Biochar is a carbon-rich, stable substance, defined as charred organic matter, produced during the thermochemical decomposition of biomass. Its application is currently considered a means of enhancing soil productivity, an important requirement for increasing crop yields, while simultaneously improving the quality of contaminated soil and water. However, depending on pedoclimatic conditions, its application has negative aspects as well. It can also support biofuel production, thereby helping to reduce the demand for fossil fuels. Biochar provides ecosystem services such as immobilization and transformation of contaminants and mitigation of climate change by sequestering carbon and reducing the release of greenhouse gases such as nitrous oxide and methane. It can further reduce waste, since it can be produced from anything that contains biomass, thereby assisting in waste management. Due to such wide-ranging applications, this review was conceptualized to emphasize the importance of biochar as an alternative to classic products used for energy, environmental and agricultural purposes. Based on detailed information on the factors impacting biochar properties, the benefits and limitations of biochar, and potential application guidelines for growers, this work aims to help in the partial achievement of multiple environmental goals and to offer practical recommendations to growers, although its large-scale application is still controversial.
Citation: Shahram Torabian, Ruijun Qin, Christos Noulas, Yanyan Lu, Guojie Wang. Biochar: an organic amendment to crops and an environmental solution[J]. AIMS Agriculture and Food, 2021, 6(1): 401-415. doi: 10.3934/agrfood.2021024
1. Introduction
Blockchain, a decentralized and public computational paradigm based on multi-party consensus, provides new solutions for data security and information sharing in many scenarios. A growing number of assets have appeared on blockchains as the technology is widely applied in fields such as the Internet of Things and smart grids [1,2]. For example, product information is processed on a blockchain for product traceability in the Internet of Things. Some blockchain-based data sharing schemes are also designed for sensitive information, such as medical data, that needs both privacy and some level of data sharing [3,4,5]. Effective evaluation of privacy risk and ensuring privacy have always attracted broad attention [6,7,8,9]. In addition, many blockchain-based privacy-preserving payment mechanisms for the Internet of Things have been constructed to provide efficient and decentralized transactions [10,11]. Therefore, two questions are crucial and have received much attention: how to achieve privacy of transaction contents, so that monetary assets and data assets are hidden from observers, and how to achieve public verification of transactions, so that monetary assets and data assets can be shown to satisfy transaction rules.
Traditional ledger-based transaction schemes in blockchain, such as Bitcoin, lack privacy. All transaction information, including the transaction values that are permanently recorded on the blockchain, is public, and attackers can obtain it for malicious use and dissemination. Therefore, in order to hide transaction contents and make blockchain-based transactions more reliable, many cryptographic solutions have been used to build privacy-enhancing schemes for cryptocurrencies based on public blockchains. For example, Monero hides transaction amounts by using Pedersen commitments. It also uses the homomorphic property of commitments and Bulletproofs to verify transactions. Zcash introduces one-time encryption to protect the privacy of transaction contents and uses a zero-knowledge Succinct Non-interactive ARgument of Knowledge (zk-SNARK) to ensure transaction compliance. However, these solutions provide strong privacy guarantees that give users the potential to circumvent regulatory controls, such as money laundering without oversight by authorities, evasion, fraud and many other illicit activities, which creates many regulatory concerns. Enforcing reliable auditing in a blockchain-based transaction system is crucial [12], and in a system that offers privacy protection of transaction information it is both more challenging and more essential.
Therefore, as mentioned above, there are many challenging concerns about blockchain transaction privacy, effective auditing and public verification. More concretely, for data assets such as the quantity of goods in supply chains and sensitive patient information in medical data sharing, many schemes do not pay attention to public verification of data compliance while preserving privacy. For monetary assets in the unspent transaction output (UTXO) model, there is a lack of flexible transaction schemes that can both preserve privacy and audit the transaction amount of a single transaction. Simultaneously preserving privacy, keeping a public ledger and auditing reliably is challenging. Also, since the UTXO model has extra ledger space requirements caused by the generation of transaction outputs and the deletion of transaction inputs, saving ledger storage space and achieving efficiency gains for the user should be taken into consideration. To address these challenges, we focus on designing and constructing an efficient blockchain-based privacy-preserving transaction scheme with public verification and reliable auditing. The main contributions of our paper are summarized as follows:
● We propose a privacy-preserving transaction scheme in blockchain. Our scheme offers privacy preservation for both monetary assets and data assets based on homomorphic encryption. We decouple transaction identity information from transaction contents so that the scheme can be combined with different blockchain identity privacy protection schemes, which makes it more flexible.
● We propose and design a multiplicative zero-knowledge proof to prove that the encrypted values $(C_1,C_2,C_3)$ corresponding to $(v_1,v_2,v_3)$ satisfy the multiplicative relationship $v_1\cdot v_2=v_3$. It can be widely used in blockchain-based financial applications, blockchain-based supply chains and many other scenarios to achieve data compliance and preserve privacy. We give a formal security analysis of the proposed multiplicative zero-knowledge proof.
● We achieve public verification of hidden transaction contents based on zero-knowledge proofs in our privacy-preserving transaction scheme. We define several types of verification rules. For monetary assets, it achieves balance verification relying on the signature of knowledge. For data assets, it achieves multiplicative verification by applying the proposed multiplicative zero-knowledge proof, which can also be used to save transaction computation and storage cost in a specific scenario in the UTXO model.
● We also achieve reliable auditing of hidden transaction contents. In our scheme, we introduce the auditor. It can audit transaction values of each transaction instead of total transaction amounts, which is different from many existing schemes. There is also a verification of the audit zero-knowledge proof to ensure the audit reliability.
● We give formal security analysis of our blockchain-based privacy preserving transaction scheme. We also aggregate the balance proofs and audit proofs to save the ledger space. We implement the proposed scheme and evaluate its performance, and then we make a functional comparison between our scheme and others.
The rest of the paper is organized as follows. The related work is presented in Section 2. We give a brief introduction about background knowledge in Section 3. In Section 4, we present the proposed multiplicative zero-knowledge proof. We present our blockchain-based privacy-preserving transaction scheme in Section 5. Section 6 gives the security analysis of the proposed scheme. In Section 7, we give the performance analysis of the proposed scheme. Conclusions are drawn in Section 8.
2. Related work
Blockchain is a new concept that involves a consensus mechanism and distributed data storage. It was put forward as Bitcoin [13] in 2008. All transactions in Bitcoin are public and transparent, so it cannot satisfy the confidentiality requirement of some applications. In 2014, Monero [14], a cryptocurrency deriving from Bitcoin, was proposed. It uses linkable ring signatures, stealth addresses and RingCT to hide sensitive transaction information such as transaction contents and user identities. Other cryptocurrencies that focus on privacy protection are Zerocash [15] and Zerocoin [16]. Zerocash leverages encryption and zk-SNARKs [17] to achieve strong privacy guarantees for transactions. Zerocoin provides strong user anonymity and coin security based on RSA accumulators and non-interactive zero-knowledge proofs. Mimblewimble [18] is also a privacy-enhancing cryptocurrency; it uses confidential transactions [19], which are based on Pedersen commitments [20], to hide transaction amounts. Though these solutions achieve privacy protection in blockchain, none of them satisfies auditability, which is not compatible with illegal behaviors and is essential in financial applications.
In [21], the first distributed ledger system with auditing is proposed. In this system, commitments are used to hide transaction amounts. The authors also provide a rough audit of the sums of transaction values. However, it needs some auditors to stay online and query the system users to carry out the audit, which forces auditors and all users to communicate with each other sequentially and significantly reduces efficiency. In [22], the authors achieve an advanced zero-knowledge ledger by proposing an efficient range-proof technique based on improved inner-product-based zero-knowledge proofs. The reduction in proof size greatly improves the system efficiency. In [23], a private, authenticated and auditable blockchain is proposed. It achieves privacy protection and auditability in terms of user identity and transaction contents based on additive homomorphic encryption and BBS group signatures. In [24], the authors propose a decentralized system framework using blockchain and the IPFS system to provide high security for sharing and exchanging multimedia files. They use a secure authentication protocol based on zero-knowledge proofs to guarantee the privacy of multimedia data users. In [25], the authors achieve anonymity of users and privacy of transaction amounts. As for regulation, the system can regulate the total amount of transactions in a certain time. Also, there are some auditable solutions based on the account model [26,27,28].
We give the analysis and functional comparison between our scheme and other comparable schemes in Table 1 in terms of transaction model (TM), transaction confidentiality (TC), balance verification (BV), multiplicative verification, decoupled user identity and transaction contents (DIC), audit reliability (AR) and audit of each transaction (AoET). In summary, as we can see in Table 1, the above papers provide various privacy protections in terms of both identity and transaction contents, but they rarely achieve precise auditing of transactions, which is essential in financial applications. In particular, they mainly focus on transfer transactions. As blockchain has been widely applied in supply chains, data sharing and many other fields, it is also necessary to provide efficient verification for scenarios with both monetary assets and data assets, which has been ignored.
Table 1. Functional comparison between our scheme and others.
In this section, we introduce some related techniques that are used in this paper.
3.1. UTXO model
At present, there are many decentralized payment systems, such as Bitcoin, RSCoin [29] and Fabcoin in Hyperledger Fabric [30], that are based on the UTXO model, in which each transaction is formed by a set of inputs and a set of outputs. It is different from the traditional account model used by Ethereum, where the transaction value is specified and moved from one account to another. The UTXO model is shown in Figure 1. A UTXO represents some amount of monetary assets that has been authorized by one user to be spent by another. Details of the flows of monetary assets in transactions with the UTXO model are recorded in the blockchain ledger.
Pedersen commitment is used to achieve transaction confidentiality in Bitcoin. It can be described as follows.
● setup($1^\lambda$): This algorithm takes the security parameter $\lambda$ as input and generates the cyclic group $\mathbb{G}$ of order $q$. $G$ is a generator of the group $\mathbb{G}$, and $H$ is a random element of $\mathbb{G}$. It outputs the public parameter $pp=\{\mathbb{G},G,H,q\}$.
● Cm($pp,v$): This algorithm takes the public parameter $pp$, the value $v$ and the blind element $r$ as input. It computes $c=rG+vH$ as the commitment of $v$.
● Open($pp,c,v,r$): This algorithm takes the public parameter $pp$, the commitment $c$, the value $v$ and the blind element $r$ as input. It checks whether $c=rG+vH$ holds or not.
3.3. Hard problems and complexity assumptions
Definition 1. (Discrete logarithm (DL) problem). Let $\mathbb{G}$ be a cyclic group. Given a random instance $(P,aP)$, where $P\in\mathbb{G}$ and $a\in\mathbb{Z}_p^*$, computing $a$ is hard for a polynomial time algorithm. The probability that a polynomial time algorithm $\mathcal{A}$ can solve the DL problem is defined as $Adv^{DL}_{\mathcal{A}}(\lambda)$.
Definition 2. (Discrete logarithm assumption). For any probabilistic polynomial time algorithm $\mathcal{A}$, $Adv^{DL}_{\mathcal{A}}(\lambda)$ is negligible; that is, $Adv^{DL}_{\mathcal{A}}(\lambda)\le\epsilon$ for some negligible function $\epsilon$.
3.4. A variant of ElGamal encryption
There is a homomorphic encryption scheme based on ElGamal encryption called twisted ElGamal [28], which is zero-knowledge friendly. Given a cyclic group $\mathbb{G}$ of order $q$, let $P$ and $H$ be two random generators of $\mathbb{G}$, so that $pp=\{\mathbb{G},P,H,q\}$. It consists of the following algorithms:
keygen: It takes $pp$ as input and randomly chooses $x\in\mathbb{Z}_q^*$ as the secret key $X$. It computes the public key $Y=xP$, and then it outputs $(X,Y)$.
enc: It takes the public key $Y$ and message $m$ as input. It randomly chooses $s\in\mathbb{Z}_q^*$, computes $C_1=sY$, $C_2=mH+sP$ and outputs $C=\{C_1,C_2\}$.
dec: It takes the ciphertext $C$ and the secret key as input. It computes $mH=C_2-x^{-1}\cdot C_1$ to obtain $m$.
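The following sketch is an added example, not code from the paper. It runs keygen, enc and dec with $C_1=sY$, the form that the dec equation $mH=C_2-x^{-1}\cdot C_1$ and the scheme's later txenc step both rely on, and shows the additive homomorphism. Assumptions: a toy group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, far too small for real use), multiplicative notation in code for the paper's additive notation, a bounded search to recover $m$ from $mH$, and the helper name `add`.

```python
# Added example: twisted ElGamal over a toy group (constructed parameters, not secure).
# The paper writes the group additively; "aP + bH" is computed here as
# P**a * H**b mod p inside the order-q subgroup of Z_p^*.
import secrets

p, q = 2039, 1019      # toy safe prime p = 2q + 1, chosen only for the demo
P, H = 4, 9            # two elements of order q; log_P(H) is assumed unknown


def keygen():
    """Return (x, Y) with secret key x in Z_q^* and public key Y = xP."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(P, x, p)


def enc(Y, m, s=None):
    """Encrypt m as C1 = sY, C2 = mH + sP (C2 alone is a Pedersen commitment)."""
    if s is None:
        s = secrets.randbelow(q - 1) + 1
    return pow(Y, s, p), (pow(H, m, p) * pow(P, s, p)) % p


def add(ca, cb):
    """Component-wise group operation: the result encrypts m_a + m_b."""
    return (ca[0] * cb[0]) % p, (ca[1] * cb[1]) % p


def dec(x, c, v_max=500):
    """Compute mH = C2 - x^{-1} C1, then search [0, v_max] for m."""
    c1, c2 = c
    sP = pow(c1, pow(x, -1, q), p)       # x^{-1} C1 = sP
    mH = (c2 * pow(sP, -1, p)) % p       # C2 - sP
    acc = 1                              # acc walks through 0H, 1H, 2H, ...
    for m in range(v_max + 1):
        if acc == mH:
            return m
        acc = (acc * H) % p
    raise ValueError("plaintext outside [0, v_max]")


if __name__ == "__main__":
    x, Y = keygen()
    print(dec(x, enc(Y, 42)))
    print(dec(x, add(enc(Y, 120), enc(Y, 35))))
```

Decryption only yields $mH$; recovering $m$ requires the value to lie in a small known range, which is the range the scheme's range proof enforces.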
3.5. Non-interactive zero-knowledge proof
A non-interactive zero-knowledge (NIZK) proof [31] is a protocol that the prover can use to convince the verifier, using some public information, that it indeed has knowledge of a secret value without revealing that value. A non-interactive zero-knowledge proof has the properties of completeness, soundness and zero-knowledge [32]. We introduce a non-interactive zero-knowledge proof that is the signature of knowledge of the discrete logarithm (SKDL) [33,34]. Let $\mathbb{G}$ be a cyclic group and $P,Y\in\mathbb{G}$. A pair $(c,s)\in\{0,1\}^k\times\mathbb{Z}_n^*$ satisfying $c=H_0(P,Y,sP+cY)$ is a signature of knowledge of the discrete logarithm of $Y\in\mathbb{G}$ to the base $P$. It is denoted as $SKDL\{(a)\mid Y=aP\}$. It works as follows:
(1) The prover randomly chooses $r\in\mathbb{Z}_q^*$, then it computes $T=rP$, $c=H_0(P,Y,T)$ and $s=r-ca$. The prover sends $(c,s)$ to the verifier.
(2) The verifier verifies whether $c=H_0(P,Y,sP+cY)$ holds. If the equation holds, it means that the prover knows the discrete logarithm of $Y$ to the base $P$.
4. Proposed multiplicative zero-knowledge proof
Our proposed multiplicative zero-knowledge proof aims to convince the verifier that $v_3$ encrypted in $C_3$ is actually the product of $v_1$ and $v_2$, encrypted respectively in $C_1$ and $C_2$, i.e., $v_1\cdot v_2=v_3$. It contains three steps:
setup: Let $\mathbb{G}$ be a cyclic group of order $q$, where $q$ is $\lambda$ bits. $P$ and $H$ are two random generators of $\mathbb{G}$. Then, the public parameter is $pp=\{\mathbb{G},P,H,q\}$.
prove: The prover randomly chooses $s_1,s_2,s_3\in\mathbb{Z}_q^*$, and then it computes $C_1=v_1H+s_1P$, $C_2=v_2H+s_2P$ and $C_3=v_3H+s_3P$. The prover randomly chooses $y_1,y_2,y_3,s'_1,s'_2,s'_3,s'_4\in\mathbb{Z}_q^*$, and then it computes $d_1=y_1H+s'_1P$, $d_2=y_2H+s'_2P$, $d_3=y_3H+s'_3P$ and $d_4=y_2C_1+s'_4P$. The prover sends the generated $C_1$, $C_2$, $C_3$, $d_1$, $d_2$, $d_3$, $d_4$ to the verifier. The verifier randomly chooses a challenge $c\in\mathbb{Z}_q^*$ and returns it to the prover. Then, the prover computes $u_1=y_1+v_1c$, $u_2=y_2+v_2c$, $u_3=y_3+v_3c$, $\theta_1=s'_1+s_1c$, $\theta_2=s'_2+s_2c$, $\theta_3=s'_3+s_3c$ and $\theta_4=s'_4+(s_3-s_1v_2)c$. The prover sends the generated $u_1$, $u_2$, $u_3$, $\theta_1$, $\theta_2$, $\theta_3$, $\theta_4$ to the verifier.
verify: The verifier computes $d'_1=\theta_1P+u_1H-cC_1$, $d'_2=\theta_2P+u_2H-cC_2$, $d'_3=\theta_3P+u_3H-cC_3$ and $d'_4=\theta_4P+u_2C_1-cC_3$, and then it checks whether $d'_1=d_1$, $d'_2=d_2$, $d'_3=d_3$ and $d'_4=d_4$ hold. If the above equations hold, it outputs 1. Otherwise, it outputs 0.
According to the above steps, the prover proves that $C_1,C_2,C_3$ are encrypted values of $v_1,v_2,v_3$ satisfying $v_1\cdot v_2=v_3$. In addition, the above proof can be made non-interactive by applying the Fiat-Shamir heuristic [35]. In particular, the proposed multiplicative zero-knowledge proof can be used in a variety of blockchain scenarios, for both monetary assets and data assets. We explain this in Section 7.
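The prove and verify steps above, made non-interactive with a hash-derived challenge, are sketched below as an added example that is not the authors' implementation. It uses $d_4=y_2C_1+s'_4P$ with a fresh $s'_4$, which is what the verify equation $d'_4=\theta_4P+u_2C_1-cC_3$ requires, and the proof carries $d_1,\dots,d_4$ so the verifier can recompute $c$. Assumptions: the toy group ($p=2039$, $q=1019$, $P=4$, $H=9$), SHA-256 as the challenge hash, and the helper names `com`, `challenge`, `rand`.

```python
# Added example: multiplicative proof v1 * v2 = v3 over a toy group (not secure sizes).
# Additive "aP + bH" in the paper is P**a * H**b mod p here.
import hashlib
import secrets

p, q = 2039, 1019      # toy safe prime p = 2q + 1 (constructed for the demo)
P, H = 4, 9            # order-q elements; log_P(H) assumed unknown


def rand():
    return secrets.randbelow(q - 1) + 1            # element of Z_q^*


def com(v, s):
    """C = vH + sP."""
    return (pow(H, v % q, p) * pow(P, s % q, p)) % p


def challenge(*elems):
    """Fiat-Shamir challenge in Z_q^*, so c is never 0."""
    data = b"|".join(str(e).encode() for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1


def prove(v, s):
    """v = (v1, v2, v3), s = (s1, s2, s3). Returns (C, proof)."""
    C = [com(vi, si) for vi, si in zip(v, s)]
    y = [rand() for _ in range(3)]
    t = [rand() for _ in range(4)]                 # s'_1 .. s'_4
    d = [com(y[i], t[i]) for i in range(3)]        # d_i = y_i H + s'_i P
    d.append((pow(C[0], y[1], p) * pow(P, t[3], p)) % p)   # d4 = y2 C1 + s'4 P
    c = challenge(*d, *C)
    u = [(y[i] + v[i] * c) % q for i in range(3)]
    theta = [(t[i] + s[i] * c) % q for i in range(3)]
    theta.append((t[3] + (s[2] - s[0] * v[1]) * c) % q)
    return C, {"d": d, "u": u, "theta": theta}


def verify(C, proof):
    d, u, theta = proof["d"], proof["u"], proof["theta"]
    c = challenge(*d, *C)
    for i in range(3):
        # d'_i = theta_i P + u_i H - c C_i
        if (com(u[i], theta[i]) * pow(C[i], -c, p)) % p != d[i]:
            return False
    # d'_4 = theta_4 P + u_2 C_1 - c C_3; the H-terms cancel only if v1*v2 = v3
    d4 = (pow(P, theta[3], p) * pow(C[0], u[1], p) * pow(C[2], -c, p)) % p
    return d4 == d[3]


if __name__ == "__main__":
    s = [rand() for _ in range(3)]
    print(verify(*prove((3, 4, 12), s)))   # product holds
    print(verify(*prove((3, 4, 13), s)))   # product does not hold
```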
Theorem 1. The proposed multiplicative proof is a zero-knowledge proof under the discrete logarithm assumption, which means that it satisfies correctness, zero knowledge (can be simulated) and a proof of knowledge (has an extractor).
As we can see from the above equations, Eqs (4.1)–(4.4) hold. Therefore, the verifier always accepts the proof, and then the proposed multiplicative zero-knowledge proof satisfies correctness.
Lemma 2. The proposed multiplicative zero-knowledge proof can be simulated under the discrete logarithm assumption.
Proof of Lemma 2. We describe a simulator that can output the proof. It randomly chooses a set of values $v_1,v_2,v_3$ and computes $C_1=v_1H+s_1P$, $C_2=v_2H+s_2P$, $C_3=v_3H+s_3P$. The distribution of these values generated by the simulator is indistinguishable from the distribution output by the prover. In the remainder of the simulation, it does not assume knowledge of $v_1,v_2,v_3$.
The simulator randomly chooses a challenge $c\in\mathbb{Z}_q^*$ and $u_1$, $u_2$, $u_3$, $\theta_1$, $\theta_2$, $\theta_3$, $\theta_4$. It computes $d_1=\theta_1P+u_1H-cC_1$, $d_2=\theta_2P+u_2H-cC_2$, $d_3=\theta_3P+u_3H-cC_3$ and $d_4=u_2C_1+\theta_4P-cC_3$, which satisfy Eqs (4.1)–(4.4). Moreover, these values have the same distribution as those in the real proof. The simulator outputs $c$, $u_1$, $u_2$, $u_3$, $\theta_1$, $\theta_2$, $\theta_3$, $\theta_4$, $d_1$, $d_2$, $d_3$, $d_4$, which are indistinguishable from the real proof in the multiplicative proof. Therefore, the proposed multiplicative zero-knowledge proof can be simulated under the discrete logarithm assumption.
Lemma 3. The proposed multiplicative zero-knowledge proof has an extractor.
Proof of Lemma 3. Suppose there exists an extractor that can rewind a prover in the multiplicative proof proposed above to the point before it generates $c$. For the challenge value $c$, the prover responds with $(u_1,u_2,u_3,\theta_1,\theta_2,\theta_3,\theta_4)$. For a challenge value $c'\ne c$, the prover responds with $(u'_1,u'_2,u'_3,\theta'_1,\theta'_2,\theta'_3,\theta'_4)$. If the prover is convincing, then all of Eqs (4.1)–(4.4) hold.
So, we have $\Delta c=c-c'$ and $\Delta u_1=u_1-u'_1$, and $\Delta u_2$, $\Delta u_3$, $\Delta\theta_1$, $\Delta\theta_2$, $\Delta\theta_3$, $\Delta\theta_4$ are defined in the same way as $\Delta u_1$. Considering Eq (4.1), we have $\Delta c\,C_1=\Delta\theta_1P+\Delta u_1H$, so let $v_1^*=\Delta u_1/\Delta c$ and let $s_1^*=\Delta\theta_1/\Delta c$. Similarly, from Eqs (4.2)–(4.4), we obtain $v_2^*$, $s_2^*$, $v_3^*$, $s_3^*$ and $s^*=\Delta\theta_4/\Delta c$. We have $(v_1^*v_2^*-v_3^*)H=(s_3^*-s^*-v_2^*s_1^*)P$. Therefore, the extractor obtains a discrete logarithm problem solution $\log_PH=(s_3^*-s^*-v_2^*s_1^*)/(v_1^*v_2^*-v_3^*)$. Therefore, the proposed multiplicative zero-knowledge proof has an extractor.
We propose a privacy-preserving blockchain-based transaction scheme that enables reliable auditing and different verification rules. There are four roles in our scheme that are described as follows:
● Trusted Center: It initializes the whole scheme.
● Users: They include the payer and the payee involved in blockchain-based transactions, as well as users that transact, share and store data assets through the blockchain.
● Auditor: It audits encrypted transactions in the scheme.
As we can see in Figure 3, the transaction workflow of our privacy-preserving transaction scheme is summarized as follows:
(1) Setup: The trusted center performs initialization and generates an audit key pair for the auditor.
(2) Transact: Users generate transactions, and they send transactions to validators.
(3) Verify: Validators receive a transaction and verify whether it satisfies the verification rules and audit reliability.
(4) Aggregate: Balance and audit zero-knowledge proofs in transactions are aggregated and sent to committing nodes.
(5) Chain: Committing nodes verify the aggregated information. If the verifications pass, transactions are committed to the blockchain.
(6) Audit: The auditor audits transaction contents. It does not need to be online all the time and can audit the transaction contents of each transaction.
Notations in our paper are summarized in Table 2. In our scheme, a transaction $tx$ is used to record the encrypted payment process between payers and payees for monetary assets, and it is used to record the encrypted data transaction for data assets. Transactions are finally recorded in the ledger of the blockchain. The structure of transaction $tx$ is $tx=\{tx.in,tx.out,tx.data,\pi_{bl},\pi_{rp},\pi_{pro},\pi_{au}\}$. $tx.in$ is the encrypted inputs of the transaction, and $tx.out$ is the encrypted outputs of the transaction. $tx.data$ is the encrypted data of data assets. $\pi_{bl}$ is the balance proof generated by users for balance verification. $\pi_{rp}$ is the range proof to prove the transaction value is in a certain range $[0,v_{max}]$, where $v_{max}$ is a system parameter. $\pi_{pro}$ is the multiplicative proof that can prove transaction values satisfy the product relationship, and $\pi_{au}$ is the audit proof to prove the auditor can reliably audit the transaction.
More concretely, $tx.in$ includes $n$ inputs of a transaction such that $tx.in=\{C_i^{in}\mid C_i^{in}=\{C_i^{in1},C_i^{in2}\},i\in[1,n]\}$. The value of each input $C_i^{in}$ is $v_i^{in}$. $tx.out$ includes $n'$ outputs of a transaction and the change $C_c$, which can be presented as $tx.out=\{C_j^{out},C_c\mid C_j^{out}=\{C_j^{out1},C_j^{out2}\},j\in[1,n'],C_c=\{C_c^1,C_c^2\}\}$. The value of each output $C_j^{out}$ is $v_j^{out}$, and the change value is $v_c$. $tx.data$ includes the encrypted data $tx.data=\{C_1=\{C_1^1,C_1^2\},C_2=\{C_2^1,C_2^2\},C_3=\{C_3^1,C_3^2\},...\}$, where $C_1,C_2,C_3$ are encrypted data of some values $v_1,v_2,v_3$.
5.2. Security model
Our scheme is designed to satisfy the security requirements of transaction confidentiality, public verification and audit reliability.
Definition 3. (Transaction confidentiality). Transaction confidentiality means the plaintext of transaction contents such as payment value or data assets cannot be obtained by an attacker in our system.
We define the transaction confidentiality of our scheme by the following transaction confidentiality experiment. The adversary $\mathcal{A}$ is a user in the system, and it has the UTXO that belongs to him.
in which the definitions of the oracles $\mathcal{O}_{pre}$ and $\mathcal{O}_{GenCT}$ are as follows:
● $\mathcal{O}_{pre}$: On input $((C_i^{in},v_i^{in},s_i^{in}),v_\rho)$, run $ptx\leftarrow pretx(pp,C_i^{in},v_i^{in},s_i^{in},v_\rho,Y)$ and store $\{(C_i^{in},v_i^{in},s_i^{in}),v_\rho,Y,ptx\}$ into the list $L$.
● $\mathcal{O}_{GenCT}$: On input $(ptx.rmdr)$, search $L$, run $tx.out\leftarrow tx(pp,ptx.rmdr,Y)$ and $\pi_{au}\leftarrow au(pp,ptx.out,\pi_{pau},Y)$, and then return $tx.out$ and $\pi_{au}$.
Public verification means that transactions in our scheme can be publicly verified by validators to satisfy various verification rules. We design two types of verification rules, and they are transaction balance and transaction multiplicative relationship that are defined as follows.
Definition 4. (Transaction balance). For monetary assets, it satisfies balance verification such that the sum of inputs' values is equal to the sum of outputs' values.
We define the transaction balance of our scheme by the following transaction balance experiment. The adversary $\mathcal{A}$ is a user in the system, and it has the UTXO that belongs to him.
in which the definitions of the oracles $\mathcal{O}_{pre}$ and $\mathcal{O}_{bal}$ are as follows:
● $\mathcal{O}_{pre}$: On input $((C_i^{in},v_i^{in},s_i^{in}),v_\rho)$, run $ptx\leftarrow pretx(pp,C_i^{in},v_i^{in},s_i^{in},v_\rho,Y)$ and store $\{(C_i^{in},v_i^{in},s_i^{in}),v_\rho,Y,ptx\}$ into the list $L$.
● $\mathcal{O}_{bal}$: On input $ptx.rmdr$, run $tx.out\leftarrow tx(pp,ptx.rmdr,Y)$, search $L$ to find the corresponding $\pi_{pbp}$ and $P_b$, then run $\pi_{bl}\leftarrow bl(pp,\pi_{pbp},P_b)$, and return $tx.out$ and $\pi_{bl}$.
Definition 5. (Transaction multiplicative relationship). For data assets, the validator can publicly verify whether some values $v_1,v_2,v_3$ satisfy a multiplicative relationship such as $v_1\cdot v_2=v_3$.
We define the transaction multiplicative relationship of our scheme by the following transaction multiplicative relationship experiment. The adversary $\mathcal{A}$ is a user in the system.
in which the definition of the oracle $\mathcal{O}_{pro}$ is as follows:
● $\mathcal{O}_{pro}$: On input $v_1,v_2,v_3$, run $(C_1,C_2,C_3)\leftarrow tx(pp,v_1,v_2,v_3,Y)$ and $\pi_{pro}\leftarrow pro(pp,v_1,v_2,v_3,C_1^2,C_2^2,C_3^2)$, and return $C_1,C_2,C_3$ and $\pi_{pro}$.
Definition 6. (Audit reliability). Audit reliability means transactions can be reliably audited by the auditor.
We define the audit reliability of our scheme by the following audit reliability experiment. The adversary $\mathcal{A}$ is a user in the system, and it has the UTXO that belongs to him.
It consists of six phases, including Setup, Transact, Verify, Aggregate, Chain and Audit.
Setup: In the setup phase, the trusted center generates the public parameters and the audit key pair. First, it executes the setup($1^\lambda$) algorithm, where $\lambda$ is the security parameter. $\mathbb{G}$ is a cyclic group of order $q$, where $q$ is $\lambda$ bits. $P$ and $H$ are two random generators of $\mathbb{G}$. $H_0$, $H_1$, $H_2$ and $H_3$ are hash functions that satisfy $H_0:\mathbb{G}\times\mathbb{G}\to\mathbb{Z}_q$, $H_1:\mathbb{G}\times\mathbb{G}\times\mathbb{G}\times\mathbb{G}\to\mathbb{Z}_q$, $H_2:\mathbb{G}\times\mathbb{G}\times\mathbb{G}\times\mathbb{G}\times\mathbb{G}\times\mathbb{G}\times\mathbb{G}\to\mathbb{Z}_q$ and $H_3:\underbrace{\mathbb{G}\times\cdots\times\mathbb{G}}_{2n'+2}\to\mathbb{Z}_q$. Second, it executes the keygen($pp$) algorithm. It randomly chooses $x\in\mathbb{Z}_q$ as the audit secret key $X$, and then it computes the audit public key $Y=x\cdot P$. At last, the trusted center outputs the audit public key $Y$ and the public parameters $pp=\{\mathbb{G},P,H,q,H_0,H_1,H_2,H_3\}$.
Transact: In the transact phase, the payee and the payer generate a transaction that preserves the privacy of the transaction contents and can be audited by the auditor. In addition, they also generate proofs to ensure the transaction satisfies the verification rules and can be reliably audited. In this phase, they provide a balance proof that ensures the sum of outputs is equal to the sum of inputs, a range proof that ensures the transaction value is greater than zero, a multiplicative proof that ensures that some transaction data satisfies the multiplicative relationship and an audit proof that guarantees the audit reliability. In this phase, there are five algorithms that are described as follows:
(1) The pretx($pp,C_i^{in},v_i^{in},s_i^{in},v_\rho,Y$) algorithm is executed by the payer. It takes as input the public parameters $pp$, transaction inputs $C_i^{in}$, value $v_i^{in}$, randomness $s_i^{in}$, transfer value $v_\rho$ and the audit public key $Y$. It outputs the pre-transaction $ptx$ as follows:
● The payer selects $n$ inputs $C_i^{in}$ of total value $v=\sum_{i=1}^{n}v_i^{in}\ge v_\rho$. Let the pre-transaction input be $ptx.in=\{C_i^{in}\mid i\in[1,n]\}$. It generates $n'$ outputs of total value $v_\rho=\sum_{j=1}^{n'}v_j^{out}$. Let the pre-transaction remainder be $ptx.rmdr=\{v_j^{out}\mid j\in[1,n']\}$.
● The payer computes the change value $v_c^{out}=v-v_\rho$. Let the change value be $ptx.chg=v_c^{out}$. It randomly selects the randomness of the change value $s_c^{out}\in\mathbb{Z}_q$. It computes $C_c^{out1}=s_c^{out}Y$ and $C_c^{out2}=s_c^{out}P+v_c^{out}H$. Let $C_c^{out}=\{C_c^{out1},C_c^{out2}\}$, and it stores $C_c^{out}$ in $tx.out$.
● The payer generates the pre-transaction balance proof $\pi_{pbp}$. It randomly chooses $r_a\in\mathbb{Z}_q$ and computes $s_s^{in}=-\sum_{i=1}^{n}s_i^{in}+s_c^{out}$. It computes $X_a=s_s^{in}P$, $R_a=r_aP$, $e_a=H_0(R_a,X_a)$ and $\sigma_a=r_a+e_as_s^{in}$. So, the pre-transaction balance proof is $\pi_{pbp}=\{\sigma_a,e_a,R_a,X_a\}$.
● The payer computes the pre-transaction audit proof $\pi_{pau}$. The proof can be described as $SKDL\{(v_c^{out},s_c^{out}):C_c^{out1}=s_c^{out}Y\wedge C_c^{out2}=s_c^{out}P+v_c^{out}H\}$, which ensures that this transaction can be reliably audited. It randomly chooses $s_c^{out\prime}\in\mathbb{Z}_q$ and $v_c^{out\prime}\in\mathbb{Z}_q$, then it computes $R_c^1=s_c^{out\prime}Y$, $R_c^2=s_c^{out\prime}P+v_c^{out\prime}H$, $\tilde{c}_p=H_1(R_c^1,R_c^2,C_c^{out})$, $\sigma_{c,1}=s_c^{out\prime}+\tilde{c}_ps_c^{out}$ and $\sigma_{c,2}=v_c^{out\prime}+\tilde{c}_pv_c^{out}$. So the pre-transaction audit proof is $\pi_{pau}=\{\sigma_{c,1},\sigma_{c,2},R_c^1,R_c^2,\tilde{c}_p\}$.
The payer outputs the generated pre-transaction $ptx=\{ptx.in,ptx.out,\pi_{pbp},\pi_{pau}\}$, where $ptx.out=\{ptx.chg,ptx.rmdr\}$.
(2) The tx($pp,ptx.rmdr,Y$) algorithm is executed by the payee. It takes as input the public parameters $pp$, the pre-transaction remainder $ptx.rmdr$ and the audit public key $Y$. It generates the transaction outputs $tx.out$, balance randomness $P_b$ and range proof $\pi_{rp}$ as follows: The payee checks whether $\sum_{i=1}^{n}v_i^{in}=\sum_{j=1}^{n'}v_j^{out}+v_c^{out}$ holds. If it does not hold, it aborts. Otherwise, the payee executes the txenc($pp,v_i^{in},Y$) algorithm, which is twisted ElGamal encryption. This algorithm randomly chooses $s_j^{out}\in\mathbb{Z}_q$ and computes $C_j^{out1}=s_j^{out}Y$ and $C_j^{out2}=s_j^{out}P+v_j^{out}H$, and then it stores them in $tx.out$. The payee computes $s_s^{out}=\sum_{j=1}^{n'}s_j^{out}$ and the balance randomness $P_b=s_s^{out}P$, and then the payee executes Bulletproofs [36] to generate the range proof $\pi_{rp}=\{\pi_{rp_c},\pi_{rp_j}\mid j\in[1,n']\}$. For data assets such as $v_1,v_2,v_3$ ($v_3=v_1v_2$), it generates $C_1,C_2,C_3$ by txenc($pp,v_1,v_2,v_3,Y$) in the same way, and it stores them in $tx.data=\{C_1,C_2,C_3\}$.
(3) The $bl(pp,\pi_{pbp},P_b)$ algorithm is executed by the payer and payee. It takes as input the public parameters $pp$, the pre-transaction balance proof $\pi_{pbp}$ and the balance randomness $P_b$. It generates the balance proof $\pi_{bl}$ as follows:
● The payee computes $e'_a=H_0(R_a,X_a)$, and then it verifies whether $\sigma_aP=R_a+e'_aX_a$ holds. If it does not hold, the payee aborts. Otherwise, the payee randomly chooses $r_b\in\mathbb{Z}_q$, computes $R_b=r_bP$, $\triangle R=R_a+R_b$ and $\bar{X}=X_a+P_b$. It calculates $e=H_0(\triangle R,\bar{X})$ and computes $\sigma_B=r_b+es_s^{out}$. The payee sends the generated $\sigma_B$ and $P_b$ to the payer.
● The payer computes $\triangle R=R_a+R_b$, $\bar{X}=X_a+P_b=x_sP$, $e=H_0(\triangle R,\bar{X})$, $\sigma_A=r_a+es_s^{in}$ and $\sigma=\sigma_A+\sigma_B$. Therefore, the generated balance proof is $\pi_{bl}=\{\sigma,e,\triangle R,\bar{X}\}$.
(4) The $pro(pp,v_1,v_2,v_3,C_1^2,C_2^2,C_3^2)$ algorithm is executed by the user. It proves that some encrypted transaction values $v_1,v_2,v_3$ satisfy the product relationship $v_1v_2=v_3$. It takes as input the public parameters $pp$ and $C_1^2=v_1H+s_1P$, $C_2^2=v_2H+s_2P$ and $C_3^2=v_3H+s_3P$, which are the encrypted values of $v_1$, $v_2$, $v_3$. It generates the multiplicative proof $\pi_{pro}$ as follows:
● The user randomly chooses $y_1,y_2,y_3,s'_1,s'_2,s'_3\in\mathbb{Z}_q$, and then it computes $d_1=y_1H+s'_1P$, $d_2=y_2H+s'_2P$, $d_3=y_3H+s'_3P$ and $d_4=y_2C_1^2+s'_3H$. It computes $c=H_2(d_1,d_2,d_3,d_4,C_1^2,C_2^2,C_3^2)$.
● It computes $u_1=y_1+v_1c$, $u_2=y_2+v_2c$, $u_3=y_3+v_3c$, $\theta_1=s'_1+s_1c$, $\theta_2=s'_2+s_2c$, $\theta_3=s'_3+s_3c$ and $\theta_4=s'_3+(s_3-s_1v_2)c$. So, the multiplicative proof is $\pi_{pro}=\{c,u_1,u_2,u_3,\theta_1,\theta_2,\theta_3,\theta_4\}$.
(5) The $au(pp,ptx.out,\pi_{pau},Y)$ algorithm is run by the payee. It takes as input the public parameters $pp$, a remainder $ptx.rmdr$, the pre-transaction audit proof $\pi_{pau}$ and the audit public key $Y$. It outputs the audit proof $\pi_{au}$ as follows:
● The payee randomly chooses $s_j^{out'}\in\mathbb{Z}_q$ and computes $R_1=R_c^1+\sum_{j=1}^{n'}R_j^1=R_c^1+\sum_{j=1}^{n'}s_j^{out'}Y$, and then it randomly selects $v_j^{out'}\in\mathbb{Z}_q$ and computes $R_2=R_c^2+\sum_{j=1}^{n'}R_j^2=R_c^2+\sum_{j=1}^{n'}(s_j^{out'}P+v_j^{out'}H)$.
● It calculates $\tilde{c}=H_3(R_1,R_2,tx.out)$ and $\sigma_{j,1}=s_j^{out'}+\tilde{c}s_j^{out}$, $\sigma_{j,2}=v_j^{out'}+\tilde{c}v_j^{out}$, where $v_j^{out}$ is the output value and $s_j^{out}$ is the random number.
● It computes $\bar{\sigma}=\sigma_{c,1}+\sum_{j=1}^{n'}\sigma_{j,1}$ and $\sigma'=\sigma_{c,2}+\sum_{j=1}^{n'}\sigma_{j,2}$. So, the audit proof is $\pi_{au}=\{\bar{\sigma},\sigma',R_1,R_2,\tilde{c}\}$.
Finally, the payee sends the transaction to the validating nodes.
Verify: In the verify phase, validating nodes are responsible for verifying whether the transaction meets the requirements that we defined. There are four verifying algorithms, described as follows:
(1) The $verirp(pp,tx.out,\pi_{rp})$ algorithm takes as input the public parameters $pp$, the transaction output $tx.out$ and the range proof $\pi_{rp}$. It uses Bulletproofs [36] to verify whether the transaction output is in a certain range $[0,v_{max}]$. The details of Bulletproofs can be found in [36].
(2) The $veribl(pp,\pi_{bl})$ algorithm takes as input the public parameters $pp$ and the balance proof $\pi_{bl}$. It verifies whether the transaction satisfies the balance property as follows: It computes $e'=H_0(\triangle R,\bar{X})$, and then it checks whether $e'=e$ and $\sigma P=\triangle R+e\bar{X}$ hold. If they hold, it outputs true, which means that the transaction satisfies the balance property.
(3) The $veripro(pp,\pi_{pro})$ algorithm takes as input the public parameters $pp$ and the multiplicative proof $\pi_{pro}$. It verifies whether these encrypted transaction values satisfy the product relationship $v_1v_2=v_3$. It computes $d'_1=\theta_1P+u_1H-cC_1^2$, $d'_2=\theta_2P+u_2H-cC_2^2$, $d'_3=\theta_3P+u_3H-cC_3^2$, $d'_4=\theta_4P+u_2C_1^2-cC_3^2$ and $c'=H_2(d'_1,d'_2,d'_3,d'_4,C_1^2,C_2^2,C_3^2)$, and then it checks whether $c'=c$ holds. If it holds, it outputs true, which means that these encrypted transaction values satisfy the product relationship.
(4) The $veriau(pp,\pi_{au})$ algorithm takes as input the public parameters $pp$ and the audit proof $\pi_{au}$. It verifies whether the transaction can be reliably audited as follows: It computes $R'_1=\bar{\sigma}Y-\tilde{c}C_c^{out1}-\sum_{j=1}^{n'}\tilde{c}C_j^{out1}$, $R'_2=\sigma'H+\bar{\sigma}P-\tilde{c}C_c^{out2}-\sum_{j=1}^{n'}\tilde{c}C_j^{out2}$ and $\tilde{c}'=H_3(R'_1,R'_2,tx.out)$. It checks whether $\tilde{c}=\tilde{c}'$ holds. If this equation holds, it outputs true, which means that the transaction can be reliably audited.
Aggregate$(\sigma_k,\triangle R,\sigma'_k,\bar{\sigma}_k,R_k^1,R_k^2)$: In the aggregate phase, the ordering nodes take as input the balance signature $\sigma_k$, balance randomness $\triangle R$, audit signature $\sigma'_k,\bar{\sigma}_k$, and audit randomness $R_k^1,R_k^2$, and aggregate the balance signatures and audit signatures of $m$ transactions, where $k\in[1,m]$. The ordering nodes compute $\sigma_{Agg}=\sum_{k=1}^{m}\sigma_k$, $R_{Agg}=\sum_{k=1}^{m}\triangle R_k$, $\sigma'_{Agg}=\sum_{k=1}^{m}\sigma'_k$, $\bar{\sigma}_{Agg}=\sum_{k=1}^{m}\bar{\sigma}_k$, $R_{Agg}^1=\sum_{k=1}^{m}R_k^1$ and $R_{Agg}^2=\sum_{k=1}^{m}R_k^2$. Therefore, the aggregated message is $info_{Agg}=\{\sigma_{Agg},R_{Agg},\sigma'_{Agg},\bar{\sigma}_{Agg},R_{Agg}^1,R_{Agg}^2\}$.
Chain$(info_{Agg},\bar{X}_k,tx.out_k,e_k,\tilde{c}_k)$: In the chain phase, the committing nodes take as input the aggregated message $info_{Agg}$, public randomness $\bar{X}_k$, transaction outputs $tx.out_k$, the hash value $e_k$ corresponding to each transaction and the balance challenge value $\tilde{c}_k$. They verify the correctness of the aggregated message $info_{Agg}$ by checking whether $\sigma_{Agg}P=R_{Agg}+\sum_{k}e_k\bar{X}_k$, $\bar{\sigma}_{Agg}P=R_{Agg}^1+\tilde{c}_kC_c^{out1}+\sum_{j=1}^{n'}\tilde{c}_kC_j^{out1}$ and $\sigma'_{Agg}H+\bar{\sigma}_{Agg}P=R_{Agg}^2+\tilde{c}_kC_c^{out2}+\sum_{j=1}^{n'}\tilde{c}_kC_j^{out2}$ hold. If these two equations hold, it outputs true; the committing nodes then add the verified transactions onto the ledger, and the updated ledger is $\Lambda$.
Audit$(pp,X,tx.out)$: In the audit phase, the auditor takes as input the public parameters $pp$, the audit secret key $X$ and the transaction outputs $tx.out$. It computes $v_j^{out}H=C_j^{out2}-X^{-1}\cdot C_j^{out1}$ and audits the transaction by comparing $v_j^{out}H$ with the pre-computed $bH$, where $b\in[0,v_{max})$.
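The following Python example is added here and is not the authors' Golang prototype: it runs the twisted ElGamal encryption, the $pro$/$veripro$ multiplicative proof and the Audit lookup described above on secp256k1 for a unit price × quantity = total case with constructed values. Assumptions of this example: the key pair satisfies $Y=XP$ (implied by the Audit equation), $H$ is derived by hashing to the curve, the encoding of the hash inputs and the helper names `add`, `mul`, `hash_to_point` and `demo` are hypothetical, and the blinding term of $d_4$ is placed on $P$ (the text prints $H$), because that is the form for which the $d'_4$ expression of $veripro$ equals $d_4$ when $v_1v_2=v_3$.

```python
import hashlib
import secrets

FP = 2**256 - 2**32 - 977  # secp256k1 field prime; curve y^2 = x^3 + 7
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order q
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Point addition; None is the identity element."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, a):
    """Scalar multiplication by double-and-add (teaching code, not constant time)."""
    k, acc = k % Q, None          # a negative k gives the negated multiple
    while k:
        if k & 1:
            acc = add(acc, a)
        a, k = add(a, a), k >> 1
    return acc

def hash_to_point(tag):
    """Assumed derivation of a generator H whose discrete log to P is unknown."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(tag + bytes([ctr])).digest(), "big") % FP
        rhs = (pow(x, 3, FP) + 7) % FP
        y = pow(rhs, (FP + 1) // 4, FP)        # square root, valid since p = 3 mod 4
        if y * y % FP == rhs:
            return (x, y)
    raise ValueError("no curve point found")

H = hash_to_point(b"example-second-generator")  # constructed label

def H2(*items):
    """Fiat-Shamir challenge; how the inputs are encoded is this example's choice."""
    return int.from_bytes(hashlib.sha256(repr(items).encode()).digest(), "big") % Q

def keygen():
    """Audit key pair; Y = X*P is implied by the Audit equation vH = C2 - X^-1 * C1."""
    X = secrets.randbelow(Q - 1) + 1
    return X, mul(X, P)

def txenc(v, Y):
    """Twisted ElGamal: returns randomness s and ciphertext (C1, C2) = (sY, sP + vH)."""
    s = secrets.randbelow(Q - 1) + 1
    return s, (mul(s, Y), add(mul(s, P), mul(v, H)))

def audit(X, C, vmax):
    """Auditor: remove the mask sP, then compare vH with b*H for b in [0, vmax)."""
    vH = add(C[1], mul(-pow(X, -1, Q), C[0]))
    cand = None                                 # 0*H
    for b in range(vmax):
        if cand == vH:
            return b
        cand = add(cand, H)
    return None

def pro(v, s, C2):
    """Prove v1*v2 = v3 for C2[i] = v[i]*H + s[i]*P without revealing v or s."""
    y = [secrets.randbelow(Q) for _ in range(3)]
    t = [secrets.randbelow(Q) for _ in range(3)]   # s'_1, s'_2, s'_3
    d = [add(mul(y[i], H), mul(t[i], P)) for i in range(3)]
    d.append(add(mul(y[1], C2[0]), mul(t[2], P)))  # d4, blinded on P (see lead-in)
    c = H2(*d, *C2)
    u = [(y[i] + v[i] * c) % Q for i in range(3)]
    th = [(t[i] + s[i] * c) % Q for i in range(3)]
    th.append((t[2] + (s[2] - s[0] * v[1]) * c) % Q)
    return (c, *u, *th)

def veripro(proof, C2):
    """Recompute d'_1..d'_4 from the responses and compare the challenge."""
    c, u, th = proof[0], proof[1:4], proof[4:8]
    d = [add(add(mul(th[i], P), mul(u[i], H)), mul(-c, C2[i])) for i in range(3)]
    d.append(add(add(mul(th[3], P), mul(u[1], C2[0])), mul(-c, C2[2])))
    return H2(*d, *C2) == c

def demo():
    """Supply-chain case: unit price * quantity = total (constructed values)."""
    X, Y = keygen()
    def run(vals):
        encs = [txenc(v, Y) for v in vals]
        C2 = [C[1] for _, C in encs]
        return pro(vals, [s for s, _ in encs], C2), C2, encs
    good, C2, encs = run((12, 30, 360))
    bad, bad_C2, _ = run((12, 30, 361))        # encrypted total is not the product
    return {"valid": veripro(good, C2), "wrong_total": veripro(bad, bad_C2),
            "audited_total": audit(X, encs[2][1], 1000)}

if __name__ == "__main__": print(demo())
```

The validator only sees the second ciphertext components and the proof, while the auditor recovers the total with the secret key $X$ and a bounded table lookup.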
6. Security analysis
6.1. Transaction confidentiality
Theorem 2 (Transaction confidentiality). Our scheme satisfies transaction confidentiality if the twisted ElGamal algorithm is IND-CPA secure and the audit proof $\pi_{au}$ is zero-knowledge.
Proof of Theorem 2. We prove it via the following games. Let $Win_i$ denote the probability that the adversary $\mathcal{A}$ wins $Game_i$.
$Game_0$: We proceed with the transaction confidentiality experiment defined in Section 5.2. The challenger $\mathcal{C}$ and the adversary $\mathcal{A}$ interact as follows:
(1) $\mathcal{C}$ computes $pp\leftarrow setup(\lambda)$ and $(X,Y)\leftarrow keygen$. It returns the generated $pp$ and $Y$ to $\mathcal{A}$.
(2) $\mathcal{A}$ queries $\mathcal{O}_{Pre}$ and $\mathcal{O}_{GenCT}$. $\mathcal{C}$ answers these queries. On input $((C_i^{in},v_i^{in},s_i^{in}),v_\rho)$, run $ptx\leftarrow pretx(pp,C_i^{in},v_i^{in},s_i^{in},v_\rho,Y)$ and store $\{(C_i^{in},v_i^{in},s_i^{in}),v_\rho,Y,ptx\}$ into the list $L$. On input $(ptx.rmdr)$, search $L$, run $tx.out\leftarrow tx(pp,ptx.rmdr,Y)$ and $\pi_{au}\leftarrow au(pp,ptx.out,\pi_{pau},Y)$, and then return $tx.out$ and $\pi_{au}$.
(3) $\mathcal{A}$ chooses $\{ptx.rmdr_0,ptx.rmdr_1\}$. $\mathcal{C}$ randomly selects $b\in[0,1]$ and computes $tx.out^*\leftarrow tx(pp,ptx.rmdr_b,Y)$, $\pi_{au}^*\leftarrow au(pp,ptx.rmdr_b,ptx.chg,\pi_{pau},Y)$. It returns the generated $\{tx.out^*,\pi_{au}^*\}$ to $\mathcal{A}$.
(4) $\mathcal{A}$ generates the guess $b'$ of $b$. If $b=b'$, it wins the experiment.
Therefore, we have $Adv_{\mathcal{A}}(\lambda)=\Pr[Win_0]-\frac{1}{2}$.
$Game_1$: $Game_1$ is similar to $Game_0$ except that the audit proof $\pi_{au}$ is generated by the simulator $S=(S_1,S_2)$. $S_1$ generates the trapdoor $\tau$, and then $S_2$ takes $\tau$ as input without any proof. It outputs the simulated proof $\pi_{au}$. Therefore, the proof generated by $S_2$ is the same as the proof computed in $Game_1$. The probability that $\mathcal{A}$ wins $Game_1$ satisfies
$$|\Pr[Win_1]-\Pr[Win_0]|\le negl(\lambda). \qquad (6.1)$$
As we can see in Lemma 1, we have $\Pr[Win_1]\le negl(\lambda)$.
Lemma 4. If the twisted ElGamal algorithm is IND-CPA secure, then for every PPT adversary $\mathcal{A}$, we have $\Pr[Win_1]\le negl(\lambda)$.
Proof of Lemma 4. Suppose that there is a PPT adversary $\mathcal{A}$ that wins $Game_1$ with non-negligible advantage; then we can construct an algorithm $\mathcal{B}$ that breaks the IND-CPA security of the twisted ElGamal algorithm. $\mathcal{B}$ simulates $Game_1$ as follows:
(1) $\mathcal{B}$ computes $pp\leftarrow setup(\lambda)$ and $(X,Y)\leftarrow keygen(pp)$. It uses $S_1$ to generate the trapdoor $\tau$, and then it returns them to $\mathcal{A}$.
(2) $\mathcal{A}$ queries the oracle $\mathcal{O}_{Pre}$ and the oracle $\mathcal{O}_{GenCT}$. The challenger $\mathcal{C}$ answers these queries.
$\mathcal{O}_{Pre}$: $\mathcal{A}$ makes this query with $(C_i^{in},v_i^{in},s_i^{in},v_\rho)$. $\mathcal{C}$ receives this query, and then it executes $ptx\leftarrow pretx(C_i^{in},v_i^{in},s_i^{in},v_\rho,Y)$. It stores $(C_i^{in},v_i^{in},s_i^{in},v_\rho,Y,ptx)$ in the list $L$.
$\mathcal{O}_{GenCT}$: $\mathcal{A}$ makes this query with $(ptx.rmdr)$. $\mathcal{C}$ receives this query, and then it executes $tx.out\leftarrow tx(pp,ptx.rmdr,Y)$. It takes the trapdoor $\tau$ generated by $S_2$, and it outputs the simulated $\pi_{tr}$. It returns $tx.out$ and $\pi_{tr}$ to $\mathcal{A}$.
(3) $\mathcal{A}$ selects two pre-transaction remainders $\{ptx.rmdr_0,ptx.rmdr_1\}$. $\mathcal{B}$ sends $\{ptx.rmdr_0,ptx.rmdr_1\}$ to its challenger $\mathcal{C}$. $\mathcal{B}$ receives $C_j^{out*}=\{C_j^{out*1},C_j^{out*2}\}$, where $C_j^{out*}$ is the encrypted value that is obtained by encrypting $ptx.rmdr_b$ using the audit public key $Y$. Let $tx.out^*=\{C_j^{out*}\}$. $\mathcal{B}$ takes the trapdoor $\tau$ as input. It outputs the simulated audit proof $\pi_{tr}^*$. $\mathcal{B}$ returns $tx.out^*$ and $\pi_{tr}^*$ to $\mathcal{A}$ as the challenge.
(4) $\mathcal{A}$ generates $b'$ as the guess of $b$, then $\mathcal{B}$ returns the guess generated by $\mathcal{A}$.
We can see that $\mathcal{B}$ successfully simulates $Game_1$, so it can break the IND-CPA security of the twisted ElGamal algorithm with the same advantage. This proves Lemma 4.
To sum up, we prove that if the twisted ElGamal algorithm is IND-CPA secure and the audit proof $\pi_{au}$ is zero-knowledge, our scheme satisfies transaction confidentiality.
6.2. Public verification
6.2.1. Balance verification
Theorem 3 (Balance verification). Our scheme enables transaction balance verification, which means that the outputs of the transaction and the inputs of the transaction are equal, if the Discrete logarithm assumption holds.
Proof of Theorem 3. Suppose that there is a PPT adversary $\mathcal{A}$ that wins the transaction balance experiment we defined in Section 3 with non-negligible advantage; then we can construct an algorithm $\mathcal{B}$ that solves the Discrete logarithm problem with the same advantage. Let $pp=(\mathbb{G},P,H,q,H_0)$. $(P,H)$ is the instance of $\mathcal{B}$'s Discrete logarithm problem, where $P$ and $H$ are two random generators of $\mathbb{G}$. $\mathcal{B}$ simulates the experiment as follows:
(1) $\mathcal{B}$ computes $pp\leftarrow setup(\lambda)$ and $(X,Y)\leftarrow keygen(pp)$. It returns the generated public parameters $pp$ and the public key $Y$ to $\mathcal{A}$.
(2) $\mathcal{A}$ queries the oracles $\mathcal{O}_{Pre}$ and $\mathcal{O}_{GenBal}$. These oracles answer these queries.
$\mathcal{O}_{Pre}$: $\mathcal{A}$ makes this query with $(C_i^{in},v_i^{in},s_i^{in},v_\rho)$. $\mathcal{C}$ computes $(ptx)\leftarrow pretx(pp,C_i^{in},v_i^{in},s_i^{in},v_\rho,Y)$, and then it stores $(C_i^{in},v_i^{in},s_i^{in},v_\rho,Y,ptx)$ into the list $L$.
$\mathcal{O}_{GenBal}$: $\mathcal{A}$ makes this query with $(ptx.rmdr)$. $\mathcal{C}$ receives this query and computes $tx.out\leftarrow tr(pp,ptx.rmdr,Y)$. It searches $L$ to find the corresponding $(\pi_{pbp},P_b)$, and then it computes $\pi_{bp}\leftarrow bl(pp,\pi_{pbp},P_b)$. It returns $tx.out$ and $\pi_{bp}$ to $\mathcal{A}$.
(3) $\mathcal{A}$ obtains complete transaction information that includes the transaction inputs $tx.in=\{C_i^{in}\mid C_i^{in}=\{C_i^{in1},C_i^{in2}\},i\in[1,n]\}$, the transaction outputs $tx.out=\{C_j^{out},C_c^{out}\mid C_j^{out}=\{C_j^{out1},C_j^{out2}\},j\in[1,n'],C_c^{out}=\{C_c^{out1},C_c^{out2}\}\}$ and the transaction balance information $\pi_{bl}=\{\sigma,e,\triangle R,\bar{X}\}$. $\mathcal{B}$ rewinds $e_2$ and $\sigma_2$. Therefore, we have:
So, we have $(\sum_{i=1}^{n}v_i^{in}-v_c^{out}-\sum_{j=1}^{n'}v_j^{out})H=(s_s^{out}-s_s^{in}-x_s^*)P$. Therefore, $\mathcal{B}$ can take $\log_PH=(s_s^{out}-s_s^{in}-x_s^*)/(\sum_{i=1}^{n}v_i^{in}-v_c^{out}-\sum_{j=1}^{n'}v_j^{out})$ as the solution of the Discrete logarithm problem.
Thus, if the Discrete logarithm problem is hard to solve, our scheme satisfies the transaction balance property.
6.2.2. Multiplicative verification
Theorem 4 (Multiplicative verification). Our scheme enables multiplicative verification, which means that our scheme is able to prove and verify that some encrypted values $v_1,v_2,v_3$ satisfy the product relationship $v_1\cdot v_2=v_3$, if the Discrete logarithm assumption holds.
Proof of Theorem 4. Suppose that there exists a PPT adversary $\mathcal{A}$ that can break the multiplicative verification property with non-negligible advantage; then we can construct an algorithm $\mathcal{B}$ that solves the Discrete logarithm problem with the same advantage. Let $pp=(\mathbb{G},P,H,q,H_0)$. $(P,H)$ is the instance of $\mathcal{B}$'s Discrete logarithm problem, where $P$ and $H$ are two random generators of $\mathbb{G}$. $\mathcal{B}$ simulates the experiment as follows:
(1) $\mathcal{B}$ computes $pp\leftarrow setup(\lambda)$ and $(X,Y)\leftarrow keygen(pp)$. It returns the generated public parameters $pp$ and the public key $Y$ to $\mathcal{A}$.
(2) $\mathcal{A}$ queries the $\mathcal{O}_{pro}$ oracle with $(v_1,v_2,v_3,C_1^2,C_2^2,C_3^2)$. $\mathcal{C}$ computes $\pi_{pro}\leftarrow pro(pp,v_1,v_2,v_3,C_1^2,C_2^2,C_3^2)$. It returns $\pi_{pro}$ to the adversary $\mathcal{A}$.
(3) $\mathcal{A}$ obtains the transaction information $(C_1^2,C_2^2,C_3^2)$ and the multiplicative proof $\pi_{pro}=\{c,u_1,u_2,u_3,\theta_1,\theta_2,\theta_3,\theta_4\}$. $\mathcal{B}$ rewinds $c'$, $u'_1$, $u'_2$, $u'_3$, $\theta'_1$, $\theta'_2$, $\theta'_3$ and $\theta'_4$. Therefore, we have
$$\theta_1P+u_1H-cC_1^2=\theta'_1P+u'_1H-c'C_1^2 \qquad (6.7)$$
$$\theta_2P+u_2H-cC_2^2=\theta'_2P+u'_2H-c'C_2^2 \qquad (6.8)$$
$$\theta_3P+u_3H-cC_3^2=\theta'_3P+u'_3H-c'C_3^2 \qquad (6.9)$$
$$u_2C_1^2+\theta_4P-cC_3^2=u'_2C_1^2+\theta'_4P-c'C_3^2 \qquad (6.10)$$
Let $v_1^*=(u_1-u'_1)/(c-c')$, $s_1^*=(\theta_1-\theta'_1)/(c-c')$, $v_2^*=(u_2-u'_2)/(c-c')$, $s_2^*=(\theta_2-\theta'_2)/(c-c')$, $v_3^*=(u_3-u'_3)/(c-c')$, $s_3^*=(\theta_3-\theta'_3)/(c-c')$ and $s^*=(\theta_4-\theta'_4)/(c-c')$. Then, we have $v_3^*H+s_3^*P=v_1^*v_2^*H+(v_2^*s_1^*+s^*)P$. If $v_1^*v_2^*\ne v_3^*$, we have $(v_1^*v_2^*-v_3^*)H=(s_3^*-s^*-v_2^*s_1^*)P$. $\mathcal{B}$ can take $\log_PH=(s_3^*-s^*-v_2^*s_1^*)/(v_1^*v_2^*-v_3^*)$ as the solution of the Discrete logarithm problem.
Thus, if the Discrete logarithm problem is hard to solve, our scheme satisfies multiplicative verification.
6.3. Reliable audit
Theorem 5 (Reliable audit). Transactions in our privacy-preserving transaction scheme can be reliably audited.
Proof of Theorem 5. Suppose that the trading parties (payee and payer) may construct a fake to escape audit. The adversary's malicious actions can be roughly summarized as the following two types:
(1) The adversary $\mathcal{A}$ randomly chooses $Y'\in\mathbb{G}$, $Y'\ne Y$, to generate encrypted transaction outputs instead of using the audit public key $Y$. It computes $C_j^{out'1}=s_j^{out}Y'$, $C_j^{out'}=\{C_j^{out'1},C_j^{out2}\}$. Therefore, validating nodes can verify it as follows:
We can see that $Y'\ne Y$, so $R'_1\ne s_c^{out'}Y+\sum_{j=1}^{n'}s_j^{out'}Y$ and $R'_1\ne s_c^{out'}Y+\sum_{j=1}^{n'}s_j^{out'}Y'$. Therefore, we have $R'_1\ne R_1$. Besides, hash functions are collision-resistant, so we get $\tilde{c}'\ne\tilde{c}$.
(2) The adversary $\mathcal{A}$ randomly chooses $v_j^{out'}\ne v_j^{out}$ to generate encrypted transaction outputs instead of using the real transaction value $v_j^{out}$. It computes $C_j^{out'2}=s_j^{out}P+v_j^{out'}H$, $C_j^{out'}=\{C_j^{out1},C_j^{out'2}\}$. Therefore, validating nodes can verify it as follows:
We can see that $v_j^{out'}\ne v_j^{out}$, so $R'_2\ne R_c^2+\sum_{j=1}^{n'}v_j^{out'}H+\sum_{j=1}^{n'}s_j^{out'}P$, that is, $R'_2\ne R_2$. Therefore, we get $\tilde{c}'\ne\tilde{c}$.
In summary, the probability that audit proof information forged by the adversary $\mathcal{A}$ passes the verification is negligible. Therefore, our scheme satisfies transaction auditability.
7. Performance analysis
In order to evaluate the performance of our proposed scheme, we implement a prototype of the proposed privacy-preserving transaction scheme, which mainly focuses on the transaction layer without considering the differences between consensus mechanisms. This makes our privacy-preserving transaction scheme more feasible for different blockchain systems. Our implementation is in Golang on a laptop with 8GB of RAM and an Intel Core i7-8500U 2.00GHz. The elliptic curve we used is secp256k1, and the hash function is SHA-256.
In Table 3, we give an evaluation of the computation time of each step of the main phases in our proposed privacy-preserving transaction scheme. We take the most frequently used case, 2 inputs and 1 output, as the instance. As we can see from Table 3, the computation times in each phase, such as setup, transact, verify and audit, are all in milliseconds. The total time is approximately 7.65 ms. It is practical and feasible for low-frequency transaction scenarios.
Table 3. Computation time of the main phase of our proposed scheme in milliseconds.
In Figures 3 and 4, we also evaluate the time costs of our privacy-preserving transaction scheme in the transact, verify and audit phases with increasing inputs and outputs. According to Figure 3, as the number of inputs and outputs in one transaction grows from 2-2 to 12-12, the balance zero-knowledge proving time and the audit zero-knowledge proving time are approximately 0.9 and 1.0 ms, with no obvious increase. In Figure 4, the verification time of the balance zero-knowledge proofs stays at approximately 0.4 ms as the number of inputs and outputs increases from 2-2 to 12-12. Though the time of generating encrypted values grows from 0.8 to 4.9 ms in Figure 3, and the time of verifying audit zero-knowledge proofs and the auditing time increase from 1.6 to 5.4 ms and from 0.9 to 5.1 ms respectively in Figure 4, they are still within milliseconds.
Figure 5 presents the verification time comparison before and after aggregation, and Figure 6 presents the block size comparison before and after aggregation. According to Figure 5, when there is no aggregation of balance proofs and audit proofs, the verification time grows linearly from 4.9 to 21.0 ms as the number of inputs and outputs is set to 2-2, 4-4, 6-6, 8-8, 10-10 and 12-12, respectively. However, in our proposed privacy-preserving transaction scheme, we aggregate the balance proofs and audit proofs, which greatly shortens the verification time: it grows from approximately 3.8 to 7.5 ms when the number of inputs and outputs is set to 2-2, 4-4, 6-6, 8-8, 10-10 and 12-12, respectively. Because our aggregation algorithm replaces the multiplication operation with the faster group addition operation, the verification time has no obvious growth. Therefore, our aggregation algorithm makes the transaction verification more efficient. As we can see in Figure 6, the growth rate of the block size with the number of transactions in a block is significantly slowed after we aggregate the audit proofs and balance proofs. Thus, the aggregation technique reduces the storage size of proofs by at least 50% of the size before optimization. It effectively saves ledger space.
Figure 4. Computation time comparison in verify and audit phase with increasing inputs and outputs.
Our scheme has functional advantages. In particular, the proposed multiplicative zero-knowledge proof can be used in several specific blockchain scenarios. For monetary assets in the UTXO model, if a user has $k$ outputs with the same value $v$ and their total amount is $sum=v\cdot k$, the user needs to compute $k$ encrypted values $C_1=\{C_1^1=s_1Y,C_1^2=vH+s_1P\},\ldots,C_k=\{C_k^1=s_kY,C_k^2=vH+s_kP\}$ and to store the $k$ encrypted values $C_1,C_2,\ldots,C_k$ in the ledger. However, by using the proposed multiplicative zero-knowledge proof, the user only needs to compute two encrypted values $C_v,C_k$ and only stores these two ciphertexts in the ledger, without influencing the transaction balance and reliable audit. Using the proposed multiplicative zero-knowledge proof therefore saves ledger space and gains efficiency for the user. For data assets such as those in a supply chain, suppose that the quantity of goods is $r$, the unit price of goods is $v$, and the total amount is $t=v\cdot r$. $r$, $v$ and $t$ need to be recorded on chain in a privacy-preserving way. We can compute $C_v=\{C_v^1=s_vY,C_v^2=vH+s_vP\}$, $C_r=\{C_r^1=s_rY,C_r^2=rH+s_rP\}$ and $C_t=\{C_t^1=s_tY,C_t^2=tH+s_tP\}$. This hides the transaction information, and the multiplicative zero-knowledge proof then ensures that $t=v\cdot r$ can be publicly verified by validators in the blockchain without revealing $t$, $r$ and $v$.
8. Conclusions
In this paper, we propose a privacy-preserving transaction scheme with public verification and reliable audit in blockchain. Our scheme not only provides confidentiality for transaction contents in a more flexible way by decoupling user identity and transaction contents, but also defines several verification rules that make full use of validators in blockchain. It enables balance verification for monetary assets, and we design a multiplicative zero-knowledge proof with security analysis, which can potentially be used in blockchain-based financial applications, supply chains and so on. Validators can then optionally perform multiplicative verification of data assets to ensure data compliance by applying the proposed multiplicative proof. In addition, our proposal enables the auditor to make a precise audit of each transaction, whose audit reliability is guaranteed by publicly verifying the audit proof. Security analysis shows that the proposed scheme satisfies the security requirements we defined. Performance analysis indicates that its computation cost is in milliseconds, and the aggregation effectively saves storage space. How to construct a more efficient range proof is still to be taken into consideration.
Acknowledgments
This paper was supported by National Natural Science Foundation of China (Grant no. U21A20463).
Conflict of interest
The authors declare there are no conflicts of interest.
[72]
Asai H, Samson BK, Stephan HM, et al. (2009) Biochar amendment techniques for upland rice production in northern laos: 1. soil physical properties, leaf SPAD and grain yield. Field Crop Res 111: 81–84.
Noyce GL, Basiliko N, Fulthorpe R, et al. (2015) Soil microbial responses over 2 years following biochar addition to a north temperate forest. Biol Fertil Soils 51: 649–659. doi: 10.1007/s00374-015-1010-7
[75]
Wang N, Chang ZZ, Xue XM, et al. (2017) Biochar decreases nitrogen oxide and enhances methane emissions via altering microbial community composition of anaerobic paddy soil. Sci Total Environ 581: 689–696. doi: 10.1016/j.scitotenv.2016.12.181
[76]
Sarkhot DV, Berhe AA, Ghezzehei TA (2012) Impact of biochar enriched with dairy manure effluent on carbon and nitrogen dynamics. J Environ Qual 41: 1107–1114. doi: 10.2134/jeq2011.0123
[77]
Palansooriya KN, Wong JTF, Hashimoto Y, et al. (2019) Response of microbial communities to biochar-amended soils: a critical review. Biochar 1: 3–22. doi: 10.1007/s42773-019-00009-2
[78]
Rasa K, Heikkinen J, Markus H, et al. (2018) How and why does willow biochar increase a clay soil water retention capacity? Biomass Bioenergy 119: 346–353.
[79]
Zhang Y, Ding J, Wang H, et al. (2020) Biochar addition alleviate the negative effects of drought and salinity stress on soybean productivity and water use efficiency. BMC Plant Biol 20: 288. doi: 10.1186/s12870-020-02493-2
[80]
Zhang A, Liu Y, Pan G, et al. (2012) Effect of biochar amendment on maize yield and greenhouse gas emissions from a soil organic carbon poor calcareous loamy soil from Central China Plain. Plant Soil 351: 263–275. doi: 10.1007/s11104-011-0957-x
[81]
Guo M (2020) The 3R principles for applying biochar to improve soil health. Soil Syst 4: 9. doi: 10.3390/soilsystems4010009
[82]
Lehmann J, Kern DC, Glaser B, et al. (2003) Amazonian Dark Earths: Origin, Properties, Management, Kluwer Academic Publishers, The Netherlands.
[83]
Steiner C, Das KC, Garcia M, et al. (2008) Charcoal and smoke extract stimulate the soil microbial community in a highly weathered xanthic Ferralsol. Pedobiologia 51: 359–366. doi: 10.1016/j.pedobi.2007.08.002
[84]
Kolb SE, Fermanich KJ, Dornbush ME (2009) Effect of charcoal quantity on microbial biomass and activity in temperate soils. Soil Sci Soc Am J 73: 1173–1181. doi: 10.2136/sssaj2008.0232
[85]
Li S, Zhang Y, Yan W, et al. (2018) Effect of biochar application method on nitrogen leaching and hydraulic conductivity in a silty clay soil. Soil Tillage Res 183: 100–108. doi: 10.1016/j.still.2018.06.006
[86]
Cetin E, Moghtaderi B, Gupta R, et al. (2004) Influence of pyrolysis conditions on the structure and gasification reactivity of biomass chars. Fuel 83: 2139–2150. doi: 10.1016/j.fuel.2004.05.008
[87]
Liu Z, Dugan B, Masiello CA, et al. (2017) Biochar particle size, shape, and porosity act together to influence soil water properties. Plos One 12: e0179079.
[88]
Głąb T, Palmowska J, Zaleski T, et al. (2016) Effect of biochar application on soil hydrological properties and physical quality of sandy soil. Geoderma 281: 11–20. doi: 10.1016/j.geoderma.2016.06.028
[89]
Githinji L (2014) Effect of biochar application rate on soil physical and hydraulic properties of a sandy loam. Arch Agron Soil Sci 60: 457–470. doi: 10.1080/03650340.2013.821698