2021 16th Asia Joint Conference on Information Security (AsiaJCIS)

A Privacy-Preserving Enforced Bill Collection

System using Smart Contracts
2021 16th Asia Joint Conference on Information Security (AsiaJCIS) | 978-1-6654-1788-4/21/$31.00 ©2021 IEEE | DOI: 10.1109/AsiaJCIS53848.2021.00018

Tomoki Fujitani Keita Emura Kazumasa Omote

University of Tsukuba
National Institute of
Information and
Communications Technology
Japan
National Institute of University of Tsukuba
Information and National Institute of
Communications Technology Information and
Japan Communications Technology
Japan

Abstract—Maintaining a balance between anonymity and
traceability is a fundamental issue in privacy-preserving systems.
Isshiki et al. proposed an identity management system based
on group signatures in which a service provider anonymously
determines whether or not users of the service are legitimate
members, and only a bill collector can identify users for the
purposes of sending them invoices. It is particularly worth noting
that, under the Isshiki system, the service provider is not required
to manage personal information such as user lists, which allows
the system to outperform other in terms of preserving user
privacy and managing personal information leakage risk. It is
also noteworthy that the Isshiki system only considers cases in
which the bill collector identifies users who have used the service
and that, in fact, identified users who ignore invoices can use the
service for free. In this paper, we extended the Isshiki system
by adding a smart contract-enabled enforcement bill collection
functionality. Under this functionality, deposits made by users
who do not pay a service fee are automatically transferred to
the bill collector. Because of their centralized structure, group
signatures are not suitable to blockchain systems, therefore, the
proposed system employs accountable ring signatures as building
blocks. The privacy-preserving enforced bill collection system
is implemented using the accountable ring signature scheme
developed by Bootle et al. and Ethereum smart contracts. To
reduce the gas costs associated with running smart contracts,
the smart contract is not run unless the user ignores an invoice,
and basic procedures are run via an off-chain channel. To avoid
the use of heavy cryptographic algorithms in carrying out the
accountable ring signature scheme for running smart contracts,
we employed standard elliptic curve digital signature algorithm
(ECDSA) signatures without especially changing the state to be
verified in smart contracts.
I. I NTRODUCTION
A. A Privacy-Preserving Bill Collection System
Group signatures [20] provide signer anonymity through the
use of the verification algorithm that checks only whether a
signer of a group signature is a member of the group, and
traceability through the use of an authority called a group
manager or an opener who is only able to identify signers.
These anonymity and traceability are important in preserving
privacy and accountability. For example, Isshiki et al. [29]
proposed a privacy-preserving identity management system
using group signatures (hereafter referred to as the Isshiki
system). The Isshiki system is shown in Figure 1. Under this
system, a bill collector has the role in the group manager. A
user of a service is given a signing key of a group signature
scheme by the bill collector, generates a group signature as a
certificate, and sends it to the service provider. Owing to the
anonymity of group signatures, the service provider can only
verify whether or not the user is a valid group member and
then provide a service. After delivering the service, the service
provider sends an invoice (a group signature) to a different
entity, called the bill collector, who manages the opening
key of group signatures. The bill collector opens the group
signature, identifies the user who has used the service, and
sends an (actual) invoice to the user. Because group signatures
are traceable, there is no group signature that is valid but
cannot be traced to a user.
Fig. 1. Isshiki System
In implementing the Isshiki system, potentially any group
signature scheme can be employed. Following a similar system
proposed by Camenisch at al. [17], Isshiki et al. further
considered the use of revocations when users leave the service
or ignore an invoice, and defined a user-revocation manager
that revokes users from the system (more precisely it expires
users’ signing keys). To make the underlying group signature
scheme revocable, Isshiki et al. employed an extension of
the Camenisch-Groth revocable group signature scheme [16].
We note that, although the bill collector and user-revocation
manager can be the same entity under these schemes, the
service provider must be a distinct entity to ensure separation
of the tracing ability. It is particularly worth noting that the

978-1-6654-1788-4/21/$31.00 ©2021 IEEE 51

DOI 10.1109/AsiaJCIS53848.2021.00018

Authorized licensed use limited to: Synopsys. Downloaded on November 25,2021 at 11:06:09 UTC from IEEE Xplore. Restrictions apply.
service provider is not required to manage personal informa-
tion such as user lists, that eliminates the risk of personal
information leakage. Because information leakage incidents
are common, the Isshiki system outperforms other in terms of
preserving user privacy while managing personal information
leakage risk. Isshiki et al. presented their system as an identity
management scheme, the Isshiki system can be considered a
privacy-preserving bill collection system.
Extension of the Isshiki System: The Isshiki system assumes
that the bill collector is trusted for user identification in the
sense that the open results of group signatures are always
trusted. Problems can arise, however, when even users who
do not use the service are required to pay a service fee, which
would be impossible to prevent owing to anonymity. As a
service that generated such illegal fees would be unlikely to
be used, we can realistically assume that the bill collector
will not send charges to users who do not use the service.
Similarly, we assume that services are always performed by
service providers (once again, a system in which this did not
occur would be unlikely to be used). However, it is possible
for users who have used the service to claim that they did
not, in fact, use it and insist that the bill collector has made a
mistake. In this case, the bill collector must prove that the open
result is correct. Emura and Hayashi [26] considered a case in
which the bill collector generates a proof for opening and the
Judge algorithm is used to publicly check whether the opening
result is correct (see Section II-A for details of the syntax).
Although the Judge algorithm had previously been defined
in the group signature context under the Bellare-Shi-Zhang
(BSZ) model [9], Emura and Hayashi further considered the
weak opening soundness defined in the Sakai et al. model [42],
which captures the unforgeability of the opening proof.
Remaining Issue with the Isshiki System: The Isshiki system
(as well as its extension [26]) considers only the case in which
the bill collector identifies users who have used the service. If,
in fact, an identified user ignores invoices, they are able to use
the service for free. Although they will of course be subse-
quently revoked from the system, the revocation functionality
itself will not help in collecting the fee. Therefore, practical
implementation of the Isshiki system requires the introduction
of a method for forcibly collecting service fees.
B. Our Contribution
In this paper, we propose a privacy-preserving enforced bill
collection system supporting a functionality for forcibly col-
lecting service fees from users. The proposed system employs
smart contracts that provide a mechanism for automatically
executing programs on the blockchain. Intuitively, a user sends
a deposit to the smart contract before receiving a service,
which is delivered by the service provider via the Isshiki
system. If the user pays the service fee, that is, the user
accepts the invoice sent by the bill collector, the deposit
is automatically refunded to the user; otherwise, if the user
ignores the invoice the deposit is automatically transferred to
the bill collector.
52
Authorized licensed use limited to: Synopsys. Downloaded on November 25,2021 at 11:06:09 UTC from IEEE Xplore. Restrictions apply.
Although smart contracts are a promising approach to
implementing the Isshiki system, the centralized structure of
group signatures, where users’ signing keys are issued by a
group manager, is not fully compatible with a decentralized
blockchain system. Typically, blockchain systems employ ring
signatures [40] (or their linkable variants [37], [47]) because
users generate signing keys by themselves. However, ring
signatures do not support the tracing functionality necessary
for the Isshiki system. Thus, we employ accountable ring
signatures [13], [50] that support both stand-alone key gener-
ation and tracing functionality.1 In particular, the accountable
ring signature scheme proposed by Bootle et al. [13], which
supports the Judge algorithm and weak opening soundness
as found under the Emura-Hayashi extension [26], is used
by the proposed system. We demonstrated implementation of
the proposed system using the Bootle et al. accountable ring
signature scheme and Ethereum smart contracts [49].
C. Differences from Fair Exchange
It might be assumed that the proposed enforced bill col-
lection system, which essentially involves the exchange of
services and fees, could be constructed from a fair exchange
scheme. Although this would be possible, the proposed system
differs from fair exchange in several respects. Several opti-
mistic fair exchange (OFE) systems, especially smart contract-
based systems, have been proposed [6], [18], [24], [25],
[45], [48]. In these systems, a trusted third party (TTP), or
adjudicator, is replaced by smart contracts.2 Although the
TTP (adjudicator) is implemented only if an exchange fails,
its involvement in cryptographic protocols should still be
minimized. From this perspective, smart contract-based OFEs
serve as reasonable instantiations of OFE in practice. For
example, under OptiSwap [25], which is known to be the most
efficient smart contract-based OFE system to date, a buyer
pays a coin to a seller in exchange for a witness x that satisfies
φ(x) = 1 for a predicate function φ. If the final value x is not
correct, that is, φ(x) = 0, then the buyer initiates an interactive
dispute protocol (SmartJudge [48]) that freezes the coins in the
contract.
The proposed enforced bill collection system adds smart
contracts to the Isshiki system to support a functionality for
forcibly collecting service fees from users. As under the Isshiki
system, it is assumed that all agreed-upon services are always
provided to the users; by contrast, OptiSwap considers cases in
which services are not provided, that is, φ(x) = 0, and initiates
the dispute protocol when this happens. By introducing the
assumption that all services are provided, the proposed system
avoids the dispute protocol, thereby reducing the number
of procedures that need to be run in the smart contract.
Furthermore, the service fee is transferred via typical payment
systems, that is, the smart contract is employed only when
a user ignores an invoice. Under OptiSwap, by contrast, the
service fee is always transferred via smart contract, making
1 In this paper, we adopted the suggestion by Sato et al. [43] that accountable
ring signatures are useful in blockchain systems.
2 We note that, in [36], both a TTP and smart contracts are used.
gas costs necessary for each payment even when the buyer and
seller correctly exchange the coin and witness. In Section IV,
we demonstrate the effectiveness of our assumption in terms
of reducing gas costs.
D. Related Work
Achieving privacy with traceability, auditability, or account-
ability is an important issue in blockchain systems.3 Damgård
et al. [23] proposed a system in which accounts are generally
anonymous but can be identified when accidents occur. In this
system, each user has an identity and credentials authorized
by an identity provider and, through the use of a threshold
cryptosystem, an appropriate number of anonymity revokers
can identify the user. As in the Isshiki system, it only considers
the case that anonymity revokers identify users, and there is
no explicit mechanism for collecting service fees.
Kosba et al. [30] proposed a decentralized privacy-
preserving smart contract system called Hawk in which finan-
cial transactions are encrypted and stored on the blockchain.
In developing their approach, they considered how to ensure
financial fairness against malicious contractual parties who
prematurely abort from a protocol to avoid making finan-
cial payment. Hawk guarantees that the aborting party will
be financially penalized while the remaining parties receive
compensation. The system proposed in this paper can also be
regarded as one that ensures financial fairness through the use
of smart contracts.
Büunz et al. [14] proposed a decentralized, confidential
payment mechanism called Zether in which account bal-
ances are encrypted and their validity is proved using zero-
knowledge proofs. As in Monero [2], the sender and re-
ceiver involved in a transaction are hidden among a group
of users, enabling a level of anonymity equivalent to that
under group/ring signatures.4 Zether introduced a new type
of zero-knowledge proof, Σ-Bullets, which enhances the in-
teroperability of Σ-protocols [22] with Bulletproofs [15]. Σ-
Bullets are constructed using zero-knowledge proofs, public
key encryption, and digital signatures, which are essentially
the components used under the Bootle et al. accountable
ring signature scheme [13] employed in our implementation.
Unlike the proposed system, Zether does not consider user
identification because all users are essentially equivalent and
all transactions are sent among them.
Chen et al. [21] proposed an auditable decentralized con-
fidential payment system called Pretty Good Confidentiality
(PGC). In this context, auditability means that an auditor
specifies a set of transactions and requests that the participants
prove compliance with several policies, such as a limit policy
(under which the sum of amounts is less than a limit), a rate
policy (under which the ratio of two transfer amounts is a
specific value), or an open policy (under which the underlying
transfer amount of a confidential transaction is equal to a
3 A useful survey of auditability and accountability in distributed payment
systems was published by Chatzigiannis et al. [19].
4 That is, user keys can be reused. Fauzi et al. proposed Quisquis [27],
which applies a stronger anonymity in which each key is used only once.
53
Authorized licensed use limited to: Synopsys. Downloaded on November 25,2021 at 11:06:09 UTC from IEEE Xplore. Restrictions apply.
specific value). Although, unlike the proposed system, PGC
checks whether confidential transactions follow compliance, it
supports no functionality to forcibly collect amounts.
Zhang et al. [51] proposed an onion chain that considers
both the privacy and traceability of blockchain-based appli-
cations. Their system is inspired by Onion routing protocols,
in which there are many hops between each transmitter and
receiver and identity disclosure is obtained by reversing the
message transmission process. Although each message in
an onion chain is encrypted, anonymity and traceability are
achieved through a non-cryptographic approach, whereas the
proposed system employs accountable ring signatures that
guarantee anonymity and traceability via cryptography.
II. P RELIMINARIES
A. Accountable Ring Signatures
Here, we introduce accountable ring signatures [13], [50]
which is a generalization of ring signatures and group signa-
tures. Briefly, as in ring signatures, each user generates own
public key pk and secret key sk. This decentralized structure
matches blockchain systems. There are openers where each
opener has a public key opk and a secret key osk. When a user
who has (pk, sk) generates a ring signature Σ on a message M ,
the user selects a set of public keys, which we call ring R, and
assume that pk ∈ R. The user then designates an opener by
specifying opk. From (Σ, M ), it is possible to verify whether
the signer is a member of R; that is, that there exists pk ∈ R
for which the corresponding sk has been used to generate Σ.
As under the group signatures approach, the designated opener
can trace the signer using osk.
Definition 1 (Syntax of Accountable Ring Signatures [13]):
• Setup(1λ ): The setup algorithm takes the security param-
eter λ ∈ N as input and outputs the common parameter
pp.
• OKGen(pp): The opener key generation algorithm takes
pp as input and outputs the opener public and secret keys
opk and osk, respectively.
• UKGen(pp): The user key generation algorithm takes pp
as input and outputs the user public verification key pk
and the user secret signing key sk.
• RSign(opk, M, R, sk): The signing algorithm takes the
designated opener public key opk, a message to be signed
M , a ring R, and sk as inputs and outputs a ring signature
Σ. Here, R is a set of user public keys and the pk
corresponding to sk is assumed to be pk ∈ R.
• RVerify(opk, M, R, Σ): The verification algorithm takes
opk, M , R, and Σ as inputs and outputs 1 (accept) or 0
(reject).
• Open(M, R, Σ, osk): The open algorithm takes as M , R,
Σ, and osk as inputs and outputs pk ∈ R of the signer
and its proof π or ⊥ otherwise.
• Judge(opk, M, R, Σ, pk, π): The judge algorithm takes
opk, M , R, Σ, pk, and π as inputs and outputs 0 if
RVerify(opk, M, R, Σ) = 0; otherwise, it outputs 1 to
 indicate that Σ is generated by sk corresponding to pk,
and 0 otherwise.
In [13], Bootle et al. defined unforgeability, anonymity,
traceability, and tracing soundness. See [13] for details on
these security definitions.
The signing and verification algorithms contain a ring R,
which is a set of public keys. In systems in which an authority
such as the public key infrastructure (PKI) administrator
publishes all public keys as a list, revocation can be simply
performed by having a verification algorithm check whether
or not a ring is a subset of the list and removing a public
key from the list if the corresponding user is revoked. Under
the proposed system, the service provider manages the list. To
verify group signatures, the verification algorithm takes a com-
mon group public key as an input. As a result, the revocation
of group signatures is much more complex (e.g., [5], [8], [11],
[26], [28], [31]–[34], [38], [39], [41], [44]) than the revocation
of (accountable) ring signatures; this is an additional advantage
of employing accountable ring signatures under the Isshiki
system.
Fully dynamic group signatures [7], [12], [35] allow users to
join and leave a system at any time. As their results demon-
strated that accountable ring signatures can be regarded as
fully dynamic group signatures, we can say that the proposed
system is based on fully dynamic group signatures and smart
contracts.
B. Smart Contracts
Smart contracts provide a mechanism for the automatic
execution of programs on a blockchain. In deploying a smart
contract, the conditions of a transaction (trigger) are specified
in addition to the terms of the contract. If these conditions are
satisfied, the contract (program) is automatically run. Smart
contracts can be used in cryptocurrencies such as Ethereum,
EOS, and Steem. In this study, we used Ethereum, which is
currently the second-largest cryptocurrency in terms of market
capitalization. To carry out an Ethereum transaction, a fee
known as the gas cost, which depends on the number of
computation steps and the size of the storage space needed
for the transaction, must be paid. Ethereum gas costs are paid
in the Ethereum coin ETH.
In our implementation, we employed the Ropsten testnet [3]
as the implementation environment for Ethereum. Because
Ropsten, like the Ethereum main network, applies the Proof
of Work (PoW) consensus algorithm, it allowed us to closely
emulate actual operation
III. P ROPOSED E NFORCED B ILL C OLLECTION S YSTEM
In this section, we present the proposed privacy-preserving
enforced bill collection system. The system comprises three
entities: user, service provider, and bill collector. The service
provider verifies a certificate (a ring signature) and provides
a service. As in the Isshiki system, service providers have no
personal data. The bill collector identifies users who have used
the service and sends invoices to them. If a user does not pay
a fee, the fee is automatically or forcibly transferred to the bill
54
Authorized licensed use limited to: Synopsys. Downloaded on November 25,2021 at 11:06:09 UTC from IEEE Xplore. Restrictions apply.
collector via the smart contract. The bill collector is assumed
to send no illegal charges to users who do not use the service,
and services are always provided by the service providers (as,
otherwise, the system would not be used). We note that ring
signatures are sent via an off-chain channel because the user
address becomes public when the transaction is issued, which
detracts from anonymity. We also note that we do not consider
anonymity when a fee is forcibly collected via a smart contract.
Security Requirements: As in the Isshiki system, we assume
that the service provider and bill collector do not collude with
each other and follow the protocol description (i.e., that they
are semi-honest entities). Our security requirements are as
follows:
• User Anonymity: No one, except for the bill collector,
can identify a user from a certificate.
• Certificate Unforgeability: No one can modify/forge a
certificate.
• Collection Correctness: Each fee is correctly collected
from each user by the bill collector even if the user
ignores a payment request.
A Straightforward Construction and its Limitation: Here,
we make an initial consideration of a straightforward incor-
poration of smart contracts into the Isshiki system (based
on the use of accountable ring signatures) and explain the
limitations of this approach from the perspective of gas cost.
We assume that a user has generated a ring signature and
that the bill collector receives it as an invoice. Because under
the Isshiki system (specifically, under the Emura-Hayashi
extension [26]) the bill collector outputs the identity of the
user (i.e., the opening result) and a proof of opening, the
most straightforward trigger for running a smart contract is
signature and proof verification using the Judge algorithm (we
note that the RVerify algorithm is run internally within the
Judge algorithm because it outputs 0 if Σ is invalid). That is,
the bill collector inputs the ring signature, the identity of the
user (more precisely the user public key), and the proof, and
the smart contract transfers the deposit to the bill collector
address only if both the ring signature and proof are valid.
Thus, each smart contract needs to run the Judge algorithm.
To reduce the gas costs required to run a smart contract, the
procedures run by the contract should be as simple as possible.
This is particularly important given the recent rise in Ethereum
prices.5
Our Construction Idea: To reduce the gas cost, the smart
contract does not explicitly check the validity of the ring signa-
ture and opening proof because anyone can check their validity
outside of the blockchain. Let (opk, M, R, Σ, pki , π) be a ring
signature and opening proof input to the Judge algorithm.
Since the public key of the bill collector opk is included in the
input, the algorithm also checks whether π is introduced by
5 For example, the price of 1 ETH rose from 128.72US$ on January 1st,
2020 to 384.47US$ on April 11, 2020. See Ethereum Price (ETH) Price Index
and Live Chart-CoinDesk (https://www.coindesk.com/price/ethereum).
the bill collector. Owing to the unforgeability and weak open-
ing soundness of the underlying accountable ring signature
scheme, (M, Σ) and π are unforgeable. However, if someone
declares (opk, M, R, Σ, pk , π) where pki = pk and pk ∈ R,
then (M, Σ) is still valid since RVerify(opk, M, R, Σ) = 1
holds but the Judge algorithm outputs 0. So, it may be used for
a proof that the key holder of pk did not generate Σ and thus
it should be guaranteed that the tuple (M, R, Σ, pki , π) is not
modified. In other words, we cannot guarantee that the staste of
the verification outside of the blockchain is the same as that of
the smart contract verification unless (M, R, Σ, pki , π) is guar-
anteed to be unmodified. Thus, in our system we additionally
emoloy a signature scheme where the bill collector generates
a signature σ on each ring signature and opening proof. In our
implementation, we employ the elliptic curve digital signature
algorithm (ECDSA), which has been widely employed in
Ethereum smart contracts. We remark that in Solidity that
is used in our implementation, the sender of a message can
be verified by require(msg.sender==Bill Collector) that also
guarantees the transaction is not modified. However, it does not
verify the transaction itself, especially an ECDSA signature,
and thus, we explicitly verify the ECDSA signature in our
system and the smart contract transfers the deposit only if
the ECDSA signature is valid.6 In terms of running time,
the Judge algorithm is approximately 107 times slower than
the ECDSA verification algorithm (see Section IV). Thus, by
employing ECSDA signatures it is possible to significantly
reduce the number of procedures performed by the smart
contract.
Proposed Enforced Bill Collection System: Here, we de-
scribe the proposed bill collection system. The system op-
erates in four steps: Setup, Authentication, BillCollection,
and Revocation. In Figure 2, we illustrate the flow of
this system when a user does not pay a service fee. Let
(KGen, Sign, Verify) be a signature scheme. For a security
parameter λ ∈ N, the KGen algorithm generates a verifica-
tion key vk and a signing key sigk such that (vk, sigk) ←
KGen(1λ ). For a message M , the Sign algorithm generates
a signature σ using sigk such that σ ← Sign(sigk, M ). The
Verify algorithm outputs 1 if σ is a valid signature on M under
vk such that Verify(vk, M, σ) = 1, and outputs 0 otherwise.
In this implementation, the ECDSA is employed. We let i
be the user index, where addri the address of user i, and
we let (pki , ski ) be the verification and signing keys of the
accountable ring signature scheme generated by the UKGen
algorithm. We assume that the service provider manages the
public key list plist = {pki } and each user defines a ring R
by selecting public keys from plist. We then consider the two
6 We remark that in our implementation first the smart contract runs the
require check, and then checks the validity of the ECDSA signature. This
double check might be redundant, however, purposes of these procedures are
different, i.e., the former checks who sent the transaction and the latter checks
the validity of the ECDSA signature. Moreover, the gas cost is increased
just 0.2% (5.28 × 10−7 EHT, 0.0003 USD) compared to the case that smart
contract does not run the require check and checks the validity of the ECDSA
signature only. Thus, we selected the current option as our system.
55
Authorized licensed use limited to: Synopsys. Downloaded on November 25,2021 at 11:06:09 UTC from IEEE Xplore. Restrictions apply.
following methods:
• Method 1: A smart contract is assigned to each user,
with the number of smart contact deployments depending
linearly on the number of users. We let sc addri be the
address of the smart contract for user i.
• Method 2: All users share a smart contract. The common
smart contact is deployed only once; in place of deploying
new contracts, it is necessary to manage a user list
containing the address of each user and to search it when
a program is run for a user. We let sc addr be the address
of the common smart contract.
• Setup: The setup phase involves key generation and the
deployment of smart contracts.
- (S-1) Bill Collector: Generate the opener public key
opk of the accountable ring signature scheme such
that pp ← Setup(1λ ) and (opk, osk) ← OKGen(pp).
Generate a key pair of the signature scheme such that
(vk, sigk) ← KGen(1λ ). Publish (pp, opk, vk) as the
public key of the bill collector.
- (S-2) User i: Let addri be the address. Generate a
verification key and a signing key for the account-
able ring signature scheme such that (pki , ski ) ←
UKGen(pp). Send pki to the service provider (via an
off-chain channel) and notify the bill collector that
user i is participating in the system.
- (S-3) Bill Collector: Deploy smart contacts according
to the method. In both cases, the addresses addrbc and
vk are set in the contract (in our implementation, vk is
used as addrbc ). addrbc is used to transfer a deposit
from addri to addrbc , and vk is used for ESDSA
verification.
- Method 1: Deploy the smart contract sc addri for
user i. Set the addresses addrbc and vk in the
contract.
- Method 2: Deploy a common smart contract,
sc addr. Set the addresses addrbc and vk in
the contract and set a user list ulist =
{(addri , Deposit)}, for which the initial value is
the empty set.
- (S-4) User i: Set addri and deposit it into the con-
tract.7 Without loss of generality, we assume that the
deposit is higher than the service fee.
- Method 1: Set addri and the deposit to sc addri .
- Method 2: Set addri and the deposit to sc addr.
The contract searches addri to determine if it
is contained in ulist: if not, (addri , Deposit) is
registered as ulist; otherwise, the deposit of the
entry of addri is updated to the current deposit
value.
- (S-5) Bill Collector: Confirm that user i has set addri
and the deposit in the contract. Notify the service
7 If user i interacts with the smart contract right after sending pk to the
i
service provider, then it may allow timing attacks (especially if the number
of users is small) that deanonymize users to the service provider. Thus, we
assume that user i interacts with the smart contract after a certain period.
 Fig. 2. Flow of proposed bill collection system in enforced bill collection case
provider that the contract has been configured for user
i.
- (S-6) Service Provider: Add pki to plist. Using this
procedure, non-registered users who do not set de-
posits in the contract can be prevented from using
the service.
• Authentication: The user generates a ring signature as a
certificate and the service provider verifies the validity
of the signature and then provides the service. These
processes occur on an off-chain.
- (A-1) User i: Select a ring R ⊆ plist, where
pki ∈ R. Generate a ring signature Σ ←
RSign(opk, M, R, ski ) on the message M : = {Service
Name: yyyy/mm/dd: Use}. Send the certificate
(R, M, Σ) to the service provider.
- (A-2) Service Provider: If R ⊆ plist and
RVerify(opk, M, R, Σ) = 1 hold, the service provider
provides the service and sends (R, M, Σ) to the bill
collector.
• BillCollection: For each (R, M, Σ) sent by the service
provider, the bill collector opens a ring signature using
osk and sends an invoice to the user via an off-chain
channel.8 If the user ignores the invoice, the contract
forcibly transfers the deposit set by the user to the bill
collector.
• Revocation: Here, we consider the case in which user i
- (B-1) Bill Collector: Open (R, M, Σ) such that
(pki , π) ← Open(M, R, Σ, osk) to identify user i.9
Send an invoice containing (M, Σ, pki , π, R) to user
8 Of
course, here we do not restrict what currency is used for this payment.
9 Because the service provider has checked the validity of Σ, the Open
algorithm will correctly identify the user owing to the traceability of the
accountable ring signature scheme and, therefore, we do not consider the
case in which the Open algorithm outputs ⊥.
56
Authorized licensed use limited to: Synopsys. Downloaded on November 25,2021 at 11:06:09 UTC from IEEE Xplore. Restrictions apply.
i. The contract is only executed if i ignores the
invoice, in which case the following two processes
are carried out:
- (B-2) Bill Collector: Generate a signature on
(M, Σ, pki , π, R) such that M  := M, Σ, pki , π, R
and σ ← Sign(sigk, M  ). (M  , σ) then becomes
the trigger for the contract to transfer the deposit.
To reduce the search cost under Method 2, the
bill collector indicates the index i of ulist, that is,
ulist[i ] = (addri , Deposit).
- Method 1: Input (M  , σ) to sc addri .
- Method 2: Input (M  , σ) and i to sc addr where
ulist[i ] = (addri , Deposit).
- (B-3) Smart Contract: For (M  , σ), the contract
checks whether Verify(vk, M  , σ) = 1. Here, vk is
intentionally excluded as an input value because vk
has been set in the contract as the verification key
for the bill collector.
- Method 1: If Verify(vk, M  , σ) = 1, the deposit is
transferred from sc addri to addrbc ; otherwise, if
Verify(vk, M  , σ) = 0, do nothing.
- Method 2: If Verify(vk, M  , σ) = 1, then transfer
the deposit from sc addr to addrbc ; otherwise, if
Verify(vk, M  , σ) = 0, do nothing.
intentionally leaves the service. However, this approach
can also treat cases in which users are revoked because of
misbehavior involving, for example, ignoring an invoice.
In this case, phase (R-3) is sufficient after the deposit has
been forcibly transferred ((B-2) and (B-3)).
- (R-1) User i: Notify the bill collector to delete the
membership of i from the service.
 - (R-2) Bill Collector: If addri is not contained in ulist,
the request is rejected. Otherwise, the leave message
is forwarded to the service provider. For a revocation
message Mrevoke :={Service Name: yyyy/mm/dd:
Revoke}, generate σ ← Sign(sigk, Mrevoke ) as the
trigger for refunding the deposit.
- Method 1: Input (Mrevoke , σ) to sc addri .
- Method 2: Input (Mrevoke , σ) and i to sc addr
where ulist[i ] = (addri , Deposit).
- (R-3) Service Provider: Delete pki from plist.
- (R-4) Smart Contract: For (Mrevoke , σ), the contract
checks whether Verify(vk, Mrevoke , σ) = 1.
- Method 1: If Verify(vk, Mrevoke , σ) = 1, the deposit
is transferred from sc addri to addri . Otherwise,
do nothing.
- Method 2: If Verify(vk, Mrevoke , σ) = 1, transfer
the deposit from sc addr to addri and remove the
entry addri from ulist. Otherwise, do nothing.
Security Discussion: Here, we briefly describe how the sys-
tem satisfies the following security requirements:
• User Anonymity: Owing to the anonymity of the under-
lying accountable ring signature scheme, the certificate
(R, M, Σ) does not leak information on user i. We note
that we do not consider leakage from meta-information
such as IP addresses or messages to be signed, M .
• Certificate Unforgeability: Owing to the unforgeability
of the underlying accountable ring signature scheme, the
certificate (R, M, Σ) is unforgeable.
• Collection Correctness: Each invoice contains (M, Σ, pki ,
π, R), where π proves that Σ is generated by ski corre-
sponding to pki , i.e., that user i has provided the service.
Owing to the traceability of the underlying accountable
ring signature scheme, the opening result i is correct.
Moreover, owing to the weak opening soundness of
the underlying accountable ring signature scheme, π is
unforgeable. Finally, owing to the unforgeability of the
signature scheme, no one except the bill collector can
run the smart contract.
IV. I MPLEMENTATION
In this section, we discuss the implementation results ob-
tained using an accountable ring signature scheme constructed
following Bootle et al. [13] with a ring size of N = nm .
Because Morero used a ring size of 11, [46], we set n = 4
and m = 2 to obtain a ring size of N = 16. The security of the
Bootle et al. scheme relies on the hardness of the decisional
Diffie-Hellman (DDH) problem. Accordingly, in implementing
the scheme we used the Curve25519 [10], which is known
to be a DDH-hard curve. We generated ECDSA signatures
using the ethereumjs-util [1] of Node.js. We note that, whereas
an ECDSA signature is usually described as σ = (r, s), in
Ethereum smart contracts σ = (r, s, v), with the additional
value v used to obtain the verification key from σ. Using a
Solidity API (erecover), an ECDSA signature σ = (r, s, v)
and a message M  (which was hashed in our implementation)
57
Authorized licensed use limited to: Synopsys. Downloaded on November 25,2021 at 11:06:09 UTC from IEEE Xplore. Restrictions apply.
were input and the API returned the verification key recovered
from σ. In our implementation, the verification key of the bill
collector, vk, was set in the deployment phase (S-3) and the
contract checked whether vk was the same as the verification
key recovered from σ in (B-3).
First, we show the running times of cryptographic algo-
rithms in Table I. We used MacBook Pro (2.3 GHz Intel Core
i5, 16 GB 2133 MHz LPDDR3).
TABLE I
RUNNING T IMES OF S IGNATURE S CHEMES
Signature Algorithm Time (ms)
RSign 13.7
Accountable RVerify 11.0
Ring Signatures Open 17.4
Judge 17.1
ECDSA Sign 9.9 × 10−2
Verify 1.6 × 10−1
As mentioned previously, the Judge algorithm runs the RVerify
algorithm internally and, therefore, its running time contains
that of the RVerify algorithm. We note that, although the
ECDSA Verify algorithm is run in the smart contract im-
plemented in our system, the results in Table I show the
running time of the Verify algorithm on an off-chain envi-
ronment as a reference. In terms of running time, the Judge
algorithm is approximately 107 times slower than the ECDSA
verification algorithm. This result indicates the effectiveness
of our approach and suggests the usefulness of employing
ECDSA instead of verifying accountable ring signatures in
implementing smart contracts.
We then evaluated the proposed system in terms of the gas
costs relating to smart contract execution. To assess these, we
used the Ethereum testnet Ropsten [3], with the results listed
in Table II. Our experiment was run on December 9, 2020
between 5:25 and 5:45 (UTC), during which 1 ETH=573.44
USD. We set the gas price to three Gwei (1 Gwei= 1.0 ×
10−9 ETH). We considered the case in which one transaction
is included in a block within a minute. The Deploy, Send
ETH, Enforced Bill Collection, and Refund laws were used
to describe, respectively, the deployment phase undertaken
by the bill collector (S-3), the deposit phase undertaken by
users (S-4), the enforcement bill collection phase (B-4), and
the revocation phase (R-4). We recall that one smart contract
is assigned per user under Method 1 and a common smart
contract is shared by all users under Method 2. In Method 2,
the search cost depends linearly on the number of users (i.e., a
simple sequential search is required); therefore, we evaluated
the costs under Method 1 and under Method 2 for cases of
three, 50, and 100 users, respectively. Although under Method
2 the list (ulist) is also set during the deployment phase, this
initial setting does not require a list size and, therefore, the
cost does not depend on the number of users. The index i is
input to remove entries from ulist, which allows the contract
to directly remove entries without searching them. As a result,
the cost of the revocation phase does not depend on the number
of users.
 TABLE II
G AS C OSTS PER T RANSACTION

Operation Method 1 Method 2

Gas cost Dollar Gas Cost (ETH) Dollar
(ETH) (USD) 3 Users 50 Users 100 Users 3 Users 50 Users 100 Users
Deploy 2.18 × 10−3 1.25 3.03 × 10−3 1.74
Send ETH 1.43 × 10−4 0.082 2.18 × 10−4 4.73 × 10−4 7.46 × 10−4 0.125 0.271 0.428
Enforced Bill Collection 2.60 × 10 −4 0.149 2.69 × 10−4 0.154
Refund 2.15 × 10−4 0.123 2.16 × 10−4 0.124

As seen from Table II, the deployment of smart contracts TABLE IV

requires the highest gas cost of all operations. Method 1 C OMPARISON OF M ETHOD 2 AND PAY PAL
requires several contract deployments but does not require Total User PayPal (USD) Method 2 (USD)
a search operation, whereas Method 2 deploys a contract 3 9.6 2.5
only once but requires a search operation. Table III shows 50 160.0 21.6
100 320.0 57.2
a comparison of the costs of Method 1 and Method 2 more
concretely for three, 50, and 100 users, respectively. It is
TABLE V
assumed that, 33% (resp. 10%) of the users pay no fee and G AS COSTS UNDER O PTI S WAP
their deposits are forcibly collected for the three-user case
(resp. for the 50 and 100-user cases); this corresponds to one Case Function ETH USD
Deployment (Seller) 6.82 × 10−3 3.91
Enforced Bill Collection and two Refunds for the three-user Optimistic accept (Buyer) 9.72 × 10−5 0.056
case, five Enforced Bill Collections and 45 Refunds for the 50- revealKey (Seller) 1.65 × 10−4 0.095
noComplain (Buyer) 4.16 × 10−5 2.38 × 10−2
user case, and 10 Enforced Bill Collections and 90 Refunds
challenge (Buyer) 2.88 × 10−3 1.66
for the 100-user case. We note that each user must pay gas Pessimistic response (Seller) 1.58 × 10−2 9.04
costs when setting the deposit in the contract (S-4); we assume complainAboutLeaf (Buyer) 5.82 × 10−4 0.33
that these costs are paid by the bill collector. It is seen from
Table III that the cost of Method 2 is lower than that of Method
1, indicating that Method 2 is more efficient. 5. Aggregated gas costs for the challenge-response procedure
for a file sale based on OptiSwap). For the comparison, we
TABLE III set 1 ETH=573.44 USD and the gas price to 3 GWei. Our
C OMPARISON OF COSTS M ETHODS 1 AND 2 implementation results are listed. Unlike the proposed system,
Number of Users Method 1 (USD) Method 2 (USD)
under OptiSwap both the buyer and seller must run smart
3 4.4 2.5 contracts and pay gas costs; therefore, the table notes the
50 73.0 21.6 entity that runs each function in parentheses. Under OptiSwap,
100 146.0 57.2 where each buyer pays a coin to their seller in exchange for
a witness x that satisfies φ(x) = 1 for a predicate function
We then compared Method 2 with an actual online pay-
φ, each seller encrypts x using a symmetric key encryption
ment system, PayPal10 . Note that, unlike our system, PayPal
scheme and generates commitments of the encryption key
must manage personal information such as users’ real names,
and ciphertext. The seller deploys a smart contract containing
bank accounts or credit card numbers, etc., and, therefore,
the addresses of the seller and buyer, the price, and the
anonymity is not guaranteed. We assumed that all transactions
commitments (deployment in Table V). The seller sends a
were made in the United States and settled online, with a per-
ciphertext to the buyer directly (i.e., via an off-chain channel).
transaction fee of 2.9% plus 0.3 USD based on the assumption
The buyer checks the values contained in the smart contract
that each person made a payment of 100 USD (these fees
and, upon acceptance, sends a transaction to the smart contract
are paid by PayPal). Table IV shows a comparison between
(see Table V). The coins are then locked into the contract
the results of Method 2 and PayPal in terms of fees for the
and the buyer can no longer obtain a witness x. Finally, the
cases of three, 50, and 100 users, respectively. It is seen that,
seller reveals the encryption key and its validity is checked
even though the proposed system guarantees user anonymity
by decommitting the commitment (revealKey in Table V). If
and has an enforced bill collection functionality, the gas costs
the decryption result is correct, that is, φ(x) = 1, then the
paid by the service manager (bill collector) are less than those
buyer obtains the witness (noComplain in Table V). If not,
under PayPal.
i.e., if φ(x) = 0, the buyer initiates an interactive challenge-
Finally, we compared Method 2 with OptiSwap [25], which
response dispute protocol (SmartJudge [48]) that freezes the
is known to be the most efficient smart contract-based OFE
coins in the contract (challenge and response in Table V). We
system to date. Table V shows gas costs under OptiSwap.
note that the function complainAboutLeaf in Table V is an
We adopted the gas costs given in [25] (Table 3. Gas costs of
option for implementing the contract (see [24] for details).
all functions executed in the optimistic execution, and Table
As mentioned previously, under the proposed system it is
10 PayPal Holdings, Inc. -https://www.paypal.com/us/home assumed that a service is always provided to a user; by

58

Authorized licensed use limited to: Synopsys. Downloaded on November 25,2021 at 11:06:09 UTC from IEEE Xplore. Restrictions apply.
contrast, OptiSwap considers cases in which services are not
provided. To demonstrate the effectiveness of this assumption
in reducing gas costs, we show an optimistic case (in which
the service is normally provided and the fee is paid) and a
pessimistic case (in which the buyer finds that the received
witness is incorrect, that is, φ(x) = 0, and runs the dispute
protocol) for OptiSwap in Table V. Table VI shows the
comparison of Method 2 and OptiSwap.
TABLE VI
C OMPARISON OF M ETHOD 2 AND O PTI S WAP
Number of Users Method 2 (USD) OptiSwap (USD)
3 2.5 19.2
50 21.6 70.8
100 57.2 133.8
It is seen that the ratio of enforced bill collection to refund is
the same as in Table III (the pessimistic case is regarded as
the enforced bill collection case). In Optiswap, each user is
essentially regarded as a buyer and the service provider and bill
collector are regarded as sellers. Under the proposed system,
no gas cost is required for users. Because it is assumed that
the bill collector will pay the gas costs for setting a user’s
deposit into the contract, for fairness we calculated the total
costs of the seller and buyer. It is seen from the results that the
proposed system is more efficient than OptiSwap, leading us
to conclude that assuming that the service is always provided
to the user is effective in reducing gas costs.
V. C ONCLUSION AND F UTURE W ORK
In this paper, we proposed a privacy-preserving enforced
bill collection system that supports a functionality for forcibly
collecting service fees from users. The proposed system is
based on the use of accountable ring signatures and smart
contracts.
In future work, it would be interesting to enhance our system
in terms of privacy by, for example, providing membership
privacy using the fully dynamic group signature scheme de-
veloped by Backes et al. [7]. It would also be interesting to
develop a bill collection method in which the service fee is
collected from users without identifying them, for example,
through the use of anonymous cryptoassets such as Monero [2]
or Zcash [4].
Acknowledgment: This work was supported by JSPS KAK-
ENHI Grant Numbers JP19H04107 and JP21K11897.
R EFERENCES
[1] ethereumjs-util. 7.0.7, 2020-10-15, https://github.com/ethereumjs/
ethereumjs-util.
[2] Monero. https://getmonero.org.
[3] Testnet Ropsten (ETH) blockchain explorer. https://ropsten.etherscan.io/.
[4] Zcash. https://z.cash/.
[5] Nuttapong Attrapadung, Keita Emura, Goichiro Hanaoka, and Yusuke
Sakai. A revocable group signature scheme from identity-based revo-
cation techniques: Achieving constant-size revocation list. In Applied
Cryptography and Network Security, pages 419–437, 2014.
[6] Nicola Atzei, Massimo Bartoletti, Tiziana Cimoli, Stefano Lande, and
Roberto Zunino. SoK: Unraveling bitcoin smart contracts. In POST,
pages 217–242, 2018.
59
Authorized licensed use limited to: Synopsys. Downloaded on November 25,2021 at 11:06:09 UTC from IEEE Xplore. Restrictions apply.
[7] Michael Backes, Lucjan Hanzlik, and Jonas Schneider-Bensch. Mem-
bership privacy for fully dynamic group signatures. In ACM CCS, pages
2181–2198. ACM, 2019.
[8] Nasima Begum and Toru Nakanishi. Efficiency improvement in group
signature scheme with probabilistic revocation. J. Inf. Process., 27:508–
516, 2019.
[9] Mihir Bellare, Haixia Shi, and Chong Zhang. Foundations of group
signatures: The case of dynamic groups. In CT-RSA, pages 136–153,
2005.
[10] Daniel J. Bernstein. Curve25519: New Diffie-Hellman speed records.
In Public Key Cryptography, pages 207–228, 2006.
[11] Dan Boneh and Hovav Shacham. Group signatures with verifier-local
revocation. In ACM CCS, pages 168–177, 2004.
[12] Jonathan Bootle, Andrea Cerulli, Pyrros Chaidos, Essam Ghadafi, and
Jens Groth. Foundations of fully dynamic group signatures. In Applied
Cryptography and Network Security, pages 117–136, 2016.
[13] Jonathan Bootle, Andrea Cerulli, Pyrros Chaidos, Essam Ghadafi, Jens
Groth, and Christophe Petit. Short accountable ring signatures based on
DDH. In ESORICS, pages 243–265, 2015.
[14] Benedikt Bünz, Shashank Agrawal, Mahdi Zamani, and Dan Boneh.
Zether: Towards privacy in a smart contract world. In Financial
Cryptography and Data Security, pages 423–443, 2020.
[15] Benedikt Bünz, Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter
Wuille, and Gregory Maxwell. Bulletproofs: Short proofs for confiden-
tial transactions and more. In IEEE Symposium on Security and Privacy,
pages 315–334, 2018.
[16] Jan Camenisch and Jens Groth. Group signatures: Better efficiency and
new theoretical aspects. In Security in Communication Networks, pages
120–133. Springer, 2004.
[17] Jan Camenisch, Jean-Marc Piveteau, and Markus Stadler. An efficient
fair payment system. In ACM CCS, pages 88–94. ACM, 1996.
[18] Matteo Campanelli, Rosario Gennaro, Steven Goldfeder, and Luca
Nizzardo. Zero-knowledge contingent payments revisited: Attacks and
payments for services. In ACM CCS, pages 229–243, 2017.
[19] Panagiotis Chatzigiannis, Foteini Baldimtsi, and Konstantinos Chalkias.
SoK: Auditability and accountability in distributed payment systems. In
Applied Cryptography and Network Security, pages 311–337, 2021.
[20] David Chaum and Eugène van Heyst. Group signatures. In EURO-
CRYPT, pages 257–265, 1991.
[21] Yu Chen, Xuecheng Ma, Cong Tang, and Man Ho Au. PGC: decentral-
ized confidential payment system with auditability. In ESORICS, pages
591–610, 2020.
[22] Ivan Damgård. On Σ-protocols. https://www.cs.au.dk/∼ivan/Sigma.pdf,
2010.
[23] Ivan Damgård, Chaya Ganesh, Hamidreza Khoshakhlagh, Claudio Or-
landi, and Luisa Siniscalchi. Balancing privacy and accountability in
blockchain identity management. In CT-RSA, pages 552–576, 2021.
[24] Stefan Dziembowski, Lisa Eckey, and Sebastian Faust. FairSwap: How
to fairly exchange digital goods. In ACM CCS, pages 967–984, 2018.
[25] Lisa Eckey, Sebastian Faust, and Benjamin Schlosser. OptiSwap: Fast
optimistic fair exchange. In ASIACCS, pages 543–557, 2020.
[26] Keita Emura and Takuya Hayashi. A revocable group signature scheme
with scalability from simple assumptions. IEICE Trans. Fundam.
Electron. Commun. Comput. Sci., 103-A(1):125–140, 2020.
[27] Prastudy Fauzi, Sarah Meiklejohn, Rebekah Mercer, and Claudio Or-
landi. Quisquis: A new design for anonymous cryptocurrencies. In
ASIACRYPT, pages 649–678, 2019.
[28] Ai Ishida, Yusuke Sakai, Keita Emura, Goichiro Hanaoka, and Keisuke
Tanaka. Fully anonymous group signature with verifier-local revocation.
In Security and Cryptography for Networks, pages 23–42, 2018.
[29] Toshiyuki Isshiki, Kengo Mori, Kazue Sako, Isamu Teranishi, and Shoko
Yonezawa. Using group signatures for identity management and its
implementation. In ACM Digital Identity Management, pages 73–78,
2006.
[30] Ahmed E. Kosba, Andrew Miller, Elaine Shi, Zikai Wen, and Charalam-
pos Papamanthou. Hawk: The blockchain model of cryptography and
privacy-preserving smart contracts. In IEEE Symposium on Security and
Privacy, pages 839–858, 2016.
[31] Vireshwar Kumar, He Li, Jung-Min ”Jerry” Park, Kaigui Bian, and
Yaling Yang. Group signatures with probabilistic revocation: A
computationally-scalable approach for providing privacy-preserving au-
thentication. In ACM CCS, pages 1334–1345, 2015.
[32] Adeline Langlois, San Ling, Khoa Nguyen, and Huaxiong Wang.
Lattice-based group signature scheme with verifier-local revocation. In
Public-Key Cryptography, pages 345–361, 2014.
[33] Benoı̂t Libert, Thomas Peters, and Moti Yung. Group signatures with
almost-for-free revocation. In CRYPTO, pages 571–589, 2012.
[34] Benoı̂t Libert, Thomas Peters, and Moti Yung. Scalable group signatures
with revocation. In EUROCRYPT, pages 609–627, 2012.
[35] San Ling, Khoa Nguyen, Huaxiong Wang, and Yanhong Xu. Lattice-
based group signatures: Achieving full dynamicity (and deniability) with
ease. Theor. Comput. Sci., 783:71–94, 2019.
[36] Jian Liu, Wenting Li, Ghassan O. Karame, and N. Asokan. Toward
fairness of cryptocurrency payments. IEEE Secur. Priv., 16(3):81–89,
2018.
[37] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable
spontaneous anonymous group signature for ad hoc groups (extended
abstract). In ACISP, pages 325–335, 2004.
[38] Toru Nakanishi and Nobuo Funabiki. Verifier-local revocation group
signature schemes with backward unlinkability from bilinear maps. In
ASIACRYPT, pages 533–548, 2005.
[39] Kazuma Ohara, Keita Emura, Goichiro Hanaoka, Ai Ishida, Kazuo Ohta,
and Yusuke Sakai. Shortening the Libert-Peters-Yung revocable group
signature scheme by using the random oracle methodology. IEICE Trans.
Fundam. Electron. Commun. Comput. Sci., 102-A(9):1101–1117, 2019.
[40] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret.
In ASIACRYPT, pages 552–565, 2001.
[41] Shahidatul Sadiah and Toru Nakanishi. Revocable group signatures
with compact revocation list using vector commitments. IEICE Trans.
Fundam. Electron. Commun. Comput. Sci., 100-A(8):1672–1682, 2017.
[42] Yusuke Sakai, Jacob C. N. Schuldt, Keita Emura, Goichiro Hanaoka, and
Kazuo Ohta. On the security of dynamic group signatures: Preventing
signature hijacking. In Public Key Cryptography, pages 715–732, 2012.
[43] Teppei Sato, Keita Emura, Tomoki Fujitani, and Kazumasa Omote. An
anonymous trust-marking scheme on blockchain systems. In IEEE
International Conference on Blockchain and Cryptocurrency, ICBC,
pages 1–3, 2021.
[44] Yasuyuki Seita and Toru Nakanishi. Speeding up revocable group
signature with compact revocation list using vector commitments. IEICE
Trans. Fundam. Electron. Commun. Comput. Sci., 102-A(12):1676–
1687, 2019.
[45] Cheng Shi and Kazuki Yoneyama. Formal verification of fair exchange
based on bitcoin smart contracts. In INDOCRYPT, pages 89–106, 2020.
[46] Riccardo Spagni. Monero 0.13.0 “Beryllium Bullet” release.
https://web.getmonero.org/tr/2018/10/11/monero-0.13.0-released.html.
Accessed : 2018-10-11.
[47] Shifeng Sun, Man Ho Au, Joseph K. Liu, and Tsz Hon Yuen. RingCT
2.0: A compact accumulator-based (linkable ring signature) protocol for
blockchain cryptocurrency Monero. In ESORICS, pages 456–474, 2017.
[48] Eric Wagner, Achim Völker, Frederik Fuhrmann, Roman Matzutt, and
Klaus Wehrle. Dispute resolution for smart contract-based two-party
protocols. In IEEE ICBC, pages 422–430, 2019.
[49] G. Wood. Ethereum: A secure decentralised generalised transaction
ledger (eip-150 revision), 2017. https://gavwood.com/paper.pdf.
[50] Shouhuai Xu and Moti Yung. Accountable ring signatures: A smart card
approach. In CARDIS, pages 271–286, 2004.
[51] Yue Zhang, Jian Weng, Jia-Si Weng, Ming Li, and Weiqi Luo. Onion-
chain: Towards balancing privacy and traceability of blockchain-based
applications. CoRR, abs/1909.03367, 2019.

60

Authorized licensed use limited to: Synopsys. Downloaded on November 25,2021 at 11:06:09 UTC from IEEE Xplore. Restrictions apply.