Supervised Blockchain Anonymous Transaction Model Based on Certificateless Signcryption

Abstract

In response to the issues of high transaction transparency and regulatory difficulties in blockchain account-model transactions, this paper presents a supervised blockchain anonymous transaction model based on certificateless signcryption aimed at ensuring secure blockchain transactions while minimizing both computational and communication overhead. During the transaction process, this approach utilizes certificateless public key signcryption without bilinear pairs to generate anonymous user identities, achieving strong anonymity of user identities and confidentiality of transaction amounts. It employs the Paillier homomorphic encryption algorithm to update transaction amounts and uses the FO commitment-based zero-knowledge proof scheme to validate transaction legality. Additionally, adopting a publicly verifiable secret threshold sharing scheme for hierarchical regulatory authority reduces the security risk of a single regulator storing the regulatory key. This model not only meets the privacy and timely update requirements of account-based blockchain transactions but also effectively regulates abnormal transactions. Rigorous security analysis and proofs demonstrate that this model possesses excellent anonymity, traceability, forward security, and backward security. When compared to similar schemes, the computational cost is reduced by at least 33.18%, effectively fulfilling the requirements for security.

1. Introduction

Since Satoshi Nakamoto proposed Bitcoin [1] in 2008, blockchain technology, as its underlying architecture, has been widely applied in various fields such as financial services and the Internet of Things, thanks to its core features of decentralization, transparency, and immutability. However, the public transparency of blockchain also brings significant privacy risks. Research shows that approximately 67% of Bitcoin users can be de-anonymized through methods such as transaction graph analysis and IP address association, thereby exposing sensitive information such as their asset flows and consumption habits. Therefore, the protection of privacy in blockchain transactions has been a focal point of interest in both academia and industry.

Currently, blockchain transaction systems commonly use a model of public ledgers and multi-party confirmation to achieve a pseudo-anonymization of user identities. However, this mechanism has fundamental flaws, as attackers can break anonymity through techniques such as network analysis and address clustering. To enhance anonymity, scholars have proposed various anonymity-enhancing technologies, such as Zerocash [2], Moreno [3], and Dash [4]. However, while these technologies achieve complete anonymity of user identity information, they also hinder regulatory needs such as anti-money laundering (AML) and financial crime investigations, leading to transaction bans on privacy coins by regulatory agencies in multiple countries. Therefore, balancing anonymity and regulatory compliance in blockchain transactions has become an important research topic.

Currently, there are two main models for blockchain transactions: the Unspent Transaction Output (UTXO) model and the account model. In the UTXO model, asset movement is viewed as a directed acyclic graph between users, and a user’s balance is represented by the state of all UTXOs associated with them in the system. This means there is a one-to-many relationship between balance and address, as seen in Bitcoin. There has been a significant amount of research, both domestically and internationally, addressing the transaction privacy issues related to the UTXO model, primarily focusing on protecting the identity privacy of transaction users and the transaction amounts. The technologies employed include mixing techniques, ring signatures, vector commitments, and zero-knowledge proofs, aimed at achieving confidentiality and untraceability of transaction amounts.

In contrast, the account model maintains a global state of all accounts and their balances, which are updated in real time as transactions occur. This results in a one-to-one correspondence between each account balance and its address, as seen in Ethereum. Consequently, most privacy-preserving schemes designed for the UTXO model are not applicable to the account model. Existing research on account model privacy heavily relies on centralized regulatory authorities, which not only contradicts the principle of decentralization in blockchain but also poses risks of single point key leakage or abuse of power.

In response to the above issues, this paper proposes a supervised blockchain anonymous transaction model based on certificateless signcryption under the account model. By integrating certificate-free cryptography with a distributed regulatory mechanism, it achieves a balance between user privacy protection and transaction supervision. The main contributions are outlined below.

(1)

A supervised blockchain anonymous transaction model based on certificateless signcryption is proposed—CLSC_SAT. It not only achieves anonymity of transaction users and confidentiality of transaction amounts but also ensures the entire process is in compliance with regulations, thus striking a balance between transaction privacy protection and regulatory requirements.

(2)

A certificateless signcryption algorithm without bilinear pairing is designed to generate anonymous identities for transaction users and conceal transaction amounts, achieving strong anonymity for transaction users, reducing computational and communication overhead, and significantly improving signature efficiency. At the same time, the Paillier homomorphic encryption algorithm is used to verify transaction amounts, and zero-knowledge range proofs based on FO commitments are employed to validate the legitimacy of transaction amounts, ensuring the privacy of transaction content.

(3)

Implementation of a multi-party regulatory mechanism that achieves “comprehensive supervision and decentralized authority”. Introduction of a collaborative model with one primary regulator and n secondary regulators to ensure the decentralization and comprehensiveness of regulatory responsibilities. In the event of abnormal behavior during transactions, tracking of the true identity of the anomalous user; at the same time, adopt a publicly verifiable secret threshold sharing scheme for distributed storage of regulatory keys. This not only reduces the potential risk of misconduct associated with a single regulator holding the regulatory key but also effectively mitigates the risk of single points of failure, ensuring the security and compliance of the transaction process.

2. Related Work

2.1. Certificateless Signcryption Scheme

Certificateless signcryption is an important cryptographic primitive that combines certificateless encryption and certificateless signature. Compared with encryption before signature and signature before encryption, both communication modes have higher computational efficiency. In 2008, Barbosa et al. [5] first proposed a certificateless signcryption scheme based on bilinear pairing, and, subsequently, a series of certificateless signcryption schemes were introduced. Zhu et al. [6] first proposed a certificateless signature scheme without bilinear pairing and provided a security proof. Zhou et al. [7] verified that the scheme in reference [6] could not withstand Type I attacks and made improvements. Yue et al. [8] reconstructed a certificateless signature scheme based on reference [7], but it still did not satisfy the property of unforgeability. Yang et al. [9] improved the scheme in reference [8] and proved that the newly proposed scheme satisfies confidentiality and unforgeability in the random oracle model.

2.2. Privacy Protection Scheme Under Account Model

Guan et al. [10] first proposed the privacy protection scheme BlockMaze under the account model based on zk-SNARKs, introducing a dual-balance model to hide the identities of the transaction parties. However, the scheme requires a trusted setup and has low throughput. Ma et al. [11] proposed a decentralized smart contract system DSC with hiding and updating features based on homomorphic encryption and zero-knowledge proofs, using homomorphic encryption technology to conceal user account balances and transaction amounts, and proving the validity of transactions through non-interactive zero-knowledge proofs, but the transfer relationship between the sender and receiver remains exposed. Bünz et al. [12] proposed a fully decentralized confidential payment mechanism and designed new smart contracts to achieve transaction privacy protection. Rondelet et al. [13] implemented Zerocash on Ethereum using additional smart contracts, but the overall operation of the scheme is complex. Guo et al. [14] achieved compatibility between blockchain regulatory compliance and anonymity through dual-layer signature authentication at the network and application layers. Bao et al. [15] designed a scheme based on a check mechanism to hide the relationship between the transaction sender and receiver, employing confidential transactions to conceal account balances and transaction amounts, while supporting flexible auditing.

3. Preliminaries

3.1. Hard Problem Hypothesis

Elliptic Curve Discrete Logarithm Problem, ECDLP [16]: Let q be a large prime number, G an additive group of order q, and P a generator of the group G. Given $P,aP\in G$, the goal is to solve for the specific value of a, where $a\in Z_q^{*}$.

Computational Diffie–Hellman (CDH) [17] problem: Let q be a large prime number, G an additive group of order q, and P a generator of the group G. Given $P,aP,bP\in G$, the goal is to solve for the specific value of $abP\in G$, where $a,b\in Z_q^{*}$.

3.2. Paillier Homomorphic Encryption

The Paillier homomorphic encryption algorithm was proposed by Pascal Paillier [18] in 1999. It is an asymmetric encryption algorithm that allows for addition and multiplication operations to be performed directly on encrypted data without the need for decryption. It is based on the composite residuosity class problem’s homomorphic scheme. Paillier algorithm mainly includes three parts: key generation, encryption and decryption.

(1)

Key generation algorithm: Randomly select two large prime numbers p and q of equal length, and $\gcd =(pq,(p-1)(q-1))=1$. Compute $n=pq$ and $\lambda =lcm(p-1,q-1)$, where $\lambda$ represents the least common multiple. Randomly select the integer $g=1+n\in {Z_{n^2}}^{*}$, where ${Z_{n^2}}^{*}=Z_n\times {Z_n}^{*}$, $Z_n=\{x|x\in Z,0\le x\le n\}$, $Z_n^{*}=\{x|x\in Z,0\le x\le n$, $\gcd (x,n)=1\}$, so that $\mu ={(L(g^{\lambda }\mathrm{mod}{n}^2))}^{-1}\mathrm{mod}n$, the public key is $(n,g)$, the private key is $(\lambda ,\mu )$, where $L(x)={\displaystyle \frac{x-1}{n}}$.

(2)

Encryption algorithm: Set plaintext to m, $0\le m\le n$, select random numbers $r\in Z_n^{*}$ and $\gcd (r,n)=1$, ciphertext is $c=g^m{r}^n\mathrm{mod}{n}^2$.

(3)

Decryption algorithm: Input the private key $\lambda$ and ciphertext c, output $m=L(c^{\lambda }\mathrm{mod}{n}^2)\mu$ $\mathrm{mod}n$.

The Paillier cryptosystem exhibits the following additive homomorphic properties:

The product of two ciphertexts encrypted with Paillier, when decrypted, yields the sum of the corresponding plaintexts. Given two ciphertexts $c_1,c_2\in Z_{n^2}$, where $c_1=En{c}_{pk}(m_1)$, $c_2=En{c}_{pk}(m_2)$, the addition operation between ciphertexts is expressed as:

$$\begin{array}{cc}\hfill c_1\oplus c_2& =c_1{c}_2\mathrm{mod}{n}^2\hfill \\ & =(g^{m_1}\cdot r_1^n\mathrm{mod}{n}^2)(g^{m_2}\cdot r_2^n\mathrm{mod}{n}^2)\hfill \\ & =g^{m_1+m_2}\cdot {(r_1{r}_2)}^n\mathrm{mod}{n}^2\hfill \end{array}$$

(1)

where $r_1,r_2\in Z_{n^2}$, $r_1{r}_2\in Z_{n^2}$. The resulting ciphertext $c_1{c}_2\mathrm{mod}{n}^2$ corresponds to the encryption of $m=m_1+m_2\mathrm{mod}n$.

4. System and Security Models

4.1. Symbol Specification

The main symbols used in the CLSC_RAT model are explained in Table 1.

Table 1. Symbol Description.

Symbol	Description
k	security parameter
$p_1,q_1$	two prime numbers
$E/F_p$	elliptic curves in finite fields $F_P$
$G$	cyclic addition group of order $q$
P	a generator of the group $G$
PPT	probabilistic polynomial time
$\lambda$	supervisory private key
$P_{pub}$	system master public key
s	system master private key
$v_0$	transaction amount
tx	transaction information
$M_{pub}$	trace public key
r	trace private key
$add{r}_i=EI{D}_i=\{EI{D}_{i,1},EI{D}_{i,2}\}$	user anonymous ID
${\alpha }_i$	user anonymous identity index
KGC (Key Generation Center)	key generation center
$(P{K}_R,S{K}_R)$	supervisory key pair
$(P{K}_G,S{K}_G)$	user partial key pair
$(P{K}_i=(G_i,X_i),S{K}_i=(x_i,d_i))$	user key pair
MR	main regulator
SR	secondary regulators
$RI{D}_i$	user real identity
$V{M}_i$	the validity of anonymous identity
${\sigma }_i=(U_i,S_i,C_{i,1},C_{i,2})$	transaction signature
${\sigma }_i^{*}$	a forged signature
EIDList	user anonymous identity tracing table
Random Oracle Model, ROM	Random Oracle Model

4.2. System Model

CLSC_SAT model mainly includes four participating entities: Key Generation Center (KGC), transaction user, miner, and regulators. The functions of each participating entity are as follows.

Key Generation Center (KGC): As a semi-trusted third party, it initializes the system with the regulatory authority, generates system public parameters and public and private key pairs, generates part of public/private key pairs for transaction users.

Transaction user: The main participants of the blockchain transaction system, including the transaction sender and the recipient, each user has an anonymous identity as an anonymous identity address, and a pair of transaction key pairs.

Miner: The entity is responsible for verifying the legality of transactions, packaging legal transactions into blocks and adding them to the blockchain, and maintaining the blockchain ledger.

Regulators: a semitrusted group with the functions of supervision and accountability. When abnormal transactions are found, it decrypts the ciphertext of the transaction, tracks the real identity of malicious users, and uploads the smart contract blacklist to prohibit them from initiating transactions again.

The CLSC_SAT model consists of nine probabilistic polynomial-time algorithms:

(1)

$Setup(1^k)\to (PP)$: The algorithm is invoked by the KGC and the main regulator MR. It takes a security parameter k as input and outputs the system master key s, the tracking key r, and the system public parameters PP. The KGC and MR secretly store s and r, respectively, and publicly share PP. In subsequent algorithms, PP is implicitly input.

(2)

$CreateAddr(EI{D}_{i,1},{\alpha }_i)\to add{r}_i$: The algorithm is invoked by users and regulatory agencies, inputting PP, the user’s partially anonymous address $EI{D}_{i,1}$, and the user identity index ${\alpha }_i$, and outputting the user’s anonymous identity address $add{r}_i$.

(3)

$CreateRkey(PP)\to (P{K}_R,S{K}_R)$: The algorithm is invoked by the regulatory authority, inputting PP and outputting the regulatory key pair $(P{K}_R,S{K}_R)$ and the public key $P{K}_R$.

(4)

$SetPartialKey(EI{D}_i)\to (P{K}_G,S{K}_G)$: The algorithm is invoked by the KGC. It inputs the user’s anonymous identity address $EI{D}_i$ and outputs the user’s partial public–private key pair $(P{K}_G,S{K}_G)$.

(5)

$SetKey(EI{D}_i,(P{K}_G,S{K}_G))\to (P{K}_i,S{K}_i)$: The algorithm is invoked by the transacting user. It inputs the user’s anonymous identity address $EI{D}_i$ and the partial public–private key pair $(P{K}_G,S{K}_G)$, and outputs the user’s anonymous address key pair $(P{K}_i,S{K}_i)$.

(6)

$CreateTx(add{r}_{i_1},P{K}_{i_1},S{K}_{i_1},v_0,add{r}_{i_2},P{K}_{i_2},P{K}_R)\to t{x}_{send}$: The algorithm is invoked by the transaction sender. The inputs are PP, the anonymous account address of the transaction sender $add{r}_{i_1}$, the anonymous address key pair $(P{K}_{i_1},S{K}_{i_1})$, the transaction amount $v_0$, the anonymous account address of the transaction receiver $add{r}_{i_2}$, the public key of the transaction receiver $P{K}_{i_2}$, the supervised public key $P{K}_R$, and then output transaction information $t{x}_{send}$.

(7)

$VerifyTx(t{x}_{send})\to b$: The algorithm is invoked by blockchain miner nodes. When input transaction $t{x}_{send}$ is received, the miner node verifies the legitimacy of the transaction. If the verification is successful, it outputs $b=1$, and the miner node records the transaction on the blockchain using a consensus algorithm and broadcasts it; otherwise, it outputs $b=0$ and sends the transaction to the regulatory authority for auditing.

(8)

$RenewalTx(add{r}_{i_2},P{K}_{i_2},S{K}_{i_2},t{x}_{send},P{K}_R)\to t{x}_{rec}$: The algorithm is invoked by the transaction recipient. It takes as input the recipient’s anonymous account address $add{r}_{i_2}$, the anonymous address key pair $(P{K}_{i_2},S{K}_{i_2})$, the transaction $t{x}_{rec}$, and the regulatory public key $P{K}_R$, and outputs the received transaction $t{x}_{rec}$.

(9)

$TraceTx(S{K}_R,r,EIDList,t{x}_{send}/t{x}_{rec})\to (v_0,RI{D}_i)$: The algorithm is invoked by regulatory authorities. When an abnormal transaction occurs, it inputs the PP, regulatory private key $S{K}_R$, and tracking key r, transaction information $t{x}_{send}/t{x}_{rec}$, and user anonymous verification list EIDList, and outputs the transaction amount $v_0$ and the true identity of the malicious user $RI{D}_i$.

4.3. Security Model

Two categories of attackers are defined in certificateless cryptography: Type I attackers $A_I$ and Type II attackers $A_{II}$. $A_I$ simulates an external attacker who can replace the user’s public key but cannot obtain the system’s master key; $A_{II}$ simulates an internal attacker with access to KGC’s master key, but cannot replace any user’s public key. The security model in this paper is primarily based on confidentiality under adaptive chosen ciphertext attacks (IND-CCA2) and unforgeability under adaptive chosen message attacks (EUF-CMA). The security of the scheme is formally verified through an interactive game framework involving a challenger C and adversaries $A_I$ and $A_{II}$.

The adversary can query the following random oracles:

• Hash Query: The adversary can execute arbitrary hash function $H_i(i=1,2,3,4)$ queries. The challenger C returns the corresponding hash value to the adversary.
• Partial Private Key Query: When the adversary requests a partial private key with an anonymous identity $EI{D}_i$, the challenger C sends the partial private key $d_i$ to the adversary.
• Private Key Query: When the adversary requests a full private key with an anonymous identity $EI{D}_i$, the challenger C sends the private key $S{K}_i$ to the adversary.
• Public Key Query: When the adversary requests a public key with an anonymous identity $EI{D}_i$, the challenger C sends the public key $P{K}_i$ to the adversary.
• Public Key Replacement Query: Upon receiving a request to replace the public key of user $EI{D}_i$, the challenger C replaces $EI{D}_i$’s public key $P{K}_i$ with $P{K}_i^{\prime }$.
• Signcryption Query: When receiving a signcryption request for message m, the challenger C generates the signcrypted ciphertext $C_m$ by executing the signcryption algorithm and returns it to the adversary.
• Unsigncryption Query: When receiving a query for unsigncryption with the sender $EI{D}_i$’s public key, the receiver’s identity $EI{D}_j$, and the signcrypted ciphertext $C_m$, the challenger C retrieves $EI{D}_j$’s private key, executes the unsigncryption algorithm to recover the message m, and returns m to the adversary.

Definition 1 (Confidentiality).

Under the Random Oracle Model, if there are no adversaries that can achieve victory over Game 1 and Game 2 with a significant advantage within the PPT, then the CLSC_SAT model satisfies indistinguishability against adaptive chosen ciphertext attacks for certificateless signcryption (IND-CLSC-CCA2).

Game 1 (IND-CLSC-CCA2-G1). The challenger C interacts with adversary $A_I$ as follows:

(1)

Initialization: The challenger C takes a security parameter as input, runs the system initialization algorithm to generate the system master key s and public parameters PP. C sends PP to $A_I$ and keeps s secret.

(2)

Query Phase: $A_I$ adaptively issues queries to the oracles defined above, subject to the following constraints:

• $A_I$ cannot request a partial private key query for the receiver $EI{D}_j$.
• If the receiver’s public key has been replaced, $A_I$ cannot request a private key query for $EI{D}_j$.
• $A_I$ cannot request an unsigncryption query for the challenge ciphertext $C^{*}$.

(3)

Challenge Phase: $A_I$ submits two equal-length distinct messages $m_0,m_1$, a sender identity $EI{D}_i$, and a receiver identity $EI{D}_j$. The challenger C randomly selects $b\in \{0,1\}$, computes the signcrypted ciphertext $C^{*}$, and returns $C^{*}$ to $A_I$.

(4)

Guessing Stage: $A_I$ outputs a guess $b^{\prime }$. If $b=b^{\prime }$, $A_I$ wins the game. The advantage of $A_I$ is defined as:

$$Ad{v}_{A_1}^{IND-CLSC-CCA2}=|Pr[b^{\prime }=b]-{\displaystyle \frac{1}{2}}|$$

(2)

Game 2 (IND-CLSC-CCA2-G2). The challenger C interacts with adversary $A_{II}$ as follows:

(1)

Initialization: C executes the system initialization algorithm to generate the system master key s and public parameters PP. C sends both PP and s to $A_{II}$.

(2)

Query Phase: $A_{II}$ adaptively issues queries to the oracles except private key queries and public key replacement queries, under the constraints:

• $A_{II}$ cannot request a private key query for the receiver $EI{D}_j$.
• $A_{II}$ cannot request an unsigncryption query for the challenge ciphertext $C^{*}$.

(3)

Challenge Phase: Same as in Game 1.

(4)

Guess Phase: $A_{II}$ outputs a guess $b^{\prime }$. If $b=b^{\prime }$, $A_{II}$ wins the game. The advantage of $A_{II}$ is defined analogously as:

$$Ad{v}_{A_2}^{IND-CLSC-CCA2}=|Pr[b^{\prime }=b]-{\displaystyle \frac{1}{2}}|$$

(3)

Definition 2 (Unforgeability).

Under the Random Oracle Model (ROM), if no adversary can achieve a non-negligible advantage in winning Game 3 and Game 4 within probabilistic polynomial time (PPT), then the CLSC_SAT model satisfies existential unforgeability of certificateless signcryption under chosen message attack (EUF—CLSC—CMA).

Game 3 (EUF—CLSC—CMA-G3): The challenger C interacts with adversary $A_I$ as follows:

(1)

Initialization: $A_I$ adaptively executes the same initialization phase as in Game 1.

(2)

Query Phase: $A_I$ adaptively performs the above oracle query if the following conditions are met.

• $A_I$ cannot request a signcryption query for the tuple $\{m,EI{D}_i,EI{D}_j\}$.
• If the sender $EI{D}_i$’s public key has been replaced, A_I cannot request a partial private key query for $EI{D}_i$.
• $A_I$ cannot request a private key query for the sender $EI{D}_i$.

(3)

Forgery Phase: $A_I$ outputs a forged signcryption $C^{*}$ for message m. If there is no output $\perp$, the signature is legal and $A_I$ wins this game. The advantage of $A_I$ is defined as:

$$Ad{v}_{A_1}^{EUF-CLSC-CMA}(k)=Pr[Suc{c}_{A_1}(k)]$$

(4)

where $Suc{c}_{A_1}(k)$ denotes the probability that $A_I$ successfully forges a valid signcryption under security parameter k.

Game 4 (EUF—CLSC—CMA-G4): The challenger C interacts with adversary $A_{II}$ as follows:

(1)

Initialization: $A_{II}$ adaptively executes the same initialization phase as in Game 2.

(2)

Query Phase: $A_{II}$ adaptively performs the above oracle query if the following conditions are met.

• $A_{II}$ cannot request a signcryption query for the tuple $\{m,EI{D}_i,EI{D}_j\}$.
• $A_{II}$ cannot request a private key query for the sender $EI{D}_i$.

(3)

Forgery Phase: $A_{II}$ outputs a forged signcryption $C^{*}$ for message m. If there is no output $\perp$, the signature is legal and $A_{II}$ wins this game. The advantage of $A_{II}$ is defined as:

$$Ad{v}_{A_2}^{EUF-CLSC-CMA}(k)=Pr[Suc{c}_{A_2}(k)]$$

(5)

where $Suc{c}_{A_2}(k)$ denotes the probability that $A_{II}$ successfully forges a valid signcryption under security parameter k.

5. Concrete Scheme

5.1. Specific Transaction Process

Taking the example of Alice paying a transaction amount $v_0$ to Bob, before the transaction, the local account balances of Alice and Bob are $v_A$ and $v_B$, respectively. After the transaction, Alice’s local account balance is updated to $v_A^{\prime }=v_A-v_0$, and Bob’s local account balance is updated to $v_B^{\prime }=v_B+v_0$. To protect account privacy, the account balances of Alice and Bob are stored on the blockchain using Paillier homomorphic encryption, i.e., $c_A=En{c}_{P{K}_R}(v_A)$ and $c_B=En{c}_{P{K}_R}(v_B)$. The transaction model is shown in Figure 1.

Figure 1. Transaction model.

(1) $Setup(1^k)\to (PP)$: Algorithm 1 is invoked by the KGC and MR. Given the security parameter $k$, select an elliptic curve addition cyclic group $G$ of order q, with P as the generator of $G$. The KGC randomly selects $s\in Z_q^{*}$ as the system master private key and computes $P_{pub}=sP$ as the system master public key. The MR randomly selects $r\in Z_q^{*}$ as the tracing key and computes $M_{pub}=rP$ as the tracing public key. The KGC and MR select five hash functions: $H:G\times G\times G\times {\{0,1\}}^{*}\to Z_q^{*}$, $H_1:{\{0,1\}}^{*}\times G\times G\to Z_q^{*}$, $H_2:{\{0,1\}}^{*}\times G\times G\times G\to Z_q^{*}$, $H_3:G\times {\{0,1\}}^{*}\times G\times G\to Z_q^{*}$, $H_4:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times G\times G\times {\{0,1\}}^{*}\to Z_q^{*}$. The KGC publishes $PP=\{G,q,P,P_{pub},M_{pub},H,H_1,H_2,H_3,H_4\}$, where the system master private key $s$ is secretly kept by the KGC, and $r$ is secretly kept by the MR.

Algorithm 1. System initialization algorithm.

Input: $k$

Output: $PP$, $s$, $r$

1. KGC selects an elliptic curve addition cyclic group $G$ of order q, with P as the generator of $G$.

2. KGC selects $s\in Z_q^{*}$ as the primary private key.

3. Calculate $P_{pub}=sP$ as the system’s main public key.

4. MR Selects $r\in Z_q^{*}$ as the tracking key.

5. Calculate $M_{pub}=rP$ as the tracking public key.

6. KGC and MR Jointly define hash function: $$\begin{array}{l}H:G\times G\times G\times {\{0,1\}}^{*}\to Z_q^{*};\\ H_1:{\{0,1\}}^{*}\times G\times G\to Z_q^{*};\\ H_2:{\{0,1\}}^{*}\times G\times G\times G\to Z_q^{*};\\ H_3:G\times {\{0,1\}}^{*}\times G\times G\to Z_q^{*};\\ H_4:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times G\times G\times {\{0,1\}}^{*}\to Z_q^{*}.\end{array}$$

7. KGC discloses security parameters: $PP=\{G,q,P,P_{pub},M_{pub},H,H_1,H_2,H_3,H_4\}$

8. KGC Keeps s in secret.

9. MR Keeps r in secret.

(2) $CreateAddr(EI{D}_{i,1},{\alpha }_i)\to add{r}_i$: Algorithm 2 is invoked by the transaction user and the regulatory authority. The transaction user randomly selects $e_i\in Z_q^{*}$, computes the partial anonymous identity $EI{D}_{i,1}=e_{i}P$, and the identity index ${\alpha }_i=e_i{M}_{pub}\oplus RI{D}_i$. The user then sends $\{{\alpha }_i,EI{D}_{i,1}\}$ to MR. Subsequently, MR computes $RI{D}_i={\alpha }_i+rEI{D}_{i,1}$ to retrieve the real identity of the transaction user, computes the partial anonymous identity $EI{D}_{\mathrm{i},2}=RI{D}_i\oplus H(rEI{D}_{i,1}||EI{D}_{i,1}||M_{pub}||V{M}_i)$, and generates the transaction user’s anonymous identity address $add{r}_i=EI{D}_i=\{EI{D}_{i,1},EI{D}_{i,2}\}$, where $V{M}_{\mathrm{i}}$ represents the validity period of the anonymous identity. Send $EI{D}_i$ to KGC.

Simultaneously, MR establishes a user anonymous identity traceability table EIDList, storing the user’s anonymous identity identifier and identity index ${\alpha }_{\mathrm{i}}$.

Alice and Bob randomly select $v_A\in Z_q^{*}$ and $v_B\in Z_q^{*}$, respectively, compute $EI{D}_{A,1}=e_{A}P$ and $EI{D}_{B,1}=e_{B}P$. MR then computes their respective anonymous identity addresses, $add{r}_A=EI{D}_A=\{EI{D}_{A,1},EI{D}_{A,2}\}$ and $add{r}_A=EI{D}_A=\{EI{D}_{A,1},EI{D}_{A,2}\}$.

Algorithm 2. User registration and anonymous identity address generation algorithm.

Input: PP, $EI{D}_{i,1}$, ${\alpha }_i$

Output: $add{r}_i$

1. Transaction user randomly selectes $e_i\in Z_q^{*}$.

2. Calculate $EI{D}_{i,1}=e_{i}P$.

3. Calculate ${\alpha }_i=e_i{M}_{pub}\oplus RI{D}_i$.

4. Send $\{{\alpha }_i,EI{D}_{i,1}\}$ to MR.

5. MR calculates $RI{D}_i={\alpha }_i+rEI{D}_{i,1}$ and $EI{D}_{i,2}=RI{D}_i\oplus H(rEI{D}_{i,1}||EI{D}_{i,1}||M_{pub}||V{M}_i)$.

6. Generate anonymous address of transaction user $add{r}_i=EI{D}_i=\{EI{D}_{i,1},EI{D}_{i,2}\}$.

7. Send $(EI{D}_i)$ to KGC.

8. MR Creates the user anonymous identity tracing table EIDList.

(3) $CreateRkey(PP)\to (P{K}_R=(n,g),S{K}_R=\lambda )$: Algorithm 3 is invoked by the regulatory authority. The authority randomly selects two large primes $p_1$ and $q_1$, computes $N=p_1\cdot q_1$, and $\lambda =lcm(p_1-1,q_1-1)$. A parameter g is chosen from $g\in Z_{n^2}^{*}$, where $Z_{n^2}^{*}$ is defined as the multiplicative group of integers modulo $n^2$ (see Section 3.2 for details). The parameter g must satisfy $\gcd (L(g^{\lambda }\mathrm{mod}{N}^2),N)=1$, where the function $L(x)$ is defined in Section 3.2. The regulatory authority generates the regulatory public key $P{K}_R=(n,g)$ and the regulatory private key $S{K}_R=\lambda$, and publishes $P{K}_R$.

Algorithm 3. Supervised key generation algorithm.

Input: PP

Output: $P{K}_R$, $S{K}_R$

1. The regulator chooses two large prime numbers $p_1$ and $q_1$.

2. Calculate $N=p_1\cdot q_1$.

3. Calculate $\lambda =lcm(p_1-1,q_1-1)$.

4. Choose the parameter g from $Z_{n^2}^{*}$ so that it satisfies $\gcd (L(g^{\lambda }\mathrm{mod}{N}^2),N)=1$.

5. Generate the supervisory public key $P{K}_R=(n,g)$ and the supervisory private key $S{K}_R=\lambda$.

6. Disclose the public key of supervision $P{K}_R$.

(4) $SetPartialKey(EI{D}_i)\to (P{K}_G=G_i,S{K}_G=d_i)$: Algorithm 4 is invoked by the KGC. The KGC randomly selects $g_i\in Z_q^{*}$, computes $G_i=g_{i}P$, and calculates the transaction user’s partial private key $d_i=g_i+h_{i,1}s$, where $h_{i,1}=H_1(EI{D}_i,G_i,P_{pub})$. Subsequently, the KGC sends $(G_i,d_i)$ and $EI{D}_i$ to the user through a secure channel.

The KGC generates partial key pairs $(G_A,d_A)$ and $(G_B,d_B)$ for Alice and Bob, respectively.

Algorithm 4. User partial key generation algorithm.

Input: PP, $I{D}_i$, $EI{D}_i$

Output: $(G_i,d_i)$

1. KGC randomly selectes $g_i\in Z_q^{*}$.

2. Calculate $G_i=g_{i}P$.

3. Calculate $h_{i,1}=H_1(EI{D}_i,G_i,P_{pub})$.

4. Calculate $d_i=g_i+h_{i,1}s$

5. Send $(G_i,d_i)$, $EI{D}_i$ to MR.

(5) $SetKey(EI{D}_i,(P{K}_G,S{K}_G))\to (P{K}_i=(G_i,X_i),S{K}_i=(x_i,d_i))$: Algorithm 5 is invoked by Alice and Bob separately. First, the user receives $(G_i,d_i)$, computes $h_{i,1}^{\prime }=H_1(EI{D}_i,G_i,P_{pub})$, and checks whether the equation $d_{i}P=G_i+h_{i,1}Ppub$ holds. If it holds, the user accepts $d_i$; otherwise, the user requests a new partial private key from the KGC. Subsequently, the user randomly selects $x_i\in Z_q^{*}$, computes $X_{\mathrm{i}}=x_{i}P$, and generates the complete key pair.

Alice and Bob, following the above method, select $x_A\in Z_q^{*}$ and $x_B\in Z_q^{*}$ respectively, compute $X_A=x_{A}P$ and $X_B=x_{B}P$, and obtain their complete key pairs: $(P{K}_A=(G_A,X_A),S{K}_A=(x_A,d_A))$, $(P{K}_B=(G_B,X_B),S{K}_B=(x_B,d_B))$.

Algorithm 5. User key generation algorithm.

Input: PP, $(G_i,d_i)$

Output: $(X_i,x_i)$, $(P{K}_i,S{K}_i)$

1. Calculate $h_{i,1}^{\prime }=H_1(EI{D}_i,G_i,P_{pub})$.

2. Calculate $d_{i}P=G_i+h_{i,1}{P}_{pub}$.

3. User randomly selectes $x_i\in Z_q^{*}$.

4. Calculate $X_{\mathrm{i}}=x_{i}P$.

5. Generate $(X_i,x_i)$.

6. Generate $(P{K}_i,S{K}_i)$.

(6) $CreateTx(EI{D}_{i_1},P{K}_{i_1},S{K}_{i_1},v_0,EI{D}_{i_2},P{K}_{i_2},P{K}_R)$ $\to t{x}_{send}$: Algorithm 6 is invoked by Alice. The transaction amount is encrypted using two methods: one is Paillier homomorphic encryption for transaction verification, where Alice randomly selects an integer $r_1\in Z_q^{*}$ and uses the regulatory public key $P{K}_R=(n,g)$ to compute $C_{A,1}=g^{v_0}{r}_1^n\mathrm{mod}{n}^2$; the other is certificateless signcryption for transaction updates, where Alice randomly selects $u_A\in Z_q^{*}$, computes $U_A=u_{A}P$, $T_A=u_A(X_B+G_B+h_{B,2}{P}_{pub})$, with $h_{B,2}=H_2(EI{D}_B,X_B,G_B,P_{pub})$, computes $C_{A,2}=v_0\oplus h_{A,3}$, with $h_{A,3}=H_3(U_A,T_A,X_B,G_B)$, and computes $S_A=u_A+h_{A,3}{x}_A+h_{A,4}{d}_A$, with $h_{A,4}=H_4(EI{D}_B,C_{A,2},X_B,U_A,t_A)$. The signature ${\sigma }_A=(U_A,S_A,C_{A,1},C_{A,2})$ for $v_0$ is generated, and the transaction $t{x}_{send}=(EI{D}_A,P{K}_A,{\sigma }_A,t_A)$ is sent on the blockchain. Additionally, Alice makes a commitment and proves to the miner nodes through a commitment proof that the encrypted amount is always positive.

Algorithm 6. Transaction creation algorithm.

Input: PP, $EI{D}_{i_1}$, $P{K}_{i_1}$, $S{K}_{i_1}$, $v_0$, $EI{D}_{i_2}$, $P{K}_{i_2}$, $P{K}_R$

Output: $t{x}_{send}$

1. Sender randomly selectes $r_1\in Z_q^{*}$.

2. Calculate $C_{i_1,1}=g^{v_0}{r}_1^n\mathrm{mod}{n}^2$.

3. Sender selectes $u_{i_1}\in Z_q^{*}$.

4. Calculate $U_{i_1}=u_{i_1}P$.

5. Calculate $h_{i_2,2}=H_2(EI{D}_{i_2},X_{i_2},G_{i_2},P_{pub})$.

6. Calculate $T_{i_1}=u_{i_1}(X_{i_2}+G_{i_2}+h_{i_2,2}{P}_{pub})$.

7. Calculate $h_{i_1,3}=H_3(U_{i_1},T_{i_1},X_{i_2},G_{i_2})$.

8. Calculate $C_{i_1,2}=v_0\oplus h_{i_1,3}$.

9. Calculate $h_{i_1,4}=H_4(EI{D}_{i_2},C_{i_1,2},X_{i_2},U_{i_1},t_{i_1})$.

10. Calculate $S_{i_1}=u_{i_1}+h_{i_1,3}{x}_{i_1}+h_{i_1,4}{d}_{i_1}$.

11. Generate a signature ${\sigma }_{i_1}=(U_{i_1},S_{i_1},C_{i_1,1},C_{i_1,2})$.

12. Send the transaction $t{x}_{send}=(EI{D}_{i_1},P{K}_{i_1},{\sigma }_{i_1},t_{i_1})$.

(7) $VerifyTx(t{x}_{send})\to b$: Algorithm 7 is invoked by the miner nodes and Alice. The miner nodes verify the correctness of $C_{A,1}$ and the signature σ. The correctness of σ is verified by checking whether the equation $S_{A}P=U_A+h_{A,3}{X}_A+$ $h_{A,4}(G_A+h_{A,1}{P}_{pub})$ holds. If it holds, $t{x}_{send}$ is considered valid and legitimate, and the output is $b=1$. The miner nodes then use a consensus algorithm to add the transaction record to the blockchain and broadcast it. Otherwise, the output is $b=0$, and the transaction is sent to the regulatory authority for auditing.

The correctness of $C_{A,1}$ is proved as follows:

Lemma 1.

For $\forall \theta \in {Z_{n^2}}^{*}$, the equation $L({\theta }^{\lambda }\mathrm{mod}{n}^2)=\lambda {[\theta ]}_{n+1}$ holds.

For any given base $g\in {Z_{n^2}}^{*}$ and $\theta \in {Z_{n^2}}^{*}$, $L({\theta }^{\lambda }\mathrm{mod}{n}^2)$ is invertible modulo n, and obtain

$${\displaystyle \frac{L({\theta }^{\lambda }\mathrm{mod}{n}^2)}{L(g^{\lambda }\mathrm{mod}{n}^2)}}={\displaystyle \frac{\lambda {[\theta ]}_{1+n}}{\lambda {[g]}_{1+n}}}={\displaystyle \frac{{[\theta ]}_{1+n}}{{[g]}_{1+n}}}={[\theta ]}_g\mathrm{mod}n$$

(6)

In the above equation, given $n,g,\theta$, computing ${[\theta ]}_g$ is computationally hard. However, if $\lambda$ is known, it is possible to compute any ${[\theta ]}_g$.

The correctness of $\sigma$ is proved as follows:

$$\begin{array}{cc}\hfill S_{i}P& =(u_i+h_{i,3}{x}_i+h_{i,4}{d}_i)\hfill \\ & =U_{\mathrm{i}}+h_{i,3}{X}_i+h_{i,4}(g_i+s{h}_{i,1})P\hfill \\ & =U_{\mathrm{i}}+h_{i,3}{X}_i+h_{i,4}(G_i+h_{i,1}{P}_{pub})\hfill \end{array}$$

(7)

Algorithm 7. Transaction verification algorithm.

Input: PP, $t{x}_{send}$

Output: $b$

1. Calculate ${\displaystyle \frac{L({\theta }^{\lambda }\mathrm{mod}{n}^2)}{L(g^{\lambda }\mathrm{mod}{n}^2)}}$ to verify the correctness of $C_{A,1}$.

2. Calculate $S_{i_1}P=U_{i_1}+h_{i_1,3}{X}_{i_1}+h_{i_1,4}(G_{i_1}+h_{i_1,1}{P}_{pub})$.

(8) $RenewalTx(EI{D}_{i_2},P{K}_{i_2},S{K}_{i_2},t{x}_{send},P{K}_R)\to t{x}_{rec}$: Algorithm 8 is invoked by the miner nodes and Bob, respectively. The miner nodes utilize the additive property of Paillier homomorphic encryption to update Bob’s ledger balance in ciphertext as:

$$\begin{array}{cc}\hfill C_B^{\prime }& =C_B\oplus C_{A,1}\hfill \\ & =C_B\ast C_{A,1}\hfill \\ & =(g^{v_B}\cdot r_2^n\mathrm{mod}{n}^2)(g^{v_0}\cdot r_1^n\mathrm{mod}{n}^2)\hfill \\ & =g^{v_B+v_0}\cdot {(r_1{r}_2)}^n\mathrm{mod}{n}^2\hfill \end{array}$$

(8)

Simultaneously, Bob uses his private key to compute $T_A^{\prime }=U_A(x_B+d_B)$, $h_{A,3}^{\prime }=H_3(U_A,T_A^{\prime },X_B,G_B)$ and $v_0=h_{A,3}^{\prime }\oplus C_{A,2}$, updating his local account balance to $v_B^{\prime }=v_B+v_0$. The algorithm outputs the received transaction $t{x}_{rec}=C_B^{\prime }$.

The correctness of the transaction amount is shown below:

$$\begin{array}{cc}\hfill T_A^{\prime }& =U_A(x_B+d_B)\hfill \\ & =U_A(x_B+g_B+h_{B,2}s)\hfill \\ & =u_A(X_B+G_B+h_{B,2}{P}_{pub})\hfill \end{array}$$

(9)

Algorithm 8. Transaction update algorithm.

Input: PP, $EI{D}_{i_2}$, $P{K}_{i_2}$, $S{K}_{i_2}$, $t{x}_{send}$, $\lambda$

Output: $t{x}_{rec}$

1. Calculate $C_{i_2}^{\prime }=C_{i_2}\oplus C_{i_1,1}$.

2. Calculate $T_{i_1}^{\prime }=U_{i_1}(x_{i_2}+d_{i_2})$.

3. Calculate $h_{i_1,3}^{\prime }=H_3(U_{i_1},T_{i_1}^{\prime },X_{i_2},G_{i_2})$.

4. Calculate $v_0=h_{i_1,3}^{\prime }\oplus C_{i_2,2}$.

5. Update the balance to $v_{i_2}^{\prime }=v_{i_2}+v_0$.

6. Accept transaction $t{x}_{rec}=C_{i_2}^{\prime }$.

(9) $TraceTx(S{K}_R,r,EIDList,t{x}_{send}/t{x}_{rec})\to (v_0,RI{D}_i)$: Algorithm 9 is invoked by the regulatory authority. In the event of anomalous transactions, no fewer than t subordinate regulators ($S{R}_i$) recover the private key $S{K}_R$ and compute the transaction amount $v_0^{\prime }=L(c_1^{\lambda }\mathrm{mod}{n}^2)\mu \mathrm{mod}n=L(g^{v_0}{r}_1^n\mathrm{mod}{n}^2)\mu \mathrm{mod}n$. Simultaneously, the MR retrieves the malicious user’s identity address $EI{D}_i$, queries the anonymous identity traceability table EIDList, and computes $RI{D}_i={\alpha }_i+rEI{D}_{i,1}$ or $RI{D}_i=EI{D}_{i,2}\oplus$ $H(rEI{D}_{i,1}||EI{D}_{i,1}||M_{pub}||V{M}_i)$ to recover the malicious user’s real identity $RI{D}_i$.

Algorithm 9. Transaction tracing algorithm.

Input: PP, ${\lambda }_1,{\lambda }_2,\dots ,{\lambda }_n$, $r$, $EI{D}_i$, EIDList, $t{x}_{send}/t{x}_{rec}$

Output: $v_0$, $RI{D}_i$

1. $S{R}_i$ restores the supervised private key $S{K}_R$.

2. Calculate $v_0^{\prime }=L(c_1^{\lambda }\mathrm{mod}{n}^2)\mu \mathrm{mod}n=L(g^{v_0}{r}_1^n\mathrm{mod}{n}^2)\mu \mathrm{mod}n$.

3. MR acquires $EI{D}_i$.

4. Query EIDList.

5. Calculate $RI{D}_i={\alpha }_i+rEI{D}_{i,1}$ or $RI{D}_i=EI{D}_{i,2}\oplus H(rEI{D}_{i,1}||EI{D}_{i,1}||M_{pub}||V{M}_i)$.

5.2. Transaction Verification

Considering the differences in transaction fee mechanisms across various blockchain platforms, this scheme temporarily excludes the execution costs associated with Ethereum and disregards processing fees. CLSC_SAT verifies the legality of transactions from two perspectives: First, it conducts a verification, ensuring that the sum of the transferred amount and the remaining account balance equals the original account balance. Second, it performs a legitimacy verification, confirming that the amount transferred is between 0 and the total account balance.

For the verification of the transaction amount being “sufficient”, the additive property of the Paillier algorithm is used. After the transaction, Alice and Bob’s account balances are updated to $v_A^{\prime }$ and $v_B^{\prime }$, respectively, by checking whether the following two equations are equal:

$$En{c}_{p{k}_R}(v_{A^{\prime }})\times En{c}_{p{k}_R}(v_0)=En{c}_{p{k}_R}(v_A)$$

(10)

$$En{c}_{p{k}_R}(v_B)\times En{c}_{p{k}_R}(v_0)=En{c}_{p{k}_R}(v_{B^{\prime }})$$

(11)

If the equations are equal, then the transaction amount is “sufficient” for successful verification.

The legality of the transaction is verified using the zero-knowledge range proof method based on FO commitments mentioned in reference [19], which will not be elaborated on here.

5.3. Transaction Supervision

The regulatory content of blockchain transactions encompasses transaction amounts and the authentic identity information of users. The CLSC_SAT model employs a multi-party collaboration framework for transaction supervision, where a primary regulator (MR) and n secondary regulators ($S{R}_i$) jointly oversee the entire transaction process to ensure transparency and compliance of all transactional data. The MR possesses a tracking key r and collaborates with $S{R}_i$ to maintain the regulatory key $\lambda$ through a threshold secret sharing scheme, enabling supervision of transaction content and identity tracing. The MR generates the regulatory key $\lambda$ and distributes it to n $S{R}_i$ by splitting $\lambda$ into fragments $\{{\lambda }_1,{\lambda }_2,\dots ,{\lambda }_n\}$ using a publicly verifiable threshold secret sharing scheme. During transactions, no single regulator, including the MR, can independently recover the key or conduct abnormal behavior tracing. The key distribution protocol is as follows:

(a)

Supervision Key Distribution

The MR selects a t − 1 degree polynomial $f(x)=({\displaystyle \sum _{i=0}^{t-1}{a}_i{x}^{i}modq)}$ over $Z_q^{*}$, sets $a_0=\lambda$, and distributes the shared secret $a_i=f(x_i)\mathrm{mod}q$ to $S{R}_i(i=1,2,\dots ,n)$. The threshold value is t, satisfying $1\le t\le n\le q$. The MR computes and broadcasts the commitment $c_i=g^{a_i}\in Z_q^{*},0\le i\le t-1$.

(b)

Supervision Key Verification

Each $S{R}_i$ verifies the validity of the received share by checking whether $g^{a_i}={\displaystyle \prod _{j=0}^{t-1}{c}_j^{i^j}modp,}(i=1,2,\dots ,n)$. If the equality fails, the share ${\alpha }_i$ is deemed invalid.

(c)

Supervision Key Recovery

When an abnormal transaction occurs, MR initiates a key recovery request to ensure that no less than t secondary regulator $S{R}_i$ is involved. When the shared ${\lambda }_i$ of all participating $S{R}_i$ is verified as valid, $S{R}_i$ uses the Lagrange polynomial interpolation method to calculate $f(x)={\displaystyle \sum _{i=1}^t{a}_i{\displaystyle \prod _{j=1,j\ne i}^t\frac{x-x_i}{x_i-x_j}}}$ to obtain $\lambda =f(0)$.

When an abnormal transaction is detected, the main regulator (MR) initiates a key recovery request. No less than t $S{R}_i$ recovers the regulatory key through the above process and calculates the transaction transfer amount:

$$\begin{array}{cc}\hfill v_0^{\prime }& =L(c_1^{\lambda }\mathrm{mod}{n}^2)\mu \mathrm{mod}n\hfill \\ & =L(g^{v_0}{r}_1^n\mathrm{mod}{n}^2)\mu \mathrm{mod}n\hfill \end{array}$$

(12)

Simultaneously, the MR retrieves the malicious user’s $EI{D}_i$ and ${\alpha }_i$ from the user anonymous identity traceability table EIDList (see Table 2). The MR uses the tracking private key $r$ to compute $RI{D}_i={\alpha }_i+rEI{D}_{i,1}$ or $RI{D}_i=EI{D}_{i,2}\oplus H(rEI{D}_{i,1}||EI{D}_{i,1}||M_{pub}$ $||V{M}_i)$ to recover the malicious user’s real identity $RI{D}_i$. This information is then uploaded to the smart contract to protect the legitimate rights and interests of other users. The supervision and tracing process is illustrated in Figure 2.

Table 2. User anonymous identity tracing list.

User	Anonymous Identity Index	Anonymous Identity Address
A	${\alpha }_A$	$EI{D}_A$
B	${\alpha }_B$	$EI{D}_B$
C	${\alpha }_C$	$EI{D}_C$
…	…	…
U	${\alpha }_U$	$EI{D}_U$

Figure 2. Process of supervision and tracing.

6. Scheme Analysis and Proof

6.1. Security Analysis

(1)

Anonymity: In the CLSC_SAT model, the real identity $RI{D}_i$ of a user can be traced in two ways. The first method is $RI{D}_i={\alpha }_i+rEI{D}_{i,1}$, where the user’s anonymous identity $EI{D}_i$ is composed of a secret value $e_i$ chosen by the user and the tracking key $r$. Only entities possessing $e_i$ or $r$ can compute $rEI{D}_i$. This process is equivalent to solving the CDH hard problem, i.e., given $M_{pub}=rP$ and $EI{D}_{i,1}=e_{i}P$, solving $rEI{D}_{i,1}=r{e}_{i}P$, which is computationally infeasible. The second method is $RI{D}_i=EI{D}_{i,2}\oplus H(rEI{D}_{i,1}||EI{D}_{i,1}||M_{pub}||V{M}_i)$. Since only the MR possesses $r$, other nodes cannot recover $RI{D}_i$ using this method. Additionally, $RI{D}_i$ is not stored in the EIDList. Even if an attacker A obtains $\{EI{D}_i,{\alpha }_i\}$ from the EIDList, they cannot reveal the user’s real identity $RI{D}_i$ without solving the CDH problem or stealing the tracking private key $r$. Therefore, the CLSC_SAT model satisfies anonymity.

(2)

Traceability: When signature verification fails or a miner node detects an anomalous transaction, the user’s $RI{D}_i$ is traced and revealed. The MR retrieves the anonymous identity $EI{D}_i=\{EI{D}_{i,1},EI{D}_{i,2}\}$ of the user involved in the anomalous transaction and uses the tracking key $r$ to compute $RI{D}_i={\alpha }_i+rEI{D}_{i,1}$ or $RI{D}_i=EI{D}_{i,2}\oplus H(rEI{D}_{i,1}||EI{D}_{i,1}||M_{pub}||V{M}_i)$ to recover $RI{D}_i$. The malicious user’s $RI{D}_i$ is then disclosed. Thus, the CLSC_SAT model satisfies traceability.

(3)

Forward and Backward Security: In the CLSC_SAT model, even if an adversary A obtains the signature information ${\sigma }_i=\{U_i,S_i,C_{i,1},C_{i,2}\}$, where $U_i=u_{i}P$, $S_i=(x_i+d_i)h_{i,4}+u_i$ and $h_{i,4}=H_4(EI{D}_B,C_i,U_i,X_B,t_i)$, the randomness of $u_i$ and $t_i$ ensures that each transaction’s signature is unique. It is impossible to infer the content of previously or subsequently sent messages using the current transaction’s signature information. Therefore, the CLSC_SAT model satisfies forward and backward security.

6.2. Security Proof

Suppose a probabilistic polynomial-time (PPT) adversary can perform $q_i$ queries to $H_i$ (for i = 1,2,3,4), $q_{psk}$ partial private key queries, $q_l$ private key queries, and $q_s$ signature queries.

(1) Confidentiality

The proof of confidentiality is based on the Computational Diffie–Hellman (CDH) problem.

Theorem 1.

Under the Random Oracle Model (ROM), if the Computational Diffie–Hellman (CDH) problem is intractable within polynomial time, then the proposed CLSC_SAT model is indistinguishable against Type I and Type II adversaries.

Theorem 1 is proven through Lemmas 2 and 3.

Lemma 2.

Under the ROM, if an adversary $A_I$ has a non-negligible advantage $\epsilon$ against the security of the proposed scheme under IND-CLSC-CCA2-G1 game, then there exists a challenger C that can solve the CDH hard problem in probabilistic polynomial time.

Proof. 

Suppose that an adversary $A_I$ could break the IND-CLSC-CCA2-G1 security of proposed CLSC_SAT scheme. Assume that C is a solver for the CDH problem. Given a CDH problem instance $(P,aP,bP)$, compute $abP$ through interaction with $A_I$.

The challenger C selects an identity $EI{D}_t$ as the challenge identity and maintains the lists: $L_1,L_2,L_3,L_4$ record queries and responses for hash functions $H_i(i=1,2,3,4)$. $L_u$ records user creation list. $L_{psk}$ records partial private key queries. $L_{uk}$ records private key queries. $L_{sc}$ records signcryption queries. All lists are initially empty. The interaction between A_I and C proceeds as follows.

(1)

Initialization Phase: C runs the initialization algorithm and sends the system public parameters $PP=\{G,q,P,P_{pub},M_{pub},H,H_1,H_2,H_3,H_4\}$ to $A_I$. C computes $P_{pub}=sP$ and secretly stores the master private key s.

(2)

Query Phase: Phase I. $A_I$ performs the following polynomial queries.

User Creation: The challenger C maintains an initially empty list $L_u$. When $A_I$ queries an identity $EI{D}_i$, C first checks whether $EI{D}_i$ exists in $L_u$. If it exists, C returns the public key $P{K}_i$ of $EI{D}_i$ to A_I. If $EI{D}_i$ does not exist and $EI{D}_i=EI{D}_t$, C randomly selects $g_i,x_i,h_{i,1}\in Z_q^{*}$, computes $G_i=g_{i}P$, $X_i=x_{i}P$, and $h_{i,1}=H_1(EI{D}_i,G_i,P_{pub})$, while $d_i=\perp$. If $EI{D}_i\ne EI{D}_t$, C randomly selects $d_i,x_i,h_{i,1}\in Z_q^{*}$, computes $G_i=d_{i}P-h_{i,1}{P}_{pub}$, $X_i=x_{i}P$, and $h_{i,1}=H_1(EI{D}_i,G_i,P_{pub})$. Finally, C sends the public key $P{K}_i$ to $A_I$ and appends $(EI{D}_i,G_i,X_i,d_i,x_i)$ to $L_u$.

• $H_1$ Query: $A_I$ queries with identity $EI{D}_i$ for $(EI{D}_i,G_i,P_{pub})$. C checks the $L_1$ list. If $(EI{D}_i,G_i,P_{pub})$ is in $L_1$, C sends it to $A_I$. Otherwise, C randomly selects $h_{i,1}\in Z_q^{*}$, returns it to $A_I$, and saves $(EI{D}_i,G_i,P_{pub},h_{i,1})$ in the $L_1$ list.
• $H_2$ Query: A_I queries with identity $EI{D}_i$ for $(EI{D}_i,X_i,G_i,P_{pub})$. C checks the $L_2$ list. If $(EI{D}_i,X_i,G_i,P_{pub})$ is in $L_2$, C sends it to A_I. Otherwise, C randomly selects $h_{i,2}\in Z_q^{*}$, returns it to $A_I$, and saves $(EI{D}_i,X_i,G_i,P_{pub},h_{i,2})$ in the $L_2$ list.
• $H_3$ Query: $A_I$ queries with identity $EI{D}_i$ for $(U_i,T_i,X_i,G_i)$. C checks the $L_3$ list. If $(U_i,T_i,X_i,G_i)$ is in $L_3$, C sends it to A_I. Othe rwise, C randomly selects $h_{i,3}\in Z_q^{*}$, returns it to A_I, and saves $(U_i,T_i,X_i,G_i,h_{i,3})$ in the $L_3$ list.
• $H_4$ Query: $A_I$ queries with identity $EI{D}_i$ for $(EI{D}_i,C_i,X_i,U_i,t_i)$. C checks the $L_4$ list. If $(EI{D}_i,C_i,X_i,U_i,t_i)$ is in $L_4$, C sends it to A_I. Otherwise, C randomly selects $h_{i,4}\in Z_q^{*}$, returns it to $A_I$, and saves $(EI{D}_i,C_i,X_i,U_i,t_i,h_{i,4})$ in the $L_4$ list.
• Partial Private Key Query: C maintains a list $L_{psk}=(EI{D}_i,G_i,d_i)$. When $A_I$ queries with identity $EI{D}_i$, if $EI{D}_i=EI{D}_t$, C terminates the simulation. Otherwise, C searches for the corresponding $(G_i,d_i)$ in the list $L_{uk}$. If it exists, C returns $(G_i,d_i)$ to $A_I$. If it does not exist, C randomly selects $g_i\in Z_q^{*}$, computes $G_i=g_{i}P$, $h_{i,1}=H_1(EI{D}_i,G_i,P_{pub})$, and $d_{i}P=G_i+h_{i,1}{P}_{pub}$. C then sends $(G_i,d_i)$ to $A_I$ and saves $(EI{D}_i,G_i,d_i)$ in the $L_{psk}$ list.
• Private Key Query: C maintains a list $L_{psk}=(EI{D}_i,G_i,d_i,x_i,X_i)$. When $A_I$ queries with identity $EI{D}_i$, C searches for the corresponding $(x_i,d_i)$ in the $L_{uk}$. If it exists, C returns $(x_i,d_i)$ to $A_I$. If it does not exist, C randomly selects $x_i\in Z_q^{*}$, computes $X_i=x_{i}P$, performs a partial private key query, saves $(G_i,d_i)$ in $L_{uk}$, and sends $(x_i,d_i)$ to A_I.
• Public Key Query: C maintains a list $L_{uk}=(EI{D}_i,G_i,d_i,x_i,X_i)$. When $A_I$ queries with identity $EI{D}_i$, C searches for the corresponding $(G_i,X_i)$ in the $L_{psk}$. If it exists, C returns $(G_i,X_i)$ to $A_I$. If it does not exist, C performs a partial private key query, saves $(G_i,d_i)$ in $L_{uk}$, and sends $(G_i,X_i)$ to $A_I$.
• Public Key Replacement Query: When $A_I$ queries with $(EI{D}_i,P{K}_i^{\prime })$, if $EI{D}_i=EI{D}_t$, C terminates the simulation. Otherwise, C finds $L_{uk}=(EI{D}_i,G_i,d_i,x_i,X_i)$ and replaces it with $(EI{D}_i,G_i^{\prime },\perp ,\perp ,X_i^{\prime })$.
• Signcryption Query: When A_I queries with $(EI{D}_i,v_0,EI{D}_j)$ for signcryption, if $EI{D}_i=EI{D}_t$, C retrieves $(EI{D}_i,G_i,P_{pub},h_{i,1})$ and $(EI{D}_i,G_i,X_i,d_i,x_i)$ from $L_1$ and $L_u$, where $x_i=\perp$. C chooses $u_i,h_{i,3},h_{i,4},r_1\in Z_q^{*}$, sets $S_i=u_i$ and computes $U_i=S_{i}P-(h_{i,3}{X}_i+h_{i,4}(G_i+h_{i,1}{P}_{pub}))$, $C_{i,1}=g^{v_0}{r}_1^n\mathrm{mod}{n}^2$, $C_{i,2}=v_0\oplus h_{i,3}$. Then returns ${\sigma }_i=\{U_i,S_i,C_{i,1},C_{i,2}\}$ to $A_I$.
  If $EI{D}_i\ne EI{D}_t$, C retrieves $h_{i,2},h_{i,3},h_{i,4}$ from $L_2,L_3,L_4$ respectively, and obtains $(G_j,X_j),(x_i,d_i)$ from $L_{uk}$. C randomly selects $u_i,r_1\in Z_q^{*}$, computes $U_i=u_{i}P$, $C_{i,1}=g^{v_0}{r}_1^n\mathrm{mod}{n}^2$, $C_{i,2}=v_0\oplus h_{i,3}$, $T_i=u_i(X_j+G_j+h_{j,2}{P}_{pub})$ and $S_i=x_i{h}_{i,3}+d_i{h}_{i,4}+u_i$. C generates the signature ${\sigma }_i=\{U_i,S_i,C_{i,1},C_{i,2}\}$ and returns ${\sigma }_i$ to $A_I$.
• Unsigncryption Query: When the adversary $A_I$ issues an unsigncryption query for $(EI{D}_i,{\sigma }_i,EI{D}_j)$. If $EI{D}_i=EI{D}_t$, C retrieves the tuples $(EI{D}_i,G_i,X_i,d_i,x_i)$ from $L_u$ and $(EI{D}_j,X_j,G_j,P_{pub},h_{j,2})$ from $L_2$. C verifies the signature and computes $v_0=C_{i,2}\oplus h_{i,3}$. Then sends $v_0$ to $A_I$. If $EI{D}_i\ne EI{D}_t$, C executes the actual unsigncryption algorithm. Then C decrypts the ciphertext and returns $v_0$ to $A_I$.

(3)

Challenge Phase: $A_I$ selects two transaction messages $v_0,v_1$ of equal length and a pair of identities $(EI{D}_i,EI{D}_j)$, where $EI{D}_i$ is the sender identity and $EI{D}_j$ is the receiver identity. If $EI{D}_i\ne EI{D}_t$, C aborts the game. If $EI{D}_i=EI{D}_t$, C randomly selects $\Omega \in \{0,1\}$ and performs the following steps:

• C retrieves $EI{D}_i^{*}$’s public key $P{K}_i^{*}$ from $L_{uk}$.
• Sets $U_i^{*}=b_{i}P$, where $bP$ is an instance of the CDH problem.
• Computes $T_i^{*}=b(X_j+G_j+h_{j,2}{P}_{pub})$, where $h_{j,2}=(EI{D}_j,X_j,G_j,P_{pub})$.
• Randomly selects $r_1,h_{i,3},h_{i,4}\in Z_q^{*}$ and computes $C_{i,1}^{*}=g^{v_{\Omega }}{r}_1^n\mathrm{mod}{n}^2$ and $C_{i,2}^{*}=v_{\Omega }\oplus h_{j,2}$.
• C obtains private keys $x_i^{*},d_i^{*}$ via private key queries and computes $S_i^{*}=u_i+h_{i,3}{x}_i^{*}+h_{i,4}{d}_i^{*}$.
• C sends ${\sigma }^{*}=\{U_i^{*},S_i^{*},C_{i,1}^{*},C_{i,2}^{*}\}$ to $A_I$.

Phase II. As same in Phase I, $A_I$ asks a series of questions that continue to interact with Challenger C, but $A_I$ cannot issue private key queries for $EI{D}_j$, nor can it issue unsigncryption queries on ${\sigma }^{*}$.

(4)

Guessing Phase: If $A_I$ can break the IND-CLSC-CCA2-G1 security of the scheme, it must have queried $H_3$ for the tuple $(U^{*},T^{*},X_j^{*},G_j^{*})$. If $A_I$ outputs a valid $T_i^{*}$, the challenger C extracts the solution to the CDH problem $sbP=(T_i-u_i{X}_j-u_i{G}_j)/h_{j,2}$, where $T_i=u_i(X_j+G_j+h_{j,2}{P}_{pub})=b(X_j+G_j+h_{j,2}sP)$ and $P_{pub}=sP$.

 □

Lemma 3.

Under the ROM, if an adversary $A_{II}$ has a non-negligible advantage $\epsilon$ against the security of the proposed scheme under IND-CLSC-CCA2-G2 game, then there exists a challenger C that can solve the CDH hard problem in probabilistic polynomial time.

Proof. 

Suppose that an adversary $A_{II}$ could break the IND-CLSC-CCA2-G2 security of proposed CLSC_SAT scheme. Assume that C is a solver for the CDH problem. Given a CDH problem instance $(P,aP,bP)$, compute $abP$ through interaction with $A_{II}$.

The challenger C selects an identity $EI{D}_t$ as the challenge identity and maintains the same lists $L_1,L_2,L_3,L_4,L_u,L_{psk},L_{uk},L_{sc}$ as in GAME1. All lists are initially empty. The interaction between $A_{II}$ and C proceeds as follows.

(1)

Initialization Phase: The challenger C runs the initialization algorithm and sends $PP=\{G,q,P,P_{pub},M_{pub},H,H_1,H_2,H_3,H_4\}$ $H_1,H_2,H_3,H_4\}$ and the master key s to the adversary $A_{II}$, computing $P_{pub}=sP$.

(2)

Query Phase: Phase I. $A_{II}$ performs the following polynomial queries.

User Creation: The challenger C maintains an initially empty list $L_u$. When $A_{II}$ queries an identity $EI{D}_i$, C first checks whether $EI{D}_i$ exists in $L_u$. If it exists, C returns the public key $P{K}_i$ of $EI{D}_i$ to $A_{II}$. If $EI{D}_i$ does not exist, C randomly selects $g_i,h_{i,1}\in Z_q^{*}$, computes $G_i=g_{i}P$, $d_i=g_i+h_{i,1}s\mathrm{mod}q$ and sets $h_{i,1}=H_1(EI{D}_i,G_i,P_{pub})$. If $EI{D}_i\ne EI{D}_t$, C randomly selects $x_i\in Z_q^{*}$, computes $X_i=x_{i}P$ and $h_{i,1}=H_1(EI{D}_i,G_i,P_{pub})$. If $EI{D}_i=EI{D}_t$, C sets $x_i=\perp$, $X_i=x_{i}P$. Finally, C sends the public key $P{K}_i$ to $A_{II}$ and appends $(EI{D}_i,G_i,X_i,d_i,x_i)$ to $L_u$.

• $H_1,H_2,H_3,H_4$: Same as Lemma 2.
• Partial Private Key Query: C maintains a list $L_{psk}=(EI{D}_i,G_i,d_i)$. When $A_{II}$ queries with identity $EI{D}_i$, if $EI{D}_i=EI{D}_t$, C terminates the simulation. Otherwise, C searches for the corresponding $(G_i,d_i)$ in the list $L_{psk}$. If it exists, C returns $(G_i,d_i)$ to $A_{II}$. If it does not exist, C randomly selects $g_i\in Z_q^{*}$, computes $G_i=g_{i}P$, $h_{i,1}=H_1(EI{D}_i,G_i,P_{pub})$ and $d_i=g_i+h_{i,1}s\mathrm{mod}q$. C then sends $(G_i,d_i)$ to $A_{II}$ and saves $(EI{D}_i,G_i,d_i)$ in the $L_{psk}$ list.
• Private Key Query: Same as GAME1.
• Public Key Query: C maintains a list $L_{uk}=(EI{D}_i,G_i,d_i,x_i,X_i)$. When $A_{II}$ executes t query with identity $EI{D}_i$, C searches the list for the corresponding $(G_i,X_i)$. If finds, C returns $(G_i,X_i)$ to $A_{II}$. Otherwise, if $EI{D}_i=EI{D}_i^{*}$, C randomly selects $g_i,h_{i,1}\in Z_q^{*}$, computes $G_i=g_{i}P$, $X_i=xP$, and sets $h_{i,1}=H_1(EI{D}_i,G_i,P_{pub})$. Then sends $(G_i,X_i)$ to $A_{II}$. And stores $(EI{D}_i,G_i,X_i,d_i,\perp )$ in $L_u$, stores $(EI{D}_i,G_i,P_{pub},h_{i,1})$ in $L_1$. If $EI{D}_i\ne EI{D}_t$, C randomly selects $g_i,h_{i,1},x_i\in Z_q^{*}$, computes $X_i=x_{i}P$, $G_i=g_{i}P$ and sets $h_{i,1}=H_1(EI{D}_i,G_i,P_{pub})$. Then sends $(G_i,X_i)$ to $A_{II}$. And stores $(EI{D}_i,G_i,X_i,d_i,x_i)$ in $L_u$, stores $(EI{D}_i,G_i,P_{pub},h_{i,1})$ in $L_1$.
• Public Key Replacement Query: When $A_{II}$ queries with $(EI{D}_i,P{K}_i^{\prime })$, if $EI{D}_i=EI{D}_t$, C terminates the simulation. Otherwise, C finds $L_{uk}=(EI{D}_i,G_i,d_i,x_i,X_i)$ and replaces it with $(EI{D}_i,G_i^{\prime },d_i,\perp ,X_{\prime }^i)$.
• Signcryption Query: Same as Lemma 2.
• Unsigncryption Query: Same as Lemma 2.
• Challenge Phase: Same as Lemma 2.

Phase II. As same in Phase I, $A_{II}$ asks a series of questions that continue to interact with Challenger C, but $A_{II}$ cannot issue a private key query for the receiver $EI{D}_j$, nor can it issue unsigncryption queries on ${\sigma }^{*}$.

(3)

Guess Phase: If $A_{II}$ can break the IND-CLSC-CCA2-G2 security of the scheme, it must have queried $H_3$ for the tuple $(U^{*},T^{*},X_j^{*},G_j^{*})$. If A_I outputs a valid $T_i^{*}$, the challenger C extracts the solution to the CDH problem $x_{j}bP=T_i-u_i{d}_{j}P$, where $T_i=U_i(x_j+d_j)=U_i(b+d_j)=b{x}_{j}P+U_i{d}_j$.

 □

(2) Unforgeability

Theorem 2.

Under the ROM, if the Elliptic Curve Discrete Logarithm Problem (ECDLP) is hard to solve in polynomial time, then the proposed CLSC_SAT model is unforgeable against adaptive chosen message attacks for both Type I and Type II adversaries.

Theorem 2 is proven through Lemmas 4 and 5.

Lemma 4.

Under the ROM, if an adversary $A_I$ has a non-negligible advantage $\epsilon$ against the security of the proposed scheme under EUF—CLSC—CMA-G3 game. Then there exists a challenger C that can solve the ECDLP hard problem in probabilistic polynomial time.

Proof. 

Suppose that an adversary $A_I$ could break the EUF—CLSC—CMA-G3 security of proposed CLSC_SAT scheme. Assume that C is a solver for the ECDLP problem. Given a ECDLP problem instance $P,Q=sP$, compute s through interaction with $A_I$.

(1)

Initialization Phase: Same as Lemma 2.

(2)

Query Phase: Same as Lemma 2.

(3)

Forgery Phase: $A_I$ outputs a forged signature message ${\sigma }^{*}=\{U_i^{*},S_i^{*},C_{i,1}^{*},C_{i,2}^{*}\}$. If $EI{D}_i^{*}\ne EI{D}_t$, then C terminates the simulation. Otherwise, C recovers $h_{i,1}^{*},h_{i,3}^{*},h_{i,4}^{*}$ from $L_1,L_3,L_4$ respectively, computes $S_i^{*}P=U_i^{*}+h_{i,3}^{*}{X}_i^{*}+h_{i,4}^{*}(G_i^{*}+h_{i,1}^{*}{P}_{pub})$. According to the forking lemma [20], within PPT, A_I choose another $h_{i,4}^{\prime *}$ and can obtain another valid signature ${{\sigma }^{\prime }}^{*}=\{U_i^{*},S_i^{\prime *},C_{i,1}^{*},C_{i,2}^{*}\}$, computes $S_i^{\prime *}P=(G_i^{*}+h_{i,1}^{*}{P}_{pub})h_{i,4}^{\prime *}+h_{i,3}^{*}{X}_i^{*}+U_i^{*}$. Subtracting the two equations yields $(S_i^{*}-S_i^{\prime *})P=(h_{i,4}^{*}-h_{i,4}^{\prime *})(G_i^{*}+h_{i,1}^{*}{P}_{pub})=(h_{i,4}^{*}-h_{i,4}^{\prime *})(g_i^{*}+h_{i,1}^{*}s)P$. Thus, $s={((S_i^{*}-S_i^{\prime *})(h_{i,4}^{*}-h_{i,4}^{\prime *}))}^{-1}-g_i^{*})/h_{i,1}^{*}$, and C outputs s as the solution to the given ECDLP instance.

 □

Lemma 5.

Under the ROM, if an adversary $A_{II}$ has a non-negligible advantage $\epsilon$ against the security of the proposed scheme under EUF—CLSC—CMA-G4 game. Then there exists a challenger C that can solve the ECDLP hard problem in probabilistic polynomial time.

Proof. 

Suppose that an adversary $A_{II}$ could break the EUF—CLSC—CMA-G4 security of proposed CLSC_SAT scheme. Assume that C is a solver for the ECDLP problem. Given a ECDLP problem instance $P,Q=xP$, compute x through interaction with $A_{II}$. In this phase, let $X_i^{*}=xP$.

(1)

Initialization Phase: Same as lemma 3.

(2)

Query Phase: Same as lemma 3.

(3)

Forgery Phase: $A_{II}$ outputs a forged signature message ${\sigma }^{*}=\{U_i^{*},S_i^{*},C_{i,1}^{*},C_{i,2}^{*}\}$. If $EI{D}_i^{*}\ne EI{D}_t$, then C terminates the simulation. Otherwise, C recovers $h_{i,1}^{*},h_{i,3}^{*},h_{i,4}^{*}$ from $L_1,L_3,L_4$ respectively, computes $S_i^{*}P=U_i^{*}+h_{i,3}^{*}{X}_i^{*}+h_{i,4}^{*}(G_i^{*}+h_{i,1}^{*}{P}_{pub})$. According to the forking lemma, within PPT, A_II choose another $h_{i,3}^{\prime *}$ and can obtain another valid signature ${{\sigma }^{\prime }}^{*}=\{U_i^{*},S_i^{\prime *},C_{i,1}^{*},C_{i,2}^{*}\}$, computes $S_i^{\prime *}P=(G_i^{*}+h_{i,1}^{*}{P}_{pub})h_{i,4}^{*}+h_{i,3}^{\prime *}{X}_i^{*}+U_i^{*}$. Subtracting the two equations yields $(S_i^{*}-S_i^{\prime *})P=(h_{i,3}^{*}-h_{i,3}^{\prime *})X_i^{*}=(h_{i,3}^{*}-h_{i,3}^{\prime *})xP$. Thus, $x=(S_i^{*}-S_i^{\prime *}){(h_{i,3}^{*}-h_{i,3}^{\prime *})}^{-1}$, and C outputs x as the solution to the given ECDLP instance.

 □

7. Experimental Analysis

7.1. Experimental Simulation

The feasibility verification of the CLSC_SAT model was conducted on a server running Ubuntu 20.04, equipped with an Intel i5-10210U 1.60 GHz CPU and 8 GB RAM. The model’s nine algorithms (Setup, CreateAddr, CreateRkey, SetPartialKey, SetPub/PrivKey, CreateTx, VerifyTx, RenewalTx, TraceTx) were implemented using the PBC library and C programming language. Each algorithm was executed 1000 times, and the average execution times are presented in Table 3.

Table 3. Time consumption of algorithms in CLSC_SAT.

Algorithm	Time/ms
Setup	1.591
CreateAddr	3.464
CreateRkey	0.014
SetPartialKey	1.616
SetKey	1.577
CreateTx	1.406
VerifyTx	0.032
RenewalTx	0.036
TraceTx	1.824

To further validate the feasibility of the model, the total transmission time, signature time, and verification time were tested for transaction volumes of 20, 40, 60, 80 and 100 in the account model, as shown in Figure 3. The experimental results indicate that as the number of transactions increases, the total transmission time grows linearly, aligning with the expected data transmission performance of the CLSC_SAT model under large-scale transactions. Additionally, the signature time is higher than the verification time, which is attributed to the greater complexity of the signature algorithm.

Figure 3. Time in different transactions under the account model.

This paper also analyzes the performance of CLSC_SAT model in terms of computing overhead and communication overhead.

7.2. Computational Overhead Analysis

In this study, a bilinear pairing $e:G_1\times G_1\to G_2$ was selected to achieve an 80-bit security level. Here, $G_1$ is a supersingular elliptic curve defined over the finite field $F_q$ with the equation $E:y^2=x^3+x\mathrm{mod}{q}_1$, where $p_1$ is a 512-bit large prime number and $q_1$ is a 160-bit large prime number. For the elliptic curve scheme, an elliptic curve $E:y^2=x^3+ax+b\mathrm{mod}{q}_2$ was chosen, with $a,b\in Z_q^{*}$. The execution time of cryptographic operations was calculated using the C language under the PBC library, with each operation executed 1000 times. The average time consumption for each operation is presented in Table 4.

Table 4. Average runtime for cryptographic operations in PBC library.

Operation	Description	Running Time/ms
$T_{bp}$	Bilinear pair pairing operation	3.049
$T_{bp}^{sm}$	Scalar multiplication based on pairing	1.136
$T_{bp}^{pa}$	Point addition based on pairing	0.007
$T_{ecc}^{sm}$	Scalar multiplication on elliptic curves	0.928
$T_{ecc}^{pa}$	Point addition on elliptic curves	0.006
$T_{mtp}$	Map_to_point hash function	2.440
$T_h$	One-way hash function	0.001

To evaluate the computational complexity, the computational overhead of the signature and verification algorithms in the CLSC_SAT model was compared with that of reference [21,22,23,24,25], focusing on the time consumption for signing and verifying signatures, as shown in Table 5. The results indicate that the CLSC_SAT model performs better in terms of computational cost. The signing algorithm time of reference [21] is close to that of the CLSC_SAT model, but its verification algorithm time is approximately three times that of the CLSC_SAT model. The signing and verification algorithm times of reference [22] are the same but are higher than those of the CLSC_SAT model. Reference [23], based on bilinear pairing operations, has the highest time consumption for both signing and verification algorithms. Although the verification algorithm time of reference [24] is the same as that of the CLSC_SAT model, its signing time is approximately three times that of the CLSC_SAT model. The signing and verification algorithm times of reference [25] are almost identical, but all of them are higher than the CLSC_SAT model. Therefore, the CLSC_SAT model improves signing efficiency by 33.18%, 45.29%, 33.22% and 33.5% compared to references [22,23,24,25], respectively, and improves verification efficiency by 66.81%, 66.64%, 94.29%, and 66.88% compared to references [21,22,23,24,25], respectively. The experiments demonstrate that the CLSC_SAT model achieves higher signing and verification efficiency while protecting identity privacy compared to other schemes.

Table 5. Comparison of computational costs.

Scheme	Signature Algorithm/ms	Verification Algorithm/ms
[21]	$2T_{ecc}^{sm}+2T_h\approx 1.858$	$3T_{ecc}^{sm}+3T_{ecc}^{pa}+3T_h\approx 2.805$
[22]	$3T_{ecc}^{sm}+T_{ecc}^{pa}+T_h\approx 2.791$	$3T_{ecc}^{sm}+T_{ecc}^{pa}+T_h\approx 2.791$
[23]	$3T_{bp}^{sm}+T_h\approx 3.409$	$3T_{bp}+2T_{bp}^{sm}+2T_{mtp}+T_h\approx 16.3$
[24]	$3T_{ecc}^{sm}+T_{ecc}^{pa}+3T_h\approx 2.793$	$T_{ecc}^{sm}+3T_h\approx 0.931$
[25]	$3T_{ecc}^{sm}+T_{ecc}^{pa}+4T_h\approx 2.806$	$3T_{ecc}^{sm}+4T_{ecc}^{pa}+3T_h\approx 2.811$
CLSC_SAT	$2T_{ecc}^{sm}+T_{ecc}^{pa}+3T_h\approx 1.865$	$T_{ecc}^{sm}+3T_h\approx 0.931$

The calculation cost of CLSC_SAT model with references [21,22,23,24,25] signature and verification is shown in Figure 4.

Figure 4. Comparison of signature generation and verification time [21,22,23,24,25].

7.3. Communication Overhead Analysis

The communication overhead of the CLSC_SAT model is primarily analyzed based on the size of the elements required for signature transmission, including the anonymous identity $EI{D}_{\mathrm{i}}$, public key $P{K}_i$, signature ${\sigma }_{\mathrm{i}}$, and timestamp $t_i$. In the elliptic curve constructed in this paper, the sizes of $q_1$ and $q_2$ are 64 bytes and 20 bytes, respectively. Therefore, elements in $G_1$ and $G$ occupy 128 bytes and 40 bytes, respectively. Assuming that elements in $Z_q^{*}$ occupy 20 bytes and the timestamp occupies 4 bytes, the space occupied by different types of data elements is shown in Table 6.

Table 6. Different types of elements occupy the space size.

Element	Size/Bytes	Description
$|G_1|$	128	Size occupied by elements in group $G_1$.
$|G|$	40	Size occupied by elements in group G.
$|Z_q^{*}|$	20	Size occupied by elements in $Z_q^{*}$.
$|T|$	4	Size occupied by timestamp.

To compare the commonalities of various schemes, this paper focuses solely on the size of the signatures. A comparison of communication overhead with the literature is presented in Table 7. It can be observed that the signature overhead in this study is the lowest, and the transmission overhead is only higher than that of reference [23].

Table 7. Comparison of communication cost.

Scheme	Signature Overhead/Bytes	Transmission Overhead/Bytes
[22]	$|G_1|+|Z_q^{*}|=148$	$2|G_1|+3|Z_q^{*}|+2|T|=324$
[23]	$|G_1|+|Z_q^{*}|=148$	$3|G_1|+2|Z_q^{*}|+2|T|=432$
[24]	$2|G|+2|Z_q^{*}|=120$	$4|G|+2|Z_q^{*}|=200$
[25]	$2|G|+|Z_q^{*}|+|T|=104$	$4|G|+4|Z_q^{*}|+4|T|=252$
CLSC_SAT	$|G|+3|Z_q^{*}|=104$	$4|G|+4|Z_q^{*}|+2|T|=248$

In the CLSC_SAT model, $t{x}_{send}=(EI{D}_i,P{K}_i,{\sigma }_i,t_i)$, where $EI{D}_i$ occupies $|G|+|Z_q^{*}|+|T|=64$ bytes, $P{K}_i$ occupies $2|G|=80$ bytes, ${\sigma }_i$ occupies $|G|+3|Z_q^{*}|=100$ bytes, and $t_i$ occupies $|T|=4$ bytes. Therefore, the total transmission signature overhead is $4|G|+4|Z_q^{*}|+2|T|=248$ bytes. Similarly, taking references [22,23] as examples, in reference [22], $t{x}_{send}=({\sigma }_i,QI{D}_i,FI{D}^i,T_i)$, where $QI{D}_i$ occupies $|Z_q^{*}|=20$ bytes, $FI{D}^i$ occupies $|G_1|+|Z_q{|}^{*}+|T|=152$ bytes, ${\sigma }_i$ occupies $|G_1|+|Z_q^{*}|=148$ bytes, and $T_i$ occupies $|T|=4$ bytes. Thus, the total transmission signature communication overhead is $2|G_1|+3|Z_q^{*}|+2|T|=324$ bytes. In reference [23], $t{x}_{send}=(PI{D}_i,vp{k}_i,{\sigma }_i,t_i)$, where $PI{D}_i$ occupies $|G_1|+|Z_q^{*}|+|T|=152$ bytes, $vp{k}_i$ occupies $|G_1|=128$ bytes, ${\sigma }_i$ occupies $|G_1|+|Z_q^{*}|=148$ bytes, and $t_i$ occupies $|T|=4$ bytes. Therefore, the total transmission signature overhead is $3|G_1|+2|Z_q^{*}|+2|T|=432$ bytes. A comparison of communication overhead between this work and references [22,23,24,25] is illustrated in Figure 5.

Figure 5. Comparison of communication cost [22,23,24,25].

7.4. Security Requirement Analysis

The CLSC_SAT model is compared with other blockchain privacy protection schemes in terms of functions, including transaction model, anonymity [26], transaction amount protection and controllability, etc. The specific results are shown in Table 8. The results show that the CLSC_SAT model can meet more security requirements.

Table 8. Performance comparison of different privacy protection schemes.

Scheme	Transaction Model	Anonymity		Transaction Amount	Regulability
		Sender	Receiver		Single Supervision	Hierarchical Supervision
[2]	UTXO	√	√	×	√	-
[11]	Account	×	×	√	-	-
[27]	UTXO	√	√	√	√	-
CLSC_SAT	Account	√	√	√	-	√

Explanations: “√” indicates the presence of the feature. “×” indicates the absence of the feature. “-” indicates not applicable.

8. Conclusions

In order to study the issues of transaction privacy protection and regulation in a blockchain account model, this paper designs a supervised anonymous transaction model based on a certificateless public key signcryption algorithm, which does not require bilinear pairing. While achieving transaction privacy protection, it supports identity accountability and decentralized regulatory authority, ensuring the transparency and security of transactions. In terms of anonymity, the model generates user anonymous transaction identifiers through a certificateless signcryption algorithm without bilinear pairing, ensuring strong anonymity of user identities. It also uses the signcryption algorithm along with the Paillier homomorphic encryption algorithm to encrypt transaction amounts separately, ensuring the confidentiality of transactions and verifying them. For regulation, a publicly verifiable secret threshold sharing scheme is adopted to decentralize regulatory authority, thereby reducing the risks of single points of failure and power abuse associated with a single regulator storing the regulatory key. The CLSC_SAT model demonstrates superior performance in terms of anonymity, traceability, forward security, and backward security, while also achieving high signing efficiency and low communication overhead, making it suitable for blockchain transaction systems under account models. Future work will focus on exploring the feasibility of the proposed model in electronic voting scenarios, integrating it into mainstream blockchain platforms (e.g., Ethereum), and incorporating cryptographic accumulator techniques to optimize the efficiency of transaction history verification, thereby advancing the practical deployment of blockchain-based privacy-preserving technologies.