
2019 IEEE 3rd Information Technology, Networking, Electronic and Automation Control Conference (ITNEC 2019)

Protecting Data Privacy for Permissioned Blockchains using Identity-Based Encryption

Meng Zhang∗†, Shen Wang†, Pan Zhang†, Li He†, Xiao Li†, Shenshen Zhou†
∗ School of Mathematical Sciences, Peking University, Beijing 100871, China
† Aisino Corporation, Beijing 100195, China
[email protected]
[email protected]

Abstract—Blockchain is an emerging decentralized architecture and distributed public ledger technology underlying Bitcoin, and has recently attracted intensive attention from governments, financial institutions and high-tech enterprises. It is believed that blockchain can improve efficiency, reduce costs and enhance data security, but it still faces serious privacy issues which may hinder the wide application of blockchain. In this paper, we present a practical scheme that adds an Identity-Based Encryption system, which effectively improves data privacy for non-transaction applications. Analyses show that our proposal has a high security level which can prevent both disguise and passive attacks, and is functional, effective and practical in many applications for non-transactional scenarios.

Index Terms—Permissioned Blockchain, Privacy Protection, Bilinear Map, Identity-Based Encryption

I. INTRODUCTION

Blockchain is a distributed public ledger technology in a peer-to-peer network characterized by decentralization and de-trusting, and it has witnessed a growing interest from different domains and use cases. In general terms, a blockchain is an immutable transaction ledger, maintained within a distributed network of peer nodes. These nodes each maintain a copy of the ledger by applying transactions that have been validated by a consensus protocol, grouped into blocks that include a hash that binds each block to the preceding block. The typical structure of a blockchain is shown in Fig. 1.

[Fig. 1. The basic structure of blockchain]

The heart of a blockchain network is a distributed ledger that records all the transactions that take place on the network. In addition, the information recorded to a blockchain is append-only, using cryptographic techniques that guarantee that once a transaction has been added to the ledger, it cannot be modified. This property of immutability makes it simple to assure that data has not been changed after the fact.

Bitcoin cryptocurrency is the first and most widely recognized application of blockchain; then Ethereum took a different approach, integrating many of the same characteristics as Bitcoin but adding smart contracts to create a platform for distributed applications. Bitcoin and Ethereum fall into the class of public permissionless blockchain technology. Basically, these are public networks, open to anyone, where participants interact anonymously.

In a permissionless blockchain, virtually anyone can participate, and every participant is anonymous. In order to mitigate the absence of trust, permissionless blockchains typically employ a "mined" native cryptocurrency or transaction fees to provide an economic incentive to offset the extraordinary costs of participating in a form of Byzantine fault tolerant consensus based on "proof of work".

Permissioned blockchains, on the other hand, run a blockchain among a set of known, identified participants. A permissioned blockchain provides a way to secure the interactions among a group of entities that have a common goal but which do not fully trust each other, such as businesses that exchange funds, goods, or information. By relying on the identities of the peers, a permissioned blockchain can use traditional Byzantine-fault tolerant consensus.

In this paper, we aim to achieve data privacy in permissioned blockchains. We present a scheme that adds an Identity-Based Encryption (ID-based encryption) system, which effectively improves data privacy for non-transaction applications. Analyses show that our proposal is secure and practical.

978-1-5386-6243-4/19/$31.00 ©2019 IEEE

II. PERMISSIONED BLOCKCHAINS AND PRIVACY ISSUES

With the further development of blockchain technology, the applications of blockchain have gradually shifted from the transactions of cryptocurrencies to the real economy. Accordingly, permissioned blockchains are getting more and more attention. In the field of the real economy, it is valuable to integrate diverse systems without having to build a centralized solution and to bring a level of trust among untrusting parties. A permissioned blockchain is highly suitable for such cases that require authenticated participants. Each node in a permissioned network can be owned by a different organization. Tax administration, copyright, insurance, and food safety [3] are examples of permissioned blockchain applications where participants benefit compared to the existing loosely coupled centralized systems. Thus, the rise in popularity of permissioned blockchain platforms in recent times is significant. One of the most successful permissioned blockchain projects is Hyperledger Fabric, hosted by the Linux Foundation [1].

However, in such a blockchain system, all the data on the chain must be disclosed to all participating nodes in the whole network, which can be problematic in many cases. For example, in an electronic invoice blockchain network, any user hopes to keep his data private, otherwise he is at risk of leaking trade secrets. It can be seen that permissioned blockchain technology must solve the problem of privacy protection before it becomes practical.

Several privacy protection technologies used in blockchain have been studied in the literature, such as ring signatures, homomorphic encryption and zero-knowledge proofs; see [9], [10], [11], [12], [13], [14], [15]. As far as we know, most of these works emphasize the privacy challenges of anonymity and confidentiality of transaction data on decentralized cryptocurrencies. However, for many applications in the real economy, such as quality tracking, copyright and supply chain finance, what is needed is only data transfer, which means the operations in consensus are primarily the consolidation of data. We focus on privacy protection for such non-transactional scenarios in permissioned blockchain from here on.

III. OUR CONSTRUCTION

To meet the need of enhancing data privacy in blockchain, it is necessary to use encryption technology to transform the plaintext into ciphertext, and the encryption algorithm should be carefully designed to avoid breaking the process of consensus. However, in the non-transaction case, the operations in consensus do not involve mathematical operations on the data. Therefore, as long as the key management problem is solved, we can make sure that sensitive data is encrypted while being recorded on the blockchain.

In this section, we construct a simple ID-based encryption privacy protection scheme, which can be well applied to non-transaction scenarios in permissioned blockchain.

ID-based Encryption. In 1984, Shamir [4] asked for a public key encryption scheme in which the public key can be an arbitrary string and the private key is generated by a trusted third party, the PKG (Private Key Generator). Since the problem was posed in 1984, there have been several proposals for ID-based encryption schemes. However, we can consider that the first practical IBE scheme was introduced by Boneh and Franklin in 2001 [5]. Since 2001, several schemes have been introduced [6], [7], [8]. Especially in [8], Gentry proposed the first IBE system that is fully secure without random oracles, has short public parameters and has a tight security reduction. By now, all the practical ID-based encryption schemes are based on the theory of bilinear maps.

Bilinear Maps. We briefly review bilinear maps, using the following standard notation [5]:
• $G_1$, $G_2$, $G_\tau$ are three cyclic groups of prime order $p$
• $g_1 \in G_1$, $g_2 \in G_2$ are the generators of $G_1$ and $G_2$ respectively
• $e(\cdot,\cdot): G_1 \times G_2 \to G_\tau$ is a bilinear map.
Then a bilinear map is a map $e(\cdot,\cdot): G_1 \times G_2 \to G_\tau$ with the following properties:
• Bilinear: for all $u \in G_1$, $v \in G_2$ and $a, b \in \mathbb{Z}$, we have $e(u^a, v^b) = e(u, v)^{ab}$.
• Non-degenerate: $e(g_1, g_2) \neq 1$.

Next, we present our ID-based encryption scheme, which can be used for privacy protection in non-transactional permissioned blockchains, and we describe our scheme in terms of the ID-based system proposed by Boneh and Franklin in 2001 [5].

A. Initialization

Construct two elliptic curve groups $G_1$, $G_2$ such that $|G_1| = |G_2| = q$, $e(\cdot,\cdot): G_1 \times G_1 \to G_2$ is a bilinear map, and $P \in G_1$ is a generator. Also, $s \in \mathbb{Z}_q^*$ is randomly selected as the master key, and $P_{pub} = s \cdot P$ is computed. Choose three cryptographic hash functions $h: \{0,1\}^n \to G_1$, $h_1: G_2 \to \{0,1\}^n$ and $h_2: \{0,1\}^n \to \mathbb{Z}_q^*$. Publish the system parameters as
$$\{G_1, G_2, e(\cdot,\cdot), n, q, P, P_{pub}, h(\cdot), h_1(\cdot), h_2(\cdot)\}$$

B. Extract public key and private key

1) User A registers on the client and fills in personal information including ID number and cellphone number.
2) The client generates the public key from A's identity $ID$, which outputs $Q_{ID} = h(ID)$.
3) The client uses A's phone number to bind the identity information, which will be used as a second verification.
4) The PKG computes A's private key as $S_{ID} = s \cdot Q_{ID}$, then passes it to A through a secure channel.

C. Put data into the blockchain

1) User A prepares private data $m$ and logs into the client.
2) A encrypts the private data $m$ as follows: randomly choose $r \in \mathbb{Z}_q^*$, then compute
$$g_{ID} = e(Q_{ID}, P_{pub}), \quad U = r \cdot P, \quad V = m \oplus h_1(g_{ID}^{\,r})$$
3) A puts $(U, V)$ into the blockchain.

D. Query data from blockchain

1) User A logs into the client and issues a query instruction.
2) The system sends a verification code to A's reserved cellphone number.
3) A inputs the verification code to the system:
   a) if the validation passes, go to the next step;
   b) otherwise identity verification fails and the query request is rejected.
4) The system sends the encrypted data $(U, V)$ to A.
5) A decrypts the data as follows:
$$m = V \oplus h_1(e(S_{ID}, U)),$$
where $m$ is just the plaintext.

The reason why it can be decrypted in (5) is as below:
$$\begin{aligned}
V \oplus h_1(e(S_{ID}, U)) &= (m \oplus h_1(g_{ID}^{\,r})) \oplus h_1(e(s \cdot Q_{ID}, r \cdot P)) \\
&= (m \oplus h_1(e(Q_{ID}, P_{pub})^r)) \oplus h_1(e(s \cdot Q_{ID}, r \cdot P)) \\
&= (m \oplus h_1(e(Q_{ID}, s \cdot P)^r)) \oplus h_1(e(s \cdot Q_{ID}, P)^r) \\
&= m
\end{aligned}$$

E. Private information interaction

Occasionally, some users need to exchange private information. Take users A and B for example. If A wants to send B some private data, then A can do the following:
1) A encrypts the private data $m$ under B's ID number $ID_B$: randomly choose $r \in \mathbb{Z}_q^*$, then compute
$$g_{ID_B} = e(Q_{ID_B}, P_{pub}), \quad U = r \cdot P, \quad V = m \oplus h_1(g_{ID_B}^{\,r})$$
2) A sends $(U, V)$ to B through an open channel.
After B receives $(U, V)$, he can decrypt the ciphertext with his own private key:
$$m = V \oplus h_1(e(S_{ID_B}, U)).$$
Even if others receive $(U, V)$, they cannot obtain any information without B's private key $S_{ID_B}$.

F. Add user's signature

Before a user puts data into the blockchain, he needs to add a signature as a certification. If user A needs to sign the data $m \in \{0,1\}^n$, then
1) A randomly chooses $r \in \mathbb{Z}_q^*$ and computes
$$U = r \cdot Q_{ID_A}, \quad r_1 = h_2(m, U), \quad V = (r + r_1) \cdot S_{ID_A}$$
2) A adds $(U, V)$ as the signature.

G. Verify a signature

Anyone can verify A's signature by A's ID and public key; he only needs to check the following equation:
$$e(P, V) = e(P_{pub}, U + r_1 \cdot Q_{ID_A})$$
• if the equation holds, the signature verification passes;
• otherwise, the signature verification fails.
The reason why the equation holds is as below:
$$\begin{aligned}
e(P_{pub}, U + r_1 \cdot Q_{ID_A}) &= e(s \cdot P, U + r_1 \cdot Q_{ID_A}) \\
&= e(P, s \cdot (U + r_1 \cdot Q_{ID_A})) \\
&= e(P, s \cdot r \cdot Q_{ID_A} + r_1 \cdot s \cdot Q_{ID_A}) \\
&= e(P, r \cdot S_{ID_A} + r_1 \cdot S_{ID_A}) \\
&= e(P, V)
\end{aligned}$$

H. Add a supervisor

In many cases, a supervisor who can access all the data on the blockchain is needed. The supervisor may be the government or the management of an enterprise. It is very easy to fulfill this in this system, as we just need to give the master key $s$ to the supervisor.

We have proposed a privacy protection scheme using ID-based encryption, in which a user's public key is generated from the identity $ID$. This greatly simplifies the management and distribution of certificates in a traditional PKI system. Any new user joining the permissioned blockchain system can obtain the encryption key directly through his unique identity, which is much more convenient compared to a PKI system.

IV. SECURITY ANALYSIS

A. Security of master key

In the ID-based system, the master key is of the utmost importance. Once the master key is compromised, the entire system is broken. As a result, it should be carefully protected. In many systems, the master key is managed by a single PKG, which brings problems of centralization and security. Here, a threshold secret sharing scheme can be used. By constructing a $(t, n)$ threshold scheme, the master key is controlled by multiple trusted PKGs instead of a single PKG, so any single PKG cannot recover the master key, which solves the problem of centralization and security.

B. Disguise attack

In our system, whenever a query operation is carried out, the ID number and cellphone number must be matched. A disguise attacker may obtain both of them, so he can pretend to be another user. However, even if he obtains the encrypted data, it is impossible for him to recover the plaintext without the private key. So the system can resist a disguise attack.
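The scheme of Section III, as an added example that is not part of the paper (the authors give no code): the extract, encrypt, decrypt, sign, verify and supervisor steps of Subsections B to H, run over a constructed toy bilinear map. $G_1$ is modelled as $\mathbb{Z}_q$ with $P = 1$ (so a point $a \cdot P$ is the scalar $a$), the target group $G_2$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$, and $e(aP, bP) = g_T^{ab}$; $q = 101$, $p = 607$ and the SHA-256 instantiations of $h$, $h_1$, $h_2$ are assumptions made here. Discrete logarithms in this toy $G_1$ are trivial, so the block only checks that the equalities in D.5 and G hold and says nothing about security.

```python
import hashlib
import secrets

# Constructed toy bilinear map (not the paper's parameters): G1 = Z_q with P = 1,
# G2 = order-q subgroup of Z_p^* generated by G_T, e(aP, bP) = G_T^(a*b) mod p.
# Bilinear and non-degenerate, but DLP in G1 is trivial: correctness demo only.
Q = 101       # toy group order q
P_MOD = 607   # toy prime p = 6*q + 1, so Z_p^* has a subgroup of order q
P = 1         # generator of the toy G1


def _find_generator():
    """Smallest base whose (p-1)/q power is not 1 generates the order-q subgroup."""
    for cand in range(2, P_MOD):
        g = pow(cand, (P_MOD - 1) // Q, P_MOD)
        if g != 1:
            return g
    raise RuntimeError("no generator found")


G_T = _find_generator()


def pairing(a, b):
    """Toy e(aP, bP) = G_T^(ab) in the order-q subgroup of Z_p^*."""
    return pow(G_T, (a * b) % Q, P_MOD)


def h(identity):
    """h: {0,1}^n -> G1, a non-zero scalar derived from the identity string (assumed SHA-256)."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def h1(gt_elem, n):
    """h1: G2 -> {0,1}^n, a SHA-256 counter stream keyed by the pairing value (assumed)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(gt_elem.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def h2(m, U):
    """h2: (m, U) -> Zq*, binds the message to the signature's U (assumed SHA-256)."""
    digest = hashlib.sha256(m + U.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class PKG:
    """Private Key Generator holding the master key s (Sections III.A and III.B.4)."""

    def __init__(self, s=None):
        self.s = s if s is not None else secrets.randbelow(Q - 1) + 1
        self.P_pub = (self.s * P) % Q          # Ppub = s*P

    def extract(self, identity):
        return (self.s * h(identity)) % Q      # SID = s*QID, sent over a secure channel


def encrypt(P_pub, identity, m, r=None):
    """III.C.2 / III.E.1: (U, V) = (r*P, m xor h1(gID^r)) with gID = e(QID, Ppub)."""
    r = r if r is not None else secrets.randbelow(Q - 1) + 1
    g_id = pairing(h(identity), P_pub)
    U = (r * P) % Q
    V = _xor(m, h1(pow(g_id, r, P_MOD), len(m)))
    return U, V


def decrypt(S_id, U, V):
    """III.D.5: m = V xor h1(e(SID, U))."""
    return _xor(V, h1(pairing(S_id, U), len(V)))


def sign(S_id, identity, m, r=None):
    """III.F: U = r*QID, r1 = h2(m, U), V = (r + r1)*SID."""
    r = r if r is not None else secrets.randbelow(Q - 1) + 1
    U = (r * h(identity)) % Q
    r1 = h2(m, U)
    V = ((r + r1) * S_id) % Q
    return U, V


def verify(P_pub, identity, m, U, V):
    """III.G: accept iff e(P, V) == e(Ppub, U + r1*QID)."""
    r1 = h2(m, U)
    return pairing(P, V) == pairing(P_pub, (U + r1 * h(identity)) % Q)


def supervisor_decrypt(s, identity, U, V):
    """III.H: whoever holds the master key s can derive any SID and read any record."""
    return decrypt((s * h(identity)) % Q, U, V)


if __name__ == "__main__":
    pkg = PKG()
    alice_key = pkg.extract("alice")
    U, V = encrypt(pkg.P_pub, "alice", b"trade secret")
    assert decrypt(alice_key, U, V) == b"trade secret"
    assert verify(pkg.P_pub, "alice", b"trade secret", *sign(alice_key, "alice", b"trade secret"))
    print("encrypt/decrypt and sign/verify are consistent on the toy pairing")
```

The `supervisor_decrypt` function makes the consequence of Section H concrete: the holder of $s$ needs no cooperation from any user to read every $(U, V)$ on the chain, so the master key is exactly as sensitive as Section IV.A states.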
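The $(t, n)$ threshold protection of the master key that Section IV.A proposes, as an added example not taken from the paper. The paper names only a "(t, n) threshold scheme"; the Shamir instantiation over $\mathbb{Z}_q$ and the distributed-PKG extraction step, in which each share-holder returns $s_i \cdot Q_{ID}$ and the user recombines the partial keys with Lagrange coefficients into $S_{ID} = s \cdot Q_{ID}$, follow the distributed PKG of Boneh and Franklin [5] and are assumptions here. Points of $G_1$ are scalars in the same constructed toy setting ($G_1 = \mathbb{Z}_q$, $q = 101$).

```python
import secrets

# Constructed toy setting (not the paper's parameters): G1 = Z_q, points are scalars.
Q = 101


def split_master_key(s, t, n, coeffs=None):
    """Shamir split: f(x) = s + c1*x + ... + c_{t-1}*x^{t-1} mod q; share i is (i, f(i))."""
    if coeffs is None:
        coeffs = [secrets.randbelow(Q) for _ in range(t - 1)]
    assert len(coeffs) == t - 1 and 0 < t <= n
    poly = [s % Q] + [c % Q for c in coeffs]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(poly):          # Horner evaluation of f(x)
            y = (y * x + c) % Q
        shares.append((x, y))
    return shares


def lagrange_coefficients(xs):
    """lambda_i with f(0) = sum_i lambda_i * f(x_i) for any polynomial of degree < len(xs)."""
    coeffs = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = (num * (-xj)) % Q
                den = (den * (xi - xj)) % Q
        coeffs.append((num * pow(den, -1, Q)) % Q)
    return coeffs


def recover_master_key(shares):
    """Interpolate f(0) = s from at least t shares; fewer than t give an unrelated value."""
    lambdas = lagrange_coefficients([x for x, _ in shares])
    return sum(l * y for l, (_, y) in zip(lambdas, shares)) % Q


def pkg_partial_private_key(share, Q_id):
    """PKG i keeps s_i secret and returns only the partial key s_i * Q_ID (a point in G1)."""
    _, s_i = share
    return (s_i * Q_id) % Q


def combine_private_key(pkg_indices, partials):
    """User combines t partial keys: sum_i lambda_i * (s_i * Q_ID) = s * Q_ID = S_ID."""
    lambdas = lagrange_coefficients(pkg_indices)
    return sum(l * p for l, p in zip(lambdas, partials)) % Q


if __name__ == "__main__":
    s = secrets.randbelow(Q - 1) + 1
    shares = split_master_key(s, t=3, n=5)
    assert recover_master_key(shares[:3]) == s
    Q_id = 7                                   # stand-in for h(ID)
    partials = [pkg_partial_private_key(sh, Q_id) for sh in shares[2:]]
    assert combine_private_key([3, 4, 5], partials) == (s * Q_id) % Q
    print("any 3 of 5 PKGs reconstruct s, or jointly issue S_ID without revealing s")
```

With the partial-key route, no single party ever holds $s$, which is the point of Section IV.A; handing the complete $s$ to the supervisor of Section H reintroduces exactly the single point of compromise that the split removes, so a deployment that wants both properties has to decide which one it keeps.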

C. Passive attack

Our system can resist passive attacks. Passive attacks usually consist of information monitoring and traffic analysis. In an original transaction, the attacker can access two kinds of information from the users: one is addresses, the other is data. The address is a hash signature of the trader which cannot be reversed. So the only potential information monitored by attackers is the plaintext information in the data, and that is what our system focuses on. The ID-based encryption has been used to encrypt and protect the plaintext information shown in the data, and what can be seen is an unrecognizable string which is only readable to the receiver with the private key. The security of the ciphertexts relies on the chosen encryption system, which is provably secure in the standard model.

V. CONCLUSION

We have proposed a delicately improved scheme for non-transactional cases in permissioned blockchain to improve privacy. Our scheme can hide the information by encrypting the plaintext into ciphertext, without using advanced technologies such as ring signatures, homomorphic encryption and zero-knowledge proofs. Our scheme not only avoids the complicated certificate management and issuance of the traditional PKI system, but also has a high security level which can prevent both disguise and passive attacks, and is functional, effective and practical for applications. This scheme provides an inspiring way to achieve delicate confidentiality of the transactions in many applications for non-transactional scenarios.

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers for insightful comments and helpful suggestions. Shen Wang is the corresponding author. Meng Zhang was partially supported by the Natural Science Foundation of China (Grants No. 61672059, 61472016) and National Key R&D Program of China, 2017YFB0802000.

REFERENCES

[1] The Linux Foundation Helps Hyperledger Build the Most Vibrant Open Source Ecosystem for Blockchain. http://www.linuxfoundation.org/.
[2] S. Omohundro. Cryptocurrencies, smart contracts, and artificial intelligence. AI Matters, 1(2):19–21, Dec. 2014.
[3] D. D. Detwiler. One nation's move to increase food safety with blockchain. https://www.ibm.com/blogs/blockchain/2018/02/one-nations-move-to-increase-food-safety-with-blockchain/, 2018. [Online; accessed 1-May-2018].
[4] Shamir, A. Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985).
[5] Boneh, D., Franklin, M. Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Berlin, Germany (2001).
[6] Boneh, D., Boyen, X. Efficient selective-ID secure identity based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Berlin, Germany (2004).
[7] Boneh, D., Boyen, X. Secure identity based encryption without random oracles. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152. Springer, Berlin, Germany (2004).
[8] Gentry, C. Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Berlin, Germany (2006).
[9] S. Noether, Monero Research Lab. Ring confidential transactions. 2016.
[10] R. S. Wahby, I. Tzialla, A. Shelat, J. Thaler and M. Walfish. Doubly-Efficient zkSNARKs Without Trusted Setup. 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, 2018, pp. 926–943.
[11] B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, G. Maxwell. Bulletproofs: Efficient range proofs for confidential transactions. IEEE S&P, May 2018.
[12] A. Chiesa, E. Tromer, M. Virza. Cluster computing in zero knowledge. EUROCRYPT, Apr. 2015.
[13] A. Chiesa, M. A. Forbes, N. Spooner. A zero knowledge sumcheck and its applications. CoRR abs/1704.02086, 2017.
[14] T. P. Pedersen et al. Non-interactive and information-theoretic secure verifiable secret sharing. In Crypto, vol. 91, pp. 129–140. Springer, 1991.
[15] P. Paillier et al. Public-key cryptosystems based on composite degree residuosity classes. In Eurocrypt, vol. 99, pp. 223–238. Springer, 1999.