The Cryptographic Complexity of Anonymous Coins: A Systematic Exploration

Abstract

The modern financial world has seen a significant rise in the use of cryptocurrencies in recent years, partly due to the convincing lure of anonymity promised by these schemes. Bitcoin, despite being considered as the most widespread among all, is claimed to have significant lapses in relation to its anonymity. Unfortunately, studies have shown that many cryptocurrency transactions can be traced back to their corresponding participants through the analysis of publicly available data, to which the cryptographic community has responded by proposing new constructions with improved anonymity claims. Nevertheless, the absence of a common metric for evaluating the level of anonymity achieved by these schemes has led to numerous disparate ad hoc anonymity definitions, making comparisons difficult. The multitude of these notions also hints at the surprising complexity of the overall anonymity landscape. In this study, we introduce such a common framework to evaluate the nature and extent of anonymity in (crypto) currencies and distributed transaction systems, thereby enabling one to make meaningful comparisons irrespective of their implementation. Accordingly, our work lays the foundation for formalizing security models and terminology across a wide range of anonymity notions referenced in the literature, while showing how “anonymity” itself is a surprisingly nuanced concept, as opposed to existing claims that are drawn upon at a higher level, thus missing out on the elemental factors underpinning anonymity.

1. Introduction

Cryptocurrencies are undeniably one of the most attention-grabbing developments in security research of the last decade. They continue to open up new classes of inquiries for the crypto and distributed systems communities, while also arguably offering tangible financial benefits to the common man and woman. Consequently, their emergence as alternatives to traditional fiat currencies is reaching new heights [1,2].

Thanks to the blockchain technology, trust, the grease of financial transactions, can now be inferential rather than axiomatic. The decentralized nature, ease of conducting cross-border transactions, resistance to censure, and promises (or hopes) of privacy and anonymity are factors that have contributed towards this popularity. Bitcoin is the first and by far the most widely used true (By which we mean permissionless, fully decentralized, with democratic governance, and transparently operated—in other words, conducive to trust from first principles.) cryptocurrency at the time of this writing, and has attracted much attention with respect to its privacy and anonymity aspects.

Anonymity, from a broad perspective, means that with respect to a given group of entities, it is not possible to uniquely identify one entity from the rest in that group. This concept of anonymity has been widely discussed in the context of anonymous communication and also in anonymous information sharing. Consequently, many theoretical models have been developed to model anonymity, such as k-Anonymity [3] and approaches based on modal logic [4]. Some such studies present formalized terminologies to capture different aspects of anonymity [5], while some propose metrics that could be used to measure a quantitative notion thereof, e.g., as a degree of anonymity [6]. For better or for worse, these available theoretical frameworks have been borrowed for discussing anonymity in cryptocurrencies.

The absence of an acceptable level of anonymity and privacy could hinder the effectiveness of any currency scheme. Many traditional currency schemes are centralized systems where customers depend on another party to preserve the privacy of related information. For example, in a banking model, banks are bound by regulation to preserve the confidentiality of customer information. If the transaction history of a particular individual or entity was exposed to an outsider, it could result in many undesirable consequences, from a subjective sense of betrayal, to more concrete abuses such as misuse of that information to gain undue advantages in contract bidding. Even worse, if currency units came attached with transaction histories, it could lead to the blacklisting of specific units based on their use in unlawful activities in the past, or their involvement in boycotted operations, even though the units may have had only uncontroversial uses afterwards. As such, it is paramount to have a tolerable level of anonymity in a currency scheme in order to ensure its fungibility.

In relation to the anonymity of Bitcoin, it has been argued that the current Bitcoin framework only provides a level of “pseudonymity”, in place of anonymity, as transactions are linked to payment addresses in a big graph that is visible to all [7,8]. Detailed analyses of public bitcoin transaction data have shown that it is possible to uncover behavior patterns of Bitcoin users and trace their identities in real life [9,10,11].

As a consequence of this tension between the need for, and the lack of, effective anonymity in cryptocurrencies, a lot of energy has been expended with the primary focus of fulfilling that demand. Some solutions are centered around improving the anonymity of the Bitcoin framework (e.g., Zcash), whereas other approaches have sought to revisit the blockchain machinery in the design of new cryptocurrency schemes (e.g., Monero). In spite of many such solutions making claims of “anonymity”, further studies have shown that a majority of them could still be subject to deanonymization [12,13].

As rationalized in [14], despite a large number of studies around the topic of cryptocurrency anonymity, no standardized means are available to evaluate the actual level of privacy achieved by different cryptocurrencies. Many studies have been conducted in isolation using different metrics, with the consequence that it is not feasible to compare and benchmark the anonymity landscape in a reliable manner across various constructions. To make matters worse, it turns out that the very notion of anonymity itself, in such complex multi-party systems as decentralized cryptocurrencies, has been until now very poorly understood, and is anything but clear-cut. It is replete with nooks and crannies of special cases and limitations that could turn into so many vulnerabilities.

1.1. Our Contribution

The present study was initially motivated by the works in [7,8,14,15], which lifted the veil on the multiplicity of anonymity notions for cryptocurrencies, but stopped short of actually providing a crisp formalism for defining and using those notions.

Over the course of this study, we identified a very fine-grained structure for the intuitive notion of payment anonymity, parameterized through qualitative distinct definitions, which can be shown to be sensible and justifiable in appropriate scenarios. Moreover, our definitions follow patterns that make them amenable to being brought to order according to a logical taxonomy.

Our purpose in this work, therefore, is to initiate a comprehensive formal study of fine-grained notions of anonymity in payment systems. While the multiplicity of notions is truly a by-product of the diversity and complexity of cryptographic cash systems (both existing or envisioned), our framework is general enough to capture familiar instances such as intermediated banking transactions and interpersonal physical payments. Note that we do not intend to address the anonymity of the underlying implementation of currency schemes in this work, i.e., consensus or communication mechanisms.

Our main contribution in this context is the formulation of a theoretical framework that can be used to provide a systematic categorization of terminology related to anonymity of (crypto) currencies and to model anonymity across different instances of such currency schemes.

Before we even start discoursing of anonymity, we create a flexible framework to abstract the generic functionality of nearly arbitrary payment systems, as long as certain basic consistency, security, and financial soundness properties that we define are satisfied. We model notions of spendability, balance, and indemnification, among others, considered either in an absolute universal sense for all inputs, or with respect to adversaries granted access to helper oracles.

On this foundation, we then analyze the multiple precise ways in which a broad notion of anonymity can be envisaged, and we provide a common game-based security template that consolidates a massive group of explicit attacker scenarios. Our framework is based around the fundamental notion of distinguishability, leading to a security concept of indistinguishability, likely familiar to readers from other security definitions, and a weaker notion of unlinkability. These notions are further particularized to certain subjects such as transaction value, sender, recipient and metadata, and parameterized across multiple dimensions based on which information and capabilities are given to the adversary, including (or not) the ability to see or set the initial state, to access or choose ancillary public/private keys, to query and/or manipulate the system as it runs, and to access or choose other transaction data.

Throughout this rather expansive exercise, we strive to identify similarities between related notions, which allows us in certain instances to “compress” or abstract them according to a common template, cutting size, and tedium while boosting descriptive power. Some of the resulting definitions are not distinct, others are mere tweaks in a common template, and yet others will require individual treatment. In order to encapsulate these dispersed scenarios, we present a set of theorems, underpinning the relationships among them.

The take-away message from our effort is that (financial) anonymity is not an all-or-nothing binary property; it is far more subtle. We fully intend that our framework be used to clearly spell out what aspects of privacy a certain coin does or does not satisfy, across diverse implementations. Of course, one could be content with asking for absolute fungibility (think: isotopically pure melted gold), but that is likely not to lead us anywhere, as no cryptocurrency in existence comes close to reaching that goal. This only makes the need for a (much) more refined model, all the more pressing.

1.2. Other Related Work

As mentioned at the outset, many early studies have focused on quantitative analysis of publicly available Bitcoin transaction data such as payment addresses and values as the Bitcoin blockchain records all transaction details publicly.

One of the early studies conducted by Reid et al. [16] on the anonymity of Bitcoin, presents a passive analysis on publicly available transaction data by constructing two topological structures based on the connectivity of users and transactions showing how these data can be analyzed in many different ways compromising the anonymity of users. Some have attempted to quantify such data as in [11], where behavioral patterns and transaction flows are studied at the user level. Meiklejohn et al. [17] present a different characterization of Bitcoin transaction data by clustering user accounts in terms of several heuristics, thereby highlighting the gap between expected vs. actual level of anonymity in the Bitcoin network. A similar work done by Spagnuolo et al. [18] proposes a framework (named BitIodine) to extract Bitcoin user information, mainly aiming for forensic purposes. These studies evidently place more emphasis on the quantitative analysis while we follow a qualitative approach.

On a different note, some have attempted to formalize the anonymity concepts in a theoretical manner. In this regard, a majority of the work conducted in the Bitcoin system evaluates the level of anonymity based on the notion of so-called linkability, yet with different interpretations. Androulaki et al. [10] conducted an analysis of Bitcoin privacy based on activity unlinkability and profile indistinguishability. In this work, unlinkability is defined in relation to addresses and transactions (independently) with respective users, whereas profile indistinguishability refers to clustering of users based on addresses or transactions. This interpretation of unlinkability has been applied in several subsequent studies related to the anonymity of Bitcoin [19,20,21]. From these studies, it is apparent that Bitcoin anonymity cannot be defined at the transaction layer as addresses and transactions are linkable by the construction itself.

As Bitcoin receives much criticism to that effect, new currency schemes have emerged more promising anonymity expectations, which has led to the need for more concrete formalization of anonymity concepts. Zcash is one such scheme which supports two types of transactions: “shielded” and “unshielded”. Shielded transactions are encrypted, and therefore conceal the addresses and values involved, thereby claiming to acquire improved levels of anonymity. However, users have the option to choose the transaction type, and thus they end up creating unshielded transactions at some point, where they work similar to Bitcoin transactions. Several experimental studies have shown that it is prone to linkability [22,23]. Linkability in this context is defined as the ability to link transactions and the corresponding payment addresses, and they claim that shielded transactions eventually end up in transparent addresses [23].

Cryptonote is one of the protocols based on which several currency systems have been constructed with improved anonymity claims. Saberhagen [24], in the original Cryptonote paper, states that a fully anonymous currency scheme should satisfy two properties with respect to anonymity: unlinkability and untraceability. Unlinkability in this work refers to the property that given two transactions, it is not possible to identify whether both transactions were intended to the same party, whereas untraceability is defined as the inability to identify the corresponding sender among a set of possible senders for a given transaction. Monero, which originated from the Cryptonote protocol, then claimed to provide untraceable transactions and untraceable payments. However, these two properties have fallen to deanonymization attacks in many subsequent studies through the analysis of Monero transaction data [13,25,26].

Fungibility, which is the property of every currency unit being identical, is regarded by many as an elementary requirement of any currency scheme, but it is a tall order. It is well accepted that Bitcoin is not fungible [8,27]. Although it has been claimed in [23] that Zcash achieves fungibility through its use of zk-SNARK (zero-knowledge Succinct Non-Interactive Argument of Knowledge) proofs, the survey study in [8] makes the countermanding claim that Mimblewimble is the only cryptocurrency scheme to do so. Even so, the original Mimblewimble is insecure, and the fix proposed in [28], by making it preserve a lot more data, reintroduces the coin history removed in the original fungibility claim [29].

A recent work by Biryukov et al. [30] presents an experimental analysis on deanonymization of sample transactions in several cryptocurrencies based on network analysis. The outcomes are presented in terms of anonymity degree, which provides an information-theoretic notion of anonymity as a metric external to the scheme being studied. The study, however, stresses the need for a common mechanism that could be used to measure the effectiveness of various techniques used by different currency schemes in their search of anonymity.

Cachin et al. [31] proposed a formal model for blockchain systems by modeling the transactions in terms of a graphical structure called Transaction Graphs, focusing on three different blockchain systems: Bitcoin, Ethereum, and Hyperledger Fabric. While this work focuses on the semantics of a blockchain, our model deviates from this as our emphasis is on modeling anonymity based on the functionality of a currency scheme, as opposed to the underlying construction.

With this background, many have attempted to evaluate and compare the level of anonymity achieved by different cryptocurrencies through diverse means. Among the academic literature, the survey conducted by Khalilov et al. [7] presents a comprehensive categorization on a wide range of cryptocurrencies. They attempted to group the underlying constructions of these schemes around three aspects of anonymity: untraceability, hidden values, and hidden IP addresses. A similar study was carried out by Conti et al. [8], which discusses the privacy aspects of Bitcoin and other cryptocurrencies as a comparison of advantages and disadvantages in terms of privacy and anonymity with respect to unlinkability, untraceability, deniability, and fungibility, yet without providing formal definitions. Further, the work in [14] presented a survey of several cryptocurrencies with respect to a set of qualitative anonymity properties such as fungibility, unlinkability, untraceability, hidden values, and unlinkability of IP addresses. Without formally defining those properties, they used them to compare cryptocurrencies over multiple dimensions. In a more recent survey paper, Alsalami et al. [15] presented a systematic grouping of a chosen set of cryptocurrencies in terms of four privacy tiers: pseudonymity, set anonymity, full anonymity, and confidential transactions, based on two characteristics: the ability to break links between transactions and hiding user identities. However, this categorization also, similar to the work in [7], provides a very high level picture of the anonymity levels based on the techniques used by the schemes, which is orthogonal to our work.

Nevertheless, these studies, mostly based on experimental analyses or specific constructions, do not necessarily facilitate the assessment and comparison of cryptocurrencies in terms of a common, fine-grained, formal qualitative model of anonymity. Table 1 compares the terminology used to model anonymity in above studies with our work.

Table 1. Comparison with similar work.

Paper/Study	Basis/Method	Type	Anonymity Notion/s	Applicable Cryptocurrencies
[16]	Experimental analysis	Quantitative	No formal notions	Bitcoin
[11]	Experimental analysis	Quantitative	No formal notions	Bitcoin
[17]	Experimental analysis	Quantitative	No formal notions	Bitcoin
[18]	Experimental analysis	Quantitative	No formal notions	BitIodine
[10,19,20,21]	Quantitative analysis	Quantitative	Activity unlinkability and user profile indistinguishability	Bitcoin
[22,23]	Experimental analysis	Quantitative	Linkability	Zcash
[13,24,25,26]	Implementation techniques	Qualitative	Untraceability, unlinkability	Cryptonote
[8]	Based on distinct properties	Qualitative	Internal/external unlinkability, untraceability, fungibility, deniability (no formal definitions)	Bitcoin variants, CoinJoin and Cryptonote based variants
[30]	Network analysis	Quantitative	Anonymity degree	Bitcoin, Zcash
[31]	A transaction model based on blockchain semantics	Qualitative	No formal notions	Bitcoin, Ethereum and Hyperledger Fabric blockchains
[15]	Techniques used for anonymisation	Qualitative	Pseudonymity, Set anonymity, full anonymity, confidential transactions (No formal definitions)	Bitcoin and variants, Ethereum, Cryptonote based variants
[14]	Based on existing literature	Qualitative	Unlinkability, fungibility, untraceability, hidden values, unlinkability of IP addresses (No formal definitions)	Bitcoin and variants, Cryptonote based variants
[7]	Anonymity/privacy improvement methods	Qualitative	untraceability of input/output addresses and transactions, hidden values, hidden IP addresses (No formal definitions)	Bitcoin and variants, CryptoNote based, Mimblewimble
Our work	Anonymity framework based on a comprehensive adversarial model	Qualitative	Indistinguishability and Unlinkability of senders, recipients, value and metadata (formal definitions)	Any decentralised cryptocurrency scheme

1.3. Research Question

As evident from the above, there is no existing means for modeling anonymity uniformly across diverse constructions. Further, the presence of a wide range of notions suggests that anonymity depends on a number of factors. As a result, current claims of anonymity cannot be apprehended in a qualitative manner. Accordingly, we formulate our research question as follows.

How can we achieve a fine-grained systematization of anonymity modeling suitable for massively decentralized systems such as modern cryptocurrencies?

As such, we follow the research methodology below to devise a suitable means to achieve the above.

1.3.1. Research Methodology

Our research methodology is focused around constructing a common unifying mathematical framework, which is able to capture all the multiple security nuances in all existing and future schemes, following the accepted approach in cryptography which is to define security properties in terms of “games” or conceptual experiments. We choose game-based definitions over the Universal Composability (UC) framework because the former are intuitive and can be agreed upon by non-specialists (much less non-cryptographers). This is essential as a bridge between theory and applications. Further, UC is a very nice theoretical methodology which is best suited for small primitives whose ideal functionalities may still have a clean description, which is certainly not the case in the context of cryptocurrencies.

The first step in this process is to define a generic cryptocurrency scheme which depicts the functionality of a typical decentralized currency scheme, while ensuring its correct and secure functionality. We do not consider the particulars of the underlying communication network or the consensus mechanism here as they may be unique to each scheme. Instead, we focus on the functionality which enables us to define a universal framework irrespective of the implementation-specific elements.

Based on this currency scheme, we then construct a comprehensive adversarial model, which encapsulates a wide range of attacker scenarios by investigating different security aspects. This lays the foundation for our conceptual framework, which is the essence of this work. Thereafter, we devise a game to model various settings affecting anonymity of a currency scheme, leading to a set of granular anonymity notions that are unique and precise, and are able to provide a unified framework for modeling anonymity.

1.3.2. Conceptual Framework

As already stated, this framework is formulated using game-based security modeling. It is a commonly accepted method in cryptography, which makes it easy to capture adversarial goals under well-defined adversarial capabilities. Each capability defines a unique attacker scenario, which is usually represented by a unique game (or a conceptual experiment). As in our case there are so many to consider, we came up with a methodology which involves defining a parametric experiment, which allows us to parameterize in terms of adversarial capabilities along multiple dimensions, each of which on a rising scale from no access to informational to manipulative to full control. Further details of this conceptual framework are discussed in Section 3 under Security.

1.4. Implication of the Research

As summarized in Table 1, the diversity of existing anonymity modeling methods highlights the inability to compare anonymity achieved by decentralized currency schemes. Conversely, our work uncovers the granularity of anonymity through a plethora of distinct definitions, each representing a different aspect of anonymity. While a multitude of separate definitions may seem absurdly excessive, we emphasize that these definitions arise naturally from considering the possible interactions between the adversary and the cryptocurrency. Indeed, our notions generalize many security notions familiar to cryptographers such as known vs. chosen plaintext, forward security, indistinguishability, active vs. passive adversaries, and so on. The fact that we consider all of these security dimensions simultaneously multiplies the number of definitions, but also allows us to meaningfully understand and compare the anonymity of systems that differ along multiple dimensions. As a consequence, this work provides a means for modeling anonymity in a precise and qualitative manner.

2. Proposed Model

We start by constructing a model for a cryptocurrency scheme in terms of a set of algorithms which depicts the overall functionality of a generic cryptocurrency scheme.

A currency scheme is defined in terms of a security parameter $\lambda \in {\mathbb{Z}}^{+}$ and the initial state of the system, is called the genesis state. The scheme consists of a set of payment addresses, each consisting of a private key and a public address or identity. A transaction takes place between multiple senders and recipients, and consists of a private and a public part. A minting operation collects unminted transactions at any given point in time and generates a new state. New currency units are generated as a result of the minting process, as per the underlying implementation of the scheme. The adjudicate operation selects the rightful new state of the system. A system state p is defined by the implementation and will typically record all payment addresses and transactions that are valid in that instance. In Bitcoin, for example, the blockchain is the state. Every valid state descends from a valid checkpoint state, which descends from another checkpoint state or the genesis state. Accordingly, consecutive states of the scheme form a partial ordering with respect to the internal system specifications. We use the notation given in Table 2 throughout the document in order to represent the scheme and its operations mathematically.

Table 2. Notation.

Description	Notation
Security parameter	$\lambda :\lambda \in {\mathbb{Z}}^{+}$
A system state/Current state	p
A set of states	P
$p_0$ is an earlier state in time than $p_1$ or $p_0=p_1$ i.e., $p_0$ is in $p_1$’s history	$p_0⪯p_1$
$p_0$ is not in the history of $p_1$	$p_0/⪯p_1$
$p_0⪯p_1\wedge p_0\ne p_1$	$p_0\prec p_1$
A payment address	a
Public key/Private key of a payment address	$a_{pk},a_{sk}$
Ordered tuple of one/more addresses (senders/recipients) of secret keys	$\overline{S},\overline{R}$
Ordered tuple of one/more addresses containing only public keys	$S,R$
Number of items in a tuple S	$\left|S\right|$
Public and private parts of a transaction	$t_p,t_s$
Ordered tuples of input and output values of a transaction	$V_{\mathit{old}},V_{\mathit{new}}$
Metadata for a transaction	m
Excess value of a transaction (fees + minted value)	$V_x$
A tuple of addresses of miners	$R_m$
Concatenation of tuples A and B, Set minus operation of tuples A, B	$A\parallel B$, $A\backslash B$
Empty set, empty tuple	$(\varnothing /\{\left\}\right),\left(\right)$
$a_{pk}$ is an element of tuple R	$a_{pk}\in R$
$a_{pk}$ is not an element of tuple R	$a_{pk}\notin R$
Every element in tuple $R^{{}^{\prime }}$ is in tuple R	$R^{{}^{\prime }}\subseteq R$
If $\left[\mathit{condition}\right]$ is false after $<\mathit{statement}>$, then return 1	$<\mathit{statement}>\left[\mathit{condition}\right]$
If $⟨\mathit{condition}⟩$ is false after $<\mathit{statement}>$, then return 0	$<\mathit{statement}>⟨\mathit{condition}⟩$
If $a=\perp$ then return c, else return b	$a?b:c$
If $a=\perp$ then return b, else return a	$a?\underline{}:b$
Return X if y, otherwise return 1	$X^y$
Standard operations on Associative Arrays	${\mathtt{Operation}}_{AA}$
Set of all possible system states	$\mathbb{P}$
Set of all possible addresses (both public and secret parts)	$\mathbb{A}$
Set of all possible transactions (both public and secret parts)	$\mathbb{T}$
Set of all possible transaction values of the form $(V_{\mathit{old}},V_{\mathit{new}},m)$	$\mathbb{V}$
Set of all possible mint data values of the form $(R_m,V_M)$	$\mathbb{M}$

2.1. A Generic Cryptocurrency Scheme

We define a generic cryptocurrency scheme as follows.

Definition 1.

A cryptocurrency scheme Π, is defined in terms of security parameter λ and with the functionality prescribed by means of a set of algorithms; {Init, CreateAddr, IsValidPubAddr, IsValidSecAddr, GetBalance, CreateTxn, IsValidPubTxn, IsValidSecTxn, ExtractSenderPubAddr, ExtractRecipientPubAddr, ExtractInputVal, ExtractOutputVal, IsMintable, Mint, Adjudicate, IsValidState, IsGenesisState, CreateCheckpointState, RetrieveCheckpointState}.

Functionality

Table 3 summarizes the structure of the algorithms of the scheme. The initial setup of the scheme is defined by the $\mathtt{Init}$ algorithm in terms of a security parameter $\lambda$, and this process generates the genesis state. The payment address creation process, $\mathtt{CreateAddr}$, takes an identity and some randomness, and generates a public–private key pair ($a_{pk},a_{sk}$) and a transaction, which can be minted to register the addresses. Public and private keys can be validated with respect to a given state, p. A transaction $(t_p,t_s)$ is created with unspent funds from one or more senders ($V_{\mathit{old}}$) and corresponding funds for recipients ($V_{\mathit{new}}$), together with transaction related metadata m such as corresponding IP addresses or other system-specific data. The validity of a transaction can be defined with respect to its public part as well as both public and private parts taken together. The difference between the total input value and the total output value is considered as transaction fees. Further, transaction-related data (input–output values and public keys of senders and recipients) can be extracted from a given transaction, if both public and private parts of the transaction are known.

Table 3. Functions.

Algorithm	Syntax
$\mathtt{Init}$	$p_0\leftarrow {\mathtt{Init}}_{\pi }\left(1^{\lambda }\right)$
$\mathtt{CreateAddress}$	$\perp \vee (a_{pk},a_{sk},t_p,t_s)\leftarrow {\mathtt{CreateAddr}}_{\pi }(p,d;\rho )$
$\mathtt{IsValidPubAddr}$	$\{0,1\}\leftarrow {\mathtt{IsValidPubAddr}}_{\pi }(a_{pk},p)$
$\mathtt{IsValidSecAddr}$	$\{0,1\}\leftarrow {\mathtt{IsValidSecAddr}}_{\pi }(a_{pk},a_{sk},p)$
$\mathtt{GetBalance}$	$\perp \vee \mathit{Bal}\leftarrow {\mathtt{GetBalance}}_{\pi }(a_{pk},a_{sk},p)$
$\mathtt{CreateTxn}$	$\perp \vee (t_s,t_p)\leftarrow {\mathtt{CreateTxn}}_{\pi }(R,V_{\mathit{new}},\overline{S},V_{\mathit{old}},m,p,\rho )$
$\mathtt{IsValidPubTxn}$	$\{0,1\}\leftarrow {\mathtt{IsValidPubTxn}}_{\pi }(t_p,p)$
$\mathtt{IsValidSecTxn}$	$\{0,1\}\leftarrow {\mathtt{IsValidSecTxn}}_{\pi }(t_p,t_s,p)$
$\mathtt{ExtractSenderPubAddr}$	$\perp \vee S\leftarrow {\mathtt{ExtractSenderPubAddr}}_{\pi }(t_p,t_s,p)$
$\mathtt{ExtractRecipientPubAddr}$	$\perp \vee R\leftarrow {\mathtt{ExtractRecipientPubAddr}}_{\pi }(t_p,t_s,p)$
$\mathtt{ExtractInputVal}$	$\perp \vee V_{\mathit{old}}\leftarrow \mathtt{ExtractInputVal}(t_p,t_s,p)$
$\mathtt{ExtractOutputVal}$	$\perp \vee V_{\mathit{new}}\leftarrow \mathtt{ExtractOutputVal}(t_p,t_s,p)$
$\mathtt{IsMintable}$	$\{0,1\}\leftarrow {\mathtt{IsMintable}}_{\pi }(\left\{t_p\right\},p)$
$\mathtt{Mint}$	$\perp \vee (p^{{}^{\prime }},V_x)\leftarrow {\mathtt{Mint}}_{\pi }(\left\{t_p\right\},R_m,p)$
$\mathtt{Adjudicate}$	$p^{{}^{\prime }}\in P:p\vee p^{{}^{\prime }}\leftarrow {\mathtt{Adjudicate}}_{\pi }(P,p)$
$\mathtt{IsValidState}$	$\{0,1\}\leftarrow {\mathtt{IsValidState}}_{\pi }(p,\lambda )$
$\mathtt{IsGenesisState}$	$\{0,1\}\leftarrow {\mathtt{IsGenesisState}}_{\pi }(p,\lambda )$
$\mathtt{RetrieveCheckpointState}$	$\perp \vee p_c\leftarrow {\mathtt{RetrieveCheckpointState}}_{\pi }\left(p\right)$
$\mathtt{CreateCheckpointState}$	$\perp \vee p_c\leftarrow {\mathtt{CreateCheckpointState}}_{\pi }\left(p\right)$
$\mathtt{AdditionalFunctionality}$	$\left(\mathit{outputs}\right)\leftarrow \mathtt{AdditionalFunctionality}\left(\mathit{inputs}\right)$

A minting operation takes place on a set of public parts of transactions $\left\{t_p\right\}$ and new currency units may be generated through this process, whose value is decided by the implementation specifications, internally. These minted currency units and respective transaction fees, collectively termed as excess value ($V_x$), are collected by the miners. The preferred state out of a set of candidate states is chosen to be the subsequent state of the system through the $\mathtt{Adjudicate}$ operation by preserving the precedence of states. The $\mathtt{IsValidState}$ algorithm checks the validity of a given state with respect to a given security parameter. A given state can be designated as a checkpoint state through the $\mathtt{CreateCheckpointState}$ function based on the particulars of the state, which can be retrieved later through the $\mathtt{RetrieveCheckpointState}$ operation. The genesis state is considered as the first checkpoint and the algorithm $\mathtt{IsGenesisState}$ can be used to identify the genesis state corresponding to a given security parameter.

Note that we model only the generic functionality of a cryptocurrency scheme in this scheme. Therefore, we do not consider the specifics of the underlying consensus mechanism or the network in this work. However, there may be additional functionality associated with real world cryptocurrency systems, e.g., Smart contracts with Ethereum. In order to capture such additional features, we define a supplementary function $\mathtt{AdditionalFunctionality}$. This enables us to realize the security implications of functionality of a scheme that may be outside our base model.

3. Correctness

The correctness of our model is established in terms of a set of experiments, which collectively ensure the expected functionality of the currency scheme.

Correctness Properties

We define several experiments in order to ensure the correctness of the currency scheme for all valid parameter values of $\lambda$ and $\rho$ (Table 4). Experiments corresponding to these properties are listed in Appendix A. Accordingly, the correctness of the proposed scheme is defined as follows.

Table 4. List of experiments for correctness.

Correctness Property	Experiment
Correctness of state initialisation	${\mathtt{Exp}}_{\pi }^{\mathit{init}}$
Correctness of address creation	${\mathtt{Exp}}_{\pi }^{\mathit{create}-\mathit{addr}}$
Correctness of transaction creation	${\mathtt{Exp}}_{\pi }^{\mathit{create}-\mathit{txn}}$
Correctness of minting	${\mathtt{Exp}}_{\pi }^{\mathit{mint}}$
Correctness of extracting transaction data	${\mathtt{Exp}}_{\pi }^{\mathit{extract}-\mathit{txn}-\mathit{data}}$
Correctness of adjudicate operation	${\mathtt{Exp}}_{\pi }^{\mathit{adjudicate}}$
Correctness of checkpoint creation	${\mathtt{Exp}}_{\pi }^{\mathit{create}-\mathit{checkpoint}}$
Correctness of the verification of genesis state	${\mathtt{Exp}}_{\pi }^{\mathit{genesis}-\mathit{state}}$
Monotonicity of checkpoint states	${\mathtt{Exp}}_{\pi }^{\mathit{checkpoint}-\mathit{monotonicity}}$
Monotonicity of states with respect to adjudicate operation	${\mathtt{Exp}}_{\pi }^{\mathit{adj}-\mathit{monotonicity}}$
Correctness of the checkpoint retrieval	${\mathtt{Exp}}_{\pi }^{\mathit{retrieve}-\mathit{checkpoint}}$

Definition 2 (Correctness of the Cryptocurrency Scheme).

A currency scheme Π is correct if, for all security parameters $\lambda \in {\mathbb{Z}}^{+}$, for all sufficiently long bit strings $\rho \in {\left({\{0,1\}}^{*}\right)}^{*}$, and for all $X\in$ {init, create-addr, create-txn, extract-txn-data, mint, adjudicate, adj-monotinicty, create-checkpoint, retrieve-checkpoint, genesis-state, checkpoint-monotinicity}, ${\mathtt{Exp}}_{\pi }^X(\lambda ,\rho )$ returns 1.

4. Security

We establish the security requirements for the proposed framework through a game-based approach. For this purpose, we define a comprehensive adversarial model to accommodate a wide range of capabilities on the part of the adversary. Then, we define security requirements for the functionality of the proposed currency scheme. Anonymity aspects, although related to security, are discussed in a separate section as it is the main focus of this paper.

4.1. Adversarial Model

In game-based security modeling, the first task is to establish the adversarial objective corresponding to each security property. Then, we identify the factors affecting the adversary’s actions, which we term as adversarial capabilities. Both objectives and capabilities together form the variables in this model and are independent in their own right. Further, adversarial capabilities can be grouped in terms of what information the adversary knows (adversarial knowledge) and what actions the adversary can execute (adversarial power). Combining the objective and capabilities of the adversary, we formulate a conceptual game, which mimics an instance of a given system between the adversary and a challenger, specifying the conditions on which the adversary can win the game. The adversary’s advantage of winning the game (or its success probability) is the factor that decides whether the system under study facing an adversary with the specific capabilities and objectives is secure. In this case, we can consider this advantage as the dependent variable in this framework. If the advantage is non-negligible, then we say that the system is not secure against that adversary.

In the context of cryptocurrencies, adversarial capabilities depend on a number of factors, which collectively results in a series of unique attacker scenarios. The adversary’s knowledge of public/secret keys of senders and recipients, value and metadata of a given transaction, and other transaction data correspond to adversarial knowledge. The ability to setup the initial state, to manipulate the state, and to cause minting to fail are the variables corresponding to adversarial power. Further, the adversarial objective can also be manifold, and we consider indistinguishability and unlinkability with respect to anonymity of senders, recipients, transactions etc. (we discuss these notions in detail in subsequent sections). Each adversarial goal, when combined with different capabilities, results in a large number of attacker scenarios. We construct a single parametric experiment to capture all possible adversarial capabilities, with each parameter combination resulting in a distinct security definition. This conceptualization is illustrated in Figure 1.

Figure 1. Conceptual diagram of the adversarial model.

We introduce a set of parameters to represent the above-stated variables. Adversary’s access to knowledge is parameterized by $\psi$, where access to specific information is represented by a subscript corresponding to entities, sender (${\psi }_s$), recipient (${\psi }_r$), value (${\psi }_v$), and metadata (${\psi }_m$). With regards to the adversarial power, parameter $\alpha$ represents how the state initialization in the experimental setup is handled. The parameter $\delta$ represents the ability to manipulate the state. In addition, the parameter $\beta$ denotes whether the adversary has the ability to cause minting to fail. Further, we introduce additional parameters later to represent adversarial goals to study anonymity considerations.

The adversary’s access to knowledge $\psi$ is modeled in terms of different levels of access to information, ranging from no access to informational, manipulative, and full access, respectively. These parameter values start from 0, and increasing values represent increasing level of access. When any knowledge parameter has a value of 0, corresponding entity of that parameter is considered to be hidden from the adversary. We assume that the adversary has oracle access through opaque handles to those hidden entities using which desired activities can be initiated through relevant oracles. A value of 1 in these parameters represents the situation where the adversary learns the corresponding entity at the end of the game, just before he makes his choice. Beyond that point, the adversary is not allowed to create or mint any transactions involving those entities. With the parameter ${\psi }_t$ on the other hand, the public part of the transaction $t_p$ is revealed to the adversary when ${\psi }_t=1$. When ${\psi }_t=2$, the secret part of the transaction $t_s$ is revealed and with ${\psi }_t=3$, the randomness of the actual coins is revealed. Further, when ${\psi }_t=4$, the adversary gets to choose the randomness for the transaction and finally the adversary gets to create the transactions when ${\psi }_t=5$. For other $\psi$ parameters, with a value of 2, relevant information is known to the adversary throughout the game in real time via appropriate oracle access. However, for all those cases, the adversary does not have control over the entities. Conversely, for any value higher than 2, the adversary has some form of control over the relevant entity as explained in Table 5.

Table 5. Parameters of the adversarial model.

Parameter Value	Adversarial Knowledge					Adversarial Power
	Sender Public/Secret Keys	Recipient Public/Secret Keys	Transaction Value	Transaction Metadata	Transaction	State Manipulation	State Initialisation	Cause Mint to Fail
	${\mathbf{\psi }}_{{\mathit{pk}}_{\mathbf{s}}}/{\mathbf{\psi }}_{{\mathit{sk}}_{\mathbf{s}}}$	${\mathbf{\psi }}_{{\mathit{pk}}_{\mathbf{r}}}/{\mathbf{\psi }}_{{\mathit{sk}}_{\mathbf{r}}}$	${\mathbf{\psi }}_{\mathbf{v}}$	${\mathbf{\psi }}_{\mathbf{m}}$	${\mathbf{\psi }}_{\mathbf{t}}$	$\mathbf{\delta }$	$\mathbf{\alpha }$	$\mathbf{\beta }$
0	Hidden	Hidden	Hidden	Hidden	Hidden	Hidden	Hidden randomness honest Init (HIDH)	Not allowed
1	Hidden but revealed at the end	Hidden but revealed at the end	Hidden but revealed at the end	Hidden but revealed at the end	Revealed	Can view the state	Public randomness honest Init (PUBH)	Allowed
2	Access public keys through oracle	Access secret keys through oracle	Chosen by Oracle and known	Chosen by oracle and known	$t_s$ is revealed	Can manipulate the state	Public randomness adversarial Init (PUBA)	-
3	Adversary chooses the identity, the oracle creates addresses	Adversary chooses the randomness, the oracle creates addresses	Adversary chooses the values	Adversary chooses metadata	Randomness of the coins revealed, oracle creates transaction	-	Hidden randomness adversarial Init (HIDH)	-
4	Adversary generates the address	Adversary generates the address	-	-	Adversary chooses the randomness	-	-	-
5	-	-	-	-	Adversary creates the transaction	-	-	-

In the case where $\alpha =0$, the state initialization is performed honestly with hidden randomness. A value of 1 represents a scenario where an honest state initialization takes place with public randomness. For values $\alpha >1$, the adversary has some control over the state initialization as listed in Table 5. With $\delta =0$, the system state is hidden from the adversary. Similar to the state initialization, the adversary has control over the state when $\delta >1$. The parameter $\beta$ on the other hand, only takes two values 0 and 1 to say whether the adversary can cause minting to fail.

With this parameterization, we can capture a wide range of adversaries ranging from passive (with all parameters equal to zero) to static (with $\delta$, $\beta$$\le 1$) and adaptive adversaries (with parameter values greater than 1).

4.2. Helper Functions

We define a group of oracle functions to provide the adversary with access to honest functionality during the execution of the game (Figure 2). These include ${\mathcal{O}}_{addr}$ for creating addresses, ${\mathcal{O}}_{hidaddr}$ for creating hidden addresses, ${\mathcal{O}}_{txn}$ for creating transactions, and ${\mathcal{O}}_{mint}$ for minting. Another oracle is defined to generate hidden metadata (${\mathcal{O}}_{\mathit{hidMdata}}$). The history of the activities of the oracles are maintained globally within the games, i.e., $A_{\mathcal{O}},T_{\mathcal{O}}$ as associative arrays and $M_{\mathcal{O}}$ as a set to store all addresses, transactions, and minting history, respectively. In addition, $A_{\mathcal{O}}^{*},T_{\mathcal{O}}^{*}$, and $D_{\mathcal{O}}^{*}$ are maintained as sets to store hidden addresses, transactions, and metadata, whereas $T_{\mathcal{O}}^{\prime }$ stores the randomness of the coins spent in transactions. In order to cater for the addresses created with different adversarial inputs, the oracle keeps track of different groups of addresses in $A_{{\mathcal{O}}_{jk}}$ with binary values j and k, and a value of 0 representing adversarial identity and adversarial randomness, respectively. ${\mathcal{O}}_{mint}$ sets the flag $f_{\mathcal{O}}=1$ globally, if a minting operation fails, in which case the adversary loses the game, unless $\beta$ = 1. The adversary has access to all available oracles, unless specifically mentioned with a specific subscript in the games. Table 6 summarizes the variables used by the oracles.

Figure 2. Oracle functions.

Table 6. A summary of oracle variables.

Variable	Description
$A_{\mathcal{O}}$	All addresses created by the oracle, i.e., all ($a_{pk},a_{sk}$)
$A_{\mathcal{O}}^{*}$	All hidden addresses created by the oracle, i.e., all hidden $a_{pk}$
$A_{{\mathcal{O}}_{11}}$	All addresses created by the oracle with randomly chosen d and $\rho$
$A_{{\mathcal{O}}_{10}}$	All addresses created by the oracle with adversarial randomness ($\rho$)
$A_{{\mathcal{O}}_{01}}$	All addresses created by the oracle with adversarial identity (d)
$A_{{\mathcal{O}}_{00}}$	All addresses created by the oracle with adversarial identity (d) and randomness ($\rho$)
$T_{\mathcal{O}}$	All transactions created by the oracle
$T_{\mathcal{O}}^{*}$	All hidden transactions created by the oracle
$T_{\mathcal{O}}^{\prime }$	Randomness of the coins involved in transactions created by the oracle
$D_{\mathcal{O}}^{*}$	All hidden metadata generated by the oracle
$M_{\mathcal{O}}$	Minting details of all mint operations performed by the oracle
$p_{\mathcal{O}}$	Current state

Further, the current state of the system is denoted by $p_{\mathcal{O}}$ for these games. It is assumed that $p_{\mathcal{O}}$ is updated as the state evolves within the game (e.g., through oracle calls with side effects, which is what the subscript $\mathcal{O}$ tries to convey), except where a new state is generated through a mint operation, in which case the new state is denoted with a different subscript, e.g., $p_1$.

Additionally, we also define a set of helper functions to be used in the security games as given in Figure 3 to improve the clarity of the games. The $\mathtt{SetupState}$ function performs the state initialization based on INIT, whereas the $\mathtt{RunAdversary}$ function executes an instance of the adversary $\mathcal{A}$ denoted by different subscripts based on ACT. $\mathtt{LookupPubAddr}$ and $\mathtt{LookupSecAddr}$ functions are used to obtain public keys and private keys from hidden addresses, respectively. In addition, $\mathtt{LookupPubTxn}$ outputs the $t_p$ corresponding to a hidden transaction when $\psi$${}_t=0$. $\mathtt{GenerateTxnVals}$ function is used when $\psi$${}_v\in \{0,1\}$, to generate required input and output transaction values, based on the the maximum transaction value given by the adversary. Further, $\mathtt{GenerateMetadata}$ function generates metadata values required for a transaction when ${\psi }_m=0$ while $\mathtt{LookupMdata}$ is used to obtain hidden metadata when $\psi$${}_m\in \{0,1\}$.

Figure 3. Helper functions.

4.3. Security Properties

First, we define a set of properties to ensure the functional security of the proposed scheme. These are defined by means of game-based experiments around several attributes: Unforgeability, Transaction binding property, Spendability, Balance property, Descendency, and Anonymity. Each property is demonstrated with respect to attacker’s goals and we construct appropriate games to model adversarial behavior explained earlier.

The unforgeability property ensures that it is not possible to spend the funds associated with a payment address without the knowledge of the secret key corresponding to that payment address. The transaction binding property establishes the requirement that the secret part of a transaction $t_s$ cannot be tampered with and ensures that $t_s$ binds with a unique $t_p$, i.e., a given $t_s$ cannot correspond to two different $t_p$s. Spendability guarantees that the funds associated with a payment address (a) cannot decrease unless the corresponding secret keys are known, i.e., ${\mathtt{Balance}}_{\mathit{aft}}\left(a\right)<{\mathtt{Balance}}_{\mathit{bef}}\left(a\right)$ only if secret key of a$\left(a_{sk}\right)$ is known $\forall a$. The property of Indemnification requires that fund balances associated with the payment addresses that are not involved in a transaction should remain unchanged.

The balance property requires that the fund balances of participants in a transaction are updated correctly. Further, the balances of miners’ addresses should also be updated correctly with relevant transaction fees and mint values ($V_x$). These goals can be summarized for a set of transactions involved in one minting operation as follows:

$$\sum _{a\in \overline{S}}{V}_{\mathit{old}}\left(a\right)-\sum _{a\in \overline{R}}{V}_{\mathit{new}}\left(a\right)+\mathit{Minted}\mathit{units}=\sum _{a\in {\overline{R}}_m}{V}_{\mathit{x}}\left(a\right)$$

(1)

$${\mathtt{Balance}}_{\mathit{bef}}\left(a\right)+V_{\mathit{new}}\left(a\right)-V_{\mathit{old}}\left(a\right)={\mathtt{Balance}}_{\mathit{aft}}\left(a\right)\forall a\in \overline{S},\overline{R}$$

(2)

$${\mathtt{Balance}}_{\mathit{bef}}\left(a\right)+\mathtt{Excess}\left(a\right)={\mathtt{Balance}}_{\mathit{aft}}\left(a\right)\forall a\in {\overline{R}}_m$$

(3)

A single experiment is defined to capture all three goals, so that the balances cannot be manipulated by an adversary.

Positivity ensures that the fund balance corresponding to each payment address in the system is non-negative at all times. The descendancy property requires that an adversary should not be able to produce a valid system state, which does not descend from the genesis state.

We construct individual games (i.e., conceptual experiments) to represent all the above properties, and relevant details are included in Appendix B. Accordingly, we formally define the security of a currency scheme constructed as per Definition 1 in terms of those experiments as follows.

Definition 3 (Security of the currency scheme).

For $Y\in$ {unforgeability, txn-binding, spendability, balance, indemnification, positivity, descendancy}, a currency scheme Π is said to be $(\psi ,\delta ,\alpha ,\beta )$-secure with respect to Y if for every PPT adversary $\mathcal{A}=({\mathcal{A}}_1,{\mathcal{A}}_2,{\mathcal{A}}_3)$ and for all possible values of $\psi ,\delta ,\alpha$ and β, the advantage of winning the security experiment ${\mathtt{Exp}}_{\Pi ,\mathcal{A},\mathcal{O},\psi ,\delta ,\alpha ,\beta }^Y\left(\lambda \right)$is negligible in $\lambda \in {\mathbb{Z}}^{+}$, i.e.,

$${\mathbf{Adv}}_{\Pi ,\mathcal{A},\mathcal{O},\psi ,\delta ,\alpha ,\beta }^Y=\left|\mathbf{Pr}({\mathbf{Exp}}_{\Pi ,\mathcal{A},\mathcal{O},\psi ,\delta ,\alpha ,\beta }^Y\left(\lambda \right)=1)\right|\le \epsilon \left(\lambda \right)$$

where ε is a negligible function ($\forall \mathit{positive}\mathit{polynomials}p\left(\lambda \right),\exists N\mathit{such}\mathit{that}\forall \lambda >N,\epsilon \left(\lambda \right)\le 1/p\left(\lambda \right)$) in λ, ${\psi }_{\mathit{pk}}, {\psi }_{\mathit{sk}}\in \{0,1,2,3,4\}$, ${\psi }_v,{\psi }_m,\gamma \in \{0,1,2,3\}$, ${\psi }_t\in \{0,1,2,3,4,5\}$, $\beta \in \{0,1\}$ and $\delta \in \{0,1,2\}$.

5. Anonymity

In this section, we demonstrate how we can model different aspects of anonymity of a currency scheme, in terms of the proposed framework. First, we formulate a parametric game to capture different attacker scenarios, each of which represents a different aspect of anonymity. Then, we provide a group of definitions for several anonymity properties stemming from the fundamental concept of indistinguishability. The term indistinguishability means that it is not possible to distinguish between two known entities in a given situation, e.g., inability to distinguish the sender of a transaction from two possible sender addresses.

We also define a weaker notion of anonymity, unlinkability, which is similar to indistinguishability, except the two entities to choose between are not known to the attacker explicitly, but rather by their history in previous transactions. For example, value unlinkability refers to the inability to decide which of two transactions has the same value as a transaction of interest.

We define these anonymity notions around a set of entities in a typical currency scheme. These entities can be categorized as topological and non-topological where topological entities directly correspond to entities in the transaction graph of the scheme. Senders and recipients form the topological category whereas value and other relevant metadata are categorized as non-topological entities, without having a direct relationship to the transaction graph. We parameterize different scenarios where an attacker can manipulate these entities at various levels.

5.1. Anonymity Game

In order to facilitate the execution of the Anonymity game in a more transparent manner, we define a few additional helper functions to check the adversarial conditions of inputs at the start of the game ($\mathtt{CheckAdvConditions}$) and to reveal data to the adversary at the end ($\mathtt{RevealData}$) based on the parameter $\psi$ (Figure 4). Note that for a particular security notion, $\psi$ is constant. Moreover, we also introduce another variable, $\omega$, to represent test variable/s. We define $\omega =\left({\omega }_s{\omega }_r{\omega }_v{\omega }_m\right)$ with each ${\omega }_x\in \{0,1\}$ to indicate which entity (sender/recipient/value/metadata) is being tested in a given instance of the game, based on which the transaction data are varied. The adversarial inputs to the game are crafted based on $\psi$. We now define a common game to capture all possible attacker scenarios in this setting. Figure 5 illustrates the game.

Figure 4. Additional helper functions for the Anonymity game.

Figure 5. Anonymity game.

Execution of the Game

The game is executed as follows. The state initialization takes place at the beginning of the execution of the game based on $\alpha$ (line 3). The game continues if the returned state $p_{\mathcal{O}}$ is valid. Here, we use ‘$⟨\mathit{condition}⟩$’ notation to check this condition. In this notation, if the condition inside the brackets is false, then the game terminates and the adversary loses the game. In this case, if the state is valid, the adversary provides a set of data (to be used in creating transactions, minting, etc.) to the challenger, based on the values of $\psi$ parameters with respect to senders, recipients, values, and metadata. These data include two sets of senders $S_0$, $S_1$, recipients $R_0$, $R_1$, input/output values $V_{\mathit{old}}$, $V_{\mathit{new}}$, miners’ addresses $R_m$, metadata $m_0$, $m_1$, a set of transactions T (to be minted), two additional transactions $t_0$, $t_1$, two sets of randomness of coins ${\rho }_0$, ${\rho }_1$, together with the current state $p_{\mathcal{O}}$ (line 4). If sender/recipient addresses are hidden, respective outputs $S/R$ should be handles to those hidden addresses created by the oracle, i.e., $\psi$${}_{{\mathit{pk}}_s}$, $\psi$${}_{{\mathit{sk}}_s}$, $\psi$${}_{{\mathit{pk}}_r}$, $\psi$${}_{{\mathit{sk}}_r}\in \{0,1\}$. The adversary can make corresponding oracle calls to create hidden addresses, and opaque handles to those addresses are given in return. In addition, if transaction values are hidden (i.e., $\psi$${}_v\in \{0,1\}$), then the adversary provides maximum values for respective input and output values (through $V_{\mathit{old}}$, $V_{\mathit{new}}$), and the oracle chooses appropriate transaction values accordingly. If $\psi$${}_m\in \{0,1\}$, then adversary returns a handle for hidden metadata. The transactions $t_0$ and $t_1$ represent two transactions created by the adversary when $\psi$${}_t=5$. For other values of $\psi$${}_t$, these will remain null. The inputs ${\rho }_0$ and ${\rho }_1$ provide the randomness (of coins) required to create the transactions when $\psi$${}_t=4$, or will be empty, otherwise. According to the values of $\psi$, the challenger checks whether the values returned by the adversary meet the expected criteria (through the $\mathtt{CheckAdvConditions}$ function) and terminates the game if any of the inputs are invalid (line 7). Upon submission of valid inputs, the adversary continues to evolve the current state through appropriate oracle queries.

Next, the challenger checks whether ${\psi }_t=5$, in which case the adversary produces the required transactions (which will be considered as $t_{p_0}$ and $t_{p_1}$). Otherwise, the challenger creates a transaction $t_{p_0}$, using the input values through the oracle ${\mathcal{O}}_{txn}$ as given in step 13. Based on the entity/entities being tested as defined by $\omega$, a second transaction $t_{p_1}$ is also created as appropriate (line 14). If the transactions are not mintable and the parameter $\beta =0$ (i.e., failed mint operations are not allowed), then the game is terminated and the adversary loses the game. We use the notation “$⟨{\mathtt{IsMintable}}_{\pi }{(\left\{t_{p_1}\right\}\cup T,p_{\mathcal{O}})}^{\overline{\beta }}⟩$” to represent this condition. In this case, when $\beta$$=0$, $\overline{\beta }=1$, and the game continues if $\mathtt{IsMintable}\left(\right)=1$. When $\beta =1$, $\overline{\beta }=0$, and thus $\mathtt{IsMintable}{\left(\right)}^0=1$ always and hence the game proceeds.

Subsequently, the challenger picks a bit b and chooses to mint $t_{p_b}$ together with the list of transactions T returned by the adversary (line 15). Next, the challenger calls the $\mathtt{RevealData}$ function to prepare the information that needs to be revealed to the adversary based on $\psi$, and this information is then passed to the adversary. At this point, the adversary is not allowed to create any further transactions involving the revealed addresses. Then, he/she makes a guess ($b^{{}^{\prime }}$) for the bit b, based on the revealed data U, minted state $p_1$, and the adversarial state s. The challenger checks whether the guess is correct, subject to the condition $\beta \vee (f_{\mathcal{O}}\ne 1)$. The adversary wins the game if his/her guess is correct.

Unsurprisingly, there are over 600,000 different combinations of $\omega$, $\psi$, $\delta$, and $\alpha$ alone, resulting in different attacker scenarios, which reveal the atomicity of anonymity in a currency system. This game helps one to assess which combinations are satisfied by a given currency scheme, by proving that the attacker has negligible advantage of winning the game. In order to simplify this task, in the next section, we come up with a set of anonymity notions which can be linked to the terminology discussed in the literature.

5.2. Notions of Anonymity

As previously mentioned, different combinations of the parameters in the Anonymity Game yields a large number of unique scenarios with respect to anonymity. While some notions may not result in apprehensible real-world scenarios, others may assist in assessing different levels in achievable anonymity. In this section, we identify a set of some useful anonymity notions with respect to indistinguishability (IND) and unlinkability (ULK) of entities, senders (S), recipients (R), value (V), and metadata (M) in a currency scheme.

We define each notion in terms of a unique adversary, based on the adversary’s goal, knowledge and power as GOAL-KNOWL-POWER, which is also represented as a unique parameter vector $\omega$ − $\psi$ − $(\delta ,\alpha ,\beta )$. The strongest adversary is modeled with the highest power (to manipulate the state initialization and the state, and to make minting to fail) and the maximum knowledge (full knowledge of secret keys of senders/recipients, values, and metadata), which we name as a FULL-FULL adversary. The weakest adversary has no power and no knowledge of transaction data, hence we name as a NIL-NIL adversary. Other intermediate adversaries are named accordingly to emphasize the capabilities in power and knowledge specific to a given setting. Therefore, the highest level of anonymity modeled by the game is the notion ALL-IND-FULL-FULL and the weakest is the notion of NIL-IND-NIL-NIL. Accordingly, Table 7 lists some useful anonymity notions and their corresponding parameter vectors.

Table 7. Some useful anonymity notions.

Goal	Adversarial Knowledge	Adversarial Power	Parameter Vector
ALL-IND	FULL	FULL	${\left(1_s{1}_r{1}_v{1}_m\right)}_{\omega }$ − ${({(4,4)}_s,{(4,4)}_r,3_v,3_m,5_t)}_{\psi }$ − ($2_{\delta }$,$3_{\alpha }$,$1_{\beta }$)
S-IND	PUBS	ACTIVE	${\left(1_s{0}_r{0}_v{0}_m\right)}_{\omega }$ − ${({(3,0)}_s,{(4,4)}_r,3_v,3_m,5_t)}_{\psi }$ − $(2_{\delta },3_{\alpha },0_{\beta })$
S-ULK	NILS	ACTIVE	${\left(1_s{0}_r{0}_v{0}_m\right)}_{\omega }$ − ${({(3,0)}_s,{(4,4)}_r,3_v,3_m,5_t)}_{\psi }$ − ($2_{\delta }$,$3_{\alpha }$,$0_{\beta }$)
R-IND	PUBR	ACTIVE	${\left(0_s{1}_r{0}_v{0}_m\right)}_{\omega }$ − ${({(4,4)}_s,{(3,0)}_r,3_v,3_m,5_t)}_{\psi }$ − ($2_{\delta }$,$3_{\alpha }$,$0_{\beta }$)
R-ULK	NILR	ACTIVE	${\left(0_s{1}_r{0}_v{0}_m\right)}_{\omega }$ − ${({(4,4)}_s,{(0,0)}_r,3_v,3_m,5_t)}_{\psi }$ − ($2_{\delta }$,$3_{\alpha }$,$0_{\beta }$)
V-IND	PUBSRV	ACTIVE	${\left(0_s{0}_r{1}_v{0}_m\right)}_{\omega }$ − ${({(3,0)}_s,{(3,0)}_r,2_v,3_m,5_t)}_{\psi }$ − ($2_{\delta }$,$3_{\alpha }$,$0_{\beta }$)
V-ULK	PUBSR-NILV	FULL	${\left(0_s{0}_r{1}_v{0}_m\right)}_{\omega }$ − ${({(3,0)}_s,{(3,0)}_r,0_v,3_m,5_t)}_{\psi }$ − ($2_{\delta }$,$3_{\alpha }$,$1_{\beta }$)
M-IND	PUBM	ACTIVE	${\left(0_s{0}_r{0}_v{1}_m\right)}_{\omega }$ − ${({(4,4)}_s,{(4,4)}_r,3_v,2_m,5_t)}_{\psi }$ − ($2_{\delta }$,$3_{\alpha }$,$0_{\beta }$)
M-ULK	NILM	ACTIVE	${\left(0_s{0}_r{0}_v{1}_m\right)}_{\omega }$ − ${({(4,4)}_s,{(4,4)}_r,3_v,0_m,5_t)}_{\psi }$ − ($2_{\delta }$,$3_{\alpha }$,$0_{\beta }$)
NIL-IND	NIL	VIEW	${\left(0_s{0}_r{0}_v{0}_m\right)}_{\omega }$ − ${({(0,0)}_s,{(0,0)}_r,0_v,0_m,0_t)}_{\psi }$ − ($1_{\delta }$,$1_{\alpha }$,$0_{\beta }$)
NIL-IND	NIL	NIL	${\left(0_s{0}_r{0}_v{0}_m\right)}_{\omega }$ − ${({(0,0)}_s,{(0,0)}_r,0_v,0_m,0_t)}_{\psi }$ − ($0_{\delta }$,$0_{\alpha }$,$0_{\beta }$)

5.2.1. Topological Entities

As already mentioned, the identification of topological entities such as senders and recipients participating in a transaction can directly contribute towards constructing the corresponding relationships among those entities. As a result, one can trace the flow of transactions of a particular entity, affecting the level of anonymity. Several studies have been conducted in this regard, especially in the case of Bitcoin, where a transaction graph could be built using publicly available data related to senders and recipients [20]. As such, topological entities play a vital role in the achievable level of anonymity of a currency scheme. Therein, we define a set of useful anonymity properties around these entities in this section (Figure 6).

Figure 6. Topological anonymity notions. (Dashed outline: addresses with hidden secret keys, double-dashed outline: addresses with hidden public/private keys, Solid outline: both keys known). (a) Sender Indistinguishability (S-IND); (b) Recipient Indistinguishability (R-IND); (c) Sender Unlinkability (S-ULK); (d) Recipient Unlinkability (R-ULK).

Sender Indistinguishability (S-IND)

We define this property to represent a case where given two possible senders and a transaction, it is not possible to distinguish the correct sender. Figure 6a illustrates this scenario. In the anonymity game, only the public keys of the senders will be known to the adversary with ${\psi }_{{\mathit{pk}}_s}=3$ and ${\psi }_{{\mathit{sk}}_s}=0$ (PUBS knowledge) with same transaction values and other metadata, and the challenger will create two transactions $t_{p_0}$ and $t_{p_1}$ with same value and metadata if ${\mathrm{KNW}}_t\ne 5$ (otherwise, the adversary provides the transactions). Based on the chosen bit b, the challenger mints the transaction $t_{p_b}$ and the adversary gets to see the data related to the minted transaction, based on ${\psi }_t$, and has to guess the challenger’s choice. The knowledge of recipient addresses can vary based on ${\psi }_{{\mathit{pk}}_r}$ and ${\psi }_{{\mathit{sk}}_r}$.

We can see that the game represents the strongest attacker scenario when the recipient addresses are fully controlled by the adversary in a setting with an adversarial hidden state initialization and the ability to manipulate the state, as well as with the highest knowledge of the transaction (i.e., ${\psi }_t=5$). However, having $\beta$ = 1 enables the adversary to craft messages in a manner so that failed mint operations can be used to learn about account balances, etc., thus revealing the transaction graph, which will be trivial and thus we consider an adversary with ACTIVE power (i.e., $\delta =2,\alpha =3,\beta =0$). Accordingly, the strongest notion of this property is S-IND-PUBS-ACTIVE, which is represented by “${\left(1_s{0}_r{0}_v{0}_m\right)}_{\omega }$ − $({(3,0)}_s,{(4,4)}_r,3_v,3_m,$$5_t{)}_{\psi }$ − ($2_{\delta },3_{\alpha },0_{\beta }$)” in the Anonymity game with the following formal definition.

Definition 4 (S-IND-PUBS-ACTIVE).

A currency scheme Π is said to satisfy the anonymity notion S-IND-PUBS-ACTIVE with respect to Sender Indistinguishability against an adversary $\mathcal{A}$, if $\mathcal{A}$’s advantage of winning the Anonymity game defined by the parameter vector ${\left(1_s{0}_r{0}_v{0}_m\right)}_{\omega }$ − $({(3,0)}_s,{(4,4)}_r,$$3_v,3_m,$$5_t{)}_{\psi }$ − ($2_{\delta },3_{\alpha },0_{\beta }$) is negligible, i.e.,

$${\mathbf{Adv}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{S-IND}=|\mathbf{Pr}\left[{\mathbf{Exp}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{Anonymity}\left(\lambda \right)=1\right]-1/2|\mathit{is}\mathit{negligible}\mathit{in}\lambda .$$

Sender Unlinkability (S-ULK)

The notion of sender unlinkability is defined to be the property that it is not possible to link a transaction with its corresponding sender in a given setting. As Figure 6c illustrates, the adversary has to guess the correct transaction as with S-IND scenario, but without knowing both public/private keys of the senders, i.e., Senders in this case are hidden with ${\psi }_{{\mathit{pk}}_s},{\psi }_{{\mathit{sk}}_s}=0$. The strongest notion in this sense is given by S-ULK-NILS-ACTIVE with the parameter vector “${\left(1_s{0}_r{0}_v{0}_m\right)}_{\omega }$ − ${({(0,0)}_s,{(4,4)}_r,3_v,3_m,5_t)}_{\psi }$ − ($2_{\delta },3_{\alpha },0_{\beta }$)” and the corresponding formal definition is as follows.

Definition 5 (S-ULK-NILS-ACTIVE).

A currency scheme Π is said to satisfy the anonymity notion S-ULK-NILS-ACTIVE with respect to Sender Unlinkability against an adversary $\mathcal{A}$, if $\mathcal{A}$’s advantage of winning the Anonymity game defined by the parameters ${\left(1_s{0}_r{0}_v{0}_m\right)}_{\omega }$ − $({(0,0)}_s,{(4,4)}_r,3_v$, $3_m,5_t{)}_{\psi }$ − ($2_{\delta },$$3_{\alpha },0_{\beta }$) is negligible, i.e.,

$${\mathbf{Adv}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{S-ULK}=|\mathbf{Pr}\left[{\mathbf{Exp}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{Anonymity}\left(\lambda \right)=1\right]-1/2|\mathit{is}\mathit{negligible}\mathit{in}\lambda .$$

Recipient Indistinguishability (R-IND)

This notion is similar to sender indistinguishability, except with recipient addresses. Therefore, it is defined to be one’s inability to distinguish the correct recipient out of two given recipients in a given situation. As shown in the Figure 6b, public keys of the recipients (${\psi }_{{\mathit{pk}}_r}=3,{\psi }_{{\mathit{sk}}_r}=0$) are known and the senders could be hidden or known as per the parameters ${\psi }_{{\mathit{pk}}_s}$ and ${\psi }_{{\mathit{sk}}_s}$. The two transactions $t_{p_0}$ and $t_{p_1}$ both carry the same sender, values, and metadata, yet have two different recipients. The adversary needs to guess which transaction out of $t_{p_0}$ and $t_{p_1}$ was minted. The strongest adversarial scenario in this case is R-IND-PUBR-ACTIVE, denoted as “${\left(0_s{1}_r{0}_v{0}_m\right)}_{\omega }$ − ${({(4,4)}_s,{(3,0)}_r,3_v,3_m,5_t)}_{\psi }$ − ($2_{\delta },0_{\alpha },0_{\beta }$)”. We define the notion formally as below.

Definition 6 (R-IND-PUBR-ACTIVE).

A currency scheme Π is said to satisfy the anonymity notion R-IND-PUBR-ACTIVE with respect to Recipient Indistinguishability against an adversary $\mathcal{A}$, if $\mathcal{A}$’s advantage of winning the Anonymity game defined by the parameters ${\left(0_s{1}_r{0}_v{0}_m\right)}_{\omega }$ − $({(4,4)}_s,{(3,0)}_r,3_v,$$3_m,5_t{)}_{\psi }$ − ($2_{\delta },0_{\alpha },0_{\beta }$) is negligible, i.e.,

$${\mathbf{Adv}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{R-IND}=|\mathbf{Pr}\left[{\mathbf{Exp}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{Anonymity}\left(\lambda \right)=1\right]-1/2|\mathit{is}\mathit{negligible}\mathit{in}\lambda .$$

Recipient Unlinkability (R-ULK)

This property is referred to as the inability to link a transaction to the correct recipient. Figure 6d shows the basic setup for this game where the adversary needs to guess the correct transaction out of the two options $t_{p_0}$ and $t_{p_1}$, without any knowledge about the corresponding recipients, i.e., ${\psi }_{{\mathit{pk}}_r}$,${\psi }_{{\mathit{sk}}_r}=0$. The strongest notion in this setting is represented as R-ULK-NILR-ACTIVE given by the vector “${\left(0_s{1}_r{0}_v{0}_m\right)}_{\omega }$ − ${({(4,4)}_s,{(0,0)}_r,3_v,3_m,5_t)}_{\psi }$ − ($2_{\delta },3_{\alpha },0_{\beta }$)” and the formal definition is given below.

Definition 7 (R-ULK-NILR-ACTIVE).

A currency scheme Π is said to satisfy the anonymity notion R-ULK-NILR-ACTIVE with respect to Recipient Unlinkability against an adversary $\mathcal{A}$, if $\mathcal{A}$’s advantage of winning the Anonymity game defined by the parameters ${\left(0_s{1}_r{0}_v{0}_m\right)}_{\omega }$ − $({(4,4)}_s,$${(0,0)}_r$, $3_v,3_m,5_t{)}_{\psi }$ − ($2_{\delta },3_{\alpha },0_{\beta }$) is negligible.

$${\mathbf{Adv}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{R-ULK}=|\mathbf{Pr}\left[{\mathbf{Exp}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{Anonymity}\left(\lambda \right)=1\right]-1/2|\mathit{is}\mathit{negligible}\mathit{in}\lambda .$$

5.2.2. Non-Topological Entities

As opposed to topological entities, non-topological entities such as value and metadata in a currency scheme do not directly affect the structure of the transaction graph. However, if made public, these entities could also hinder the privacy of users. Therefore, these entities can also be regarded as equally important in determining the level of anonymity in a currency scheme. In this section, we provide formal definitions for major anonymity notions involving non-topological entities: value and metadata (Figure 7).

Figure 7. Non-topological Anonymity notions. (a) Value/Metadata indistinguishability. (b) Value/Metadata unlinkability (hidden values/metadata).

Value Indistinguishability (V-IND)

The notion of indistinguishability with respect to transaction values refers to the fact that it is impossible to distinguish the correct value from two given values for a given transaction. In the game, the challenger creates two transactions, $t_{p_0}$ and $t_{p_1}$, with two different values, $v_0$ and $v_1$, while having other entities the same (Figure 7a). In this case, the adversary knows what the two values are and other entities can vary according to their $\psi$ values. The challenger then picks a bit b and mints the transaction $t_{p_b}$ and the adversary has to guess which transaction it is. We represent the strongest adversary as PUBSR-ACTIVE as the knowledge of secret keys would leak information about the value. Therefore, the strongest notion in this scenario is given by V-IND-PUBSR-ACTIVE, which is represented by the vector “${\left(0_s{0}_r{1}_v{0}_m\right)}_{\omega }$ − $({(3,0)}_s,{(3,0)}_r,3_v,3_m$$,5_t{)}_{\psi }$ − ($2_{\delta },3_{\alpha },0_{\beta }$)” with the following formal definition.

Definition 8 (V-IND-PUBSR-ACTIVE).

A currency scheme Π is said to satisfy V-IND-PUBSR-ACTIVE with respect to Value Indistinguishability against an adversary $\mathcal{A}$, if $\mathcal{A}$’s advantage of winning the Anonymity game defined by the parameters ${\left(0_s{0}_r{1}_v{0}_m\right)}_{\omega }$ − $({(3,0)}_s$, ${(3,0)}_r,3_v,3_m$$,5_t{)}_{\psi }$ − ($2_{\delta },3_{\alpha },0_{\beta }$) is negligible, i.e.,

$${\mathbf{Adv}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{V-IND}=|\mathbf{Pr}\left[{\mathbf{Exp}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{Anonymity}\left(\lambda \right)=1\right]-1/2|\mathit{is}\mathit{negligible}\mathit{in}\lambda .$$

Value Unlinkability (V-ULK)

We define the property of unlinkability related to transaction value as the inability to correctly identify value of the minted transaction from two possible hidden values. In order to realize this scenario, failed minting operations have to be allowed in the game with the parameter $\beta$set to 1, as it would be impossible for the adversary to win the game otherwise. As ${\psi }_v=0$, the adversary gives maximum values for $V_{\mathit{new}}$ and $V_{\mathit{old}}$ values from which the challenger generates corresponding values required for the transaction using the $\mathtt{GenerateTxnVals}$ helper function (Figure 3). Further, as in the case of V-IND, we restrict the knowledge of secret keys of senders/recipients as otherwise the transaction is trivial. As shown in Figure 7b, in this context the challenger creates two transactions $t_{p_0}$ and $t_{p_1}$ with hidden transaction values $v_0$ and $v_1$, respectively. The challenger then picks a bit b and mints the transaction $t_{p_b}$ and the adversary makes a guess to identify the correct scenario. Accordingly, we have “${\left(0_s{0}_r{1}_v{0}_m\right)}_{\omega }$ − ${({(3,0)}_s,{(3,0)}_r,0_v,3_m,5_t)}_{\psi }$ − ($2_{\delta },3_{\alpha },1_{\beta })$” as the combination of parameters required to achieve the strongest level of anonymity notion V-ULK-PUBSR-NILV-FULL in this sense and the corresponding definition is as follows.

Definition 9 (V-ULK-PUBSR-NILV-FULL).

A currency scheme Π is said to satisfy the anonymity notion V-ULK-PUBSR-NILV-FULL with respect to Value Unlinkability against an adversary $\mathcal{A}$ under a hidden adversarial initialisation, if $\mathcal{A}$’s advantage of winning the Anonymity game defined by the parameters ${\left(0_s{0}_r{1}_v{0}_m\right)}_{\omega }$ − ${({(3,0)}_s,{(3,0)}_r,0_v,3_m,5_t)}_{\psi }$ − ($2_{\delta },3_{\alpha },1_{\beta }$) is negligible, i.e.,

$${\mathbf{Adv}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{V-ULK}=|\mathbf{Pr}\left[{\mathbf{Exp}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{Anonymity}\left(\lambda \right)=1\right]-1/2|\mathit{is}\mathit{negligible}\mathit{in}\lambda .$$

Metadata Indistinguishability (M-IND)

Other transaction-related data such as scripts, IP addresses, etc. also pose a risk to anonymity as they can be linked to addresses or transactions in many different ways. Although such metadata can be specific to a given implementation, it might be useful in modeling the effects imposed by the other layers of implementations such as the consensus scheme. Therefore, in this case, we discuss metadata in general without linking to any specific data, for the completeness of this work.

In this context, we define Metadata Indistinguishability to represent the scenario where it is not possible to correctly identify the metadata corresponding to a given transaction, between two given possibilities. Similar to the value indistinguishability scenario, the challenger creates two transactions with different metadata values (already known to the adversary) and mints only one transaction leaving the adversary make a guess as to what it is. The following vector represents the strongest scenario as “${\left(0_s{0}_r{0}_v{1}_m\right)}_{\omega }$ − ${({(4,4)}_s,{(4,4)}_r,3_v,2_m,5_t)}_{\psi }$ − ($2_{\delta },3_{\alpha },0_{\beta }$)” as per the notion M-IND-PUBM-ACTIVE and it is formally defined below.

Definition 10 (M-IND-PUB-ACTIVE).

A currency scheme Π is said to satisfy the anonymity notion M-IND-PUB-ACTIVE with respect to Metadata Indistinguishability against an adversary $\mathcal{A}$, if $\mathcal{A}$’s advantage of winning the Anonymity game defined by the parameters ${\left(0_s{0}_r{0}_v{1}_m\right)}_{\omega }$ − $({(4,4)}_s,{(4,4)}_r,3_v,3_m,$$5_t{)}_{\psi }$ − ($2_{\delta },$$3_{\alpha },0_{\beta }$) is negligible, i.e.,

$${\mathbf{Adv}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{M-IND}=|\mathbf{Pr}\left[{\mathbf{Exp}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{Anonymity}\left(\lambda \right)=1\right]-1/2|\mathit{is}\mathit{negligible}\mathit{in}\lambda .$$

Metadata Unlinkability (M-ULK)

We define the property of unlinkability of metadata with a close analogy to value unlinkability, i.e., given a transaction, it is not possible to correctly identify the metadata from two given hidden metadata values. Here, we use the $\mathtt{GenerateMetadata}$ helper function to generate the data required for the game (Figure 3). Accordingly, we have the corresponding notion M-ULK-NILM-ACTIVE parameterized by, “${\left(0_s{0}_r{0}_v{1}_m\right)}_{\omega }$ − $({(4,4)}_s,{(4,4)}_r,$$3_v,0_m,5_t{)}_{\psi }$ − ($2_{\delta },3_{\alpha },0_{\beta }$)” representing the strongest case in this sense. The formal definition follows.

Definition 11 (M-ULK-NILM-ACTIVE).

A currency scheme Π is said to satisfy the anonymity notion M-ULK-NILM-ACTIVE with respect to Metadata Unlinkability against an adversary $\mathcal{A}$, if $\mathcal{A}$’s advantage of winning the Anonymity game defined by the parameters ${\left(0_s{0}_r{0}_v{1}_m\right)}_{\omega }$ − $({(4,4)}_s$, ${(4,4)}_r,$$3_v,0_m,$$5_t{)}_{\psi }$ − ($2_{\delta },3_{\alpha },0_{\beta }$) is negligible, i.e.,

$${\mathbf{Adv}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{M-ULK}=|\mathbf{Pr}\left[{\mathbf{Exp}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{Anonymity}\left(\lambda \right)=1\right]-1/2|\mathit{is}\mathit{negligible}\mathit{in}\lambda .$$

5.2.3. Other Useful Anonymity Notions

Further to above notions, we also formally define the strongest and weakest anonymity notions modeled in this framework as they are useful in benchmarking the anonymity landscape.

Strongest Anonymity (ALL-IND)

In this setting, the game models two senders and two recipients. The challenger creates two transactions $t_{p_0}$ and $t_{p_1}$ as before, but each transaction is created using distinct set of data, i.e., different sender, recipient, value, and metadata (Figure 8a). The strongest adversary in this scenario has the FULL knowledge and FULL power given by ALL-IND-FULL-FULL notion and parameterized by the vector ${\left(1_s{1}_r{1}_v{1}_m\right)}_{\omega }$ − $({(4,4)}_s$, ${(4,4)}_r,$$3_v,3_m,$$5_t{)}_{\psi }$ − ($2_{\delta },3_{\alpha },1_{\beta }$). This setting models the highest level of anonymity achievable by a currency scheme and can be considered as “absolute fungibility”. We provide the following formal definition in this connection.

Figure 8. Strongest and weakest anonymity games. (a) ALL-IND game; (b) NILL-IND game.

Definition 12 (ALL-IND-FULL-FULL).

A currency scheme Π is said to satisfy the anonymity notion ALL-IND-FULL-FULL with respect to indistinguishability against an adversary $\mathcal{A}$, if $\mathcal{A}$’s advantage of winning the Anonymity game defined by the parameters ${\left(1_s{1}_r{1}_v{1}_m\right)}_{\omega }$ − $({(4,4)}_s$, ${(4,4)}_r,$$3_v,3_m,$$5_t{)}_{\psi }$ − ($2_{\delta },3_{\alpha },1_{\beta }$) is negligible, i.e.,

$${\mathbf{Adv}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{ALL-IND}=|\mathbf{Pr}\left[{\mathbf{Exp}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{Anonymity}\left(\lambda \right)=1\right]-1/2|\mathit{is}\mathit{negligible}\mathit{in}\lambda .$$

Weakest Anonymity (NIL-IND)

Here, we consider the weakest adversary that can be modeled in our game. In this case, the game produces two identical transactions as opposed to the strongest scenario above (Figure 8b). These transactions differ only in their randomness and the adversary has to identify the correct transaction. Therefore, the weakest adversary in this case is a NIL-NIL adversary with no knowledge nor power, which is a passive adversary. This means that even $\delta$ = 0, meaning that the scheme has a hidden private state, which however may not be the case for most cryptocurrency schemes. Yet, we provide the following formalization for comparison.

Definition 13 (NIL-IND-NIL-NIL).

A currency scheme Π is said to satisfy the anonymity notion NIL-IND-NIL-NIL with respect to indistinguishability against an adversary $\mathcal{A}$, if $\mathcal{A}$’s advantage of winning the Anonymity game defined by the parameters ${\left(0_s{0}_r{0}_v{0}_m\right)}_{\omega }$ − $({(0,0)}_s$, ${(0,0)}_r,$$0_v,0_m,$$0_t{)}_{\psi }$ − ($0_{\delta },0_{\alpha },0_{\beta }$) is negligible, i.e.,

$${\mathbf{Adv}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{NIL-IND1}=|\mathbf{Pr}\left[{\mathbf{Exp}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{Anonymity}\left(\lambda \right)=1\right]-1/2|\mathit{is}\mathit{negligible}\mathit{in}\lambda .$$

As many cryptocurrency schemes have public states, we can see that at the very least, the adversary can view the state, meaning that we can set $\delta$ = 1 in our model for most schemes. This will model an adversary with VIEW power with other parameters being zero. Therefore, we define a slightly less weaker notion in this sense, which can be useful to model anonymity in some real world constructions.

Definition 14 (NIL-IND-NIL-VIEW).

A currency scheme Π is said to satisfy the anonymity notion NIL-IND-NIL-VIEW with respect to indistinguishability against an adversary $\mathcal{A}$, if $\mathcal{A}$’s advantage of winning the Anonymity game defined by the parameters ${\left(0_s{0}_r{0}_v{0}_m\right)}_{\omega }$ − $({(0,0)}_s$, ${(0,0)}_r,$$0_v,0_m,$$0_t{)}_{\psi }$ − ($1_{\delta },$$0_{\alpha },0_{\beta }$) is negligible, i.e.,

$${\mathbf{Adv}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{NIL-IND2}=|\mathbf{Pr}\left[{\mathbf{Exp}}_{\Pi ,\mathcal{A},\mathcal{O},\omega ,\psi ,\delta ,\alpha ,\beta }^{Anonymity}\left(\lambda \right)=1\right]-1/2|\mathit{is}\mathit{negligible}\mathit{in}\lambda .$$

5.2.4. Representation of Anonymity Notions

In order to clearly represent above anonymity notions, we construct graphical illustrations as shown in Figure 9 and Figure 10. These diagrams are useful in comparing anonymity landscape across different implementations while illustrating the complex multidimensional diversity of adversarial parameters.

Figure 9. Strongest anonymity notion: ALL-IND-FULL-FULL (red). Weakest notion: NIL-IND-NIL-NIL (cyan).

Figure 10. Anonymity notions S-IND-PUBS-ACTIVE (green) and S-ULK-NILS-ACTIVE (blue).

Figure 9 represents a comparison between the strongest anonymity notion ALL-IND-FULL-FULL against the weakest notion NIL-IND-NIL-NIL in our anonymity game. All other notions lay within the area bounded by these two notions. The larger the area covered by the graph of a given notion, the stronger is the level of anonymity. This is evident from the Figure 10, which represents two more anonymity notions related to S-IND and S-ULK corresponding to Definitions 4 and 5, and shows that S-IND is stronger than S-ULK.

5.3. Theorems

As is apparent from the definitions presented in the previous section, we can utilize the Anonymity game to realize a multitude of potential different attacker scenarios. Identifying the relationships among these is a worthwhile exercise in order to discern the meaningful aspects of anonymity captured by them.

Note that as we vary different security parameters in our model, their correlations result in a non-trivial lattice form as depicted in Figure 11 and Figure 12. These relations are interpreted as implications, equivalences, and separations. The arrow “↦” represents an implication in the direction of the arrow and a separation in the opposite direction, whereas the double arrow “↔” shows an equivalence relation. In order to formalize these relationships, we define a set of theorems that will simplify the process of assessing the anonymity of a currency scheme and we present the same below. Relevant proofs of these theorems are available in Appendix C.

Figure 11. Relationship of anonymity notions for different sender addresses ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_s$.

Figure 12. Relationships among notions based on $\alpha$, $\delta$, $\psi$${}_v$, $\psi$${}_m$, $\psi$${}_t$, and $\beta$.

Theorem 1.

For a currency scheme Π and for a given combination of ω, δ, α, ${\psi }_{{\mathit{sk}}_s}$, ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_r$, ${\psi }_v$, ${\psi }_m$, ${\psi }_t$, and β, the notion resulting from increasing the value of ${\psi }_{{\mathit{pk}}_s}$ while holding others is strictly stronger than the former for the following scenarios.

i. 

given that Π is secure in $\omega -\psi \left({(\mathbf{3},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$, Π is also secure in $\omega -$$\psi \left({(\mathbf{2},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$, $\omega -\psi \left({(\mathbf{1},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$ and $\omega -\psi \left({(\mathbf{0},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({(\mathbf{3},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{2},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{1},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi$$\left({(\mathbf{0},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$

ii. 

given that Π is secure in $\omega -\psi \left({(\mathbf{3},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )$, Π is also secure in $\omega -$$\psi \left({(\mathbf{2},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )$ and $\omega -\psi \left({(\mathbf{1},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({(\mathbf{3},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{2},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{1},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )$

iii. 

given that Π is secure in $\omega -\psi \left({(\mathbf{3},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )$, Π is also secure in $\omega -$$\psi \left({(\mathbf{2},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )$,

i.e.,$\omega -\psi \left({(\mathbf{3},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{2},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )$

iv. 

given that Π is secure in $\omega -\psi \left({(\mathbf{3},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )$, Π is also secure in $\omega -$$\psi \left({(\mathbf{2},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({(\mathbf{3},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{2},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )$

v. 

given that Π is secure in $\omega -\psi \left({(\mathbf{4},\mathbf{4})}_s\right)-(\delta ,\alpha ,\beta )$, Π is also secure in $\omega -$$\psi \left({(\mathbf{3},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({(\mathbf{4},\mathbf{4})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{3},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )$

where $\omega \in {\{1,0\}}^4$, ${\psi }_{{\mathit{pk}}_r},{\psi }_{{\mathit{sk}}_r}\in \{0,1,2,3,4\},{\psi }_v,{\psi }_m,\gamma \in \{0,1,2,3\},{\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{0,1,2\}$ (Figure 11).

Theorem 2.

For a currency scheme Π and for a given combination of ω, δ, α, ${\psi }_{{\mathit{pk}}_s}$, ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_r$, ${\psi }_v$, ${\psi }_m$, ${\psi }_t$, and β, the notion resulting from increasing the value of ${\psi }_{{\mathit{sk}}_s}$ while holding others is strictly stronger than the former for the following scenarios:

i. 

given that Π is secure in $\omega -\psi \left({(\mathbf{0},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )$, Π is also secure in $\omega -$$\psi \left({(\mathbf{0},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )$, $\omega -\psi \left({(\mathbf{0},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )$ and $\omega -\psi \left({(\mathbf{0},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({(\mathbf{0},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{0},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{0},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi$$\left({(\mathbf{0},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$

ii. 

given that Π is secure in $\omega -\psi \left({(\mathbf{1},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )$, Π is also secure in $\omega -$$\psi \left({(\mathbf{1},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )$ and $\omega -\psi \left({(\mathbf{1},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({(\mathbf{1},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{1},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{1},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$

iii. 

given that Π is secure in $\omega -\psi \left({(\mathbf{2},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )$, Π is also secure in $\omega -$$\psi \left({(\mathbf{2},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )$, $\omega -\psi \left({(\mathbf{2},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )$ and $\omega -\psi \left({(\mathbf{2},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({(\mathbf{2},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{2},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{2},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi$$\left({(\mathbf{2},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$

iv. 

given that Π is secure in $\omega -\psi \left({(\mathbf{3},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )$, Π is also secure in $\omega -$$\psi \left({(\mathbf{3},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )$, $\omega -\psi \left({(\mathbf{3},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )$ and $\omega -\psi \left({(\mathbf{3},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({(\mathbf{3},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{3},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(\mathbf{3},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi$$\left({(\mathbf{3},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$

where $\omega \in {\{1,0\}}^4$, ${\psi }_{{\mathit{pk}}_r},{\psi }_{{\mathit{sk}}_r}\in \{0,1,2,3,4\},{\psi }_v,{\psi }_m,\gamma \in \{0,1,2,3\},{\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{0,1,2\}$ (Figure 11).

Theorem 3.

For a currency scheme Π and for a given combination of ω, δ, α, ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_r$, ${\psi }_v$, ${\psi }_m$, ${\psi }_t$, and β, the resulting notion from increasing the value of ${\psi }_{s_{\mathit{pk}}}$ while holding others fixed, is equivalent to the former when ${\psi }_{{\mathit{pk}}_s}\le {\psi }_{{\mathit{sk}}_s}$ under the following scenarios:

i. 

given that Π is secure in $\omega -\psi \left({(0,1)}_s\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -$$\psi \left({(1,1)}_s\right)-(\delta ,\alpha ,\beta )$, and vice versa.,

i.e., $\omega -\psi \left({(0,1)}_s\right)-(\delta ,\alpha ,\beta )\leftrightarrow \omega -\psi \left({(1,1)}_s\right)-(\delta ,\alpha ,\beta )$

ii. 

given that Π is secure in $\omega -\psi \left({(0,2)}_s\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -$$\psi \left({(1,2)}_s\right)-(\delta ,\alpha ,\beta )$ and $\omega -\psi \left({(2,2)}_s\right)-(\delta ,\alpha ,\beta )$, and vice versa,

i.e., $\omega -\psi \left({(0,2)}_s\right)-(\delta ,\alpha ,\beta )\leftrightarrow \omega -\psi \left({(1,2)}_s\right)-(\delta ,\alpha ,\beta )\leftrightarrow \omega -\psi \left({(2,2)}_s\right)-(\delta ,\alpha ,\beta )$

iii. 

given that Π is secure in $\omega -\psi \left({(0,3)}_s\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -$$\psi \left({(1,3)}_s\right)-(\delta ,\alpha ,\beta )$ and $\omega -\psi \left({(2,3)}_s\right)-(\delta ,\alpha ,\beta )$, and vice versa,

i.e., $\omega -\psi \left({(0,3)}_s\right)-(\delta ,\alpha ,\beta )\leftrightarrow \omega -\psi \left({(1,3)}_s\right)-(\delta ,\alpha ,\beta )\leftrightarrow \omega -\psi \left({(2,3)}_s\right)-(\delta ,\alpha ,\beta )$

where $\omega \in {\{1,0\}}^4$, ${\psi }_{{\mathit{pk}}_r},{\psi }_{{\mathit{sk}}_r}\in \{0,1,2,3,4\},{\psi }_v,{\psi }_m,\gamma \in \{0,1,2,3\},{\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{0,1,2\}$ (Figure 11).

Theorem 4.

For a currency scheme Π for a given combination of ω, δ, α, ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_r$, ${\psi }_v$, ${\psi }_m$, ${\psi }_t$, and β (with ${\psi }_t=1$), the notion resulting from decreasing the value of ${\psi }_{s_{\mathit{pk}}}$ while holding others is not necessarily stronger than the former for the following scenarios:

i. 

$\omega -\psi \left({(\mathbf{0},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{1},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{2},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{3},\mathbf{0})}_s\right)$

$-(\delta ,\alpha ,\beta )$

ii. 

$\omega -\psi \left({(\mathbf{1},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{2},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{3},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow$

iii. 

$\omega -\psi \left({(\mathbf{2},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{3},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )$

iv. 

$\omega -\psi \left({(\mathbf{2},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{3},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )$

v. 

$\omega -\psi \left({(\mathbf{3},\mathbf{3})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{4},\mathbf{4})}_s\right)-(\delta ,\alpha ,\beta )$

where $\omega \in {\{1,0\}}^4$, ${\psi }_{{\mathit{pk}}_r},{\psi }_{{\mathit{sk}}_r}\in \{0,1,2,3,4\},{\psi }_v,{\psi }_m,\gamma \in \{0,1,2,3\},{\psi }_t=1,\beta \in \{0,1\}$, and $\delta \in \{0,1,2\}$ (Figure 11).

Theorem 5.

For a currency scheme Π for a given combination of ω, δ, α, ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_r$, ${\psi }_v$, ${\psi }_m$, ${\psi }_t$, and β (with ${\psi }_t\ne 0$), the notion resulting from decreasing the value of ${\psi }_{s_{\mathit{sk}}}$ while holding others is not necessarily stronger than the former for the following scenarios:

i. 

$\omega -\psi \left({(\mathbf{2},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{2},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{2},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{2},\mathbf{3})}_s\right)$

$-(\delta ,\alpha ,\beta )$

ii. 

$\omega -\psi \left({(\mathbf{3},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{3},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{3},\mathbf{2})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{3},\mathbf{3})}_s\right)$

$-(\delta ,\alpha ,\beta )$

iii. 

$\omega -\psi \left({(\mathbf{1},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({(\mathbf{1},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )$

where $\omega =\in {\{1,0\}}^4$, ${\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}}\in \{0,1,2,$$3,4\}$, ${\psi }_v,{\psi }_m\in \{0,1,2,3\},$${\psi }_t\in \{1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{1,2\}$ (Figure 11).

Note that the Theorems 1–4 also hold for recipient addresses in the same manner.

Theorem 6.

For a currency scheme Π and for a given combination of ω, δ, ψ, and β, if α is decreased while holding the others, the former notion is strictly stronger than the resulting notion for the following scenarios:

i. 

given Π is secure in $\omega -\psi -(\delta ,{\mathbf{3}}_{\alpha },\beta )$, then Π is also secure in $\omega -\psi -(\delta ,{\mathbf{2}}_{\alpha },\beta )$,

i.e., $\omega -\psi -(\delta ,{\mathbf{3}}_{\alpha },\beta )\to \omega -\psi -(\delta ,{\mathbf{2}}_{\alpha },\beta )$

ii. 

given Π is secure in $\omega -\psi -(\delta ,{\mathbf{2}}_{\alpha },\beta )$, then Π is also secure in $\omega -\psi -(\delta ,{\mathbf{1}}_{\alpha },\beta )$,

i.e., $\omega -\psi -(\delta ,{\mathbf{2}}_{\alpha },\beta )\to \omega -\psi -(\delta ,{\mathbf{1}}_{\alpha },\beta )$

iii. 

given Π is secure in $\omega -\psi -(\delta ,{\mathbf{1}}_{\alpha },\beta )$, then Π is also secure in $\omega -\psi -(\delta ,{\mathbf{0}}_{\alpha },\beta )$,

i.e., $\omega -\psi -(\delta ,{\mathbf{1}}_{\alpha },\beta )\to \omega -\psi -(\delta ,{\mathbf{0}}_{\alpha },\beta )$

where $\omega \in {\{1,0\}}^4$, ${\psi }_{{\mathit{pk}}_r},{\psi }_{{\mathit{sk}}_r}\in \{0,1,2,3,4\},{\psi }_v,{\psi }_m,\gamma \in \{0,1,2,3\},{\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{0,1,2\}$ (Figure 12d).

Theorem 7.

For a currency scheme Π and for a given combination of ω, δ, ψ, and β (with $\delta \in \{0,1\}$), if α is increased while holding the others, the system is necessarily secure in the resulting notion for the following scenarios:

i. 

Given that two currency schemes ${\Pi }_0$ and ${\Pi }_1$ exist such that ${\Pi }_1$ is secure in $\omega -\psi -(\delta ,{\mathbf{2}}_{\alpha },\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi -(\delta ,{\mathbf{2}}_{\alpha },\beta )$, then there exists a currency scheme Π which is secure in $\omega -\psi -(\delta ,{\mathbf{2}}_{\alpha },\beta )$ but not secure in $\omega -\psi -(\delta ,{\mathbf{3}}_{\alpha },\beta )$,

i.e., $\omega -\psi -(\delta ,{\mathbf{2}}_{\alpha },\beta )\nrightarrow \omega -\psi -(\delta ,{\mathbf{3}}_{\alpha },\beta )$

ii. 

Given that two currency schemes ${\Pi }_0$ and ${\Pi }_1$ exist such that ${\Pi }_1$ is secure in $\omega -\psi -(\delta ,{\mathbf{1}}_{\alpha },\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi -(\delta ,{\mathbf{1}}_{\alpha },\beta )$, then there exists a currency scheme Π which is secure in $\omega -\psi -(\delta ,{\mathbf{1}}_{\alpha },\beta )$ but not secure in $\omega -\psi -(\delta ,{\mathbf{2}}_{\alpha },\beta )$,

i.e., $\omega -\psi -(\delta ,{\mathbf{1}}_{\alpha },\beta )\nrightarrow \omega -\psi -(\delta ,{\mathbf{2}}_{\alpha },\beta )$

iii. 

Given that two currency schemes ${\Pi }_0$ and ${\Pi }_1$ exist such that ${\Pi }_1$ is secure in $\omega -\psi -(\delta ,{\mathbf{0}}_{\alpha },\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi -(\delta ,{\mathbf{0}}_{\alpha },\beta )$, then there exists a currency scheme Π which is secure in $\omega -\psi -(\delta ,{\mathbf{0}}_{\alpha },\beta )$ but not secure in $\omega -\psi -(\delta ,{\mathbf{1}}_{\alpha },\beta )$,

i.e., $\omega -\psi -(\delta ,{\mathbf{0}}_{\alpha },\beta )\nrightarrow \omega -\psi -(\delta ,{\mathbf{1}}_{\alpha },\beta )$

where $\omega \in {\{1,0\}}^4$, ${\psi }_{{\mathit{pk}}_r},{\psi }_{{\mathit{sk}}_r}\in \{0,1,2,3,4\},{\psi }_v,{\psi }_m,\gamma \in \{0,1,2,3\},{\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{0,1,2\}$ (Figure 12d).

Theorem 8.

For a currency scheme Π and for a given combination of ω, α, ψ, and β, if δ is decreased while holding the others, the former notion is strictly stronger than the resulting notion for the following scenarios:

i. 

given Π is secure in $\omega -\psi -({\mathbf{2}}_{\delta },\alpha ,\beta )$ then Π is also secure in $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$,

i.e., $\omega -\psi -({\mathbf{2}}_{\delta },\alpha ,\beta )\to \omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$

ii. 

given Π is secure in $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$ then Π is also secure in $\omega -\psi -({\mathbf{0}}_{\delta },\alpha ,\beta )$,

i.e., $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )\to \omega -\psi -({\mathbf{0}}_{\delta },\alpha ,\beta )$

where $\omega \in {\{1,0\}}^4$, ${\psi }_{{\mathit{pk}}_r},{\psi }_{{\mathit{sk}}_r}\in \{0,1,2,3,4\},{\psi }_v,{\psi }_m,\gamma \in \{0,1,2,3\},{\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{0,1,2\}$ (Figure 12a).

Theorem 9.

For a currency scheme Π and for a given combination of ω, α, ψ, and β (with $\alpha \ne 0$), if δ is increased while holding the others, the resulting notion is not necessarily stronger than the former notion for the following scenarios:

i. 

given that two currency schemes ${\Pi }_0$ and ${\Pi }_1$ exists such that ${\Pi }_1$ is secure in $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$, then there exists a currency scheme Π which is secure in $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$ but not secure in $\omega -\psi -({\mathbf{2}}_{\delta },\alpha ,\beta )$,

i.e., $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )-\beta \nrightarrow \omega -\psi -({\mathbf{2}}_{\delta },\alpha ,\beta )$

ii. 

given that two currency schemes ${\Pi }_0$ and ${\Pi }_1$ exists such that ${\Pi }_1$ is secure in $\omega -\psi -({\mathbf{0}}_{\delta },\alpha ,\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi -({\mathbf{0}}_{\delta },\alpha ,\beta )$, there exists a currency scheme Π which is secure in $\omega -\psi -({\mathbf{0}}_{\delta },\alpha ,\beta )$ but not secure in $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$,

i.e., $\omega -\psi -({\mathbf{0}}_{\delta },\alpha ,\beta )\nrightarrow \omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$

where $\omega \in {\{1,0\}}^4$, ${\psi }_{{\mathit{pk}}_r},{\psi }_{{\mathit{sk}}_r}\in \{0,1,2,3,4\},{\psi }_v,{\psi }_m,\gamma \in \{0,1,2,3\},{\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{0,1,2\}$ (Figure 12a).

Theorem 10.

For a currency scheme Π and for a given combination of ω, α, and ψ, if β is decreased while holding the others, the former notion is strictly stronger than the resulting notion for the following scenarios:

i. 

given Π is secure in $\omega -\psi -(\delta ,\alpha ,{\mathbf{1}}_{\beta })$ then Π is also secure in $\omega -\psi -(\delta ,\alpha ,{\mathbf{0}}_{\beta })$,

i.e., $\omega -\psi -(\delta ,\alpha ,{\mathbf{1}}_{\beta })\to \omega -\psi -(\delta ,\alpha ,{\mathbf{0}}_{\beta })$

where $\omega =\in {\{1,0\}}^4$, ${\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}}\in \{0,1,2,$$3,4\}$, ${\psi }_v,{\psi }_m\in \{0,1,2,3\},$${\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{1,2\}$ (Figure 12a).

Theorem 11.

For a currency scheme Π and for a given combination of ω, α, and ψ, if β is decreased while holding the others, the former notion is strictly stronger than the resulting notion for the following scenarios:

i. 

given that Π is secure in $\omega -\psi -(\delta ,\alpha ,{\mathbf{0}}_{\beta })$ then Π is not necessarily secure in $\omega -\psi -(\delta ,\alpha ,{\mathbf{1}}_{\beta })$,

i.e., $\omega -\psi -(\delta ,\alpha ,{\mathbf{0}}_{\beta })\nrightarrow \omega -\psi -(\delta ,\alpha ,{\mathbf{1}}_{\beta })$

where $\omega =\in {\{1,0\}}^4$, ${\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}}\in \{0,1,2,$$3,4\}$, ${\psi }_v,{\psi }_m\in \{0,1,2,3\},$${\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{1,2\}$ (Figure 12a).

Theorem 12.

For a currency scheme Π and for a given combination of ω, δ, α, ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_s$, ${\psi }_m$, ${\psi }_t$, and β, when the value of ${\psi }_v$ is decreased while holding others fixed, the former notion is strictly stronger than the resulting notion under the following scenarios:

i. 

given Π is secure in $\omega -\psi \left({\mathbf{3}}_v\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -\psi \left({\mathbf{2}}_v\right)-$$(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{3}}_v\right)-(\delta ,\alpha ,\beta )$→$\omega -\psi \left({\mathbf{2}}_v\right)-(\delta ,\alpha ,\beta )$

ii. 

given Π is secure in $\omega -\psi \left({\mathbf{2}}_v\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -\psi \left({\mathbf{1}}_v\right)-$$(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{2}}_v\right)-(\delta ,\alpha ,\beta )$→$\omega -\psi \left({\mathbf{1}}_v\right)-(\delta ,\alpha ,\beta )$

iii. 

given Π is secure in $\omega -\psi \left({\mathbf{1}}_v\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -\psi \left({\mathbf{0}}_v\right)-$$(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{1}}_v\right)-(\delta ,\alpha ,\beta )$→$\omega -\psi \left({\mathbf{0}}_v\right)-(\delta ,\alpha ,\beta )$

where $\omega \in {\{1,0\}}^4$, ${\psi }_{{\mathit{pk}}_r},{\psi }_{{\mathit{sk}}_r}\in \{0,1,2,3,4\},{\psi }_v,{\psi }_m,\gamma \in \{0,1,2,3\},{\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{0,1,2\}$ (Figure 12e).

Theorem 13.

For a currency scheme Π and for a given combination of ω, δ, α, ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_s$, ${\psi }_m$, ${\psi }_t$, and β (with ${\psi }_t=1$), the resulting notion from increasing the value of ${\psi }_v$ while holding others fixed, the scheme is not necessarily secure in the resulting notion under the following scenarios:

i. 

given that two currency schemes ${\Pi }_0$ and ${\Pi }_1$ exist such that ${\Pi }_1$ is secure in $\omega -\psi \left({\mathbf{0}}_v\right)-(\delta ,\alpha ,\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi \left({\mathbf{0}}_v\right)-(\delta ,\alpha ,\beta )$, then there exists a currency scheme Π which is secure in $\omega -\psi \left({\mathbf{0}}_v\right)-(\delta ,\alpha ,\beta )$ but not secure in $\omega -\psi \left({\mathbf{1}}_v\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{0}}_v\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({\mathbf{1}}_v\right)-(\delta ,\alpha ,\beta )$

ii. 

given that two currency schemes ${\Pi }_0$ and ${\Pi }_1$ exist such that ${\Pi }_1$ is secure in $\omega -\psi \left({\mathbf{1}}_v\right)-(\delta ,\alpha ,\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi \left({\mathbf{1}}_v\right)-(\delta ,\alpha ,\beta )$, then there exists a currency scheme Π which is secure in $\omega -\psi \left({\mathbf{1}}_v\right)-(\delta ,\alpha ,\beta )$ but not secure in $\omega -\psi \left({\mathbf{2}}_v\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{1}}_v\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({\mathbf{2}}_v\right)-(\delta ,\alpha ,\beta )$

iii. 

given that two currency schemes ${\Pi }_0$ and ${\Pi }_1$ exist such that ${\Pi }_1$ is secure in $\omega -\psi \left({\mathbf{2}}_v\right)-(\delta ,\alpha ,\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi \left({\mathbf{2}}_v\right)-(\delta ,\alpha ,\beta )$, then there exists a currency scheme Π which is secure in $\omega -\psi \left({\mathbf{2}}_v\right)-(\delta ,\alpha ,\beta )$ but not secure in $\omega -\psi \left({\mathbf{3}}_v\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{2}}_v\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({\mathbf{3}}_v\right)-(\delta ,\alpha ,\beta )$

where $\omega =\in {\{1,0\}}^4$, ${\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}}\in \{0,1,2,$$3,4\}$, ${\psi }_v,{\psi }_m\in \{0,1,2,3\},$${\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{1,2\}$ (Figure 12e).

Theorem 14.

For a currency scheme Π and for a given combination of ω, δ, α, ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_s$, ${\psi }_v$, ${\psi }_t$, and β, when the value of ${\psi }_m$ is decreased while holding others fixed, the former notion is strictly stronger than the resulting notion under the following scenarios:

i. 

given Π is secure in $\omega -\psi \left({\mathbf{3}}_m\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -\psi \left({\mathbf{2}}_m\right)-$$(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{3}}_m\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({\mathbf{2}}_m\right)-(\delta ,\alpha ,\beta )$

ii. 

given Π is secure in $\omega -\psi \left({\mathbf{2}}_m\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -\psi \left({\mathbf{1}}_m\right)-$$(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{2}}_m\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({\mathbf{1}}_m\right)-(\delta ,\alpha ,\beta )$

iii. 

given Π is secure in $\omega -\psi \left({\mathbf{1}}_m\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -\psi \left({\mathbf{0}}_m\right)-$$(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{1}}_m\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({\mathbf{0}}_m\right)-(\delta ,\alpha ,\beta )$

where $\omega \in {\{1,0\}}^4$, ${\psi }_{{\mathit{pk}}_r},{\psi }_{{\mathit{sk}}_r}\in \{0,1,2,3,4\},{\psi }_v,{\psi }_m,\gamma \in \{0,1,2,3\},{\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{0,1,2\}$ (Figure 12f).

Theorem 15.

For a currency scheme Π and for a given combination of ω, δ, α, ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_s$, ${\psi }_m$, ${\psi }_t$, and β (with ${\psi }_t=1$), the resulting notion from increasing the value of ${\psi }_m$ while holding others fixed, the scheme is not necessarily secure in the resulting notion under the following scenarios:

i. 

given that two currency schemes ${\Pi }_0$ and ${\Pi }_1$ exist such that ${\Pi }_1$ is secure in $\omega -\psi \left({\mathbf{2}}_m\right)-(\delta ,\alpha ,\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi \left({\mathbf{2}}_m\right)-(\delta ,\alpha ,\beta )$, then there exists a currency scheme Π which is secure in $\omega -\psi \left({\mathbf{2}}_m\right)-(\delta ,\alpha ,\beta )$ but not secure in $\omega -\psi \left({\mathbf{3}}_m\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{2}}_m\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({\mathbf{3}}_m\right)-(\delta ,\alpha ,\beta )$

ii. 

given that two currency schemes ${\Pi }_0$ and ${\Pi }_1$ exist such that ${\Pi }_1$ is secure in $\omega -\psi \left({\mathbf{1}}_m\right)-(\delta ,\alpha ,\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi \left({\mathbf{1}}_m\right)-(\delta ,\alpha ,\beta )$, then there exists a currency scheme Π which is secure in $\omega -\psi \left({\mathbf{1}}_m\right)-(\delta ,\alpha ,\beta )$ but not secure in $\omega -\psi \left({\mathbf{2}}_m\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{1}}_m\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({\mathbf{2}}_m\right)-(\delta ,\alpha ,\beta )$

iii. 

given that two currency schemes ${\Pi }_0$ and ${\Pi }_1$ exist such that ${\Pi }_1$ is secure in $\omega -\psi \left({\mathbf{0}}_m\right)-(\delta ,\alpha ,\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi \left({\mathbf{1}}_m\right)-(\delta ,\alpha ,\beta )$, then there exists a currency scheme Π which is secure in $\omega -\psi \left({\mathbf{0}}_m\right)-(\delta ,\alpha ,\beta )$ but not secure in $\omega -\psi \left({\mathbf{1}}_m\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{0}}_m\right)-(\delta ,\alpha ,\beta )\nrightarrow \omega -\psi \left({\mathbf{1}}_m\right)-(\delta ,\alpha ,\beta )$

where $\omega =\in {\{1,0\}}^4$, ${\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}}\in \{0,1,2,$$3,4\}$, ${\psi }_v,{\psi }_m\in \{0,1,2,3\},$${\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{1,2\}$ (Figure 12f).

Theorem 16.

For a currency scheme Π and for a given combination of ω, δ, α, ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_s$, ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_r$${\psi }_v$, ${\psi }_m$, and β, when the value of ${\psi }_t$ is decreased while holding others fixed, the former notion is strictly stronger than the resulting notion under the following scenarios:

i. 

given Π is secure in $\omega -\psi \left({\mathbf{5}}_t\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -\psi \left({\mathbf{4}}_t\right)-$$(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{5}}_t\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({\mathbf{4}}_t\right)-(\delta ,\alpha ,\beta )$

ii. 

given Π is secure in $\omega -\psi \left({\mathbf{4}}_t\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -\psi \left({\mathbf{3}}_t\right)-$$(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{4}}_t\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({\mathbf{3}}_t\right)-(\delta ,\alpha ,\beta )$

iii. 

given Π is secure in $\omega -\psi \left({\mathbf{3}}_t\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -\psi \left({\mathbf{2}}_t\right)-$$(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{3}}_t\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({\mathbf{2}}_t\right)-(\delta ,\alpha ,\beta )$

iv. 

given Π is secure in $\omega -\psi \left({\mathbf{2}}_t\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -\psi \left({\mathbf{1}}_t\right)-$$(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{2}}_t\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({\mathbf{1}}_t\right)-(\delta ,\alpha ,\beta )$

v. 

given Π is secure in $\omega -\psi \left({\mathbf{1}}_t\right)-(\delta ,\alpha ,\beta )$, then Π is also secure in $\omega -\psi \left({\mathbf{0}}_t\right)-$$(\delta ,\alpha ,\beta )$,

i.e., $\omega -\psi \left({\mathbf{1}}_t\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({\mathbf{0}}_t\right)-(\delta ,\alpha ,\beta )$

where $\omega =\in {\{1,0\}}^4$, ${\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}}\in \{0,1,2,$$3,4\}$, ${\psi }_v,{\psi }_m\in \{0,1,2,3\},$${\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{1,2\}$ (Figure 12b).

Theorem 17.

For a currency scheme Π and for a given combination of ω, δ, α, ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_s$, ${\psi }_v$, ${\psi }_m$, and β the resulting notion from increasing the value of ${\psi }_t$ while holding others fixed, the scheme is not necessarily secure in the resulting notion under the following scenarios:

i. 

Given that there exists a currency scheme ${\Pi }_1$ which is secure in $\omega -\psi \left({\mathbf{0}}_t\right)-$$(\delta ,\alpha ,\beta )$, it does not necessarily imply that ${\Pi }_1$ is secure in $\omega -(\psi \left({\mathbf{1}}_t\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -(\psi \left({\mathbf{0}}_t\right)-(\delta ,\alpha ,\beta )\nrightarrow {\Pi }_1$ is secure in $\omega -(\psi \left({\mathbf{1}}_t\right)-(\delta ,\alpha ,\beta )$.

ii. 

Given that there exists a currency scheme ${\Pi }_1$ which is secure in $\omega -\psi \left({\mathbf{1}}_t\right)-$$(\delta ,\alpha ,\beta )$, it does not necessarily imply that ${\Pi }_1$ is secure in $\omega -(\psi \left({\mathbf{2}}_t\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -(\psi \left({\mathbf{1}}_t\right)-(\delta ,\alpha ,\beta )\nrightarrow {\Pi }_1$ is secure in $\omega -(\psi \left({\mathbf{2}}_t\right)-(\delta ,\alpha ,\beta )$.

iii. 

Given that there exists a currency scheme ${\Pi }_1$ which is secure in $\omega -\psi \left({\mathbf{2}}_t\right)-$$(\delta ,\alpha ,\beta )$, it does not necessarily imply that ${\Pi }_1$ is secure in $\omega -(\psi \left({\mathbf{3}}_t\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -(\psi \left({\mathbf{2}}_t\right)-(\delta ,\alpha ,\beta )\nrightarrow {\Pi }_1$ is secure in $\omega -(\psi \left({\mathbf{3}}_t\right)-(\delta ,\alpha ,\beta )$.

iv. 

Given that there exists a currency scheme ${\Pi }_1$ which is secure in $\omega -\psi \left({\mathbf{3}}_t\right)-$$(\delta ,\alpha ,\beta )$, it does not necessarily imply that ${\Pi }_1$ is secure in $\omega -(\psi \left({\mathbf{4}}_t\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -(\psi \left({\mathbf{3}}_t\right)-(\delta ,\alpha ,\beta )\nrightarrow {\Pi }_1$ is secure in $\omega -(\psi \left({\mathbf{4}}_t\right)-(\delta ,\alpha ,\beta )$

v. 

Given that there exists a currency scheme ${\Pi }_1$ which is secure in $\omega -\psi \left({\mathbf{4}}_t\right)-$$(\delta ,\alpha ,\beta )$, it does not necessarily imply that ${\Pi }_1$ is secure in $\omega -(\psi \left({\mathbf{5}}_t\right)-(\delta ,\alpha ,\beta )$,

i.e., $\omega -(\psi \left({\mathbf{4}}_t\right)-(\delta ,\alpha ,\beta )\nrightarrow {\Pi }_1$ is secure in $\omega -(\psi \left({\mathbf{5}}_t\right)-(\delta ,\alpha ,\beta )$

where $\omega =\in {\{1,0\}}^4$, ${\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}}\in \{0,1,2,$$3,4\}$, ${\psi }_v,{\psi }_m\in \{0,1,2,3\},$$\beta \in \{0,1\}]$, and $\delta \in \{1,2\}$ (Figure 12c).

Note that in some cases, the separations are not known to hold for all values of the unspecified parameters. Based on the above theorems, we also define the following corollaries.

Corollary 1

(Absolute Fungibility (ALL-IND-FULL-FULL)).Given that a currency scheme Π is secure in the strongest anonymity notion (i.e., secure against the strongest possible adversary), then Π is also secure in any other notion (any other adversary), i.e., ${\left(1111\right)}_{\omega }-{((4,4),(4,4),3,3,5)}_{\psi }-(2_{\delta },3_{\alpha },1_{\beta })\to$$\omega -({({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_s,{({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_r,{\psi }_v,{\psi }_m,{\psi }_t)-$$\delta -\alpha -\beta$ where $\omega \in {\{1,0\}}^4$, ${\psi }_{pk},{\psi }_{sk}\in \{0,1,2,3,4\},{\psi }_v,{\psi }_m,\alpha \in \{0,1,2,3\},{\psi }_t\in \{0,1,2,3,4,5\},\beta \in \{0,1\}$ and $\delta \in \{0,1,2\}$ (Figure 11).

Proof. 

(sketch) This follows from the above theorems as illustrated in Figure 11 and Figure 12 as this notion is the strongest among all. □

Corollary 2

(IND → ULK).For a currency scheme Π,

i. 

given Π is secure in S-IND-KNW-PWR for a given adversarial knowledge KNW of recipients, value and metadata, and given adversarial power PWR, then Π is also secure in S-ULK-KNW-PWR,

i.e., S-IND-KNW-PWR → S-ULK-KNW-PWR;

ii. 

given Π is secure in R-IND-KNW-PWR for a given adversarial knowledge KNW of senders, value and metadata, and given adversarial power PWR, then Π is also secure in R-ULK-KNW-PWR,

i.e., R-IND-KNW-PWR → R-ULK-KNW-PWR;

iii. 

given Π is secure in V-IND-KNW-PWR for a given adversarial knowledge KNW of senders, recipients and metadata, and given adversarial power PWR, then Π is also secure in V-ULK-KNW-PWR,

i.e., V-IND-KNW-PWR → V-ULK-KNW-PWR; and

iv. 

given Π is secure in M-IND-KNW-PWR for a given adversarial knowledge KNW of senders, recipients and value, and given adversarial power PWR, then Π is also secure in M-ULK-KNW-PWR,

i.e., M-IND-KNW-PWR → M-ULK-KNW-PWR

Proof. 

(sketch) (Part i) From the definitions of S-IND (Definition 4) and S-ULK (Definition 5), the difference between the two notions is that $({\psi }_{s_{\mathit{pk}}},{\psi }_{s_{\mathit{sk}}})=(2,0)$ in S-IND and it is $(0,0)$ in S-ULK. Then, from Theorem 1, it follows that ${(2,0)}_s\to {(0,0)}_s$ and hence the implication follows (Figure 13).

Figure 13. Relations between indistinguishability and unlinkability (Corollary 2).

(Part ii) Similarly, it follows from Theorem 1 with respect to recipients.

(Part iii) Follows from Theorem 12.

(Part iv) Follows from Theorem 14. □

Conversely, the weakest adversary is represented by the notion NIL-IND-NIL-NIL represented by the vector ${\left(0000\right)}_{\omega }$ − $({(0,0)}_s,$${(0,0)}_r,0_v,0_m,0_t{)}_{\psi }$ − $(0_{\delta },0_{\alpha },$$0_{\beta })$ with all entities hidden (Definition 13). Note that this notion is trivial in that no adversary can ever win the corresponding game as the transactions $t_0$ and $t_1$ are, aside from randomness, identical.

6. Discussion

Our objective in this work was to find a solution to our research question, i.e., to formulate a method to achieve a fine-grained systematization of anonymity modeling suitable for decentralized systems such as modern cryptocurrencies. To this effect, we have developed a comprehensive framework which depicts the generic functionality of a cryptocurrency scheme, irrespective of the underlying implementation. We have established the soundness of our model while ensuring the functional correctness and security against a wide range of adversaries. Through this model, we have constructed a unified means of analyzing the true level of anonymity achieved by any fully decentralized cryptocurrency system in a qualitative manner.

Our proposed anonymity model is centered around the idea of indistinguishability and it is elaborated around a group of entities related to cryptocurrency transactions, e.g., senders, recipients, values, and metadata. To this effect, we defined a comprehensive adversarial model encompassing a wide range of capabilities including knowledge and power. Adversarial knowledge is determined based on a range of access levels to the knowledge of secret/public keys of senders/recipients, transaction values, metadata, and transaction records. Power is defined based on different combinations of state initialization methods, ability to manipulate the state, and to cause minting to fail. These capabilities collectively represent an exhaustive adversarial model, which is capable of modeling anonymity at a much granular level, resulting in a vast number of different notions per each test case (defined by $\omega$). While some notions may not carry a meaningful realization in a real currency scheme, a majority leads to a multitude of attacker scenarios, which may not have been thought possible otherwise. One may wonder why we need such granularity in modeling anonymity in the context of cryptocurrencies, yet our model shows how a minute change such as varying one value in a single variable in the Anonymity game, could drastically affect the level of anonymity of a cryptocurrency. Thus, we have been able to achieve a fine-grained model as expected.

Building upon this model, we have provided formal definitions for a subset of anonymity notions that demonstrate baseline anonymity notions in indistinguishability, which is the fundamental property of anonymity. Inability to distinguish between two probable (known) entities related to a minted transaction under various adversarial settings was considered as the basis for these notions. Moreover, we also defined unlinkability, a weaker notion of indistinguishability, in order to define an intermediary level of anonymity. In this case, we considered the indistinguishability between two entities that are unknown to the adversary in a given scenario. However, even without formal definitions, other notions also play a significant role in performing a rigorous analysis of anonymity aspects of cryptocurrencies. As such, the anonymity notions resulting from this framework provide a universal systematization of anonymity across different implementations.

Taking a step further, we have attempted to understand the relationships and interdependencies among these myriad notions. Consequently, we have identified several implications, equivalences, and separations which provide useful comparisons in the multidimensional adversarial parameter model. While some correlations are trivial, there are others that may depend on the underlying constructions, all of which demonstrate the sophistication of anonymity in the context of cryptocurrencies. To this effect, we have formulated a set of theorems which is useful in investigating anonymity in decentralized cryptocurrency schemes and thus this formalization adds value to our framework. We have demonstrated how such complexity is evident in real-world cryptocurrency schemes in a separate work, which focuses on specific case studies based on a subset of the general framework described here [32].

In our attempt to grasp the anonymity landscape modeled by these notions, we saw that some familiar anonymity notions referenced in existing literature present similar interpretations to some notions in our model. As mentioned at the outset, the most widely referenced notion with respect to the anonymity of cryptocurrencies is the concept of unlinkability. In the context of Bitcoin, unlinkability is interpreted as linking addresses to transactions and to real world user identities [19,20,21,22]. Although this interpretation does not differentiate between senders and recipients, it closely relates to the sender and recipient unlinkability notions defined in our model. Conversely, ours present a more detailed conceptualization, where we model the level of knowledge of the payment addresses by varying different parameters in our notions, thereby representing many different variants of unlinkability in our notions. This clearly shows how our model is capable of covering more ground compared to very high-level notions discussed in the existing literature such as [22].

In the case of Monero, the unlinkability property has been discussed as the inability of deducing whether two transactions were intended to the same recipient addresses, which is closely analogous to the recipient unlinkability notion in our model [25,33]. On the other hand, the notion of traceability, which is widely discussed in the context of Monero, closely correlates to the sender unlinkability notion in our work [25,33]. In contrast, however, our notions are defined with respect to several dimensions addressing a wider scope of adversarial capabilities, and therefore capture even minor deviations in anonymity in this respect.

Further, the notion of k-anonymity has been utilized in some studies to visualize the anonymity landscape in terms of a quantitative measure where the parameter k denotes the size of the anonymity set (i.e., number of entities in a group) [7,25]. Our work here is orthogonal to this in the sense that ours provide a means for qualitative analysis of anonymity.

In essence, the notions we propose herein are in relation to the entities within a currency scheme, with a much wider span of attacker scenarios which helps to analyze anonymity in minute detail. As noted earlier, this study does not investigate the privacy aspects of the underlying consensus mechanism or the network of a cryptocurrency scheme. Yet, these layers may leak information independently from the currency scheme in which case it may affect the achievable level of anonymity, and this may be a future direction of study in this context.

Therein, our work shows the very complex nature of the level of anonymity demonstrated by any decentralized currency scheme through a fine-grained systematization. It is thus evident that existing claims for anonymity of different cryptocurrency schemes might only be anonymous in some aspects, e.g., a currency scheme which is claimed to possess unlinkability, might not demonstrate unlinkability with respect to all entities. Therefore, claims for anonymity cannot be made lightly in the presence of such granularity.

7. Conclusions

In this paper, we have presented a common framework that can be used to evaluate the level of anonymity associated with different cryptocurrency schemes, regardless of the implementation method. We provide a single formal experiment to capture a plethora of distinct security and privacy properties that we identify, and attempt to draw connections to existing terminology.

Our model defines a rigorous set of anonymity properties based on the fundamental property of indistinguishability, further particularized to varying security subjects and adversarial models. Together, these represent a precise and exhaustive recount of true anonymity achieved by a currency scheme.

Appendix B.1. Unforgeability

Appendix B.1.1. Game

In this game, the initial state is set up according to the input parameters, and the adversary $\mathcal{A}=({\mathcal{A}}_1,{\mathcal{A}}_2)$ outputs a transaction $(t_p,t_s)$ and the current state $p_{\mathcal{O}}$ based on the capabilities defined by the parameters $\delta$ and $\alpha$. The challenger verifies whether the given state is valid. Subsequently, the challenger extracts the public addresses of the senders from the given transaction and performs a check to see if those addresses were created by the oracle (i.e., to ensure that the adversary does not have the knowledge of any of the secret keys). Further, the challenger also checks whether the transaction was created by the oracle and also whether the transaction is valid. This experiment is listed in Figure A5.

Figure A5. Experiment for unforgeability.

Appendix B.1.2. Winning Condition

The adversary wins this game if he/she is able to produce a valid spending transaction (which is not a transaction created by the Oracle) with at least one sender address in S which was created by the oracle, for which he/she does not know the corresponding secret key $a_{sk}$.

Appendix B.2. Transaction Binding Property

Appendix B.2.1. Game

The game starts with the initial state generated as per the parameters. Then, the adversary $\mathcal{A}=({\mathcal{A}}_1,{\mathcal{A}}_2)$ outputs a secret part of a transaction $t_s$ and the current state $p_{\mathcal{O}}$ according to his capabilities. The challenger checks whether the current state is valid. Then, the challenger checks whether $t_s$ corresponds to a transaction created by the oracle with $t_p$ and the validity of transaction $t_s$ with respect to $t_p$. The corresponding game is listed in Figure A6.

Figure A6. Experiment for transaction binding property.

Appendix B.2.2. Winning Condition

If $t_s$ is present in the list of transactions created by the oracle with corresponding public part $t_p$ and $t_s$ is a valid binding with $t_p$ in the given state, then adversary wins the game.

Appendix B.3. Spendability

Appendix B.3.1. Game

After the initial setup, the adversary $A=(A_1,A_2,A_3)$ outputs the current state $p_{\mathcal{O}}$ to start the game. The challenger then records the fund balances of all addresses created by the oracle (all addresses in $A_{\mathcal{O}}$). In addition, the challenger obtains a list of unminted transactions created by the oracle and takes away all $V_{\mathit{new}}$ values from corresponding payment addresses in the stored balances, in order to ensure that the adversary cannot mint those transactions later (Figure A7). Then, the adversary evolves the state from that point onward, and the oracle does not create any new addresses or transactions during that period. The adversary has access to the minting oracle only. Subsequently, the adversary outputs the evolved state $p_{\mathcal{O}}$ and the challenger then checks the balances of each address in $A_{\mathcal{O}}$ again in that state and compares with the corresponding initial balances stored (Figure A8).

Figure A7. Function $\mathtt{ExtractUnmintedTxns}$.

Figure A8. Experiment for spendability.

Appendix B.3.2. Winning Condition

The adversary wins if there is at least one address in $A_{\mathcal{O}}$ for which the closing balance is less than the starting balance.

Appendix B.4. Balance Property

Appendix B.4.1. Game

In this game, the adversary $A=(A_1,A_2,A_3)$ outputs a tuple of sender addresses $\overline{S}$, a tuple of recipient addresses $\overline{R}$, and a tuple of miner addresses ${\overline{R}}_m$, together with the current state $p_{\mathcal{O}}$. The challenger records the balances of all addresses in the three groups of addresses and the minting history of the oracle $M_{\mathcal{O}}$. Then, the state evolves and the adversary outputs a set of transactions $\left\{(t_p,t_s)\right\}$ and the updated state $p_{\mathcal{O}}$. The challenger then records the new minting history $M_2$ and checks whether only one mint operation has taken place between $M_1$ and $M_2$, and also checks whether the minted transactions corresponds to the transactions returned by the adversary. In addition, another check is performed to see if the sender and recipient addresses involved in all transactions are the same as the sender and recipient addresses returned by the adversary. If any of these checks fail, the adversary loses the game. For each transaction returned by the adversary, $V_{\mathit{old}}$ and $V_{\mathit{new}}$ values are recorded separately with the corresponding addresses. In addition, $V_x$ values are also recorded with the miners’ address details. Finally, the challenger records respective balances of all involved addresses and checks whether above conditions are satisfied for all the addresses.

Appendix B.4.2. Winning Condition

The adversary wins the game if there is at least one address in which the individual balances do not satisfy the above three conditions, based on the formula below:

$${\mathtt{Balance}}_{bef}\left(a\right)+V_{\mathit{new}}\left(a\right)-V_{\mathit{old}}\left(a\right)+V_{\mathit{excess}}\left(a\right)={\mathtt{Balance}}_{aft}\left(a\right)\forall a\in \overline{S},\overline{R},{\overline{R}}_m$$

Figure A9 lists the corresponding game (${\mathtt{Exp}}_{\pi ,\mathcal{A},\mathcal{O},\psi ,\delta ,\alpha ,\beta }^{\mathit{balance}}$) which demonstrates this property.

Figure A9. Experiment for the Balance property.

Appendix B.5. Indemnification

Appendix B.5.1. Game

In this game, the adversary $A=(A_1,A_2,A_3)$ outputs the current state first. The challenger records the balances of all addresses in $A_{\mathcal{O}}$ in $B_{\mathit{bef}}$ and also records the mint history $M_1$. Then, the adversary evolves the state and outputs a set of transactions $\left\{(t_p,t_s)\right\}$ together with the current state $p_{\mathcal{O}}$, and the challenger ensures that there has been only one mint operation since the previous state, and also whether the set of transactions corresponding to that mint operation matches the transactions returned by the adversary. Then, the challenger records the sender and recipient addresses corresponding to the given transactions S and R. Subsequently, he/she checks the closing balances of all addresses in $A_{\mathcal{O}}$ and ensures none of these addresses are in S or R (Figure A10).

Figure A10. Experiment for indemnification.

Appendix B.5.2. Winning Condition

Adversary wins if the balance of at least one address in $A_{\mathcal{O}}$ has changed.

Appendix B.6. Positivity

Appendix B.6.1. Game

In this game, the adversary $A=(A_1,A_2)$ outputs an address $(a_{pk},a_{sk})$ and the state $p_{\mathcal{O}}$. The challenger checks whether the given address is valid and checks the corresponding balance of that address (Figure A11).

Figure A11. Experiment for positivity.

Appendix B.6.2. Winning Condition

The adversary wins if the given address is valid and has a negative balance.

Appendix B.7. Descendancy

Appendix B.7.1. Game

In this game, the adversary $A=(A_1,A_2)$ gives a state to the challenger. The challenger retrieves the checkpoint state of the given state and attempts to loop back to the genesis state by retrieving the checkpoint state iteratively (Figure A12).

Figure A12. Experiment for descendancy.

Appendix B.7.2. Winning Condition

Adversary wins if the loop ends up in an invalid state. Experiment for descendancy.

Appendix C.1. Proof of Theorem 1

Proof. 

(Part i) Assume a currency scheme $\Pi$ which is secure against the anonymity game defined by a given combination of ${\psi }_{{\mathit{pk}}_r},{\psi }_{{\mathit{sk}}_r},{\psi }_v,{\psi }_m,{\psi }_t,\alpha ,\beta$ and with (${\psi }_{{\mathit{pk}}_s},{\psi }_{{\mathit{sk}}_s}$) = ($3,0$). This means that senders’ addresses are created with respect to identity information controlled by the adversary and senders’ public keys are known throughout, yet secret keys are not known. Now consider a scenario with (${\psi }_{{\mathit{pk}}_s},{\psi }_{{\mathit{sk}}_s}$) = ($2,0$), while having other parameters fixed. This means that the adversary has access to the public keys of senders through the oracles and the addresses are honestly generated. When compared to the former case, the adversary has less control in the latter scenario. Therefore, we can conclude that if $\Pi$ is secure against a more powerful adversary, then it is also secure against a less powerful adversary, i.e., $\omega -\psi \left({(3,0)}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(2,0)}_s\right)-(\delta ,\alpha ,\beta )$. Similarly, if we consider the case where (${\psi }_{{\mathit{pk}}_s},{\psi }_{{\mathit{sk}}_s}$) = ($1,0$) by only changing ${\psi }_{{\mathit{pk}}_s}$, then the adversary gets to know the public keys in the end with secret keys unknown throughout. In comparison with the case ($2,0$), the adversary has less knowledge about the keys in the case ($1,0$). Therefore, it is clear that if $\Pi$ is secure in ($2,0$), it is also secure in ($1,0$), i.e., $\omega -\psi \left({(2,0)}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(1,0)}_s\right)-(\delta ,\alpha ,\beta )$. Similarly, ($0,0$) case provides even less knowledge to the adversary compared to ($1,0$). Therefore, if $\Pi$ is secure in ($1,0$), it is also secure in ($0,0$), i.e., $\omega -\psi \left({(1,0)}_s\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({(0,0)}_s\right)-(\delta ,\alpha ,\beta )$.

(Part ii) Similar to part i, we can see that in this case ${\psi }_{{\mathit{sk}}_s}=1$ is fixed. Therefore, ${\psi }_{{\mathit{sk}}_s}=3$ represents the strongest case, followed by ${\psi }_{{\mathit{pk}}_s}=2$ and ${\psi }_{{\mathit{pk}}_s}=1$. Following the same argument as above, we can see that ($3,1$) is more powerful than ($2,1$), followed by ($1,1$). Therefore, the implication relations follow from that.

(Part iii) In this case, ${\psi }_{{\mathit{sk}}_s}=2$ is fixed and it follows from above that ($3,2$) is more powerful than ($2,2$) as the adversary has the control over identity. Therefore, the equivalence relation follows.

(Part iv) This scenario represents the case where ${\psi }_{{\mathit{sk}}_s}=3$. As before, we see that ($3,3$) is stronger than ($2,3$) as, with the former case, the adversary has control over both the identity and the randomness over the latter case. Therefore, it follows that ($3,3$) → ($2,3$).

(Part v) Consider the case where (${\psi }_{{\mathit{pk}}_s},{\psi }_{{\mathit{sk}}_s}$) = ($4,4$), in which the adversary has full control over the senders. In comparison, in the ($3,3$) case, although the adversary gets to choose the identity and randomness, he/she does not have full control over the senders as the address creation is performed honestly. Therefore, ($4,4$) is more powerful than ($3,3$) and along the same line of argument as before, we can say that ($4,4$) → ($3,3$). □

Appendix C.2. Proof of Theorem 2

Proof. 

This proof is similar to the proof of Theorem 1 based on the fact that the knowledge of secret keys implies the knowledge of the public keys. □

Appendix C.3. Proof of Theorem 3

Proof. 

(Part i) Assume a currency scheme $\Pi$ which is secure against the anonymity game defined by a given combination of $\omega$, $\delta$, $\alpha$, ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_r$, ${\psi }_v$, ${\psi }_m$, ${\psi }_t$, $\beta$, and with (${\psi }_{{\mathit{pk}}_s},{\psi }_{{\mathit{sk}}_s}$) = ($0,1$). This means that senders’ public keys are hidden and the secret keys are also hidden, but will be revealed in the end (because ${\psi }_{{\mathit{pk}}_s}=1$) in the game. According to our construction, the knowledge of the secret keys implies the knowledge of the public keys. Therefore, this scenario can be simplified to a case in which both secret keys and public keys are revealed in the end. Now, consider the case where (${\psi }_{{\mathit{pk}}_s},{\psi }_{{\mathit{sk}}_s}$) = ($1,1$) while having all other parameters fixed. In this case, both secret keys and public keys are revealed in the end. As such, we can conclude that both cases represent the same amount of knowledge for the adversary (as all other parameters are constant) and hence both notions are equivalent. Thus, $\Pi$ is also secure in the case where (${\psi }_{{\mathit{pk}}_s},{\psi }_{{\mathit{sk}}_s}$) = ($1,1$), i.e., ${\omega }_{\overline{s}}-\psi \left({(\mathbf{0},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )\leftrightarrow {\omega }_{\overline{s}}-\psi \left({(\mathbf{1},\mathbf{1})}_s\right)-(\delta ,\alpha ,\beta )$.

(Part ii) Similar to part i, ${\psi }_{{\mathit{sk}}_s}=2$ in this case corresponds to the case where the addresses are honestly generated and secret keys are accessible by the adversary through the oracles during the game. This means that this case is the same irrespective of ${\psi }_{{\mathit{sk}}_s}$ in $(0,2)$, $(1,2)$ and $(2,2)$ through the same line of argument as before. Hence the equivalence relation follows.

(Part iii) As before, ${\psi }_{{\mathit{sk}}_s}=3$ models the case where the addresses are generated based on the randomness chosen by the adversary and the secret keys are already known to the adversary. Following the same argument, we can say that ($1,3$), ($1,3$) and ($2,3$) scenarios are equivalent and, thus, the above equivalence relation. □

Appendix C.4. Proof of Theorem 4

Proof. 

Consider a currency scheme where there is some special value associated with the public key of the addresses which could provide a hint about the secret key. For example, the hash of a value V that is related to the corresponding senders is associated with the public keys of the recipient addresses as a special value. Therefore, being able to view the public keys of recipients will give an adversary additional information about the transaction, as opposed to having hidden addresses.

Assume that there exists a currency scheme $\Pi$ which is secure in ${({\psi }_{\mathit{pk}},{\psi }_{\mathit{sk}})}_s=(0,0)$. This means that the scheme is secure against an adversary who is unable to view the public keys, i.e., These are hidden addresses created by the oracle. Consider a modified currency scheme ${\Pi }^{{}^{\prime }}$ derived from $\Pi$ such that the transaction creation process is modified as follows:

• ${\mathtt{CreateTxn}}_{{\Pi }^{{}^{\prime }}}(args,R,V)\{$
• $(t_p,t_s)\leftarrow {\mathtt{CreateTxn}}_{\Pi }\left(args\right)$
• $\mathbf{if}\mathtt{SpecialValue}\left(R\right)=\mathtt{Hash}\left(V\right)\mathbf{then}$
• $\mathbf{return}((t_p,args),t_s)$
• $\mathrm{return}((t_p,\varnothing ),t_s)$
• $\}$

All other operations in ${\Pi }^{{}^{\prime }}$ are of the form $f_{{\Pi }^{{}^{\prime }}}=f_{\Pi }$. In this case, with the modified $\mathtt{CreateTxn}$ operation, if the adversary knows the transaction, then the public keys can be known and details about senders could be obtained. When a bit b is chosen, the adversary simulates ${\Pi }^{{}^{\prime }}$ and if ${\psi }_t=1$, the adversary is able to obtain additional information about the senders and therefore it is not secure. Accordingly, this scheme is secure in $(0,0)$, but not necessarily secure in $(1,0)$, i.e., ${\omega }_{\overline{s}}-\psi \left({(\mathbf{0},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )\nrightarrow {\omega }_{\overline{s}}-\psi \left({(\mathbf{1},\mathbf{0})}_s\right)-(\delta ,\alpha ,\beta )$.

Following the same line of argument, we can construct counter examples to prove the same for other relations. □

Appendix C.5. Proof of Theorem 5

Proof. 

(Sketch) This proof is similar to the above proof of Theorem 4. □

Appendix C.6. Proof of Theorem 6

Proof. 

(Part i) We start with a currency scheme $\Pi$ that is secure against a $\omega -\psi -(\delta ,3_{\alpha },\beta )$ adversary. In this case, the adversary has the full control over the state initialization for the anonymity game. Now, consider an adversary for $\alpha =2$ with all other parameters the same. In this scenario, the adversary only has control to choose the randomness, but with an honest state initialization. Therefore, the adversary in the latter case is less powerful than the former. Thus, it follows that $\Pi$ is also secure against $\omega -\psi -(\delta ,2_{\alpha },\beta )$ given that $\Pi$ is secure against a more powerful adversary in $\omega -\psi -(\delta ,3_{\alpha },\beta )$.

(Part ii) Similar to part i, $\alpha =2$ adversary is more powerful than a $\alpha =1$ adversary as the adversary has no control over state initialisation in the latter case. Therefore, given that a scheme $\Pi$ is secure in $\omega -\psi -(\delta ,2_{\alpha },\beta )$, it is clear that $\Pi$ is also secure in $\omega -\psi -(\delta ,1_{\alpha },\beta )$.

(Part iii) Applying the same argument as before, the adversary has less information when $\alpha =0$ compared to $\alpha =1$. Hence, given that a currency scheme $\Pi$ is secure against $\omega -\psi -(\delta ,1_{\alpha },\beta )$, then $\Pi$ is also secure against a less powerful adversary, $\omega -\psi -(\delta ,0_{\alpha },\beta )$. □

Appendix C.7. Proof of Theorem 7

Proof. 

(Part i) Assume that there exist two currency schemes ${\Pi }_1$ and ${\Pi }_0$ such that ${\Pi }_1$ is secure in $\omega -\psi -(\delta ,2_{\alpha },\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi -(\delta ,2_{\alpha },\beta )$. In the case of $\gamma =2$, the state is initialized through an honest initialization based on the randomness chosen by the adversary whereas when $\gamma =3$, the adversary generates the initial state on his/her own with randomness of his/her choice. Consider a new currency scheme $\Pi$, where the state initialization process takes place based on the selection of a bit b. If $b=1$, then the initial state is decided by the honest behavior as follows:

$${\mathtt{Init}}_{\Pi }(\lambda ;r)=({\mathtt{Init}}_{{\Pi }_1}(\lambda ,r_1),1)$$

Otherwise, the adversary chooses to construct the initial state $p_0$ through $p_0=({\mathtt{Init}}_{{\Pi }_0}(\lambda ;r_1),0)$ simulating the insecure ${\Pi }_0$ protocol. Other functions in $\Pi$ will be of the following form depending on the value of b:

$$f_{\Pi }((p,b),\cdots )=f_{{\Pi }_b}(p,\cdots )$$

In the case of $b=1$, this construction returns ${\mathtt{Init}}_{{\Pi }_1}$ which makes $\Pi$ secure in $\omega -\psi -(\delta ,2_{\alpha },\beta )$. When $b=0$, the adversary chooses to output ${\mathtt{Init}}_{{\Pi }_0}$ simulating the insecure protocol ${\Pi }_0$. $\Pi$ is not secure in $\omega -\psi -(\delta ,3_{\alpha },\beta )$ in this case. This shows that $\omega -\psi -(\delta ,2_{\alpha },\beta )$→$\omega -\psi -(\delta ,3_{\alpha },\beta )$ is false. Therefore, we conclude that $\omega -\psi -(\delta ,2_{\alpha },\beta )$↛$\omega -\psi -(\delta ,3_{\alpha },\beta )$.

(Part ii) Assume there exist two currency schemes ${\Pi }_1$ and ${\Pi }_0$ such that ${\Pi }_1$ is secure in $\omega -\psi -(\delta ,1_{\alpha },\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi -(\delta ,1_{\alpha },\beta )$. $\gamma =1$ represents an honest state initialization with randomness over which the adversary does not have control, whereas when $\gamma =2$, the adversary chooses the randomness with an honest state initialization. Therefore the difference between the two cases is whether the randomness is chosen by the adversary as per the algorithm $\mathtt{SetupState}$. We now define a new currency scheme $\Pi$ where the initialization takes place upon a selection of a random string $r_2$ as follows depending on a bit b:

$${\mathtt{Init}}_{\Pi }(\lambda ,(r_1,r_2))=\left\{\begin{array}{c}({\mathtt{Init}}_{{\Pi }_1}(\lambda ,r_1),1),\mathrm{if}{r}_2\ne 0\cdots 0\hfill \\ ({\mathtt{Init}}_{{\Pi }_0}(\lambda ,r_1),0),\mathrm{if}{r}_2=0\cdots 0\hfill \end{array}\right.$$

Similarly, all functions in $\Pi$ need to be dependent on r, similar to part i above, i.e.,

$$f_{\Pi }(p,\cdots )=\left\{\begin{array}{c}{f}_{{\Pi }_1}(p,\cdots ),\mathrm{if}p=(.,1)\hfill \\ f_{{\Pi }_0}(p,\cdots ),\mathrm{if}p=(.,0)\hfill \end{array}\right.$$

According to this construction, in the honest scenario ($b=1$), $\Pi$ is secure in $\omega -\psi -(\delta ,1_{\alpha },\beta )$ with as it returns state initialization $({\mathtt{Init}}_{{\Pi }_1}\left(r\right),1)$ which is $\omega -\psi -(\delta ,1_{\alpha },\beta )$ secure. However, note that $r_2$ can be $00\cdots 0$ in the honest scenario also with a small probability of $1/2^{\lambda }$ which is negligible, and therefore we can assume that $\Pi$ is secure in $\omega -\psi -(\delta ,1_{\alpha },\beta )$ in the honest case. When $b=0$, the adversary can choose $r_2$ to be $0..0$ to simulate the insecure protocol ${\Pi }_0$ which makes $\Pi$ insecure in $\omega -\psi -(\delta ,2_{\alpha },\beta )$. This means that $\omega -\psi -(\delta ,1_{\alpha },\beta )$→$\omega -\psi -(\delta ,2_{\alpha },\beta )$ is false as $\Pi$ can be secure in $\omega -\psi -(\delta ,1_{\alpha },\beta )$ but not secure in $\omega -\psi -(\delta ,2_{\alpha },\beta )$. Thus we conclude that $\omega -\psi -(\delta ,1_{\alpha },\beta )$↛$\omega -\psi -(\delta ,2_{\alpha },\beta )$.

(Part iii) Assume there exist two currency schemes ${\Pi }_1$ and ${\Pi }_0$ such that ${\Pi }_1$ is secure in $\omega -\psi -(\delta ,0_{\alpha },\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi -(\delta ,0_{\alpha },\beta )$. In this scenario, an honest state initialization takes place and the adversary does not see the randomness involved whereas with $\gamma =1$ state initialization, the adversary is able to see the randomness.

Construct a new currency scheme $\Pi$ as explained previously.

$${\mathtt{Init}}_{\Pi }(\lambda ,(r_1,r_2))=({\mathtt{Init}}_{{\Pi }_0}(\lambda ,r_1),{\mathtt{Init}}_{{\Pi }_1}(\lambda ,r_1),r_2,1)$$

In the honest case, this will output $(p_0,p_1,1)$. Consider the $\gamma =0$ game where, immediately after the $\mathtt{RunAdversary}$ process is run for the first time, a transaction is run by the adversary which would reveal the randomness and the bit b, i.e., $(t_p,r,b)$. This would simulate a $\gamma =1$ scenario and if the bit $b=0$, then $f_{{\Pi }_0}$ will be chosen. However, ${\Pi }_0$ is not secure when $\gamma =0$, and thus it makes this situation insecure. Therefore, we claim that $\Pi$ is not secure with $\gamma =1$ in this case since ${\Pi }_0$ is not secure when $\gamma =0$. This shows that $\Pi$ can be secure in $\omega -\psi -(\delta ,0_{\alpha },\beta )$ but not secure in $\omega -\psi -(\delta ,1_{\alpha },\beta )$, i.e., $\omega -\psi -(\delta ,0_{\alpha },\beta )$↛$\omega -\psi -(\delta ,1_{\alpha },\beta )$. □

Appendix C.8. Proof of Theorem 8

Proof. 

$\delta =2$ represents the strongest adversary with the capability to manipulate the state whereas the adversary is only able to view the state when $\delta =1$, thus representing a weaker adversary. Similarly with $\delta =0$, the state is private and hence the adversary is the weakest in this respect, being unable to view the state. Using the same proof technique as in Theorem 6, we can see that $\omega -\psi -({\mathbf{2}}_{\delta },\alpha ,\beta )$ represents a more powerful attacker than $\omega -\psi -$$({\mathbf{1}}_{\delta },\alpha ,\beta )$ and also $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$ is more powerful than $\omega -\psi -({\mathbf{0}}_{\delta },\alpha ,\beta )$, thus it is clear that both implications are true. □

Appendix C.9. Proof of Theorem 9

Proof. 

(Part i) The difference between the two scenarios where $\delta =1$ and $\delta =2$ is that with $\delta =2$, the adversary is able to modify the state whereas with $\delta =1$, he/she can only view the state. Suppose that two currency schemes ${\Pi }_0$ and ${\Pi }_1$ exist such that ${\Pi }_1$ is secure in $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$ and ${\Pi }_0$ is not secure in $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$. Assume that a currency scheme $\Pi$ is constructed as before in the proof of part (ii) of the Theorem 7. The initialization of the scheme $\Pi$ results in $(p_0,p_1,r,b)$ with functions $f_{{\Pi }_b}$. In the honest construction, we have $b=1$, with $f_{{\Pi }_1}$ and the adversary is only able to view the state which simulates a $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$ scenario. ${\Pi }_1$ is already secure in $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$ and thus $\Pi$ is also secure in $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$. Now assume that the adversary gets to choose the bit $b=0$. In this case, functions $f_{{\Pi }_0}$ will be executed and therefore the adversary is now able to change the state through the functions $f_{{\Pi }_0}$ that return the state as $(p_0^{{}^{\prime }},p_1,r,0)$ which represent a $\omega -\psi -({\mathbf{2}}_{\delta },\alpha ,\beta )$ adversary. However, from the definition, ${\Pi }_0$ is not secure against this adversary as ${\Pi }_0$ is not secure in $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$ and thus is not secure in $\omega -\psi -({\mathbf{2}}_{\delta },\alpha ,\beta )$ as well. Therefore, $\Pi$ is also not secure in $\omega -\psi -({\mathbf{2}}_{\delta },\alpha ,\beta )$ in this case.

(Part ii) Suppose that a currency scheme ${\Pi }_1$ is secure in $\omega -\psi -({\mathbf{0}}_{\delta },\alpha ,\beta )$ and another currency scheme ${\Pi }_0$ is not secure in $\omega -\psi -({\mathbf{0}}_{\delta },\alpha ,\beta )$. Define a new honest construction for a currency scheme $\Pi$ as described in the proof of part (ii) of the Theorem 7 with the same initialization and a modification to the $\mathtt{Mint}$ function, i.e., 1.1

• ${\mathtt{Init}}_{\Pi }(\lambda ,(r_1,r_2))=({\mathtt{Init}}_{{\Pi }_0}(\lambda ,r_1),({\mathtt{Init}}_{{\Pi }_1}(\lambda ,r_1),r_2,1))$
• ${\mathtt{Mint}}_{\Pi }((p_0,p_1,r,b),T,\mathit{args})=\{$
• $\mathbf{if}{p}_0\mathrm{and}{p}_1\mathrm{are}\mathrm{inital}\mathrm{states}\mathrm{and}b=1\mathrm{and}T=\left\{r\right\},$
• $\mathbf{then}\mathbf{return}((p_0,p_1,r,0),\mathit{outputs})$
• $\}$

In the honest case, ${\mathtt{Init}}_{\Pi }$ will output $(p_0,p_1,1)$ and all functions $f_{{\Pi }_1}$ will be executed. As the adversary cannot view the state now, this simulates $\omega -\psi -({\mathbf{0}}_{\delta },\alpha ,\beta )$. We claim that $\Pi$ is $\omega -\psi -({\mathbf{0}}_{\delta },\alpha ,\beta )$ secure in this case as the adversary has the same amount of information as for ${\Pi }_1$ and ${\Pi }_1$ is secure in $\omega -\psi -({\mathbf{0}}_{\delta },\alpha ,\beta )$. Then, immediately after the state initialization, the adversary mints $\left\{r\right\}$ which will return $(p_0,p_1,r,0)$, setting bit $b=0$. In this instance, the protocol simulates ${\Pi }_0$ which is not secure. Therefore, we can conclude that $\Pi$ is secure in $\omega -\psi -({\mathbf{0}}_{\delta },\alpha ,\beta )$ but not secure in $\omega -\psi -({\mathbf{1}}_{\delta },\alpha ,\beta )$. □

Appendix C.10. Proof of Theorem 10

Proof. 

Consider a currency scheme $\Pi$ which is secure in $\omega -\psi -(\delta ,\alpha ,{\mathbf{1}}_{\beta })$. In this case, the adversary is able to cause minting to fail so that failed mint operations may leak information about the corresponding transaction. On the other hand, $\beta =0$ represents a weaker adversary as no additional information is leaked in this case. As the scheme $\Pi$ is secure against a more powerful adversary with $\beta =1$, we can conclude that $\Pi$ is also secure against any weaker adversary, and an adversary with $\beta =0$, i.e., $\omega -\psi -(\delta ,\alpha ,{\mathbf{1}}_{\beta })\to \omega -\psi -(\delta ,\alpha ,{\mathbf{0}}_{\beta })$. □

Appendix C.11. Proof of Theorem 11

Proof. 

Assume that a currency scheme $\Pi$ is secure in $\omega$ − $\psi$ − ($\delta$,$\alpha$,$0_{\beta }$). Consider a construction ${\Pi }^{{}^{\prime }}$ similar to $\Pi$ except that the $\mathtt{Mint}$ operation is modified with an input bit b and a special value V which reveals additional information about the transaction when $b=1$ and when a mint operation fails, i.e.,

• ${\mathtt{Mint}}_{{\Pi }^{{}^{\prime }}}(args,b,V)\{$
• $\mathtt{if}({\mathtt{Mint}}_{\Pi }\left(args\right)=\perp )\wedge (b=1)\mathbf{then}$
• $\mathbf{return}V$
• $\mathbf{else}\mathbf{return}{\mathtt{Mint}}_{\Pi }\left(args\right)$
• $\}$

When the bit $b=0$, ${\Pi }^{{}^{\prime }}$ functions similar to $\Pi$, and thus is secure in $\omega$ − $\psi$ − ($\delta$,$\alpha$,$0_{\beta }$). However, when $b=1$, with the modified $\mathtt{Mint}$ function models a scenario for $\beta$$=1$ for ${\Pi }^{{}^{\prime }}$, yet ${\Pi }^{{}^{\prime }}$ is not secure here as the $\mathtt{Mint}$ operation leaks special information about the transaction in this case. Therefore, we conclude that $\omega -\psi -(\delta ,\alpha ,{\mathbf{0}}_{\beta })\nrightarrow \omega -\psi -(\delta ,\alpha ,{\mathbf{1}}_{\beta })$. □

Appendix C.12. Proof of Theorem 12

Proof. 

As before, we can say that ${\psi }_v=3$ represents a stronger adversary compared to ${\psi }_v=2$ and ${\psi }_v=2$ adversary is stronger than ${\psi }_v=1$ by our construction and ${\psi }_v=1$ adversary is stronger than ${\psi }_v=0$. Therefore, given that a currency scheme $\Pi$ is secure against a ${\psi }_v=3$ adversary, then $\Pi$ is also secure against ${\psi }_v=2$. Similarly, $\Pi$ is also secure in ${\psi }_v=1$ then in ${\psi }_v=0$. □

Appendix C.13. Proof of Theorem 13

Proof. 

(Sketch) The proof follows the same line of argument as the proof in Theorem 4, with the exception that the special value gives a hint about the transaction value instead of the senders. □

Appendix C.14. Proof of Theorem 14

Proof. 

Adhering to the same proofing methodology, we argue that ${\psi }_m=3$ adversary is more powerful than ${\psi }_m=2$ adversary, as the adversary has full control over metadata in the former case. Therefore, it follows that given a currency scheme which is secure against a ${\psi }_m=3$ adversary, the scheme is also secure against a less powerful ${\psi }_m=2$ adversary. Moreover, through the same line of argument, it follows that $\left({\psi }_m=2\right)\to \left({\psi }_m=1\right)$ and $\left({\psi }_m=1\right)\to \left({\psi }_m=0\right)$. □

Appendix C.15. Proof of Theorem 15

Proof. 

(Sketch)

The proof follows the same line of argument as the proof in Theorem 4, with the exception that the special value gives a hint about the transaction metadata instead of the senders. □

Appendix C.16. Proof of Theorem 16

Proof. 

(Part i) Consider a currency scheme $\Pi$ which is secure in $\omega -\psi \left({\mathbf{5}}_t\right)-(\delta ,\alpha ,\beta )$. With ${\psi }_t=5$, the adversary has the highest possible knowledge of the transaction as the adversary creates the transaction and thus is more powerful than any other adversary having the knowledge of ${\psi }_t<5$ (while having other parameters fixed). This means that if a currency scheme $\Pi$ is secure against a stronger adversary with ${\psi }_t=5$, then $\Pi$ is secure against less powerful adversaries, e.g., an adversary with ${\psi }_t=4$, i.e., $\omega -\psi \left({\mathbf{5}}_t\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({\mathbf{4}}_t\right)-(\delta ,\alpha ,\beta )$.

(Part ii) Similarly, $\omega -\psi \left({\mathbf{4}}_t\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({\mathbf{3}}_t\right)-(\delta ,\alpha ,\beta )$ also holds as being able to choose the randomness for the transaction (${\psi }_t=4$) leaks additional information about the transaction to the adversary earlier in the game compared to knowing that at the end of the game (${\psi }_t=3$), which models a weaker adversary.

(Part iii) With ${\psi }_t=3$, the knowledge of the randomness of the transaction (i.e., actual coins involved) provides more information to the adversary than just the secret part of the transaction $t_s$ (i.e., ${\psi }_t=2$). Therefore, $\omega -\psi \left({\mathbf{3}}_t\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({\mathbf{2}}_t\right)-(\delta ,\alpha ,\beta )$ holds.

(Part iv) With the same argument, ${\psi }_t=2$ represents a more powerful adversary than ${\psi }_1$ with the knowledge of just the public part of the transaction, i.e., $\omega -\psi \left({\mathbf{2}}_t\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({\mathbf{1}}_t\right)-(\delta ,\alpha ,\beta )$.

(Part v) In this case of ${\psi }_t=1$, the adversary is able to view the transaction whereas when ${\psi }_t=0$, the transaction is hidden. Therefore, the former case shows a more powerful adversary than the latter case. Accordingly, $\omega -\psi \left({\mathbf{1}}_t\right)-(\delta ,\alpha ,\beta )\to \omega -\psi \left({\mathbf{0}}_t\right)-(\delta ,\alpha ,\beta )$. □

Appendix C.17 Proof of Theorem 17

Proof. 

(Sketch)

This can be proven in a manner similar to Theorem 4, except that the special value leaks information about the transaction $t_p$ or $t_s$ in each scenario instead of sender addresses. □