Cryptography in Blockchain

This document summarizes a research paper that systematizes the cryptographic concepts used in blockchain. It categorizes concepts into those well-used in blockchain and those promising but not yet implemented. It contributes: 1) descriptions of concepts applied in blockchain with examples, 2) a list of promising concepts not widely used that could improve blockchain, and 3) 21 research challenges for cryptographers to address. The paper aims to provide a complete picture of cryptographic concepts in blockchain.


Received August 29, 2019, accepted October 3, 2019, date of publication October 11, 2019, date of current version October 24, 2019.


Digital Object Identifier 10.1109/ACCESS.2019.2946983

SoK of Used Cryptography in Blockchain


MAYANK RAIKWAR, DANILO GLIGOROSKI, AND KATINA KRALEVSKA
Department of Information Security and Communication Technologies, Norwegian University of Science and Technology (NTNU), 7491 Trondheim, Norway
Corresponding author: Mayank Raikwar ([email protected])
This work was supported by the NTNU Research Project under Grant 81771158.

ABSTRACT The underlying fundaments of blockchain are cryptography and cryptographic concepts that
provide reliable and secure decentralized solutions. Although many recent papers study the use-cases
of blockchain in different industrial areas, such as finance, health care, legal relations, IoT, information
security, and consensus building systems, only few studies scrutinize the cryptographic concepts used in
blockchain. To the best of our knowledge, there is no Systematization of Knowledge (SoK) that gives a
complete picture of the existing cryptographic concepts which have been deployed or have the potential
to be deployed in blockchain. In this paper, we thoroughly review and systematize all cryptographic
concepts which are already used in blockchain. Additionally, we give a list of cryptographic concepts which
have not yet been applied but have big potentials to improve the current blockchain solutions. We also
include possible instantiations of these cryptographic concepts in the blockchain domain. Last but not
least, we explicitly postulate 21 challenging problems that cryptographers interested in blockchain can
work on.

INDEX TERMS Blockchain, cryptography, hash function, proof-of-work, consensus, signature, encryption,
zero-knowledge proofs, access control, accumulator.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/
148550 VOLUME 7, 2019
M. Raikwar et al.: SoK of Used Cryptography in Blockchain

I. INTRODUCTION

Blockchain, a distributed ledger managed by a peer-to-peer network collectively adhering to some consensus protocol, is arguably considered a new and disruptive technology. Both academia and industry are profoundly affected by new solutions to some old problems which are based on this new technology. The success of the blockchain concept is ultimately connected with the financial success of Bitcoin [1], which was developed just one decade ago, and the subsequent avalanche of more than 2140 other crypto-currencies that all together built a financial market worth around $285 billion (as of 16 June 2019) [2].

We can trace the origins of the ideas to use cryptography for secure and private transactions (paying for access to databases, paying for services such as online games, transferring money over the Internet, Internet shopping and other commercial activities) back to the 1990's and David Chaum's eCash system [3]. One of the negative aspects of eCash was that it was a centralized system, controlled by a trusted third party. Another hurdle for a broader acceptance of eCash was the fact that it was covered by a long list of patented algorithms – something that is considered a big obstacle to acceptance among the crypto community.

In parallel, in the 1990's we saw the development of several cryptographic ideas not directly connected but still related to the idea of using cryptography in financial transactions. We mention some of them, such as the proposal on how to combat junk email [4] by Dwork and Naor, published in 1992, which used computationally expensive functions. Then in 1996 there was a proposal for time-lock cryptographic puzzles [5] by Rivest, Shamir, and Wagner, using RSA-based CPU-expensive computations. At the end of the 90's and in the early 2000's several patent-free cryptographic concepts were proposed, implemented and released as open source projects by an online movement and community of cryptographers and programmers known as ''Cypherpunks'' [6]. Those cryptographic concepts and implementations include Adam Back's ''hashcash'' proposal for a currency based on the hardness of finding partial hash collisions [7], Wei Dai's ''b-money'' [8] and Nick Szabo's1 ''Bitgold'' proposal [9]. These concepts have been the basis of Satoshi Nakamoto's decentralized cryptocurrency, nowadays known as Bitcoin [1], [10]. As a recognition of their pioneering activities in decentralized cryptocurrencies, Ethereum [11] – the second most popular cryptocurrency – named three of its denominations ''Wei'', ''Szabo'' and ''Finney'' [12].2

1 Nick Szabo was also part of the eCash development team in the late 90's.

2 Hal Finney was a cypherpunk and the receiver of the first Bitcoin transaction of 10 Bitcoins from the anonymous Satoshi Nakamoto [13].

The underlying core technology in Bitcoin is blockchain. Blockchain is a distributed ledger maintaining a continuously growing list of data records that are confirmed by all of the participating nodes. The data is recorded in this public ledger in the form of blocks of valid transactions, and this public ledger is shared and available to all nodes.

Blockchain is envisioned as a promising and powerful technology, but it still encounters many research challenges. Some of the main challenges are the constant improvement of its security and privacy, key management, scalability, analysis of new attacks, smart contract management, and the incremental introduction of new cryptographic features in existing blockchains. These challenges arise due to the network structure and the underlying consensus mechanisms and cryptographic schemes used within the blockchains. To overcome these challenges and to find enhanced solutions, many cryptographic concepts such as signature schemes, zero-knowledge proofs, and commitment protocols are scrutinized and applied. As cryptography is a vast research field, there is always scope to find new cryptographic schemes in order to improve the solutions in blockchain.

The majority of the ongoing research in blockchain focuses on finding and identifying improvements to current processes and routines, mostly in industries that rely on intermediaries, including banking, finance, real estate, insurance, legal system procedures, and healthcare. The study on business innovation through blockchain [14] presents some blockchain-enabled business applications and their instantiations. These blockchain-enabled applications still need a proper way of selecting the cryptographic technique employed in their respective solution in order to meet the business requirements. Not only these blockchain applications but also the research community will benefit from an overview, in the form of a systematization of the current state of knowledge, of all available cryptographic concepts which have been applied or can be applied in existing and future blockchain solutions. To the best of our knowledge, this is the first systematization of knowledge that gives a complete picture of the existing cryptographic concepts related to blockchain. We have tried to depict most of the cryptographic concepts in the blockchain domain. Although there are various works about specific cryptographic concepts used in blockchain, there are only a few works which merge all these atomic works and present them in a single paper. Most of the review and survey works, such as [15], [16], discuss security, privacy, consensus or other challenges in blockchain. A recent work of Wang et al. [17] gives a comprehensive analysis of cryptographic primitives in blockchain. Their analysis presents the functionality and the usage of these primitives in blockchain. However, the analysis is based only on existing cryptocurrencies and it lacks many of the cryptographic protocols which are used in blockchain.

The associate editor coordinating the review of this manuscript and approving it for publication was Yunlong Cai.

A. OUR CONTRIBUTION

In this study, we classify cryptographic concepts based on their use in blockchain.3 We have divided them into two categories: 1. concepts which are well used in blockchain, and 2. concepts which are promising but not yet implemented in blockchain. This categorization does not have a clear boundary. We classify some cryptographic concepts as promising ones, and those require further research and scrutiny in order to be deployed in blockchain. As a result, the following points are the main contributions of our Systematization of Knowledge (SoK) paper:

• We provide a description of cryptographic concepts which have been applied in the blockchain field. We also include instantiations of these concepts in blockchain.
• We provide a list of cryptographic concepts which are rarely used or have not been used in blockchain but have the potential to be applied in this field. These concepts open many possible research directions and can be examined in different blockchain applications.
• We identified 21 research challenges that we formulate as Research Problems. Some of them are rephrased research challenges already published in the literature and some of them are newly formulated research problems.

3 A continuously updated version of cryptographic concepts is available on this github repository http://bit.do/fchb5

In this study, we do not claim that we have exhausted all of the cryptographic concepts which are employed in blockchain, but we have tried to cover the concepts which we felt are propitious for the blockchain domain. We also describe each cryptographic concept along with its associated properties and its instantiation in the blockchain field. Additionally, in order to give one unified presentation about blockchain, we give a brief explanation about:

• Enabling concepts of blockchain such as hash functions, consensus protocols and network architecture.
• The layered architecture of blockchain, with emphasis on some of the major challenges associated with blockchain.

B. ORGANIZATION OF THE PAPER

The rest of the paper is organized as follows. Section II presents the research methodology. Section III explains the main pillars of blockchain such as hash functions, consensus mechanisms, network infrastructure and types of blockchain. Section IV gives an overview of some critical challenges faced by existing blockchains. Section V reviews cryptographic concepts already used in blockchain and presents the basic idea of each cryptographic concept with available instantiations in blockchain. Section VI presents cryptographic concepts which have not been employed or implemented in blockchain yet, but look very promising for


blockchain. Finally, Section VII concludes this SoK and gives possible future work directions.

II. RESEARCH METHODOLOGY

To perform a systematization of knowledge of the existing cryptographic concepts related to blockchain, we established and followed a methodology that we explain in this Section. Since the invention of Bitcoin, there has been a growing interest in blockchain from both academia and industry. The number of publications in the blockchain field has been rapidly increasing in recent years. Not all of these publications are research works; some of them discuss different use-cases of blockchain. Therefore, to review these many papers in the blockchain field, we pursued a research methodology which defines the inclusion criteria, a search strategy to find the respective publications and a data collection mechanism to accumulate the relevant publications. The collected data is later processed based on inclusion and exclusion criteria. The publications which meet the inclusion criteria go through one final step of quality assessment. Once a publication passes the quality assessment, it is included in our systematization.

We use keyword search to make the first selection of potentially relevant scientific publications. For the keyword search, we typed keywords such as <cryptographic concept name> <in blockchain> or <use of> <cryptographic concept name> <in blockchain>. We use Google Scholar as our primary source to search for the relevant literature, but as Google Scholar does not exhaust all of the available literature, we also searched in databases such as: 1) IACR eprint archive, 2) IEEE Xplore, 3) ACM Digital Library, 4) ScienceDirect, and 5) Springer Link.

The inclusion criteria for this study are based on the following questions:

• Is the elaborated cryptographic concept useful in blockchain? The usefulness of the cryptographic concept is measured as whether we achieve some essential properties in blockchain by using the concept or whether the cryptographic concept can be beneficial for some use-case compared to an already implemented concept.
• Which properties can be achieved by using the cryptographic concept in blockchain?
• Is there any instantiation of the cryptographic concept in a blockchain study or application? If not, is there any potential?

The criteria for excluding a paper are:

• Informal literature discussing some cryptographic concepts in blockchain.
• Literature which claims to use a cryptographic concept but does not give any guarantees about the feasibility and prospects of a potential implementation.

The quality of the papers that meet the inclusion criteria is assessed. For quality assessment, we apply the following questions:

• Is the cryptographic concept implemented in blockchain? If not, is it possible to implement it and will it be more efficient than the existing solution?
• Is there any security analysis or does the implemented concept rely on another underlying platform?
• Are the fundamental concept and its related properties adequately described?

III. SUPPORTING AND ENABLING CONCEPTS OF BLOCKCHAIN

As previously mentioned, blockchain is a way to encapsulate transactions in the form of blocks where blocks are linked through the cryptographic hash, hence forming a chain of blocks. Figure 1 shows the basic blockchain structure. Each block in the blockchain contains a block header and a representation of the transactions. For instance, in Figure 1, each block consists of its hash, the hash of the previous block, a timestamp and some other block fields (e.g., version, nonce). This depends on the block design. The Merkle root hash represents the set of transactions in the Merkle tree, and this representation of transactions varies according to the design of the blockchain implementation. Figure 2 depicts the Bitcoin blockchain data structure, showing the block format in detail.

FIGURE 1. Basic blockchain structure.

FIGURE 2. Blockchain data structure with block format.

Blockchain relies on different constituents which serve different purposes. In this Section, we give an overview of the main underlying concepts used to build a blockchain. A detailed technical explanation of all these concepts is out of the scope of this paper, but we have tried to cover the essentials of their functionality.

A. CRYPTOGRAPHIC HASH FUNCTION

A hash function H is a function which takes an input of arbitrary size and maps it to a fixed size output. Cryptographic hash functions have some additional properties such as: a) collision resistance - it is hard to find two inputs a and b such that H(a) = H(b); b) preimage resistance - for a given output y it is hard to find an input a such that H(a) = y; and c) second preimage resistance - for a given input a and output y = H(a) it is hard to find a second input b such that H(b) = y. Readers interested in an extensive coverage of the field of cryptographic hash functions are referred to [18].

Cryptographic hash functions in blockchain are used for various purposes such as:

1) solving cryptographic puzzles (the Proof of Work (PoW) in Bitcoin [1]);
2) address generation (for public and private keys);
3) shortening the size of the public addresses;
4) message digests in signatures.

The most popular cryptographic hash functions used in blockchains are SHA-2 [19] (especially the variant SHA256, which produces outputs of 256 bits), and some of the well analyzed hash functions from the NIST SHA-3 competition and standardization that went to the later stages of that process (the final 5 proposals or some of the 14 proposals from the second phase [20]). Some of the existing blockchain designs such as IOTA constructed their own ''homebrewed'' cryptographic hash function called Curl-P, which was received very critically and negatively by the crypto community [21], [22].

A typical way in which cryptographic hash functions are used in blockchain designs is in the form of a mode of operation, i.e., a combination of several invocations of the same or different hash functions. For example, in Bitcoin [1], SHA256 is used twice and that construction is called SHA256d, i.e.,

$$\mathrm{SHA256d}(message) = \mathrm{SHA256}(\mathrm{SHA256}(message)). \quad (1)$$

Mining is the process of creating a new block of transactions through solving a cryptographic puzzle, and the participant who solves the puzzle first is called the miner of the block. If we look at the Bitcoin PoW puzzle, we can see that a miner has to find a Nonce (similar to the Hashcash protocol [7] that we discuss in the next subsection) to create the next block in the blockchain. The puzzle looks like this:

$$\mathrm{SHA256d}(\mathrm{Ver}\,\|\,\mathrm{HashPrevBlock}\,\|\,\ldots\,\|\,\mathrm{Nonce}) \le T \quad (2)$$

where T is a 256-bit target value.

Looking into the fraction of SHA256d outputs that are less than the target value T for different values of T in Table 1 helps us to understand why mining is hard in PoW. Namely, the probability of finding a nonce that will cause the whole block to have a hash that is less than the target value is

$$\Pr[\mathrm{SHA256d}(Block) \le T] \approx \frac{T}{2^{256}}. \quad (3)$$

TABLE 1. Fraction of SHA256d outputs with respective target value.

We next discuss the research and innovative activities in the area of cryptographic hash functions that were either remotely or directly connected to and inspired by the trends in blockchain.

Several years after the launch of Bitcoin and its source code being published as open source on Github, blockchain designers started to clone and fork its basic


code, and started to introduce different variants and inno- participants. In order to maintain the ledger in a decentral-
vations. One of the earliest forks from 2011 that is still ized way, many consensus mechanisms have been proposed.
popular nowadays is Litecoin [23]. The basic idea by the The first introduction of the use of a consensus mechanism
Litecoin design was to use a different hash function for in blockchain is implicitly given by Bitcoin. Bitcoin uses
its proof of work puzzles. The motivation came from the Proof of Work (PoW) mechanism as consensus where the idea
fact that even in 2011 there were trends to build special- came from Hashcash Protocol [7]. The objective of Hash-
ized application-specific integrated circuit (ASIC) hardware cash was to prevent spam in public databases. The Hashcash
implementations of SHA256d that will mine the blocks sev- Protocol is as follows. Suppose an email client wants to send
eral orders of magnitude faster than ordinary CPUs and an email to an email server. In the beginning, the client and
GPUs. Instead of SHA256d, Litecoin uses Scrypt [24] - a the server both agree on a cryptographic hash function H
memory-intensive compilation of use of the HMAC [25] which maps an input string to an n length output string. Then,
construction instantiated with SHA256 and use of the stream the email server sends a challenge string c to the client. Now
cipher Salsa20/8 [26]. The idea was that the use of Scrypt the client has to find a string x such that H (c||x) starts with k
will be impractical to implement it in ASIC, thus, giving zeros. Since H has pseudorandom outputs, the probability of
chances of individual owners of regular computers and GPUs success in a single trial is
to become a significant mining community. While with no
2n−k 1
doubts we can say that Litecoin is a very successful alterna- = k.
tive cryptocurrency, we can for sure claim that its initial goal 2n 2
to be ASIC resistant blockchain design was not successful. Here x corresponding to c is considered as PoW and the
Nowadays, you can find commercial products for Litecoin process of finding that x is called mining. PoW is difficult to
hardware mining.4 generate but easy to verify.
Actually, we can say that the 10 years of history of Many literature studies on consensus mechanisms, for
blockchain, in general, and cryptocurrencies, in particular, instance, the survey by Wang et al. [16] and ‘‘SoK: Con-
is a history of failed attempts to construct a sustainable sensus in the age of blockchains’’ [32], have been carried
blockchain that will prevent the appearance of profitable out in the past few years. Since consensus mechanisms have
ASIC miners that can mine the blocks with hash computing already been thoroughly studied in the literature, in this paper,
rates that are several orders of magnitude higher than the we present the basic idea about how consensus mechanisms
ordinary users of CPUs and GPUs. In that short history, work and their classification.
we can mention Ethash used in Ethereum [11] for which In a consensus protocol, depending on the network archi-
there are now commercially available ASIC miners by at least tecture and blockchain type, some or all of the participants
two companies. In 2013, QuarkCoin [27] introduced the idea take part and maintain the ledger by adding a block consisting
of using a chain of six hash functions (five SHA-3 finalists of transactions to their ledger. However, the creation of a new
BLAKE, Grøstl, JH, Keccak and Skein [28]) and the second block to be added to the ledger is performed by a partici-
round hash function Blue Midnight Wish [29]. One of the pant who is known as a leader of the consensus protocol in
motivations behind the QuarkCoin PoW function was to be that particular execution. This leader is elected by different
more ASIC resistant than SHA256d. The cascading idea of mechanisms of leader election process, and some of these
QuarkCoin was later extended to a cascade of eleven hash mechanisms are given in Table 2.
functions in Darkcoin (later renamed DASH [30]). Needless
TABLE 2. Leader election in consensus protocols.
to say, nowadays there are commercially available ASIC
miners for X11 as well.
The frictions between ASIC miners and the cryptocurrency
community seem to remain to the present days, and are some-
what evolving and inspiring novel proposals in blockchain
protocols. The latest is the Programmatic Proof-of-Work
(ProgPoW) initiative for Ethereum blockchain ecosystem that
aims to make ASIC mining less efficient and to give some
advantages to graphics processing units (GPU) mining [31].

B. CONSENSUS MECHANISMS
Consensus is the key component of blockchain to synchronize After the leader is elected and the new block is created
or update the ledger by reaching an agreement among the in order to achieve consensus or agreement on this block,
two types of voting mechanisms are followed: explicit and
4 One such a product that can compute 580 billion Scrypt hashes per sec- implicit. In explicit voting, multiple rounds of voting occur
ond, is offered by the company Bitmain and is called ‘‘Antminer L3++’’. and then based on the votes, consensus is reached. However,
As of the time of writing this article, this product was advertised at
https://shop.bitmain.com/ for a price of $213.00 and for a 10 days delivery in implicit voting, the new block created by the leader is
(2 June 2019). accepted by others who implicitly vote for the new block

148554 VOLUME 7, 2019


M. Raikwar et al.: SoK of Used Cryptography in Blockchain

contrary, in the permissioned blockchain, as there are restric-


tions and privileges associated with the peers, there is a strict
control on the synchronization among the peers. Byzantine
fault-tolerant protocols are usually adopted in permissioned
blockchains to provide consensus properties such as valid-
ity, agreement, and termination. Practical Byzantine Fault
Tolerant (PBFT) [47], Proof of Elapsed Time [40], Ripple
consensus [48] are some of the consensus protocols used in
permissioned blockchains. Recently, Facebook launched its
own global cryptocurrency Libra [43] which works as a per-
missioned blockchain and provides users to do transactions
with nearly zero fee. Libra blockchain comes with a new
programming language Move and a new consensus protocol
called LibraBFT.

1) MINING, POOL MINING AND INCENTIVE MECHANISMS


In Proof of Work based blockchains, the addition of new
transactions in the blockchain is performed by the mining
process. In the Bitcoin mining process, a puzzle is solved by
FIGURE 3. Blockchain consensus scenario. computing many hashes repeatedly (Equation 2) by putting
different values for the nonce to satisfy the condition. When
a miner successfully solves the puzzle first among all of the
and add it to their ledgers. A leader election through PoW
miners, it gets a monetary incentive for solving the puzzle.
puzzle competition (e.g., PoW puzzle 2 in Bitcoin) followed
Because of this incentive process, all consensus nodes or
by an implicit voting to reach an agreement is also called
miners follow the rules of the blockchain state transition
‘‘Nakamoto Consensus’’.
during the puzzle competition. Mining is a resource-intensive
Consensus mechanisms also determine the performance
process where the main resources are computational power
of the blockchain network in terms of consensus final-
and memory. Mining can be performed either by a solo miner
ity, throughput, scalability, and robustness against various
or by a group of miners, called a mining pool, who collec-
attacks. In some manner, consensus orchestrates the state of
tively try to solve the puzzle. Mining pools may operate on
the programs executed in the blockchain network nodes by
different mining techniques and incentive mechanisms. These
providing a runtime environment to collectively verify the
incentive mechanisms can vary based on the used mining
same program and hence reach to a finality. There is no
technique or the decision of the pool operator. Reference [16]
exact classification of consensus mechanisms, but in general
gives a brief idea about the mining strategy management
they can be classified as consensus protocols with proof of
in blockchain networks, while reference [49] provides a
concept and consensus protocols with byzantine fault-tolerant
strategic study of mining through stochastic games. Different
replication. These consensus protocols can be chosen based
incentive mechanisms are proposed and tested in blockchains.
on the blockchain network and type. Most of the proof
Reference [50] analyzes Bitcoin pooled mining reward sys-
of concept consensus protocols are used in permissionless
tems, and a reward system based on information propagation
blockchains. There are many proof of concept schemes which
in blockchain network is presented in [51].
have been proposed and implemented, e.g., Proof of Work
(PoW) [44], Proof of Stake (PoS) [45], Equihash [46], having
Masternodes in Dash [42], etc. As described in Section III- C. NETWORK INFRASTRUCTURE
A, in PoW puzzle based consensus protocols, miners try to Blockchain is maintained by a peer-to-peer (P2P) network.
solve the cryptographic puzzle by mining and these miners P2P network is an overlay network which is built on the top
are also responsible for verification of the transactions, and of the Internet. This P2P blockchain network can be mod-
an incentive (reward) is given to the first miner who solves eled as structured, unstructured or hybrid based on several
the puzzle. parameters such as the consensus mechanism and the type of
In case of a permissionless network, as there is no blockchain. Regardless of the representation of the network,
authentication and no proper synchronization, the underlying a blockchain network should quickly disseminate the newly
consensus algorithm should be able to handle the synchro- generated block so that the global view of the blockchain
nization problem, scale well and mitigate different attacks in remains consistent. Consequently, a synchronization protocol
order to maintain canonical blockchain state in P2P network. is needed, but a routing protocol might or might not be
To solve this synchronization issue, most of the blockchains needed. A traditional P2P network uses a routing protocol
use ‘‘Longest chain rule’’ to have a consistent canonical to route the information through multihop; however, in many
state of blockchain in this P2P blockchain network. On the blockchains (e.g., Bitcoin), routing is not required because

VOLUME 7, 2019 148555


M. Raikwar et al.: SoK of Used Cryptography in Blockchain

a peer can get information through at most one hop, so no routing table is maintained.

Almost all cryptocurrencies and blockchains such as Bitcoin [1], Ethereum [11], Litecoin [23] use an unstructured P2P network where the idea is to have equal privileges for all of the nodes and to create an egalitarian network. A P2P network can follow a flat or hierarchical organization for building a random graph among the peers. This graph is not fully connected, but in order to receive all of the communication and to maintain the ledger, each peer maintains a list of peer addresses. Thus, if any peer propagates a message in the network, eventually all peers receive it through their available connections. In an unstructured network, techniques like flooding and random walk are used to make new connections with the peers. In the unstructured network, peers can leave and join at any time. This can be exploited by an adversary that can join and see the messages floating in the network and can further do source spoofing, reordering or injecting of messages.

Blockchain can also use a structured P2P network where nodes are organized in a specific topology and thus finding any resource/information becomes easier. In this structured P2P network, an identifier is assigned to each node to route the messages in a more accessible way. Each node also maintains a routing table. A structured P2P network maintains a distributed hash table (DHT) where (key, value) pairs are stored corresponding to the peers, which helps in the resource discovery. Ethereum has started the adoption of a structured P2P network by using the Kademlia protocol [60]. However, most of the blockchain networks are unstructured, and moreover, if the blockchain is public where no restriction to join or leave the network is enforced, then many possible attacks can happen. Thus, the security of blockchain depends heavily on the network architecture. A propagation delay or a synchronization problem in a P2P network can affect the consensus protocol of blockchain, leading to a non-consistent global view in blockchain. In addition to these problems, an adversary can cause several attacks in a P2P network, where a few of the main attacks are as follows:
• Netsplit (Eclipse) attack: An adversary monopolizes all of the connections of a node and splits that node from the entire network. Further, the node cannot participate in the consensus or validation protocol and this causes inconsistency in the network [61].
• Routing attack: A set of participants is isolated from the blockchain network by the adversary and thus the block propagation is delayed in the network [62].
• Distributed Denial-Of-Service (DDOS) attack: An adversary exhausts the network resources and targets honest nodes so that honest nodes do not get the services or information which they are supposed to receive [63], [64].

D. TYPES OF BLOCKCHAIN
Blockchains can be classified depending on the implementation design, administration rules, data availability, and access privileges. From an academic point of view, they have been classified as ‘‘public’’ and ‘‘private’’. While from the administrative point of view, they are described as ‘‘permissioned’’ and ‘‘permissionless’’. Nevertheless, these terms are used interchangeably in most of the blockchain studies and applications in industries, which is not the correct way to use these terms. Even though the classification of blockchains is not very clearly specified in the literature, we can still classify blockchains by coupling public, private, permissioned and permissionless.
1) Permissionless Public: In this type of blockchain, anyone can join or leave the network at any time and participate in consensus as well to maintain the ledger. Everyone also has read and write access to the blockchain. Thus, it provides minimum trust among the participants, but it still achieves maximum transparency. Most of the cryptocurrencies and blockchain platforms are permissionless public, e.g., Bitcoin [1], Zerocash [52] and Monero [53].
2) Permissioned Public: This type of blockchain allows everyone to read the blockchain state and data, but in order to write the data and take part in consensus, there are permissions/privileges associated with the participants provided by the network administrator, which in a certain way makes the system not fully decentralized. In this type of blockchain, once a participant has some privileges, based on that it can become a validator as well. Examples for permissioned public blockchains are Ripple [54], EOS [55] and the newest Libra [43].
3) Permissionless Private: This type of blockchain allows organizations to collaborate without the need of sharing information publicly. Being permissionless allows anyone to join or leave the blockchain at any time, which is also acknowledged by the other nodes. The smart contracts on these networks also define who is allowed to read the contract and the related data, not only who is allowed to perform the actions. Some permissionless private blockchains use Federated Byzantine Agreement as a consensus protocol. The LTO [56] network is an example of a permissionless private blockchain which creates ‘‘live contracts’’ on the network.
4) Permissioned Private: These blockchains are mostly used in organizations where data/information is stored in the blockchain with permissioned access control by the members of the organization. The membership in the network is provided by the network administrator or some membership authority. Read and write access to the data is also provided by the network administrator. Hyperledger Fabric [57], Monax [58] and Multichain [59] are examples of permissioned private blockchains.

Table 3 proffers a clear picture of the classification of blockchains with associated advantages, challenges and application domains. However, in general, permissionless public blockchains are commonly referred to as public blockchains and permissioned private blockchains are


TABLE 3. Blockchain classification.

TABLE 4. Layered architecture of blockchain.

referred to as fully private blockchains. A combination of permissioned public and permissionless private makes a ‘‘consortium blockchain’’, which is also called a federated blockchain. A consortium blockchain is neither completely public nor completely private, and it makes the blockchain partially decentralized. In a consortium blockchain, the consensus is reached by a selected group of participants. Nowadays most of the organizations have embraced consortium blockchains for their blockchain enabled solutions.

IV. CHALLENGES IN BLOCKCHAIN
Blockchain as an emerging technology comes with many challenges. In order to solve these challenges, various solutions have been proposed and implemented in the blockchain. The proliferation of cryptocurrencies across multiple payment systems brings many risks in social, economic and technical terms. Blockchain encounters many challenges due to network architecture, underlying consensus protocol and applied cryptographic primitives. Some of these major challenges are security and privacy associated with blockchain, scalability of blockchain, and resource consumption (computational power, memory, network bandwidth). An insightful analysis on the research perspectives and challenges for Bitcoin and other cryptocurrencies [65] has been presented in the past and gives a nice overview of scalability, security, privacy and consensus of cryptocurrencies.

We can summarize our discussion in Section III-B in the form of generic research problems and research challenges in the area of blockchain consensus mechanisms as follows. Construct a new blockchain consensus mechanism that is better than the existing ones from the following perspectives:
1) Less energy consumption;
2) More efficient consensus achievements;
3) Better security than the existing consensus mechanisms.
However, further in the paper when we identify a more concrete and focused research challenge, we formulate it in the form of a Research Problem. For example, from the discussion given in Section III-A we can formulate the following:
Research Problem 1: Construct sustainable blockchain systems that have one of the following properties:
1) They are provably resistant to giving mining advantages to ASIC miners as opposed to GPU and CPU miners;
2) They are provably resistant to giving mining advantages to ASIC and GPU miners as opposed to CPU miners.

If we observe the blockchain as a layered architecture, we can identify the challenges that occur in each layer. Table 4 shows blockchain as a stack of five layers. These five layers serve the following purposes:
• Smart contract layer processes contract data and sends the result data to the transaction layer.
• Transaction layer creates the transactions and sends those to the consensus layer.
• Consensus layer runs the consensus algorithm and adds the transactions to the block.
• Network layer deals with all P2P communication among blockchain nodes.
• Database layer stores the blockchain data in a respective database used by the respective blockchain platform.
Table 4 gives a glimpse of the blockchain layered architecture and also mentions some of the cryptographic techniques to achieve properties like security and privacy. In Table 4, the first column defines the layers of blockchain, and the


first row illustrates the properties which can be accomplished in the different layers using different cryptographic techniques. Thus, to understand, each cell corresponds to the deployed cryptographic method to attain the property in the corresponding column in the respective blockchain layer (corresponding row). For example, encryption can be used to achieve confidentiality in the smart contract layer, and a Message Authentication Code (MAC) can be used to achieve integrity in the network layer of blockchain. Table 4 names a few of the techniques used in the blockchain, but there are more available cryptographic techniques which can be employed in blockchain. ‘‘–’’ in Table 4 represents that the corresponding property for the corresponding layer does not make much sense. Some of the significant challenges of blockchain are as follows.

A. SECURITY AND PRIVACY
For any blockchain, a key evaluation parameter is how well the security and privacy conditions meet the requirement of the blockchain. Analyzing the security and privacy issues of blockchain is a broad research area, and some studies have been conducted in this area. Here we do not cover those details; instead we only define these terms. Security is defined as three components: confidentiality, integrity, and availability. In a generic context, (i) confidentiality is a set of rules that limits access to information, (ii) integrity is the assurance that the information is trustworthy and accurate, and (iii) availability is a guarantee of reliable access to the information by authorized people. However, in the case of blockchain, the term Information used in the above context can have multiple meanings such as data in the database, smart contract data or transactions. Privacy can be defined as data privacy and user privacy (anonymity). Table 4 includes some cryptographic mechanisms for achieving security and privacy of information subjected to different blockchain layers.

In the light of the recent increased number of incidents with the security of the different layers of blockchain platforms and the theft of millions of dollars worth of cryptocurrencies, we formulate the following research problem.
Research Problem 2: Construct a penetration testing tool, irrespective of the blockchain platform, to test the security and privacy requirements for each layer of any blockchain platform.

B. SCALABILITY ISSUES
The size⁵ of blockchain is continuously growing, and scalability is becoming a big problem in the blockchain domain. Scalability depends on the underlying consensus, network synchronization and architecture. To scale the blockchain, the computational power and the bandwidth capabilities should be high for each node in the blockchain, which is practically infeasible. Most of the current blockchains grant limited scalability.

⁵ https://bitinfocharts.com gives most of the statistics (including size) of popular cryptocurrencies.

One proposal how to address the scalability problems of the blockchain ledger is the so-called ‘‘SPV, Simplified Payment Verification’’ [66]. It verifies if particular transactions are valid but without downloading the entire ledger. This method is used by some wallet and lightweight Bitcoin clients, and its security was first analyzed in [67]. Another proposal to achieve high scalability is to use erasure codes in blockchain by encoding validated blocks into a small number of coded blocks. A recent work [68] proposes the use of fountain codes (a class of erasure codes) to reduce the storage cost of blockchain by an order of magnitude and hence achieve high scalability. Applying other types of erasure codes for distributed storage, such as regenerating codes [69], [70], locally repairable codes [71], [72] or a combination of both types of codes [73], [74], may reduce even further the storage and communication costs.

Another issue in connection with the scalability is the issue of interoperability. Namely, it is a fact that the number of different public ledgers is increasing rapidly. While some sort of a rudimentary interoperability has been implemented in cryptocurrency exchange platforms [75], the risks and insecurities with these platforms are vast and well documented [76].
Research Problem 3: Construct a new blockchain mechanism that periodically prunes its distributed ledger (reduces its size), producing a fresh but equivalent ledger, while provably keeping the correct state of all assets that are subject of the ledger transactions.
Research Problem 4: Construct secure protocols for blockchain interoperability.
A recent reference [77] strongly supports our Research Problem 3 since it admits that the Ethereum blockchain is almost full now and hence the scalability is a big bottleneck.

C. FORKING
A blockchain fork is essentially caused when two miners find a block at almost the same time due to a software update or versioning. In a blockchain network, each device or computer is considered as ‘‘a full node’’ which runs software to keep the blockchain secure by verifying the ledger. The software is updated to adjust some parameters and to install new features in the blockchain. This updated software may not be compatible with the old software. Consequently, the old nodes which have not updated their software and the new nodes which have performed a software update can cause a fork in the blockchain when they create new blocks. There are two types of forks: one which is not compatible with the previous software version, called a hard fork, and another one which is compatible with the previous version (backward-compatible), called a soft fork. A hard fork happens when there is a significant change in the software such as a change of block parameters or a change of consensus mechanism. In the case of Ethereum, a hard fork will occur when it will migrate from Proof of Work to Proof of Stake. One example of a soft


fork is Segregated Witness (SegWit), which was implemented in Bitcoin by changing the transaction format. Recently, the privacy coin Beam [78] (an implementation of the Mimblewimble privacy protocol) conducted its first hard fork away from ASICs. Figure 4 depicts a blockchain forking scenario where the correct chain can be any of these two forked chains depending on the case of the hard or soft fork.

FIGURE 4. Blockchain forking.

Research Problem 5: Construct a forking-free consensus mechanism for permissionless public blockchain.

D. THROUGHPUT
It is a measure of the number of blocks appended in blockchain per second, which effectively means the number of transactions processed per second. Throughput depends on many factors such as the underlying consensus algorithm, the number of nodes participating in consensus, network structure, node behavior, block parameters and the complexity of the contract (in case of smart contract supported blockchains). The complexity of a smart contract depends on whether the programming language of the blockchain is Turing-complete or not. However, regarding Turing-completeness of blockchains [79], there is always a division within the blockchain community. Considering these primary factors, attaining high throughput is a bit hard in blockchain. However, for value-asset blockchains to achieve high throughput, the size of the transaction can be reduced by excluding some information from the transaction, and the throughput can be increased by increasing the block size and the bandwidth of the network up to a certain level.

The number of transactions per second was recognized as a serious problem in the Bitcoin network. While in the peak holiday period Visa and MasterCard can handle up to 50,000 transactions per second worldwide, the Bitcoin network can handle just 7 transactions. One proposal how to address this scalability issue is ‘‘The Bitcoin Lightning Network’’ [80]. It is a network that handles the Bitcoin transactions instantly, off the main ledger. It establishes a network of micropayment channels that addresses the malleability by using Bitcoin 2-of-2 multi-signatures. Special nodes are needed for these micropayment networks and as of June 2019, there were around 4,500 nodes. The first financial transaction via the Lightning network was reported in January 2018. Litecoin decided to follow the Bitcoin Lightning network, and as of March 2019 there were more than 1000 registered nodes that handle the micropayments for that alternative cryptocurrency. Many other solutions were proposed to solve the scalability issue, similar to the Lightning off-chain computation and off-chain state channels, such as Sharding [81], Plasma [82], Liquid [83] and the recent Channel Factories [84].

As the Lightning network has gained popularity, new research challenges emerge as explained in [85], and here we rephrase one of their research challenges.
Research Problem 6 [85]: Develop scalable protocols that will perform multi-hop payment-channel and path-based transactions with strong privacy guarantees even against an adversary that has network-level control.
Addressing Problem 6, many works have been done in the past, but all those works are mostly compatible with the Bitcoin or Ethereum blockchain. Recent works [86], [87] on multi-hop payment channels provide value privacy and security but only for Bitcoin-compatible blockchains. Instead of supporting only payments like the Lightning network, there are off-chain state channels, like Celer Network [88], which support general state updates while providing significant improvement in terms of cost and finality.
Research Problem 7: Develop a fully functional state channel with strong security and privacy guarantees.

E. ENERGY CONSUMPTION
The mining process of blockchain (e.g., bitcoin mining) consumes a lot of energy. Most of the PoW puzzle based consensus protocols waste a huge amount of energy.⁶ Many alternative consensus algorithms are introduced which use less energy than Bitcoin’s PoW such as PoS [45], Equihash [46], and PBFT [47]. Energy is also consumed during communication over the network. Some cryptographic mechanisms also consume high energy, so the selection of a proper cryptographic mechanism should be based not only on the memory requirement and the computational load but also on the amount of energy consumption. The use of blockchain should be energy efficient and to fulfill that 1) PoS-like consensus should be used and 2) proper energy management techniques should be utilized, for example in the case of Internet-of-Things (IoT).

⁶ https://digiconomist.net/bitcoin-energy-consumption depicts Bitcoin energy consumption index charts in TWh per year. It also shows the energy consumption per country.

F. INFRASTRUCTURE DEPENDENCIES
The blockchain infrastructure is built with several elements of network protocols, cryptographic concepts, and mining hardware. All these elements depend on each other in some sense. If we look into the layered architecture of blockchain in Table 4, each layer is dependent on its upper and lower layers for some input/output. Thus, there are many infrastructure dependencies in blockchain. For instance, the data from the smart contract layer is an input to the transaction layer that outputs actual transactions; the data from the consensus layer


results in an input to the network layer through a communication protocol; and the data from the network layer is sent to the database through database storage management. These dependencies must be taken into account while building a comprehensive blockchain framework for any use case; otherwise, some of the blockchain functionalities will not be fulfilled.

From the blockchain infrastructure perspective, we have to mention here one evolving and enabling technology that will be very important in the next decade: 5G. 5G will connect hundreds of billions of IoT devices, but that vast number of devices can be governed securely only by strong decentralized mechanisms offered by the blockchain technologies [89], [90]. We formulate this debate as the following.
Research Problem 8: Construct efficient, scalable, inexpensive and sustainable blockchain systems capable of handling and securely managing up to billions of IoT devices connected via the 5G network infrastructure.

V. OVERVIEW OF USED CRYPTOGRAPHIC CONCEPTS IN BLOCKCHAIN
From the cryptographic point of view, many of the cryptographic techniques have already been exhibited and heavily employed in various blockchain platforms and blockchain use-cases [17]. As the spectrum of the cryptographic concepts is vast, there is always a scope to dig out some of the existing cryptographic schemes and use them in blockchain services.

FIGURE 5. Signing process of blockchain transaction/block.

FIGURE 6. Verification of digitally signed transaction/block.
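Figures 5 and 6 (captions above) show a signer producing a signed transaction with a private key and other nodes checking it with the public key, and Section V-B below describes the interactive zero-knowledge protocol of Figure 7; the following added example (not code from the paper) builds both from one primitive, the three-move Schnorr identification protocol over secp256k1 and its Fiat-Shamir transform into a textbook Schnorr signature. It assumes the standard secp256k1 parameters and SHA-256 as the challenge hash and follows the textbook scheme rather than the BIP340 encoding; the simulator shows that an accepting transcript can be fabricated without the private key, which is why the challenge must be chosen only after the commitment (or bound to it by the hash).

```python
"""Schnorr identification protocol (interactive zero-knowledge proof of a private
key) and its Fiat-Shamir transform into a Schnorr signature, over secp256k1.
Added example, not code from the paper; textbook scheme, not the BIP340 encoding."""
import hashlib
import secrets

# secp256k1 domain parameters (the curve used by Bitcoin and Ethereum).
P = 2**256 - 2**32 - 977  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(a, b):
    """Affine point addition (and doubling) on y^2 = x^3 + 7 over F_P."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:  # a == -b
        return INF
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    """Double-and-add scalar multiplication; k is reduced mod the group order."""
    result, addend = INF, point
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def encode(point):  # uncompressed 64-byte encoding, used as hash input
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")

def keygen():
    """Private key d and public key P = dG (the signer's key pair of Figure 5)."""
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)

# --- Interactive Schnorr identification: the three moves of Figure 7 ---
def prover_commit():
    """Move 1: prover picks a fresh nonce r and sends the commitment R = rG."""
    r = secrets.randbelow(N - 1) + 1
    return r, ec_mul(r, G)

def verifier_challenge():
    """Move 2: verifier picks a random challenge e only AFTER seeing R."""
    return secrets.randbelow(N)

def prover_respond(r, d, e):
    """Move 3: response s = r + e*d mod N; the nonce r masks the private key."""
    return (r + e * d) % N

def verifier_check(pub, R, e, s):
    """Accept iff sG == R + eP, which holds exactly when s was formed with d."""
    return ec_mul(s, G) == ec_add(R, ec_mul(e, pub))

def run_identification(pub, d, rounds=8):
    """Full interactive protocol: accept only if every round verifies."""
    for _ in range(rounds):
        r, R = prover_commit()
        e = verifier_challenge()
        s = prover_respond(r, d, e)
        if not verifier_check(pub, R, e, s):
            return False
    return True

def simulate_transcript(pub):
    """Zero-knowledge: an accepting (R, e, s) built WITHOUT the private key by
    choosing e and s first and solving R = sG - eP; a transcript alone proves nothing."""
    s, e = secrets.randbelow(N), secrets.randbelow(N - 1) + 1
    eP = ec_mul(e, pub)
    R = ec_add(ec_mul(s, G), (eP[0], (-eP[1]) % P))  # sG + (-eP)
    return R, e, s

# --- Fiat-Shamir: the hash replaces the verifier's challenge -> signature ---
def challenge_hash(R, pub, msg):
    digest = hashlib.sha256(encode(R) + encode(pub) + msg).digest()
    return int.from_bytes(digest, "big") % N

def sign(d, msg):
    """Signer (Figure 5): e is derived from R, the public key and the message."""
    pub = ec_mul(d, G)
    r, R = prover_commit()
    return R, prover_respond(r, d, challenge_hash(R, pub, msg))

def verify(pub, msg, sig):
    """Verifier (Figure 6): any node recomputes e and checks sG == R + eP."""
    R, s = sig
    return verifier_check(pub, R, challenge_hash(R, pub, msg), s)
```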
In Table 5 we give a comprehensive summary of all cryptographic concepts that we will cover in this and in the next Section. It serves as a handy overview and quick reference table for our systematization of the cryptographic knowledge used in blockchain.

Following are some of the cryptographic concepts which have already been well analyzed and implemented in blockchain.

A. SIGNATURE SCHEME
A standard digital signature is a mathematical scheme based on public-key cryptography that aims to produce short codes called signatures of digital messages by the use of a private key, and where those signatures are verifiable by the use of the corresponding public key. In this context, digital signatures guard against tampering and forgeries in digital messages. A signature scheme is used in blockchain to sign the transaction, hence authenticating the intended sender and providing transaction integrity as well as non-repudiation of the sender. Many of the signature schemes are widely accepted to employ integrity and anonymity in blockchain. The digital signature is one of the most important cryptographic primitives that makes blockchain publicly verifiable and with achievable consensus. Signature schemes are used in almost every blockchain. Figure 5 represents a general example about how a blockchain user (signer) creates a digitally signed transaction or block using his private key. Moreover, Figure 6 shows how other blockchain nodes (verifier) verify whether the signature on the transaction or block is valid or not using the signer’s public key. Blockchain applies different signature schemes to provide additional features like privacy, anonymity, and unlinkability. Signature schemes can also be applied to generate constant size signatures using signature aggregation. Schnorr Signatures are a form of signature aggregation and it has been used in Bitcoin instead of P2SH [125] for scalability [126]. Some of the signature schemes applied in blockchain are:
1) Multi-Signature: In a multi-signature scheme, a group of users signs a single message. In a blockchain network, when a transaction requires a signature from a group of participants, it might be advantageous to use a multi-signature scheme. Blockchain platforms such as Openchain [127] and MultiChain [59] support an M-of-N multi-signature scheme which reduces the risk of theft by tolerating compromise of up to M-1 cryptographic keys. Boneh et al. also designed compact multi-signatures for smaller blockchains [128].
2) Blind Signature: In this scheme [129], signatures are employed in privacy-related protocols where the signer and the message authors (transaction in case of blockchain) are different parties. Blind signatures are used to provide unlinkability and anonymity of the transaction. In a blockchain setup, a blind signature might be helpful to provide anonymity and unlinkability where the transacting party and the signing party are different. Blind signatures have been used in the BlindCoin [130] distributed mixing network to provide the unlinkability of transactions.  Blind signatures are


TABLE 5. Summary of Cryptographic Concepts in Blockchain.

also tested in Bitcoin to provide anonymity for the Bitcoin on-chain and off-chain transactions [131].
3) Ring Signature: This scheme [132] uses a protocol where a signature is created on a message by any member of a group on behalf of the group while preserving the identity of the individual signer of the signature. Ring signatures are used to achieve anonymity of the signing party in the blockchain network. The CryptoNote [119] technology uses a ring signature scheme to create untraceable payments in cryptocurrencies. A trustless tumbling platform [133] also uses ring signatures for anonymity.
4) Threshold Signature: This signature scheme is a (t, n) threshold signature where n parties receive a share of the secret key to create the signature and t out of n parties create a signature over any message. As the parties directly construct the signature from the shares, the key is never revealed in the entire scheme. Threshold signatures can be helpful to provide anonymity in the blockchain network. CoinParty [134] uses a threshold signature scheme for multi-party mixing of Bitcoins. A recent work about a coin mixer, ShareLock [135], uses threshold ECDSA (Elliptic Curve Digital Signature Algorithm [136]) to provide a privacy-enhancing solution for cryptocurrencies. However, threshold ECDSA signatures are complex due to the intricacies of the signing algorithm. Other signature schemes, such as EdDSA (Edwards-curve Digital Signature Algorithm [137]) using the Edwards25519 curve, are efficient threshold signatures. The Libra [43] blockchain applies this EdDSA during new account address generation.

While digital signatures produced with the keys used in Public Key Infrastructure (PKI) are well legally regulated and can be used in different types of legal disputes, it is a big challenge how to achieve similar regulations with all types of digital signatures used in the existing blockchain solutions. Additionally, in the physical world if an asset is stolen (for example an expensive car, or an expensive watch), it can be traced back to its legal owner.
Research Problem 9: Develop security protocols that merge the existing standardized and legalized PKI systems with some of the developed blockchain systems.
Research Problem 10: Design an anti-theft blockchain system, i.e., a system that guarantees a return of stolen assets back to their legitimate owners.
Regarding Research Problem 10, recently the Vault proposal was re-launched. Its purpose is to shield the bitcoin wallet from theft without the need for hard forking [138]. However, for other blockchain systems, no such proposal or solution exists.

B. ZERO-KNOWLEDGE PROOFS
In zero-knowledge proofs [139], two parties, a prover and a verifier, participate. First, the prover asserts some statement and proves its validity to the verifier without revealing any other information except the statement. Thus, a zero-knowledge proof proves a statement such as ‘transfer of an asset is valid’ without revealing anything about the asset. Zero-knowledge protocols are extremely useful cryptographic protocols for achieving secrecy in applications. They can be used to provide the confidentiality of an asset (transaction data) in the blockchain while keeping the asset in the blockchain. Some of the public blockchains


use zero-knowledge proofs such as Zerocoin [124] or Zerocash [52] for untraceable and unlinkable transactions. Zerocoin is a decentralized mix and extension to Bitcoin for providing anonymity and unlinkability of transactions by applying zero-knowledge proofs. In the Zerocoin protocol, a user who has Bitcoins can generate an equal value of Zerocoins without the need of any third party mixing set. A user can spend his/her Bitcoin by 1) producing a secure commitment (i.e., Zerocoin), 2) recording it in the blockchain, and 3) broadcasting a transaction and a zero-knowledge proof for the respective Zerocoin. Hence, other users can validate the Zerocoin recorded in the blockchain and verify the transaction along with the proof. Here the zero-knowledge proof prevents the linking of a Zerocoin to a user, yet Zerocoin is a costly protocol due to its high complexity and large proof size.

To reduce the complexity and the proof size, a variant of zero-knowledge proof known as Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK) [140] is used by the Zerocash protocol. zk-SNARK hides the information about the amount and the receiver address in a transaction. The main idea of zk-SNARK is that any computational condition can be represented by an arithmetic circuit, which takes some data as input and gives true or false in response. zk-SNARK reduces the proof size and the computational effort compared to the basic zero-knowledge proofs. An enterprise-focused version of Ethereum, the Quorum blockchain platform [141], also uses zk-SNARK for transaction privacy and anonymity. Figure 7 illustrates an interactive protocol of zero-knowledge where the prover has a statement, and he/she wants to prove that the statement is correct without revealing any information related to the statement. In the interactive protocol, the verifier asks many questions related to the statement and the prover answers these questions in such a way that the prover proves the statement and does not reveal anything beyond its validity.

FIGURE 7. An interactive zero-knowledge protocol.

C. ACCESS CONTROL
It is a selective restriction on information or resources based on some policy or criteria. These mechanisms [142] can be enforced to put a restriction on access in the blockchain. The access can be a read/write access or an access to participate in a blockchain protocol. There are many different access control mechanisms such as role-based, attribute-based and organization-based access control which can be used in blockchain. Recent incidents show security breaches and data theft from certain blockchain platforms, which can be tackled and prevented by access control. The privacy of data can be ensured in blockchains by using access control [91], [92]. Nowadays, access control techniques are profoundly used in blockchain based medical applications [143] or blockchains for the insurance industry where the data is sensitive information that must be accessible to only trusted and authorized parties. There are different types of access control mechanisms which can be utilized in blockchain applications.
1) Role-based Access Control (RBAC): RBAC is an approach for restricting the system view to the users of the system according to their roles in the system. Thus, it can be applied in a blockchain framework where access is provided according to the user roles. RBAC is used in a blockchain based solution for healthcare [144]. A simple example depicted in Figure 8 describes the role-based access control in a private healthcare blockchain. Based on the role, each entity in the blockchain system has its own access rights. A Patient can ask for his personal medical data, however only the Doctor associated with the patient can enter or modify the patient’s health record in the blockchain. A Research Company on the other hand can ask for patients’ data for any disease for research purposes.
2) Attribute-based Access Control (ABAC): In ABAC, the access control rules are based on the attribute structure. These attributes can be user specific, environment-specific or object specific. For example, in a blockchain setup for the insurance industry, ’department’ could be an attribute through which the access of the blockchain data is restricted, which means the claims handling department would have a different

FIGURE 8. Role-based access control in healthcare blockchain.

148562 VOLUME 7, 2019


M. Raikwar et al.: SoK of Used Cryptography in Blockchain

view of the blockchain compared to the audit department. ABAC can be used in a fair access blockchain model [91] by keeping attributes in the policy.
3) Organization-based Access Control (OrBAC): OrBAC is one of the richest access control models. OrBAC consists of three entities (subject, action, object) which define that some subject has the permission to perform some action on some object. OrBAC has already been used in blockchain for IoT in a fair access blockchain model [91] and in a dynamic access control model on blockchain [145].

Other access control mechanisms such as context-based access control and capability-based access control (proposed in blockchain solutions for autonomous vehicles, smart cities and IoT [146]) can also be useful for different blockchain solutions.

D. ENCRYPTION SCHEME
Encryption is a process of encoding a piece of information so that only authorized parties can access it. It can be used to achieve confidentiality of blockchain data by encrypting it. There are many encryption schemes which can be used in blockchain. Symmetric-key encryption is used in Hyperledger Fabric for confidentiality of smart contracts [57] and in Blockchain for Smart Home [147]. Although searching and computation over encrypted data is a big challenge, there are many existing techniques which can be used for that purpose. Some of these techniques, such as searchable encryption for searching on encrypted data in the cloud, are already used in permissioned blockchain [148], and for computation over encrypted data, fully homomorphic encryption and functional encryption can also be utilized in blockchain. The Monero cryptocurrency [53] uses partially (additively) homomorphic encryption together with range proof techniques, yet supporting only value transactions.

In order to assure confidentiality and authenticity of data simultaneously, authenticated encryption can be used in blockchain. In authenticated encryption, two peers establish a connection, exchange their public keys and compute a shared secret which is used as the symmetric key for the authenticated encryption algorithm. The recently finished cryptographic competition CAESAR [149] has identified a portfolio of six ciphers for authenticated encryption. So far, as of this writing (June 2019), none of those ciphers has been deployed in any blockchain system.

Broadcast encryption can be used in blockchain to provide the anonymity of blockchain receiver nodes. Reference [150] proposes its use for availability and accountability of IoT by blockchain. In broadcast encryption, every user in the group receives the encrypted message, although only users with the correct permission or key can decrypt it.

E. SECURE MULTI-PARTY COMPUTATION (SMPC)
Secure Multi-party Computation enables parties to act together in a way that no single party has access to all of the data, and hence no one can leak any secret information. The main idea of an SMPC scheme is that the parties jointly compute a function over their inputs without disclosing those inputs. For example, a group of people can compute the average salary of the group without disclosing their actual individual salaries. The blockchain platform Enigma [117] leverages the concept of SMPC to achieve strong privacy. In the Enigma platform, a blockchain network is combined with an SMPC network, where the blockchain network contains the hashes and the SMPC network contains the data corresponding to those hashes, which is split among different nodes. For each node, the view over the SMPC network differs as everyone has a different piece of information. Specifically, each node contains a random piece of data, and no single party ever has access to the entire data.

A blockchain model Hawk [118] for privacy-preserving smart contracts also specifies the use of SMPC to minimize the trust in the generation of the common reference string of the SNARK proof used in the model. SMPC can also be exercised for private data storage in a decentralized system, such as Keep [151]. Keep provides a privacy-focused storage solution for Ethereum. In this system, network nodes collaborate to provide secure decentralized data containers, called keeps, which can be accessed from smart contracts on Ethereum.

FIGURE 9. Cross-Chain transfer mechanism of blockchain using SMPC.

An application of SMPC can also be seen in the Wanchain [116] Cross-Chain network. Figure 9 reflects the SMPC idea in the cross-chain transfer model. In the Wanchain network, if user A wants to send an asset (say ETH) from one blockchain (say the Ethereum blockchain) to user B on the Wanchain blockchain, then at first the asset value is locked in an account on its original chain using a smart contract. This locked account holds control of the funds. The equivalent token WETH is sent to the other user B of the Wanchain network. When user B wants to convert its WETH to ETH, the locked amount is released from the locked account and sent to user B, and the equivalent portion of WETH is burned. This locking and unlocking of asset value (ETH) happens using SMPC. Wanchain has a concept of Storeman nodes


which work together and perform locking and unlocking of the account. These Storeman nodes jointly create the public and private key pair of the related locked account. This shared account private key is scattered among the Storeman nodes as pieces of the key. To unlock the account, M out of N (M ≤ N) Storeman nodes contribute their shares of the private key to generate the signature jointly using MPC.

F. SECRET SHARING
In this concept, a secret is divided into multiple parts among the participants, and it is reconstructed by using a minimum number of parts. These parts are called shares and they are unique for each participant. Secret sharing is used to secure sensitive information. A secret sharing scheme is advantageous in SMPC for distributing the shares among parties. Shamir's secret sharing [152] is already being used to distribute transaction data, without a significant loss in data integrity, in blockchain [153]. Decentralized Autonomous Organizations (DAO) can take advantage of secret sharing by distributing the shares of information among the system nodes rather than storing the full information in each node. Secret sharing in a DAO can be practiced in consensus where each participating node stores a set of shares of the system state rather than storing the full system state. These shares are points on polynomials which make up part of the state.

Secret sharing schemes are also used in different off-chain and on-chain bitcoin wallets to safeguard the private keys of the crypto holders. For example, suppose an organization wants to store its bitcoin with a single master private key. In that case, a secret sharing scheme helps to store the same key among multiple people. A simple example of this scenario is sharing a bitcoin wallet key among three people by distributing the shares of the key. These individual shares do not convey any information about the actual key. However, any 2 of the 3 people can reconstruct the key using their shares, as presented in Figure 10. Secret sharing schemes can also benefit blockchain by storing secret information in a decentralized way so that unauthorized parties cannot access it. Secret sharing is used in blockchain for different purposes such as the secret share-based fair and secure voting protocol (SHARVOT) [115] and a new cryptocurrency based on mini blockchain [154].

G. COMMITMENT SCHEME
A commitment scheme is a digital analog of a sealed envelope. It is a two-phase game between two parties where the phases are commit and open. The commit phase involves hiding and binding of a secret by the first party and sending it to the second party, while the open phase is to prove that the first party did not cheat the second party in the commit phase. Therefore, a commitment scheme satisfies the aforementioned two security properties: hiding and binding. Hiding ensures that the receiver cannot see the message before the open phase, while binding ensures that the sender cannot change the message after the commit phase. The following example shows a binding commitment:
1) Pick a secret value s to commit from 0 to p − 1, where p is a large prime number;
2) Calculate the value c = g^s mod p;
3) Publish the value c as a commitment.
In the above example, the binding property follows as it is infeasible for the sender to find any other value y which gives the same c. Here, finding the value s from known c, p and g is the computationally hard discrete logarithm problem, but any party can verify the commitment value c if s is provided. There are many commitment schemes such as the Pedersen commitment [155] and the elliptic curve Pedersen commitment. Zerocoin [124] uses the Pedersen commitment to bind a serial number s to a Zerocoin z. The commitment c is given as follows:

c = g^s h^z mod p.

Here g, h, and p are known to everyone, and the user chooses s, z and computes and publishes the commitment c. These s, z cannot be computed from c even if one of them is provided. As a consequence, in Zerocoin when the serial number s is published, the user can prove his/her ownership by providing z. The Pedersen commitment has also been used to build the blockchain-oriented range proof system Bulletproof [95], and its elliptic curve version is also successfully implemented in Monero [53], [96]. A switch commitment scheme is designed for confidential transactions in blockchain [156].
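The 2-of-3 wallet-key split of Section F (Figure 10) and the salary-average computation mentioned in Section E, as an added example that is not the paper's code: Shamir shares over a prime field, reconstruction from any two shares, and a summation carried out on the shares so that only the total is ever opened. The field prime, the key and the salary values are constructed for this example.

```python
import secrets

# Field prime for the shares: the secp256k1 field prime, so a 256-bit wallet key
# fits as a field element (constructed choice for this example).
P = 2**256 - 2**32 - 977


def make_shares(secret, k, n):
    """Split `secret` into n Shamir shares; any k of them reconstruct it.

    The dealer picks a random polynomial f of degree k-1 with f(0) = secret
    and hands party x the point (x, f(x)). Fewer than k points leave f(0)
    uniformly distributed, so a single share reveals nothing about the key.
    """
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def reconstruct(shares):
    """Lagrange-interpolate the given shares at x = 0 to recover f(0)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # den^(P-2) is den^-1 mod P (Fermat), P being prime
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def mpc_sum(inputs, k):
    """Secure summation on top of Shamir shares (the SMPC idea of Section E).

    Party i deals its private input into n shares and sends share number j
    to party j. Party j adds up the shares it received; because shares are
    points on polynomials, the sums are shares of the sum of the inputs.
    Any k parties can then open the total, but no party ever sees another
    party's input.
    """
    n = len(inputs)
    dealt = [make_shares(v, k, n) for v in inputs]  # dealt[i][j]: party j+1's share of input i
    return [(j + 1, sum(dealt[i][j][1] for i in range(n)) % P) for j in range(n)]


def average_salary(salaries, k):
    """Average of private salaries where only the total is ever reconstructed."""
    total = reconstruct(mpc_sum(salaries, k)[:k])
    return total // len(salaries)


if __name__ == "__main__":
    # Constructed sample: a 2-of-3 split of a wallet private key (Figure 10).
    wallet_key = secrets.randbelow(P)
    shares = make_shares(wallet_key, 2, 3)
    assert reconstruct(shares[:2]) == wallet_key           # any two holders recover the key
    assert reconstruct([shares[0], shares[2]]) == wallet_key
    assert reconstruct(shares[:1]) != wallet_key           # one share alone is useless
    print("2-of-3 wallet key recovered from any two shares")
    # Constructed sample: three parties learn their average salary, not each other's.
    print("average salary:", average_salary([50_000, 70_000, 90_000], k=2))
```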
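The plain commitment c = g^s mod p of Section G's numbered example next to the Pedersen commitment c = g^s h^z mod p, as an added example that is not the paper's code. The group parameters p = 1019, g = 4, h = 9 are constructed toy values; the example also shows why the plain scheme is binding but not hiding when s comes from a small range.

```python
import secrets

# Toy group parameters (constructed for this example; far too small for real use).
# p = 2q + 1 with q prime, and G, H are squares mod p, so both generate the
# subgroup of prime order q. In a deployment H must be produced so that nobody
# knows log_G(H), e.g. by hashing to the group; here log_G(H) is trivially known.
P = 1019
Q = 509
G = 4
H = 9


def commit_plain(s):
    """The commitment of Section G's numbered example: c = g^s mod p."""
    return pow(G, s, P)


def open_plain(c, s):
    """Anyone can check a plain commitment once s is revealed."""
    return 0 <= s < P and c == pow(G, s, P)


def brute_force_plain(c, bound):
    """The plain scheme is binding but not hiding: if the committed value comes
    from a small range (an amount, a vote), a verifier simply tries every s."""
    for s in range(bound):
        if pow(G, s, P) == c:
            return s
    return None


def commit_pedersen(s, z=None):
    """Pedersen commitment c = g^s h^z mod p; z is the blinding (Zerocoin's z).

    Returns (c, z) so that the committer can keep z for the open phase."""
    if z is None:
        z = secrets.randbelow(Q)
    return pow(G, s, P) * pow(H, z, P) % P, z


def open_pedersen(c, s, z):
    """Verify an opening (s, z) of commitment c."""
    return c == pow(G, s, P) * pow(H, z, P) % P


def add_commitments(c1, c2):
    """Homomorphic property: commit(s1, z1) * commit(s2, z2) commits to
    (s1 + s2, z1 + z2). This is what lets range proofs such as Bulletproofs
    operate on committed amounts without opening them."""
    return c1 * c2 % P


if __name__ == "__main__":
    s = 5
    c_plain = commit_plain(s)
    assert open_plain(c_plain, s)
    # Hiding fails for the plain scheme when s is small: the value is recovered.
    assert brute_force_plain(c_plain, 100) == s
    # Pedersen: the same s under two different blindings gives unrelated values,
    # and a wrong opening is rejected (binding).
    c1, z1 = commit_pedersen(s)
    c2, z2 = commit_pedersen(s)
    assert open_pedersen(c1, s, z1) and not open_pedersen(c1, s + 1, z1)
    assert c1 != c2 or z1 == z2
    # Homomorphism: sum of committed values without opening either.
    c3, z3 = commit_pedersen(10)
    assert open_pedersen(add_commitments(c1, c3), s + 10, z1 + z3)
    print("plain commitment recovered by search:", brute_force_plain(c_plain, 100))
    print("pedersen commitment:", c1, "opens with s =", s, "z =", z1)
```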
FIGURE 10. Secret-Sharing-Scheme 2-of-3 for a cryptocurrency wallet private key.

H. ACCUMULATOR
An accumulator is a one-way function which gives a membership proof without revealing the individual identity in the underlying set. This can be used in blockchain to build other cryptographic primitives such as commitments, ring signatures, and zero-knowledge proofs. The Merkle tree, used in many cryptocurrencies, fits under the more comprehensive class of cryptographic accumulators, which are space- and time-efficient data structures to test for set membership. Figure 11 shows how blockchain transactions are represented in the Merkle tree, and the Merkle root is stored in the block structure of the blockchain. Non-Merkle accumulators are classified as RSA accumulators and elliptic curve accumulators.

In Zerocoin [124], an accumulator A is computed by the network over all coin commitments (c_1, c_2, . . . , c_n) along


with the appropriate membership witnesses for each item in the set. The witness w is computed by accumulating the coins with the exception of one. In this way, during a Zerocoin spend transaction, a user proves the knowledge of one coin by using that witness. This witness w and accumulator A are publicly verifiable without any trusted third party. Accumulator A in Zerocoin is defined as:

A = u^(c_1 c_2 c_3 ··· c ··· c_n) mod N,

where the integers A, u and N are known to everyone. The coin c is a Pedersen commitment of a coin serial number s and the random number z. Zerocoin uses a Random Number Generator (RNG) to generate different s and z to find c using the Pedersen commitment until c is prime. The witness w of a coin c is defined as the accumulation of all coins with the exception of c:

w = u^(c_1 c_2 c_3 ··· c_n) mod N.

Accumulators can also be employed for range proofs in blockchain. Accumulators are used in [93] to design a stateless blockchain where, in order to participate in consensus, the node only needs a constant amount of storage.

FIGURE 11. Merkle tree of blockchain transactions.

I. OBLIVIOUS TRANSFER (OT)
Oblivious Transfer is a two-party protocol between a sender S and a receiver R. The general type of oblivious transfer is k-out-of-n oblivious transfer, $\binom{n}{k}$-OT, where k < n, in which S holds n messages and R retrieves simultaneously k of them without letting S know which k out of the n messages R received. Oblivious transfer was introduced by Rabin [157], in whose protocol a sender sends a message to a receiver with probability 1/2. The protocol is called $\binom{2}{1}$-OT, and it proceeds as follows:
1) Sender S chooses two large primes p, q and computes N = pq, and then the sender generates an RSA public key (e, N) such that e is relatively prime to (p − 1)(q − 1).
2) S computes the ciphertext c of message M as c = E_(e,N)(M) = M^e mod N and sends e, N, c to receiver R.
3) R chooses a random x ∈ Z_N^* and sends a = x^2 mod N to S.
4) S computes the four square roots of a mod N, chooses one of the roots y at random and sends it to R.
5) R checks whether y^2 ≡ a (mod N), and if y ≢ ±x (mod N), then R will be able to factor N and, hence, be able to decrypt c to recover M.
$\binom{2}{1}$-OT is complete for secure multi-party computation. Oblivious transfer has been realized in secure multiparty computation to create private and verifiable smart contracts on blockchain [158]. Oblivious transfer can also be utilized for the exchange of secrets, private information retrieval, and building protocols for signing contracts. A lot of work has been done on oblivious transfer, and some of these works have been applied in blockchains such as Searchain [107] and APDB [108] (for automated penalization of data breaches using crypto-augmented smart contracts).

J. OBLIVIOUS RAM (ORAM)
Oblivious RAM is a cryptographic protocol through which a client can safely store his/her data on an untrusted server. The client performs read and write operations remotely. ORAM hides the memory access pattern from the server as well as from outside entities accessing that part of the data. Therefore, if a client performs two operations of equal length, then the polynomially bounded adversarial server cannot distinguish between these operations. ORAM bestows freshness, confidentiality of data and integrity, so it can be used in various blockchain use-cases and applications. Solidus [105], a protocol for confidential transactions on public blockchain, uses oblivious RAM. The Solidus framework operates on a modest number of banks where each bank maintains a large number of user accounts. Solidus introduces a new primitive called Publicly Verifiable Oblivious RAM Machine (PVORM). Most of the previous usage of Oblivious RAM is performed by a single client to outsource storage. In Solidus, ORAM is used to store user account balances, and PVORM is used to verify the valid transaction set of a bank. Oblivious RAM is also used in the client-server ORAM protocol [106], Externally Verifiable Oblivious RAM, where Ethereum's automated crypto-currency contracts adjudicate the disputes that occur due to a malicious server by penalizing the server.

K. PROOF OF RETRIEVABILITY (POR)
With the advent of cloud computing, a client might outsource his/her data to the cloud, but still, the client needs a guarantee that the old data has not been modified or deleted. This can be achieved by using proof of retrievability [159], which is an interactive mechanism between a client (verifier) and a server (prover) where the server provides a compact proof to the client that his/her data is intact and he/she can recover the data at any point of time. In this direction, to verify the proof, the client should be equipped with devices having some computational power and network access. This requirement hinders the large-scale adoption of POR by cloud users. To solve this issue, outsourced proof of


retrievability (OPOR) [160] is introduced, where external auditors verify the POR with the cloud provider on behalf of the clients. The OPOR protocol specification uses Bitcoin functionalities for the building blocks.

Permacoin [112] uses proof of retrievability. The primary goal of Permacoin is the distributed storage of archival data. As in Bitcoin's mining mechanism, the client continuously invests his/her computational power, and in addition to the computational power, his/her storage is invested. As a consequence, Permacoin requires storage overhead and high bandwidth consumption. To solve these issues, Retricoin [113] is proposed to repurpose the mining work in order to ensure the retrievability of a large file at any point of time. Retricoin also proposes a new algorithm for miners to mine collectively. Storj [114] also uses POR to prove the existence of a fresh copy of a shard on the storer side. As a result, POR can be employed in many cryptocurrencies and blockchain applications.

L. POST-QUANTUM CRYPTOGRAPHY
Recent advances in quantum computing pose a severe threat to classical cryptography, as most of the widely used cryptography is based on the hardness of some problem which can be efficiently solved using quantum computers. Thus, research in Post-Quantum cryptography [161] has taken a massive leap. The security impact of breaking public key cryptography by quantum computers would be tremendous. Elliptic curve cryptography (ECC), which is an approach to public key cryptography, is mostly used in blockchain applications. Using a variant of Shor's algorithm [162], a quantum computer can easily forge an elliptic curve signature that underpins the security of each transaction in blockchain, and so the breaking of ECC will affect blockchain in terms of broken keys and, hence, digital signatures.

Research in this field is on the rise to create Post-Quantum resistant digital signatures (BPQS) [163], which is a hash-based signature and uses one-time signature (OTS) schemes as a building block. OTS does not depend on any number-theoretic hard problem, and it requires only a secure cryptographic hash function; hence, it is not vulnerable to Shor's algorithm. BPQS has advantages like shorter signatures, faster key generation, and customizability. Post-Quantum cryptography is also used to design a Post-Quantum blockchain [109] using one-time signature chains or to create a secure crypto-currency based on a Post-Quantum blockchain [110].

For quantum-proof solutions, research is now focused on Lattice-based cryptography [164], multivariate cryptography [165], hash-based cryptography [161], and code-based cryptography [166]. Most of the developed primitives within these areas offer either signatures or public keys that are orders of magnitude bigger than the currently used ones, and that is really a hard research challenge that we formulate as:
Research Problem 11: Construct a new blockchain mechanism that has comparably efficient public key addresses and comparably small digital signatures as the currently used ones, but that is based on Post-Quantum cryptographic schemes.

M. LIGHTWEIGHT CRYPTOGRAPHY
Conventional cryptographic methods such as RSA and SHA256 work well on systems having reasonable memory and processing power, but these methods are not suitable for devices constrained in memory, physical size, and battery. Conventional cryptographic methods are challenging to implement in resource-constrained devices due to implementation size, large key size, throughput, speed, and energy consumption. To solve these issues, lightweight cryptography has evolved. Lightweight cryptography targets sensor networks, embedded systems and a variety of other resource-constrained devices such as IoT end nodes and RFID tags. Lightweight cryptography is simpler and faster than conventional cryptography but less secure (suffers from many attacks). In IoT, embedded devices having sensors are interconnected through a public or private network. As these are resource-constrained devices, lightweight cryptography solves the issues of communication, memory, and power consumption, but still lacks security. To provide better security, blockchain can be used in conjunction with the sensor network.

Reference [167] reinforces our point to use lightweight cryptography and blockchain for IoT devices to improve security (confidentiality and integrity of IoT device data). A lightweight scalable blockchain (LSB) [102] is also introduced to improve IoT security and privacy. LSB uses a lightweight hash function and a lightweight consensus algorithm in order to achieve scalability, security, and privacy. Blockchain is also used to cater for security in electric vehicles, cloud and edge computing [103], which use lightweight cryptographic primitives like lightweight symmetric key encryption.

N. VERIFIABLE RANDOM FUNCTION (VRF)
This cryptographic primitive [168] is a pseudorandom function which gives a publicly verifiable proof of its output based on a public input and a private key. In short, it maps inputs to verifiable pseudorandom outputs. VRFs can be used to provide deterministic precommitments which can be revealed later using proofs. VRFs are resistant to pre-image attacks, unlike traditional digital signatures. A VRF is a triple of the following algorithms:
• KeyGen(r) → (VK, SK). The key generation algorithm generates verification key VK and secret key SK on random input r.
• Eval(SK, M) → (O, π). The evaluation algorithm takes secret key SK and message M as input and produces pseudorandom output string O and proof π.
• Verify(VK, M, O, π) → 0/1. The verification algorithm takes as input verification key VK, message M, output string O, and proof π. It outputs 1 if and only if it verifies that O is


the output produced by the evaluation algorithm on input secret key SK and message M; otherwise, it outputs 0.

In the context of blockchain, many Proof of Stake blockchains use VRF to perform secret cryptographic sortition, that is, electing the leader and committee as part of the underlying consensus protocol. The Proof of Stake blockchain protocols given in [169] use VRF to elect block proposers and voting committee members. Algorand [37] and the Witnet network protocol [170] also employ VRF to conduct secret cryptographic sortition. Ouroboros Praos [121] uses VRF on the current timestamp and nonce to determine whether a participant is eligible to issue a block. The Dfinity [122] network is a decentralized cloud computing resource which uses VRF to generate a stream of outputs over time. Thus, the usage of verifiable random functions brings many advantages to be exploited in blockchain and opportunities for more research.

O. OBFUSCATION
Obfuscation is a way of transforming a program P into a ''Black-box'' equivalent program Q = O(P) so that P and Q give the same output when the given inputs are the same. It should be hard to find out the internal logic or structure of the program once it is obfuscated. Obfuscation aims to make reverse engineering difficult by making the program unintelligible while preserving its functionality. Finding a perfect black-box obfuscation is mathematically impossible. Along these lines, a weaker solution is to find an ''Indistinguishability Obfuscation'' so that one cannot determine whether the generated output is from the original program or the obfuscated program. A very simplified example for understanding Indistinguishability Obfuscation is the following: there are two equivalent programs P = x ∗ (y + z) and P' = x ∗ y + x ∗ z. They are obfuscated such that we have O(P) and O'(P'). We say that the obfuscated programs O(P) and O'(P') are indistinguishable if, on a received output o, one cannot determine which of the two programs gave that output.

Obfuscation can be applied for witness encryption, functional encryption, and restricted use of software. It can be applied in blockchain to turn a smart contract into a black box. An obfuscated smart contract can also possess a secret key to decrypt an encrypted input to the smart contract. As a result, publicly running contracts can hold secret data inside by obfuscating the smart contract. Figure 12 depicts an obfuscated smart contract which stores the private key corresponding to a public key that is used to encrypt the transaction data. It is hard to get the corresponding private key because of the obfuscated smart contract.

FIGURE 12. An example of smart contract obfuscation.

One of the very first successful attempts to offer a very limited variant of obfuscation in Bitcoin was the standardization of the ''Pay to script hash (P2SH) transactions'' [125]. The amounts of Bitcoins in P2SH transactions are sent to a script hash instead of a public key hash. We say that it was a limited variant of obfuscation because, in order to spend Bitcoins received via P2SH, the recipient must provide a script that matches the script hash. Still, the successful acceptance of the P2SH transactions without causing a hard fork in Bitcoin showed that there is an interest in obfuscation in Blockchain, and that the subject is a viable research area.

Research on obfuscation in Bitcoin [104] has been conducted and can be adapted for other cryptocurrencies and blockchain applications. Obfuscation is also used in blockchain for power grid consumption [171], where noise is added to the user's electricity consumption data through obfuscation, and the electricity consumption data is divided into random and non-random obfuscated data.

As noted in [172], the definition and characteristics of some languages determine how easy it is to obfuscate programs written in those languages. For example, C, C++, Java and Perl are languages that offer easier program obfuscation. What about the scripting languages used in Blockchain? We reformulate this question as a research problem:
Research Problem 12: Study the easiness/hardness of obfuscating programs written in the scripting languages used in the current blockchain systems. Study the feasibility of applying some of the developed obfuscation techniques in C, C++, Java and Perl to the blockchain scripting languages.

VI. PROMISING BUT YET NOT EMPLOYED CRYPTOGRAPHIC PRIMITIVES IN BLOCKCHAIN
This Section construes some cryptographic concepts which are promising candidates to be utilized in blockchain. These cryptographic concepts are not yet well-studied and fully applied in blockchain, but they have some excellent properties which overlap with some desired properties of blockchain. Therefore, some use cases and blockchain services can benefit from these concepts. The concepts included in this Section have either not at all been studied for use in blockchain or have been studied but not implemented yet. We include references which show some initial ideas of how to use these concepts in blockchain, but these references do not give any details about concrete implementation.

A. AGGREGATE SIGNATURE
An aggregate signature allows creating a single compact signature from k signatures on k distinct messages from k distinct signers. It provides faster verification as well


as a reduction in storage and bandwidth. As the requirement of storage and computation is high in blockchain, aggregate signatures can be used for a reduction in storage and computation. Aggregate signatures are the non-trivial generalization of multi-signatures (where all users sign the same message). There are two primary mechanisms of signature aggregation: general and sequential aggregation. In order to describe these mechanisms, assume a set of k users having public-private key pairs (PK_i, SK_i), where user i wants to sign message M_i.
1) In a general signature aggregation scheme, each user i (from the group of k users) creates signature σ_i on his/her message M_i. Now, to create the aggregate signature, anyone can run a public aggregation algorithm that takes all k signatures σ_1, σ_2, . . . , σ_k and compresses them into a single signature σ.
2) In a sequential signature aggregation scheme, user 1 signs M_1 to obtain σ_1; user 2 then combines σ_1 and M_2 to obtain σ_2; and so on. The final signature σ is generated by user k, which binds M_k and the signature σ_{k−1}. Sequential signature aggregation can only take place during the signing process.

Techniques for aggregating signatures are known for a variety of signature schemes such as DSA, Schnorr, pairing-based, and lattice-based. Aggregate signature schemes should prevent any adversary from creating a valid aggregate signature on his/her own. Aggregate signatures have been proposed for Bitcoin [94], and they can be applied to other cryptocurrencies and blockchain designs.
Research Problem 13: Construct an efficient new signature scheme based on aggregate signatures that is specifically tailored for blockchain transactions.

B. IDENTITY-BASED ENCRYPTION (IBE)
Identity-Based Encryption, first proposed as an idea in [173] and later realized as a complete cryptographic primitive in [174], allows the encrypting party to use any known (or supposedly known) identity of any receiving party as its public key. Upon receiving the encrypted message, the receiving party asks a trusted third party, the ''Private Key Generator (PKG)'', to generate the corresponding private key. Then the receiver decrypts the message using the private key received from the PKG. Nowadays, by using identity-based encryption, public keys can be generated using social identities (Facebook, Twitter, LinkedIn).

There are many flavors and extensions of IBE such as Hierarchical IBE [175], Attribute-based encryption [176], Decentralized attribute-based encryption [177] and Functional encryption [178], to name a few.

One of the specifics of IBE is that it replaces the role of the Public-Key Infrastructure with the trusted third party PKG. The presence of a trusted third party somehow defeats the purpose of using it in a permissionless blockchain, but there is still scope to use it in a distributed ledger. Namely, it seems that IBE can be used in a permissioned blockchain network. In a permissioned blockchain, a consortium of trusted third parties that distribute the private keys to the users can take the role of the IBE PKG. Another variant could be a smart contract layer being responsible for the generation of public-private key pairs inside the PKG using IBE.

We identified that the use of IBE within blockchain has started in [100] as well as in supply chain management [101]. Still, there are a lot of challenges and opportunities for other blockchain applications and services.
Research Problem 14: Construct an IBE based (or IBE related) permissioned blockchain network.

C. VERIFIABLE DELAY FUNCTION (VDF)
A Verifiable Delay Function (VDF) is a function f : X → Y which takes a prescribed number of sequential steps to compute; however, the output can be easily verified by anyone. This delay function prevents malicious miners from computing the random output, and it also provides a short proof which is used during the verification of the output along with previously generated public parameters. Boneh et al. described the concept of VDF [179] as well as illustrated the idea of how it can be applicable to blockchain. VDF can be efficiently used as a way to add a delay in decentralized applications. VDF can be used in decentralized systems such as in the leader election process of consensus mechanisms, constructing randomness beacons and proofs of replication.

A delay function was initially implemented in an Ethereum prototype [180], where the main idea was the verification of delay functions through a smart contract by using a multi-round protocol. After this prototype implementation, the concept of verifiable delay function was proposed by Boneh et al. Nowadays several blockchain industries are trying to use VDF in their consensus mechanisms. Chia Network [120], which is an open source blockchain, is trying to use VDF in its ''Proof of space and time'' consensus mechanism. Ethereum is also trying to develop a pseudorandom number generator using VDF. In this way, VDF brings opportunities to dig deeper and to be applied in the blockchain domain.
Research Problem 15: [181]: Finding a post-quantum secure simple VDF for the use of blockchain.

D. PRIVATE INFORMATION RETRIEVAL (PIR)
PIR is a cryptographic primitive in which a client queries a server and retrieves the corresponding response from the server without exposing the query terms or the response. It is a weaker version of 1-out-of-n oblivious transfer. It can facilitate private blockchain queries to fetch transaction data privately from the blockchain. Accordingly, it can be used to find out whether a particular transaction has been appended to the blockchain, or to check the transactions associated with a set of public keys and find out the remaining balances. In addition, PIR can be helpful to query transaction data in simplified payment verification (SPV) clients without compromising privacy. PIR requires an adequate amount of processing, but in the future there might be efficient PIR techniques which can be implemented in blockchain. PIR has

148568 VOLUME 7, 2019


M. Raikwar et al.: SoK of Used Cryptography in Blockchain
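The evaluate, prove and verify cycle that the VDF discussion above refers to, written out as an added example (editor's code, not from the paper and not the Chia or Ethereum implementation). It follows Wesolowski's construction: the evaluator performs T sequential squarings in an RSA group and publishes a short proof pi, and the verifier checks the result with two exponentiations of about 128 bits each instead of repeating the T squarings. DEMO_N is a constructed modulus whose factorization is known, so this instance is not a secure VDF; a deployment needs a group of unknown order (an RSA modulus from a trusted setup or a class group). The Miller-Rabin routine is probabilistic and is there only to derive the Fiat-Shamir prime challenge.

```python
"""Wesolowski-style verifiable delay function (added example, not from the paper)."""
import hashlib

# Constructed demonstration modulus: two known primes, so anyone who knows the
# group order can shortcut the squarings. A real deployment needs an RSA modulus
# of unknown factorization or a class group of unknown order.
DEMO_P = 1000000007
DEMO_Q = 998244353
DEMO_N = DEMO_P * DEMO_Q


def _is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; probabilistic for the 128-bit values used here."""
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def hash_to_prime(*values):
    """Fiat-Shamir challenge: a 128-bit prime l derived from (x, y, T)."""
    digest = hashlib.sha256(b"|".join(str(v).encode() for v in values)).digest()
    candidate = int.from_bytes(digest[:16], "big") | 1
    while not _is_probable_prime(candidate):
        candidate += 2
    return candidate


def vdf_eval(x, T, N=DEMO_N):
    """The slow, inherently sequential part: y = x^(2^T) mod N by T squarings."""
    y = x % N
    for _ in range(T):
        y = y * y % N
    return y


def vdf_prove(x, y, T, N=DEMO_N):
    """Proof pi = x^(floor(2^T / l)) mod N, where l = hash_to_prime(x, y, T)."""
    l = hash_to_prime(x, y, T)
    return pow(x, (1 << T) // l, N)


def vdf_verify(x, y, T, pi, N=DEMO_N):
    """Fast check: since 2^T = q*l + r, y must equal pi^l * x^r mod N."""
    l = hash_to_prime(x, y, T)
    r = pow(2, T, l)
    return (pow(pi, l, N) * pow(x, r, N)) % N == y % N


def run_demo(x=123456789, T=2 ** 12):
    """Evaluate, prove and verify; also show that a tampered output is rejected."""
    y = vdf_eval(x, T)
    pi = vdf_prove(x, y, T)
    honest = vdf_verify(x, y, T, pi)
    tampered = vdf_verify(x, (y + 1) % DEMO_N, T, pi)
    return honest, tampered
```

The verifier's cost is independent of T, which is exactly what a consensus protocol or a randomness beacon needs: one party pays the delay, everyone else checks it cheaply.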
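To make concrete what "without revealing which record" means in the PIR discussion above, here is a two-server information-theoretic PIR in the style of Chor, Goldreich, Kushilevitz and Sudan, added as an example (editor's code, not from the paper or from any blockchain client). DATABASE is a constructed list of fixed-size "transaction records" held identically by both servers. The client sends each server a random bit-vector, the two vectors differing only at the wanted index, so each server on its own sees a uniformly random query, while the XOR of the two answers is the wanted record. The last function shows the scheme's standing assumption: if the two servers collude, the index is exposed.

```python
"""Two-server XOR-based PIR (added example; database constructed for the demo)."""
import secrets

RECORD_SIZE = 24
# Constructed sample database of fixed-size "transaction records", indexed by
# position. Both PIR servers hold identical copies.
DATABASE = [f"tx{i:04d} amount={i * 7}".encode().ljust(RECORD_SIZE, b"\0")
            for i in range(32)]


def _xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def client_make_queries(index, n):
    """Two n-bit query vectors that differ only in position `index`.

    q1 is uniformly random, so alone it carries no information about `index`;
    q2 is q1 with one bit flipped and is therefore also uniform on its own.
    """
    q1 = [secrets.randbits(1) for _ in range(n)]
    q2 = list(q1)
    q2[index] ^= 1
    return q1, q2


def server_answer(database, query):
    """A server XORs together every record selected by its query vector.

    The work is linear in the database size, which is the processing cost the
    text mentions; the server never learns which single record mattered.
    """
    acc = bytes(len(database[0]))
    for bit, record in zip(query, database):
        if bit:
            acc = _xor_bytes(acc, record)
    return acc


def client_reconstruct(answer1, answer2):
    """Records selected by both servers cancel out; only record[index] remains."""
    return _xor_bytes(answer1, answer2)


def pir_fetch(index, db_server1=DATABASE, db_server2=DATABASE):
    """Full exchange: the client learns record[index]; neither server learns index."""
    q1, q2 = client_make_queries(index, len(db_server1))
    return client_reconstruct(server_answer(db_server1, q1),
                              server_answer(db_server2, q2))


def colluding_servers_learn_index(q1, q2):
    """Failure mode: if the servers pool their queries, q1 XOR q2 reveals the index."""
    diff = [a ^ b for a, b in zip(q1, q2)]
    return diff.index(1)
```

An SPV client that used this to ask "is transaction X in the chain?" would need to hold the record index it wants and two non-colluding servers; single-server PIR removes the non-collusion assumption at the price of heavier computation, which is the trade-off the section alludes to.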

also been applied in distributed storage [182], which can be further investigated and adopted in blockchain.
Paper [85] sets several research problems in the area of blockchain transaction privacy and private information retrieval. We rephrase some of the research challenges postulated there:
Research Problem 16 [85]: Develop protocols where non-anonymous users can publish transactions that cannot be linked to their network addresses or to their other transactions.
Research Problem 17 [85]: Develop protocols where non-anonymous users can fetch details of specific transactions without revealing which transactions they seek.
Research Problem 18 [85]: Develop efficient and scalable protocols for anonymous publishing on permissioned blockchains by combining asynchronous Byzantine-tolerant consensus protocols for agreeing on transactions with a process for mixing users' announcements.

E. DECENTRALIZED AUTHORIZATION
Authorization, and the hiding of sensitive data and actions, are essential concepts of resource sharing in open and collaborative environments such as the Internet. In a decentralized form of authorization, parties have full control over their resources and the authority to delegate that control, entirely or in part, to other parties. An authorization system should grant users only as little access as they need to perform their jobs (least privilege).
Traditional access control relies on a centralized authorization server, which is a single point of failure. Centralized authorization schemes use methods such as access control lists or role-based access control. In comparison, decentralized authorization is more efficient and easier in terms of time, resources and quality. A decentralized authorization system must still be well administered so that the right access privileges reach the right users. On the negative side, auditing is also a key component of authorization, and in a decentralized setting it is hard to implement and enforce efficiently.
Some decentralized authorization systems have been built on blockchain smart contracts, e.g., BlendCAC [97] and WAVE [98]. WAVE introduces an authorization layer for namespaces and resources, and outside entities obtain permission on a resource through delegation of trust. Decentralized authorization and blockchain can thus reinforce each other when combined appropriately.
Research Problem 19: Construct a decentralized authorization protocol for permissioned blockchains that provides access privileges as well as delegation of these privileges to users.

F. WHITE-BOX CRYPTOGRAPHY
The white-box attack is a threat model in which the attacker has full visibility of the internal data flow of an implementation and can modify its data and code. White-box cryptography [183] aims to address the challenge of implementing a cryptographic algorithm in software in such a way that the cryptographic assets remain secure even when subject to white-box attacks. A white-box cryptographic implementation must therefore resist black-box attacks (the attacker has access only to the input and output of the algorithm), grey-box attacks (side channels) and white-box attacks. White-box cryptography is a way of implementing algorithms such as RSA and AES so that the keys remain hidden at all times, even during execution. In some white-box implementations the key is baked into the code and further concealed so that it can be used by the algorithm. In blockchain, this could be used to hide a private key inside a smart contract, so that the key is unlocked when the contract executes and is then used to create a signature. A practitioner should treat this with care: the published white-box AES constructions have all been broken by structural or differential computation analysis attacks, so in practice white-box cryptography raises the attacker's cost rather than providing a cryptographic guarantee, and on a public chain both the contract code and its execution trace are visible to everyone.
White-box cryptography can be orchestrated in blockchain to establish trust and privacy of assets. In blockchain, keys and seed secrets are a single point of compromise and are highly vulnerable, lucrative targets when stored in memory. To store a key safely, it can be obfuscated with white-box cryptography and then used for encryption and decryption. The white-box implementation should be strong enough to support key storage in blockchain. It has been used for runtime self-protection in a trusted blockchain-inspired ledger [123] and can be promoted in other blockchain applications and services.

G. INCREMENTAL CRYPTOGRAPHY
The idea behind incremental cryptography [184] is that if a document M is modified to M', then the time to update the cryptographic result (a hash or a signature) should be "proportional" to the "amount of modification" made to M, rather than to the size of M. Incremental cryptography can be used for incremental collision-free hashing or incremental digital signatures. The initial proposal used digital signatures as the example: the goal was a signature that is easy to update when the underlying message changes. Suppose M is a message and σ its signature. If M is changed to M' by adding or deleting a block, then the time to update the signature from σ to σ' should be "proportional" to the "amount of modification" needed to get M' from M.
A construction of an incremental hash function based on SHA-3 is given in [185], and the private blockchain Kadena [99] proposes using either a Merkle tree or incremental hashing for transaction verification. In Kadena, incremental hashing is used to update the distributed log among the blockchain nodes.
Research Problem 20: Construct a new blockchain mechanism that uses an incremental hash function for updates of the distributed ledger.

H. IDENTITY-BASED BROADCAST ENCRYPTION (IBBE)
An IBBE scheme [186] can be considered a generalization of identity-based encryption (Section VI-B) in which there are multiple receivers instead of one. In broadcast encryption the users are recognized by their identities rather than by their public keys. In a multi-receiver setting, IBBE is a powerful method for providing data security and privacy. In this scheme, a sender broadcasts the encrypted message to an intended set of users called the privilege set; there can be many privilege sets of different cardinalities. A revocable IBBE (RIBBE) scheme [187] considers a setting in which the involved players are the key authority and the revoked and non-revoked users. The decryption keys are updated through the release of key update material by the key authority, and only the non-revoked users can update their keys. A user's membership is revoked if he or she is found to be malicious or his or her keys are compromised. This RIBBE scheme has been implemented in the Charm framework [188].
As blockchain is a multi-receiver setting, IBBE is a promising candidate for providing transaction data security and privacy. It can also be used in a permissioned blockchain to certify blocks of membership operation logs. The RIBBE scheme, being very efficient in computation and communication, can work efficiently in the blockchain case as well.
Research Problem 21: Develop protocols to certify the blocks of membership operation logs in the permissioned blockchain setting.

I. OTHER TECHNIQUES
1) Message Authentication Code (MAC): A MAC is a short piece of information (a tag) that authenticates a message, attesting that the message comes from the stated sender and has not been changed. It can be used in blockchain to protect the integrity of smart contracts or network data. The blockchain-based system for secure mutual authentication BSeIn [189] uses a MAC for authentication.
2) Non-Interactive Witness Indistinguishability (NIWI): NIWI proof systems are weaker variants of non-interactive zero-knowledge (NIZK) proofs. Witness indistinguishability states that when a statement has several witnesses, the verifier cannot tell which witness the prover used. NIWI has been used to construct NIZK over a proof-of-stake-based blockchain protocol [190], and recently a new construction of publicly verifiable NIWI proofs from blockchain [191] has been proposed. NIWI proofs thus open a new direction to be exploited within the blockchain domain.
3) Position-based Cryptography: In this cryptographic protocol [192], the identity or credentials of a party are derived from its geographical location. These credentials can then be used for position-based secure communication and position-based authentication. Position-based cryptography has not yet been applied in blockchain, but it looks promising.
4) Elliptic Curve Diffie-Hellman Merkle (ECDHM) addresses: These addresses [193] can be used to exchange messages privately in the blockchain and for secure communication among parties. The sender and the receiver derive a shared Diffie-Hellman secret from their key pairs and use it to derive anonymous transacting addresses for each other. Such an address can be recognized only by a party that holds the shared secret, so it protects the privacy of transaction data.
5) Verifiable Secret Shuffle: This is a variant of zero-knowledge proof (honest-verifier zero-knowledge) proposed in [194]. An initial application of verifiable shuffles has been proposed as a mixing service for Ethereum [195].

VII. CONCLUSION
The goal of this work was to offer a systematic study of the available cryptographic concepts and to identify research directions and problems. Based on the reviewed concepts and their properties, we hope that the paper will help cryptographers interested in blockchain to choose a challenging research problem, and practitioners to choose a suitable concept for their particular use case.
The current transition to blockchain-enabled solutions in different industries gives rise to more research on this technology. Academic and industrial research is focused on making blockchain cost-efficient in terms of computational power, memory requirements and security. Many existing cryptographic concepts have been embraced for blockchain use. This paper systematizes the current state-of-the-art knowledge of the cryptographic concepts used in blockchain: it gives a brief description of each concept and points to the blockchain models that use it. It also identifies concepts that have not yet been used in blockchain but could be beneficial if applied there. Apart from the cryptographic concepts, the paper presents the basic building blocks of blockchain and how these building blocks depend on each other.
Table 5 summarizes all of the cryptographic concepts (used or with potential to be used in blockchain) presented in this work.

REFERENCES
[1] S. Nakamoto. (2009). Bitcoin: A Peer-to-Peer Electronic Cash System. [Online]. Available: http://bitcoin.org/bitcoin.pdf
[2] CoinMarketCap. (May 2019). Total Market Capitalization. Accessed: Jun. 16, 2019. [Online]. Available: https://coinmarketcap.com/charts/
[3] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology, D. Chaum, R. L. Rivest, and A. T. Sherman, Eds. Boston, MA, USA: Springer, 1983, pp. 199–203.
[4] C. Dwork and M. Naor, "Pricing via processing or combatting junk mail," in Proc. Annu. Int. Cryptol. Conf. Springer, 1992, pp. 139–147.
[5] R. L. Rivest, A. Shamir, and D. A. Wagner, "Time-lock puzzles and timed-release crypto," Massachusetts Inst. Technol., Cambridge, MA, USA, Tech. Rep. MIT/LCS/TR-684, 1996.
[6] E. Hughes. (1993). A Cypherpunk's Manifesto. Accessed: Apr. 18, 2019. [Online]. Available: https://www.activism.net/cypherpunk/manifesto.html


[7] A. Back, The Hashcash Proof-of-Work Function, document Draft-Hashcash-back-00, Internet-Draft Created, Jun. 2003.
[8] W. Dai. (1998). B-Money. Accessed: Apr. 18, 2019. [Online]. Available: http://www.weidai.com/bmoney.txt
[9] N. Szabo. (2005). Bit Gold. Accessed: Apr. 18, 2019. [Online]. Available: https://unenumerated.blogspot.com/2005/12/bit-gold.html
[10] N. Satoshi. (Jul. 2010). RE: They Want to Delete the Wikipedia Article. Accessed: Apr. 18, 2019. [Online]. Available: https://bitcointalk.org/index.php?topic=342.msg4508#msg4508
[11] G. Wood, "Ethereum: A secure decentralised generalised transaction ledger," Ethereum, Yellow Paper 1e18248, 2014.
[12] Ether Foundation. (Jan. 2016). The Ether Denominations are Called Finney, Szabo, and Wei. What/Who are These Named After? Accessed: Apr. 30, 2019. [Online]. Available: https://ethereum.stackexchange.com/questions/253/
[13] H. Finney. (Mar. 2013). Bitcoin and Me (Hal Finney). Accessed: Apr. 30, 2019. [Online]. Available: https://bitcointalk.org/index.php?topic=155054.0
[14] V. Morabito, Business Innovation Through Blockchain. Cham, Switzerland: Springer, 2017.
[15] M. Conti, E. S. Kumar, C. Lal, and S. Ruj, "A survey on security and privacy issues of bitcoin," IEEE Commun. Surveys Tuts., vol. 20, no. 4, pp. 3416–3452, 4th Quart., 2018.
[16] W. Wang, D. T. Hoang, P. Hu, Z. Xiong, D. Niyato, P. Wang, Y. Wen, and D. I. Kim, "A survey on consensus mechanisms and mining strategy management in blockchain networks," 2018, arXiv:1805.02707. [Online]. Available: https://arxiv.org/abs/1805.02707
[17] L. Wang, X. Shen, J. Li, J. Shao, and Y. Yang, "Cryptographic primitives in blockchains," J. Netw. Comput. Appl., vol. 127, pp. 43–58, Feb. 2019. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S108480451830362X
[18] B. Preneel, "The state of cryptographic hash functions," in School organized by the European Educational Forum. Berlin, Germany: Springer, 1998, pp. 158–182.
[19] P. Gallagher and A. Director, "Secure hash standard (SHS)," FIPS PUB, vol. 180, p. 183, Mar. 1995.
[20] A. Regenscheid, R. Perlner, S.-J. Chang, J. Kelsey, M. Nandi, and S. Paul, "Status report on the first round of the SHA-3 cryptographic hash algorithm competition," Inf. Technol. Lab., Nat. Inst. Standards Technol., Gaithersburg, MD, USA, Tech. Rep. NISTIR 7620, 2009.
[21] E. Heilman, N. Narula, G. Tanzer, J. Lovejoy, M. Colavita, M. Virza, and T. Dryja, "Cryptanalysis of curl-P and other attacks on the IOTA cryptocurrency," in Proc. IACR Cryptol. ePrint Arch., 2019, p. 344.
[22] E. Heilman, N. Narula, T. Dryja, and M. Virza, "Iota vulnerability report: Cryptanalysis of the curl hash function enabling practical signature forgery attacks on the iota cryptocurrency," Tech. Rep., 2017.
[23] C. Lee. (2011). Litecoin. [Online]. Available: https://litecoin.org
[24] C. Percival, "Stronger key derivation via sequential memory-hard functions," BSDCan, Ottawa, ON, Canada, Tech. Rep., 2009.
[25] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed-hashing for message authentication," Netw. Work. Group RFC, Tech. Rep., 1997.
[26] D. J. Bernstein, "The Salsa20 family of stream ciphers," in New Stream Cipher Designs. Berlin, Germany: Springer, 2008, pp. 84–97.
[27] V. Buterin, QuarkCoin: Noble Intentions, Wrong Approach. Nashville, TN, USA: Bitcoin Magazine, Dec. 2013. Accessed: Jun. 3, 2019.
[28] M. S. Turan, R. A. Perlner, L. E. Bassham, W. E. Burr, D. H. Chang, S.-J. Chang, M. J. Dworkin, J. M. Kelsey, S. Paul, and R. C. Peralta, "Status report on the second round of the SHA-3 cryptographic hash algorithm competition," NIST Interagency, Gaithersburg, MD, USA, Tech. Rep. 7764, 2011.
[29] D. Gligoroski, V. Klima, S. J. Knapskog, M. El-Hadedy, and J. Amundsen, "Cryptographic hash function blue midnight wish," in Proc. 1st Int. Workshop Secur. Commun. Netw., May 2009, pp. 1–8.
[30] E. Duffield and D. Diaz. (2018). Dash: A Payments-Focused Cryptocurrency. Accessed: Jun. 3, 2019. [Online]. Available: https://github.com/dashpay/dash/wiki/Whitepaper
[31] Open Source Community at Github. (2018). ProgPoW—A Programmatic Proof of Work. Accessed: Jun. 3, 2019. [Online]. Available: https://github.com/ifdefelse/ProgPOW
[32] S. Bano, A. Sonnino, M. Al-Bassam, S. Azouvi, P. McCorry, S. Meiklejohn, and G. Danezis, "Consensus in the age of blockchains," 2017, arXiv:1711.03936. [Online]. Available: https://arxiv.org/abs/1711.03936
[33] I. Eyal, A. E. Gencer, E. G. Sirer, and R. van Renesse, "Bitcoin-NG: A scalable blockchain protocol," in Proc. NSDI, 2016, pp. 45–59.
[34] V. Buterin and V. Griffith, "Casper the friendly finality gadget," 2017, arXiv:1710.09437. [Online]. Available: https://arxiv.org/abs/1710.09437
[35] L. Ren, "Proof of stake velocity: Building the social currency of the digital age," White Paper, 2014, pp. 1–13. [Online]. Available: http://reddcoin.com
[36] J. Kwon. (2014). Tendermint: Consensus Without Mining. [Online]. Available: https://tendermint.com/static/docs/tendermint.pdf
[37] Y. Gilad, R. Hemo, S. Micali, G. Vlachos, and N. Zeldovich, "Algorand: Scaling byzantine agreements for cryptocurrencies," in Proc. 26th Symp. Oper. Syst. Princ. (SOSP), New York, NY, USA, 2017, pp. 51–68. doi: 10.1145/3132747.3132757.
[38] A. Kiayias, I. Konstantinou, A. Russell, B. David, and R. Oliynykov, "A provably secure proof-of-stake blockchain protocol," in Proc. IACR Cryptol. ePrint Arch., 2016, p. 889.
[39] M. Milutinovic, W. He, H. Wu, and M. Kanwal, "Proof of luck: An efficient blockchain consensus protocol," in Proc. 1st Workshop Syst. Softw. Trusted Execution (SysTEX), 2016, pp. 2:1–2:6. doi: 10.1145/3007788.3007790.
[40] L. Chen, L. Xu, N. Shah, Z. Gao, Y. Lu, and W. Shi, "On security analysis of proof-of-elapsed-time (PoET)," in Stabilization, Safety, and Security of Distributed Systems, P. Spirakis and P. Tsigas, Eds. Cham, Switzerland: Springer, 2017, pp. 282–297.
[41] I. Bentov, R. Pass, and E. Shi, "Snow white: Provably secure proofs of stake," in Proc. IACR Cryptol. ePrint Arch., 2016, p. 919.
[42] E. Duffield, H. Schinzel, and F. Gutierrez. (2014). Transaction Locking and Masternode Consensus: A Mechanism for Mitigating Double Spending Attacks. CryptoPapers.info. Accessed: Jun. 3, 2019. [Online]. Available: https://cryptopapers.info/assets/pdf/instasend.pdf
[43] Libra Association. (Jun. 2019). The Libra Blockchain. Accessed: Jun. 24, 2019. [Online]. Available: https://developers.libra.org/docs/assets/papers/the-libra-blockchain.pdf
[44] J. Garay, A. Kiayias, and N. Leonardos, "The bitcoin backbone protocol: Analysis and applications," in Advances in Cryptology—EUROCRYPT 2015, E. Oswald and M. Fischlin, Eds. Berlin, Germany: Springer, 2015, pp. 281–310.
[45] I. Bentov, A. Gabizon, and A. Mizrahi, "Cryptocurrencies without proof of work," in Proc. Int. Conf. Financial Cryptogr. Data Secur. Berlin, Germany: Springer, 2016, pp. 142–157.
[46] A. Biryukov and D. Khovratovich, "Equihash: Asymmetric proof-of-work based on the generalized birthday problem," Ledger J., vol. 2, pp. 1–30, Apr. 2017.
[47] M. Castro and B. Liskov, "Practical Byzantine fault tolerance," in Proc. OSDI, vol. 99, 1999, pp. 173–186.
[48] D. Schwartz, N. Youngs, and A. Britto, "The Ripple protocol consensus algorithm," Ripple Labs, San Francisco, CA, USA, White Paper 5, 2014.
[49] A. Kiayias, E. Koutsoupias, M. Kyropoulou, and Y. Tselekounis, "Blockchain mining games," in Proc. ACM Conf. Econ. Comput. (EC), New York, NY, USA, 2016, pp. 365–382. doi: 10.1145/2940716.2940773.
[50] M. Rosenfeld, "Analysis of bitcoin pooled mining reward systems," 2011, arXiv:1112.4980. [Online]. Available: https://arxiv.org/abs/1112.4980
[51] M. Babaioff, S. Dobzinski, S. Oren, and A. Zohar, "On bitcoin and red balloons," in Proc. 13th ACM Conf. Electron. Commerce (EC), New York, NY, USA, 2012, pp. 56–73. doi: 10.1145/2229012.2229022.
[52] E. B. Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, and M. Virza, "Zerocash: Decentralized anonymous payments from bitcoin," in Proc. IEEE Symp. Secur. Privacy, May 2014, pp. 459–474.
[53] The Monero Project. (2014). Monero. [Online]. Available: https://web.getmonero.org
[54] R. F. A. Britto and D. Schwartz. (2012). Ripple. [Online]. Available: https://ripple.com
[55] EOS.IO. (2017). EOS.IO Technical White Paper. Accessed: Dec. 18, 2017. [Online]. Available: https://github.com/EOSIO/Documentation
[56] LTO Network. (2014). Blockchain for Decentralized Workflows. [Online]. Available: https://www.lto.network
[57] E. Androulaki et al., "Hyperledger fabric: A distributed operating system for permissioned blockchains," in Proc. 13th EuroSys Conf., New York, NY, USA, 2018, pp. 30:1–30:15.
[58] (2014). Monax. [Online]. Available: https://monax.io/


[59] G. Greenspan. (2015). MultiChain Private Blockchain. [Online]. Available: https://www.multichain.com/download/MultiChain-White-Paper.pdf
[60] P. Maymounkov and D. Mazières, "Kademlia: A peer-to-peer information system based on the XOR metric," in Peer-to-Peer Systems, P. Druschel, F. Kaashoek, and A. Rowstron, Eds. Berlin, Germany: Springer, 2002, pp. 53–65.
[61] E. Heilman, A. Kendler, A. Zohar, and S. Goldberg, "Eclipse attacks on bitcoin's peer-to-peer network," in Proc. 24th USENIX Secur. Symp. (USENIX Secur.), Washington, DC, USA, 2015, pp. 129–144. [Online]. Available: https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/heilman
[62] M. Apostolaki, A. Zohar, and L. Vanbever, "Hijacking bitcoin: Routing attacks on cryptocurrencies," in Proc. IEEE Symp. Secur. Privacy (SP), May 2017, pp. 375–392.
[63] J. Mirkovic and P. Reiher, "A taxonomy of DDoS attack and DDoS defense mechanisms," ACM SIGCOMM Comput. Commun. Rev., vol. 34, no. 2, pp. 39–53, Apr. 2004. doi: 10.1145/997150.997156.
[64] M. Vasek, M. Thornton, and T. Moore, "Empirical analysis of denial-of-service attacks in the bitcoin ecosystem," in Financial Cryptography and Data Security, R. Böhme, M. Brenner, T. Moore, and M. Smith, Eds. Berlin, Germany: Springer, 2014, pp. 57–71.
[65] J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. A. Kroll, and E. W. Felten, "SoK: Research perspectives and challenges for Bitcoin and cryptocurrencies," in Proc. IEEE Symp. Secur. Privacy, May 2015, pp. 104–121.
[66] Bitcoin. (2012). SPV, Simplified Payment Verification. Accessed: Jun. 8, 2019. [Online]. Available: https://bitcoin.org/en/glossary/simplified-payment-verification
[67] R. Skudnov. (2012). Bitcoin Clients. [Online]. Available: https://www.theseus.fi/bitstream/handle/10024/47166/Skudnov_Rostislav.pdf
[68] S. Kadhe, J. Chung, and K. Ramchandran, "SeF: A secure fountain architecture for slashing storage costs in blockchains," 2019, arXiv:1906.12140. [Online]. Available: https://arxiv.org/abs/1906.12140
[69] A. G. Dimakis, P. B. Godfrey, Y. Wu, M. J. Wainwright, and K. Ramchandran, "Network coding for distributed storage systems," IEEE Trans. Inf. Theory, vol. 56, no. 9, pp. 4539–4551, Sep. 2010.
[70] K. Kralevska, D. Gligoroski, R. E. Jensen, and H. Øverby, "Hashtag erasure codes: From theory to practice," IEEE Trans. Big Data, vol. 4, no. 4, pp. 516–529, Dec. 2018.
[71] P. Gopalan, C. Huang, H. Simitci, and S. Yekhanin, "On the locality of codeword symbols," IEEE Trans. Inf. Theory, vol. 58, no. 11, pp. 6925–6934, Aug. 2012.
[72] K. Kralevska, D. Gligoroski, and H. Øverby, "Balanced locally repairable codes," in Proc. Int. Sym. Turbo Codes Iterative Inf. Process. (ISTC), Sep. 2016, pp. 280–284.
[73] G. M. Kamath, N. Prakash, V. Lalitha, and P. V. Kumar, "Codes with local regeneration and erasure correction," IEEE Trans. Inf. Theory, vol. 60, no. 8, pp. 4637–4660, Aug. 2014.
[74] D. Gligoroski, K. Kralevska, R. E. Jensen, and P. Simonsen, "Repair duality with locally repairable and locally regenerating codes," in Proc. IEEE 15th Int. Conf. Dependable, Autonomic Secure Comput., 15th Int. Conf. Pervasive Intell. Comput., 3rd Int. Conf. Big Data Intell. Comput. Cyber Sci. Technol. Congr. (DASC/PiCom/DataCom/CyberSciTech), Nov. 2017, pp. 979–984.
[75] L. H. White, "The market for cryptocurrencies," Cato J., vol. 35, no. 2, p. 383, 2015.
[76] B. McLannahan, "Bitcoin exchange MT GOX files for bankruptcy protection," Financial Times, vol. 28, Feb. 2014.
[77] M. Huillet. (Aug. 2019). Vitalik Buterin Talks Scalability: Ethereum Blockchain is Almost Full. [Online]. Available: https://cointelegraph.com/news/vitalik-buterin-talks-scalability-ethereum-blockchain-is-almost-full
[78] Beam Development Team. (2019). Beam. [Online]. Available: https://www.beam.mw
[79] T. Rolfe. (Feb. 2019). Turing Completeness and Smart Contract Security. [Online]. Available: https://medium.com/kadena-io/turing-completeness-and-smart-contract-security-67e4c41704c
[80] J. Poon and T. Dryja. (2016). The Bitcoin Lightning Network: Scalable Off-Chain Instant Payments. Accessed: Jun. 8, 2019. [Online]. Available: https://www.bitcoinlightning.com/wp-content/uploads/2018/03/lightning-network-paper.pdf
[81] L. Luu, V. Narayanan, C. Zheng, K. Baweja, S. Gilbert, and P. Saxena, "A secure sharding protocol for open blockchains," in Proc. ACM SIGSAC Conf. Comput. Commun. Secur. (CCS), New York, NY, USA, 2016, pp. 17–30. doi: 10.1145/2976749.2978389.
[82] J. Poon and V. Buterin, "Plasma: Scalable autonomous smart contracts," White Paper, 2017, pp. 1–47. [Online]. Available: http://plasma.io
[83] A. Back, M. Corallo, L. Dashjr, M. Friedenbach, G. Maxwell, A. Miller, A. Poelstra, J. Timón, and P. Wuille. (2014). Enabling Blockchain Innovations With Pegged Sidechains. [Online]. Available: http://www.opensciencereview.com/papers/123/enablingblockchain-innovations-with-pegged-sidechains
[84] C. Burchert, C. Decker, and R. Wattenhofer, "Scalable funding of bitcoin micropayment channel networks," Roy. Soc. Open Sci., vol. 5, no. 8, 2018, Art. no. 180089.
[85] R. Henry, A. Herzberg, and A. Kate, "Blockchain access privacy: Challenges and directions," IEEE Security Privacy, vol. 16, no. 4, pp. 38–45, Jul./Aug. 2018.
[86] C. Egger, P. Moreno-Sanchez, and M. Maffei, "Atomic multi-channel updates with constant collateral in bitcoin-compatible payment-channel networks," in Proc. Cryptol. ePrint Arch., 2019, pp. 1–27. [Online]. Available: https://eprint.iacr.org/2019/583
[87] G. Malavolta, P. Moreno-Sanchez, C. Schneidewind, A. Kate, and M. Maffei, "Anonymous multi-hop locks for blockchain scalability and interoperability," in Proc. NDSS, 2019, pp. 1–30.
[88] M. Dong, Q. Liang, X. Li, and J. Liu, "Celer network: Bring Internet scale to every blockchain," 2018, arXiv:1810.00037. [Online]. Available: https://arxiv.org/abs/1810.00037
[89] N. Kshetri, "5G in E-commerce activities," IEEE IT Prof., vol. 20, no. 4, pp. 73–77, Jul. 2018.
[90] R. H. N. J. Dewey and R. Plasencia, "Blockchain and 5G-enabled Internet of Things (IoT) will redefine supply chains and trade finance," in Proc. Secured Lender, Jan./Feb. 2018, pp. 43–45.
[91] A. Ouaddah, A. A. Elkalam, and A. A. Ouahman, "FairAccess: A new blockchain-based access control framework for the Internet of Things," Secur. Commun. Netw., vol. 9, no. 18, pp. 5943–5964, 2016. [Online]. Available: https://onlinelibrary.wiley.com/doi/abs/10.1002/sec.1748
[92] A. Ouaddah, A. A. Elkalam, and A. A. Ouahman, "Towards a novel privacy-preserving access control model based on blockchain technology in IoT," in Europe and MENA Cooperation Advances in Information and Communication Technologies, Á. Rocha, M. Serrhini, and C. Felgueiras, Eds. Cham, Switzerland: Springer, 2017, pp. 523–533.
[93] D. Boneh, B. Bünz, and B. Fisch, "Batching techniques for accumulators with applications to IOPs and stateless blockchains," Cryptol. ePrint Arch., Tech. Rep. 2018/1188, 2018.
[94] Y. Zhao, "Aggregation of gamma-signatures and applications to bitcoin," Cryptol. ePrint Arch., Tech. Rep. 2018/414, 2018. [Online]. Available: https://eprint.iacr.org/2018/414
[95] B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and G. Maxwell, "Bulletproofs: Short proofs for confidential transactions and more," in Proc. IEEE Symp. Secur. Privacy (SP), May 2018, pp. 315–334. [Online]. Available: https://ieeecomputersociety.org/10.1109/SP.2018.00020
[96] G. Maxwell and A. Poelstra. (2015). Borromean Ring Signatures. Accessed: Jun. 8, 2019. [Online]. Available: https://raw.githubusercontent.com/Blockstream/borromean_paper/master/borromean_draft_0.01_34241bb.pdf
[97] R. Xu, Y. Chen, E. Blasch, and G. Chen, "BlendCAC: A blockchain-enabled decentralized capability-based access control for iots," 2018, arXiv:1804.09267. [Online]. Available: https://arxiv.org/abs/1804.09267
[98] M. P. Andersen, J. Kolb, K. Chen, G. Fierro, D. E. Culler, and R. A. Popa, "Wave: A decentralized authorization system for iot via blockchain smart contracts," Dept. Elect. Eng. Comput. Sci., Univ. California, Berkeley, Berkeley, CA, USA, Tech. Rep. UCB/EECS-2017-234, Dec. 2017. [Online]. Available: http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-234.html
[99] W. Martino, "Kadena: The first scalable, high performance private blockchain," Kadena, Okinawa, Japan, Tech. Rep., 2016.
[100] S. Wei, S. Li, P. Liu, and M. Liu, "BAVP: Blockchain-based access verification protocol in LEO constellation using IBE keys," Secur. Commun. Netw., vol. 2018, pp. 1–14, May 2018.
[101] S. Bose, M. Raikwar, D. Mukhopadhyay, A. Chattopadhyay, and K.-Y. Lam, "BLIC: A blockchain protocol for manufacturing and supply chain management of ICS," in Proc. IEEE Int. Conf. Internet Things (iThings) IEEE Green Comput. Commun. (GreenCom) IEEE Cyber, Phys. Social Comput. (CPSCom) IEEE Smart Data (SmartData), Jul./Aug. 2018, pp. 1326–1335.
[102] A. Dorri, S. S. Kanhere, R. Jurdak, and P. Gauravaram, "LSB: A lightweight scalable blockchain for IoT security and privacy," 2017, arXiv:1712.02969. [Online]. Available: https://arxiv.org/abs/1712.02969

148572 VOLUME 7, 2019


M. Raikwar et al.: SoK of Used Cryptography in Blockchain

MAYANK RAIKWAR was born in Uttar Pradesh, India, in 1994. He received the B.Tech. degree in computer science and engineering from Uttar Pradesh Technical University, in 2013, and the M.Tech. degree in computer science from the Indian Statistical Institute, India, in 2016. Since 2019, he has been pursuing the Ph.D. degree with the Department of Information Security and Communication Technology, Norwegian University of Science and Technology (NTNU). In 2017, he joined the Department of Computer Science, Nanyang Technological University, Singapore, as a Research Engineer. His research interests are in cryptography, blockchain, cryptocurrencies, and security.

DANILO GLIGOROSKI was born in Skopje, Republic of Macedonia, in 1967. He received the B.S. and M.S. degrees in applied mathematics from Ss Cyril and Methodius University in Skopje, and the Ph.D. degree in computer science from Ss Cyril and Methodius University in Skopje, in 1997. From 1997 to 2008, he was an Assistant Professor with the Faculty of Natural Sciences, Skopje University. Since 2008, he has been a Professor of information security and cryptography with the Norwegian University of Science and Technology (NTNU). He is an author of more than 180 scientific publications and more than 10 inventions. His main research interests are in the application of various algebraic structures in cryptography, information security, and coding theory.

KATINA KRALEVSKA was born in Skopje, Macedonia, in 1987. She received the B.Sc. and M.Sc. degrees in telecommunications from Ss. Cyril and Methodius University-Skopje, Macedonia, in 2010 and 2012, respectively, and the Ph.D. degree from the Norwegian University of Science and Technology (NTNU), in December 2016. In 2017, she was a Postdoctoral Researcher with the Department of Information Security and Communication Technology, NTNU. In 2018, she became an Associate Professor with the same department. Since 2019, she has been the Deputy Head of the Department of Information Security and Communication Technology. Her research interests include coding theory, blockchain, and mobile and wireless communications. She is an author of more than 25 scientific publications and more than eight inventions.
