad hoc anonymous authentication. A forward-secure ring signature adds forward security to the ring signature by dividing the signature lifetime into several time periods. The private key is iteratively updated in stages while the public key remains unchanged, so that an adversary cannot forge a previous ring signature even if he obtains the user's current private key.

| Privacy-aware PKI model
The privacy-aware blockchain-based PKI (PB-PKI) is an improvement on Certcoin [18] by Louise Axon. On the basis of the Certcoin framework, a privacy-awareness part was added: the identity of the registered user is hidden through the iteration of public and private keys in the key update process, and the identity leakage problem is further addressed through the authentication of pseudonyms, so that the real identity id of the user is not disclosed in the key update process. The process is also divided into two phases: the registration phase and the update phase. The most important difference between PB-PKI and Certcoin is in the key update phase: PB-PKI needs to update the online key iteratively with a newly generated pair of offline keys. The iteration process is shown in Figure 1 below.
In this process, the function $f$ is the key evolution function, $pk_n = f(pk, sk)$. According to this function, PB-PKI obtains a new pair of online keys $(pk_n, sk_n)$. At the same time, the relationship between the online public and private keys is guaranteed to satisfy $pk_n \times sk_n \equiv 1 \bmod N_n$. Finally, the user publishes the updated public information to the blockchain to authenticate the pseudonym.

| STRONG FORWARD-SECURE RING SIGNATURE BASED ON RSA
Based on literature [16], this paper proposes a new strong forward-secure ring signature scheme based on RSA, which is introduced in detail in this section:
(1) Key generation: According to the key generation algorithm of RSA, user $U_i$ ($i = 1, \ldots, n$) randomly selects two large prime numbers $p_i, q_i$. Then $U_i$ selects two integers $e_i$ and $y_i$ coprime with $\varphi(N_i)$ as the public keys. Finally $U_i$ calculates the inverse elements $d_i$ and $x_i$ of the public keys according to the formula:
Finally, $U_k$ calculates $s_k$ and $s'_k$, and outputs the signature $\sigma_m = (j, c_1, s_1, \ldots, s_n, s'_1, \ldots, s'_n)$.
(4) Verification: After the verifier receives the signature $\sigma_m$, the message $m$ and the set $L$ of public keys, for $i = 1, 2, \ldots, n$ in turn it calculates Equation (4). Then the verifier calculates $c_{i+1} = H(L, m, r_i, r'_i)$ and finally verifies whether $c_1 = H(L, m, r_n, r'_n)$ holds. If it holds, the signature is correct; otherwise the signature is invalid.
(5) Correctness: According to the key update formulas (1) and (2), we get Equations (5) and (6).
(6) Strong forward security: Forward security is achieved by the iterative update of the first part of the private key of user $U_i$, and backward security is achieved by the update of the second part of the private key of user $U_i$. According to the intractability of finding square roots modulo a large composite number, it is difficult to obtain the previous private key from the later private key.
(7) Security: We prove the security of the proposed strong forward-secure ring signature by the following theorem.
Theorem. If factoring large numbers is hard, the strong forward-secure ring signature based on RSA proposed in this paper is provably secure in the EU-CMA security model.
Proof. We construct a simulator $B$, which interacts with a probabilistic polynomial time (PPT) adversary $A$ in the following steps. $A$ can make at most $q_H$ queries to the hash oracles $H_i$ ($i = 1, \ldots, n$) and at most $q_S$ queries to the signature oracle (SO). If $A$ can forge a valid signature in time $\tau$ with a non-negligible probability $\epsilon > 1/Q(k)$ on a message $m$ and a set $L$ of public keys, such that $V(m, L, \sigma) = 1$ (where $Q$ is a polynomial and $k$ is a sufficiently large security parameter), then there is a PPT algorithm that solves the large-number factorization problem within time $\tau$ with a non-negligible probability determined by $n$, $q_H$, $q_S$ and $Q(k)$. This contradicts the hardness of factoring large numbers. Therefore the hypothesis does not hold, that is, no PPT adversary $A$ can forge a valid signature in time $\tau$ with a non-negligible probability $\epsilon > 1/Q(k)$.
$A$ is a PPT adversary that can make at most $q_H$ queries to the hash oracles $H_i$ ($i = 1, \ldots, n$) and at most $q_S$ queries to SO. Except for repeated queries, the independent random oracles $H_i$ output random results; SO may also query the oracles $H_i$, and its answers are consistent with the query outputs seen by $A$.

| Query
At this stage, the adversary $A$ can make hash queries and signature queries to the oracles $H_i$ and SO, respectively. Simulator $B$ prepares a hash list and a signature list to record all queries and responses as follows, where both lists are empty at the beginning. When the adversary uses $L, m$,

| Forgery
By running adversary $A$, simulator $B$ is able to simulate the random oracles and give answers consistent with each hash function $H_i$ and the signature oracle SO. For any message $m$ and any public key set $L \subseteq L'$, $B$ simulates SO without using any private key and, only by controlling the hash function $H$, generates a valid signature as follows (the last step being the case $i = n$). SO returns the signature with $U_k$ as the actual signer.
$A$ returns a forged signature with a probability not less than $1/Q(k)$ minus a quantity in $q_H$, $q_S$ and $q$ for the $n$ random oracles used for validation, where $q$ is the number of possible responses of all the oracles. Since this quantity is negligible, $A$ returns a forged signature with a probability not less than $1/Q(k)$ for all random oracles used for verification. Therefore, when $A$ forges a valid signature, it must have made $n$ queries to the hash oracles $H_i$ that are consistent with the verification equation. Let $X_1, X_2, \ldots, X_n$ be the $n$ queries that satisfy the verification for the first time, and let $k$ satisfy formula (8).
That is, $X_{i_k}$ corresponds to the query to $H_k$ in validation, and $k$ is called the gap of the ring signature $\sigma$. If $i_1 = \ell$, the forged signature $\sigma$ is denoted as $(\ell, k)$-$\sigma$. In other words, the first query associated with the verification is the $\ell$-th query and the gap is $k$.
At the beginning of the simulation, $B$ selects a pair $(\ell, k)$; then $B$ can ensure that $(\ell, k)$ matches a successfully forged signature $(\ell, k)$-$\sigma$ with a probability not less than a bound determined by $n$, $q_H$, $q_S$ and $Q(k)$.
When the query $X_{i_k}$ occurs (and the query $X_{i_{k+1}}$ has also occurred), $B$ returns $c_k$ as the value. At this point, since $c_k, z_k, z'_k$ are known, if $A$ can successfully forge the ring signature, the $s_k$ and

| Model architecture
In this paper, the privacy-aware model proposed in literature [15] is adopted as the model framework. During the key update process, a new pair of online keys is generated each time, rather than iteratively updating the online keys using the offline key. In identity authentication, the newly generated online key is authenticated through a ring signature under the users' registration keys released in the blockchain, to ensure the correctness and security of the users' online key. The frame structure is shown in Figure 2.

| A privacy-aware PKI model with strong forward security
This paper introduces the strong forward-secure ring signature into the PKI model. Based on the RSA algorithm, the privacy-aware PKI model with strong forward security is proposed to update the users' registration key, which removes the security risk of registration key loss and ensures the forward security of the registration key. The model is divided into two parts: the registration stage and the key update stage. The registration process authenticates the real identity of users through the blockchain structure, while the update process takes place after registration. At the end of the registration process, the registered user carries out the key update operation to generate a new pseudonym and identity key, and uses ring signature technology to prove that he is a valid registered user, thereby hiding his real identity and achieving anonymity. In the following sections we introduce the two parts in detail.

| Registration
The registration stage mainly binds the real identity id of the user to the registration key obtained by the RSA key generation algorithm, and publishes it to the blockchain to complete the registration of the user's identity. The specific registration process is shown in Figure 3 below.
FIGURE 3 Flow chart of registration
At the registration stage, the user first generates the registration key and the master key according to the RSA key generation algorithm. The registration key is bound to the user's identity and then participates in the user's key update process as the signature key. The function of the master key pair is to prove the user's identity when an adversary impersonates him. The specific algorithm for generating the registration key is as follows: Then the master key pair is generated: similarly, $p_m$ and $q_m$ are taken and $N_m$ is calculated. Then, according to the formula $mpk \cdot msk \equiv 1 \bmod \varphi(N_m)$, we get the master key pair $(mpk, msk)$. At this point, after the two pairs of keys required for user registration are generated, the user signs the identity (id) according to the RSA signature scheme to get $\sigma_0, \sigma'_0$, and publishes the following to the blockchain. Here id represents the real identity of the user, register indicates that this operation is a user registration operation, $T_0$ represents the current timestamp, $PK_0$ represents the generated registration public key, $\sigma_0$ and $\sigma'_0$ represent the signatures of the registration private key over the identity, whose purpose is to associate the registered public key with the identity, and the last element $\sigma_m$ is the signature of the master private key over the identity, whose purpose is that if someone impersonates the user's identity in the future, the user can prove his identity by providing the master key and its signature. The remaining information, namely the current registered private key $SK_0 = (sk_0, sk'_0)$ and the master key pair $(mpk, msk)$, is stored locally.
At the end of the registration phase, the members of the blockchain verify the information published by the user. First, they verify whether the registered id and the registered public key $pk_0, pk'_0$ are being registered for the first time, and then verify the correctness of the signatures according to the RSA signature algorithm, that is, Equations (10) and (11), which check $\sigma_0$ and $\sigma'_0$ against $pk_0$ and $pk'_0$. If the signatures are correct, the user publishes a block containing this information into the blockchain.
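To make the registration stage and its verification concrete, here is an added example in Python (not the paper's code): it generates a registration key with two exponents on one modulus and a master key, builds the (register, $T_0$, $PK_0$, $\sigma_0$, $\sigma'_0$, $\sigma_m$) record, and runs the verifiers' first-time check and RSA signature checks, plus the later master-key identity proof. Hash-then-RSA over SHA-256(id), 64-bit primes, the record field names and the `Registry` stand-in for the blockchain are assumptions.

```python
# Added example (not from the paper): a toy model of the registration stage.
# Primes are only 64-bit and "signing the id" is hash-then-exponentiate on
# SHA-256(id), so this is illustrative, never production code.
import hashlib
import math
import random

RNG = random.Random(2024)  # fixed seed so the example is reproducible

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test (helper, not part of the paper's scheme)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(cand):
            return cand

def coprime_exponent(phi):
    """Odd exponent coprime with phi(N), as in the paper's key generation."""
    while True:
        e = RNG.randrange(3, phi, 2)
        if math.gcd(e, phi) == 1:
            return e

def gen_key(exponents, bits=64):
    """RSA key whose public exponents share one modulus: 2 exponents give the
    registration key PK_0 = (pk_0, pk_0'), 1 gives the master key (mpk, msk)."""
    p, q = gen_prime(bits), gen_prime(bits)
    n, phi = p * q, (p - 1) * (q - 1)
    pk = tuple(coprime_exponent(phi) for _ in range(exponents))
    return {"N": n, "pk": pk, "sk": tuple(pow(e, -1, phi) for e in pk)}

def h_id(identity, n):
    """Hash the identity string into Z_N before exponentiation."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % n

def register(identity, t0, reg, master):
    """Record (register, T_0, PK_0, sigma_0, sigma_0', sigma_m); SK_0 and msk stay local."""
    m0, mm = h_id(identity, reg["N"]), h_id(identity, master["N"])
    sig0, sig0p = (pow(m0, d, reg["N"]) for d in reg["sk"])
    return {"op": "register", "id": identity, "T0": t0,
            "PK0": (reg["N"],) + reg["pk"], "sig0": sig0, "sig0p": sig0p,
            "sigm": pow(mm, master["sk"][0], master["N"])}

class Registry:
    """Stand-in for the blockchain verifiers: first-time check, then Equations (10)/(11)."""
    def __init__(self):
        self.seen = set()  # ids and registration public keys already on chain

    def verify_and_publish(self, rec):
        n0, e, y = rec["PK0"]
        if rec["id"] in self.seen or rec["PK0"] in self.seen:
            return False  # id or registration key was registered before
        m0 = h_id(rec["id"], n0)
        if pow(rec["sig0"], e, n0) != m0 or pow(rec["sig0p"], y, n0) != m0:
            return False  # signatures do not bind this id to PK_0
        self.seen.update({rec["id"], rec["PK0"]})
        return True

def prove_identity(rec, nm, mpk):
    """Later ownership proof: the user reveals (N_m, mpk) so sigma_m can be checked."""
    return pow(rec["sigm"], mpk, nm) == h_id(rec["id"], nm)
```

Re-submitting the same record, or reusing $PK_0$ under another id, is rejected by the first-time check before any signature is examined.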

| Key update
The key update stage is the focus of this model, in which we hide the real identity of the user through the evolution of the user's public keys. After the registration process, to hide their real identity, registered users perform the key update process to generate new pseudonyms and keys, and prove themselves to be registered users through ring signature technology, while hiding the relationship between the pseudonyms and the real id. The specific process is shown in Figure 4 below.
In the update phase, based on the RSA key generation algorithm, the registered user first generates a new key pair $PK_n = (pk_n, pk'_n)$, $SK_n = (sk_n, sk'_n)$. Then the user publishes a ring signature under the registration key $PK_0 = (pk_0, pk'_0)$, $SK_0 = (sk_0, sk'_0)$, so as to prove that the user is indeed a registered member.
According to the flow chart, the process of key update is described in detail below:
(1) Key iteration: The user generates a random number $R_n \in \{0, 1\}^*$ as the pseudonym of the user's identity at this stage. Next, according to the RSA key generation algorithm, a new identity key pair $PK_n = (pk_n, pk'_n)$, $SK_n = (sk_n, sk'_n)$ is generated. Then, the strong forward-secure ring signature scheme proposed in Section 3 is used to perform the ring signature operation on the pseudonym $R_n$, and the signature $\sigma_{r_n}$ is obtained:
(a) Key generation: Assume that the user is $U_k$ ($1 \le k \le n$). Set the registration key of user $U_k$ as $PK_0 = (pk_0, pk'_0)$, $SK_0 = (sk_0, sk'_0)$.
(b) Key update: The validity period of the registration key of user $U_k$ is divided into $T$ time periods, and when the time enters the $j$-th time period, $U_k$ calculates Equations (12) and (13).
(2) Information collation: The user collates all the corresponding information and packages it into the following format: $(update, T_n, PK_n = (pk_n, pk'_n), R_n, \sigma_{r_n})$, where update indicates that the current operation is an update operation, $T_n$ is the current timestamp, and $R_n$ is the pseudonym generated this time.
(3) Information verification and release: Finally, the blockchain verifiers check that the updated key has not been registered before, and use the verification algorithm of the strong forward-secure ring signature to verify the signature and ensure its validity. After verification, the blockchain members publish the package from step (2) to the blockchain.

| Security analysis
The security of the strong forward-secure PKI model proposed in this paper is analyzed from two aspects: one is the security of the RSA scheme itself, and the other is the security of the model.

| RSA security
The security of the RSA algorithm rests on the difficulty of factoring large numbers: given an integer that is the product of two primes, one is required to compute those two primes. When $n$ is large enough, factoring large integers is computationally hard, and there is no general efficient algorithm. The key point for a cryptanalyst attacking RSA is how to factor $n$. If the factorization $n = p \cdot q$ succeeds, then $\varphi(n) = (p - 1)(q - 1)$ can be calculated, and the private key $d$ can be obtained from the public key $e$. So, if $p$ and $q$ are large enough primes for RSA security, the analyst cannot factor $n$ in effective (polynomial) time. Of course, it has not been proven that breaking RSA requires factoring large numbers, and there may be attacks that do not rely on factoring; we do not go into this problem here, and by default we select a modulus large enough to be secure.

| Model security
The security of the privacy-aware PKI model with strong forward security proposed in this paper lies mainly in two aspects: one is the security of the master key and identity key generated by the users; the other is the security of the signature scheme used in the model. The security of the ring signature scheme has been demonstrated in Section 3, so this section focuses on the security of the master key and identity key generated by the users. The security objective of the model is to completely separate the real identity of the user from the updated key, that is, the updated key cannot be traced back to the real identity of the user. For this security goal, we analyze the following key-security situations.
(1) When only the master key is lost, the adversary can only learn the user's id by using the master key, but cannot associate the id with the pseudonym the user is using. (2) When only the identity key is lost, the user can update the identity key in time, or revoke the identity key directly by issuing the master key, which prevents the adversary from committing illegal acts by impersonating the user. (3) When the master key and identity key are lost at the same time, the adversary obtains the user's complete identity information and identity proof credentials, and the user can only revoke his/her identity with the master key and then re-register.

| THE PRIVACY-AWARE ANONYMOUS TRADING MODEL WITH STRONG FORWARD SECURITY
Now that we have an anonymous public key infrastructure, we can apply it to anonymous transactions [19]. This paper divides anonymous transactions into two forms: in the first, the two parties to the transaction connect directly, and the anonymity of the transaction is ensured by their respective anonymity; in the second, an anonymous transaction model is set up, such as by adding a third party, a proxy [20]. For the first form, the blockchain-based PKI model designed above adds user-controllable identity anonymity and can be applied directly to anonymous transactions. Using the public key and pseudonym generated by the model itself to participate in the transaction prevents the adversary from tracing back to the real identity of the user, and together with the decentralized and trustless characteristics of the blockchain itself, this fully guarantees the anonymity of the transaction.
For the second form, we use the form of adding proxy to further enhance transaction anonymity.

| Anonymous trading architecture
The role of the proxy in the anonymous transaction model is to cut off the relationship between the two parties and further enhance the anonymity of the transaction. Based on the anonymous transaction model [16], the third party, proxy "I", is added between "A" and "B" to form the framework of the transaction model; see Figure 5 below. Through this simple model, proxy "I" obfuscates the transaction between users A and B and breaks the link between A and B, so that transactions between users A and B cannot be traced, greatly improving the anonymity and security of transactions.

| Privacy-aware anonymous trading model
For the anonymous transaction model, the trader and the proxy use the keys generated by the PKI model as transaction accounts and set up four transaction algorithms: are issued simultaneously by the counterparty A and the proxy "I" in one block, to confirm the first two transactions. The specific process is shown in Figure 6 below. Thus, the confirmation mechanism of the blockchain itself ensures that party A transfers the transaction currency to the proxy and that proxy "I" simultaneously transfers the transaction currency to the counterparty, so as to prevent the transaction from going wrong. At the same time, party A can be set to transfer a part of the currency to proxy "I" to encourage proxy "I" to perform the anonymous transaction operation. In this way, on top of the anonymity of the user's own account, the anonymous proxy mechanism is added, and the anonymity of the transaction is greatly improved by this double guarantee. The proposed privacy-aware anonymous transaction model consists of two parts: the PKI model and the anonymous transaction model. First, the PKI model ensures that only the user's public and private keys and pseudonyms are used in the whole transaction model, without any connection to the user's real identity, which greatly improves the anonymity of both parties. Second, the proxy mechanism of the anonymous transaction model uses the proxy only as the communication hub between the two parties, which cuts off the relationship between the two parties of the transaction, further improving its anonymity. The security of the trading model is guaranteed by the four functions set in the model. The four functions are published in three blocks: first, the currency exchange voucher transaction block initiated by user A is published to proxy "I": are published simultaneously in the third block to confirm the two previously published trades.
In this way, even if the proxy is malicious, the proposed model can ensure the correct transaction, greatly improving the security of the anonymous transactions.

| CONCLUSION
First, this paper proposes a strong forward-secure ring signature scheme based on RSA, which not only guarantees the anonymity of the user but also ensures the forward and backward security of the signing user's key. Then, by introducing ring signature technology into the privacy-aware PKI model, this paper proposes a forward-secure privacy-aware PKI model based on blockchain. While ensuring user identity privacy, it solves the problem of user key storage and disclosure, and greatly improves the success rate and security of user identity authentication. Finally, this paper applies the forward-secure privacy-aware PKI model to anonymous transactions and designs a privacy-aware anonymous transaction model, which realizes anonymous transactions without relying on trusted third parties and protects the privacy of users.