An Anonymous yet Accountable Contract Wallet System using Account Abstraction

Kota Chin
University of Tsukuba
National Institute of
Information and
Communications Technology
Japan Keita Emura
Kanazawa University, Japan
National Institute of
Information and
Communications Technology
Japan Kazumasa Omote
University of Tsukuba
National Institute of
Information and
Communications Technology
Japan

Abstract

Account abstraction allows a contract wallet to initiate transaction execution. Thus, account abstraction is useful for preserving the privacy of externally owned accounts (EOAs) because it can remove a transaction issued from an EOA to the contract wallet and hides who issued the transaction by additionally employing anonymous authentication procedures such as ring signatures. However, unconditional anonymity is undesirable in practice because it prevents to reveal who is accountable for a problem when it arises. Thus, maintaining a balancing between anonymity and accountability is important. In this paper, we propose an anonymous yet accountable contract wallet system. In addition to account abstraction, the proposed system also utilizes accountable ring signatures (Bootle et al., ESORICS 2015). The proposed system provides (1) anonymity of a transaction issuer that hides who agreed with running the contract wallet, and (2) accountability of the issuer, which allows the issuer to prove they agreed with running the contract wallet. Moreover, due to a security requirement of accountable ring signatures, the transaction issuer cannot claim that someone else issued the transaction. This functionality allows us to clarify the accountability involved in issuing a transaction. In addition, the proposed system allows an issuer to employ a typical signature scheme, e.g., ECDSA, together with the ring signature scheme. This functionality can be considered an extension of the common multi-signatures that require a certain number of ECDSA signatures to run a contract wallet. The proposed system was implemented using zkSync (Solidity). We discuss several potential applications of the proposed system, i.e., medical information sharing and asset management.

Index Terms:

Blockchain, Account abstraction, Contract wallet, Accountable ring signatures.

I Introduction

I-A Introduction of Account Abstraction

Ethereum involves two kinds of accounts, i.e., externally owned accounts (EOA), which are controlled by a user-managed secret key, and contract accounts (contract wallets), which are controlled by smart contracts. In the current implementation of Ethereum, to run a contract wallet, an EOA must send a transaction to the contract wallet. Then the contract wallet runs a transaction according to the rule specified in the contract. Account abstraction [11] allows a contract wallet to initiate transaction execution, i.e., it can remove a transaction sent from an issuer to the contract. Account abstraction provides two primary benefits. The first benefit is the reduction of gas costs because account abstraction can remove a transaction sent from an issuer to the contract wallet. The second benefit is flexible verification. In the current Ethereum implementation, transactions, issued by EOAs, are verified according to the validity of signatures generated by secret keys of EOAs, and the underlying signature scheme is restricted to the elliptic curve digital signature algorithm (ECDSA). Thus, ECDSA signatures are employed generally when transaction validity is verified in the contract, although, theoretically, any signature schemes can be employed because signatures are verified by programs. In contrast, due to account abstraction, no EOA issues transactions, and thus any signature schemes can be employed more easily to verify transaction validity in the contract. For example, CRYSTALS-Dilithium [15], FALCON [18], and SPHINCS+ [4], which have been selected by the NIST Post-Quantum Cryptography Standardization, can be employed under the assumption they can be implemented by a program language that can be run by the contract wallet, e.g., Solidity.¹¹1Although we consider only signatures in this paper, any verification method can be employed or a contract wallet with no verification step can be constructed. In addition, account abstraction allows us to employ signatures with rich functionalities, such as accountable ring signatures [10]. Representative examples of systems that support account abstraction include StarkNet [2] and zkSync [3], which are network technologies in Ethereum Layer 2 (L2). Note that L2 is described in further detail in Section II-B.

Transactions between the EOAs and contract wallets are removed; thus account abstraction is useful for preserving the privacy of EOAs. In fact, EIP-2938 [11] states that “Privacy-preserving systems like tornado.cash” are a motivation to introduce account abstraction (tornado.cash is a mixing service). Concretely, it is expected that account abstraction can hide the issuer of a transaction. Note that a contract wallet typically verifies a signature using a verification key that has been registered in the contract program. Since the verification key is public (in a public blockchain), anyone can identify who issued the transaction (precisely, which verification key is used and the key holder who issued the transaction). In other words, account abstraction does not hide transaction issuer information. We emphasize that unconditional anonymity could promote crime. For example, tornado.cash is a tool that could be misused to facilitate money laundering, and the Fiscal Information and Investigation Service, an agency of the government of the Netherlands, arrested a 29-year-old man in Amsterdam as a suspected developer [1]. This indicates maintaining a balancing between anonymity and accountability is important.

I-B Privacy on Ethereum

Each EOA manages an ECDSA verification key $\mathsf{vk}$ , and the corresponding address is a (last 20 bytes of) hashed value of $\mathsf{vk}$ (here Keccak-256 hash function is used). Here, as each address appears random,²²2Vanity addresses are often used to reduce the storage cost of addresses. For example, using an address 0x0000…, a part of address “0 $\cdots$ 0” does not need to be stored. Even in this case, pseudonymity level privacy protection is guaranteed. anyone can easily determine whether multiple transactions were issued by the same EOA, although it is difficult to detect the EOA in the real world. This means that issuer privacy is preserved in the sense of pseudonymity in crypto asset trading.

Does Pseudonymity Provide Sufficient Privacy Protection? When crypto assets are traded between individuals, the pseudonymity level privacy protection might be sufficient. However, some information leakage occurs if a system is implemented using smart contracts.

For example, assume that a request to view patient data is made by a transaction in an electronic medical record system using Ethereum smart contracts [26, 22, 5, 20, 16, 33, 30, 25, 17]. In this case, we assume that multi-patient data are accessed from the same address. Then, we expect that the transaction issuing address is managed by a doctor or researcher. In addition, we expect that patients are suffering from similar diseases. Here, if the doctor or researcher associated with the address is identifiable, information identifying the patient’s disease may be leaked (although this was not authorized by the patient) depending on the specialty of the issuer of the transaction. Thus, no information about hospitals and medical offices should be leaked from transactions. However, it is necessary to internally verify who issued the transaction in order to prevent unnecessary access to medical data.

In the case of group asset management, pseudonymity level privacy protection would make the investment performance of each address public. Thus, it is desirable to be able to prove the investment performance internally while keeping information about the issuer of the transaction secret externally.

A Naive Solution 1: Key Sharing. Let a pair of signing and verification keys be generated and let all members of a group share the key pair. When a member issues a transaction, the same signing key is used to generate a signature. Then, anonymity level privacy protection is provided because a contract wallet uses the same verification key to verify the signature. However, there is no way to identify who issued the transaction, even among group members. Unconditional anonymity is undesirable in practice because it prevents to reveal who is accountable for a problem when it arises. In addition, determining how to revoke the signing key when a member leaves the group is a nontrivial problem.

A Naive Solution 2: External Services. Amazon Web Services (AWS) Key Management Service or a system on permissioned blockchain that support a trusted execution environment (TEE), e.g., Intel SGX, can be used to solve the above problems. By using such services, group members can issue a transaction without sharing the signing key. Here, anonymity still holds because the contract wallet uses the same verification key. In addition, group members can internally identify who issued a transaction via an access log (AWS Key Management Service) or the transaction (permissioned blockchain). Member revocation is also possible via access control to the services. Thus, technically we can provide both anonymity (for outside of the group) and accountability (for the group) simultaneously. However, both methods assume trust in AWS and TEE, which is undesirable relative to increase trust points.

Refer to caption — Figure 1: Proposed System

I-C Our Contribution

In this paper, we focus on account abstraction, which is attractive in terms of constructing a privacy-preserving system, and we propose an anonymous yet accountable contract wallet system (Figure 1).³³3We used Free Clip Art (http://www.clker.com/). In addition to account abstraction, the proposed system employs accountable ring signatures [10].⁴⁴4A user (EOA) needs to issue a transaction to a contract wallet when account abstraction is not employed. Thus, information that who issued a transaction is leaked even a ring signature scheme is employed in this case. Thus, both account abstraction and ring signatures are required mandatory in our system. We do not the following one-time deployment case that a contract wallet is newly deployed for issuing a transaction because it is not realistic solution. We implemented the proposed system using zkSync (Solidity). Precisely, we implemented the verification algorithm of the underlying accountable ring signature scheme using Solidity. The proposed system is briefly introduced as follows.

•

To issue a transaction, a ring signature is sent to a contract wallet, and the contract wallet verifies the signature. Then, the contract wallet uses a ring (i.e., a set of verification keys) to verify the signature. Anonymity holds in the sense that the contract wallet cannot identify the issuer among the verification key holders.
•

The opening functionality of the accountable ring signatures allows the actual issuer to prove that they issued the transaction, and other users can recognize this fact. In contrast, due to a security requirement of accountable ring signatures (i.e., opening soundness), no user can prove that they issued a transaction if they did not actually issue the transaction, and moreover the transaction issuer cannot claim that someone else issued the transaction. In addition, the proof can be generated by other ring members who share the secret opening key of the underlying accountable ring signatures. This functionality allows us to clarify the accountability involved in issuing a transaction. We remark that we mainly focus on how to identify/prove who issued a transaction in this paper. That is, we assume that the organization to which the transaction issuer belongs is accountable, and we do not address what penalties that organization would impose on the transaction issuer if the transaction became problematic, or how that organization would be held accountable.
•

The proposed system allows an issuer to employ a typical signature scheme, e.g., ECDSA, with the ring signature scheme. This functionality can be considered an extension of the typical multi-signatures that require a certain number of ECDSA signatures to run a contract wallet. For example, the contract wallet determines whether one of the issuers belongs to a group (in an anonymous manner), and a specific user (in the usual manner) agrees to run the contract wallet by verifying a ring signature and an ECDSA signature. This is illustrated in Figure 2. In the usual multi-signatures setting, anyone can recognize who agreed with running the contract wallet by observing ECDSA verification keys used for ECDSA signatures verification. Note that if two signatures are sent to the contract wallet separately, one of them must be preserved in the contract wallet which incurs an additional gas cost. To reduce the cost, one sender can collect all of the required signatures, and send them to the contract wallet.

I-D Applications

Potential applications of the proposed system include, but are not limited to, the following.

Medical Information Sharing. As mentioned previously, when a request to view patient data is made by a transaction in an electronic medical record system using Ethereum smart contracts, it is highly desirable that no information about hospitals and medical offices is leaked from the transactions. However, it is also essential to be able to internally verify who issued the transaction in order to prevent unnecessary access to medical data. With the proposed system, from the outside, it is possible to hide who is accessing patient data among members in an organization. For example, when a hospital is specified as the organization, it is possible to keep secret which doctors’ offices have access to medical data. If a clinical department, e.g., internal medicine, psychosomatic medicine, or plastic surgery, is specified as the organizational unit, which department is related to which disease is leaked, but no other information is leaked because which doctor accessed the patient data is kept secret. In addition, dividing the organization into independent departments relative to the actual medical offices may further prevent unnecessary leakage of information. Thus, by setting organizational units appropriately, we can control leaked information. In addition, more flexible settings can be realized by using our extended multi-signatures. For example, we can consider a case where the hospital director or a department head must agree to issue a transaction. Here, one person in a medical office needs to agree to issue the transaction.

Asset Management. The range of blockchain-based asset management has expanded due to the advent of smart contracts. Thus, the number of investment companies that manage their clients’ funds has been increasing. In some cases, the addresses held by lenders are known publicly. Then, the status of the fund management can be checked.⁵⁵5In fact, these addresses are not disclosed by lenders intentionally. Here, they are assumed to be lenders’ addresses based on the asset management status. It is assumed that there are cases where multiple users share an EOA as the address, and cases where multiple users employ contract wallets where transactions can be issued with the consent of a certain number of users. In the former case, it is impossible to know who issued the transaction internally. In the latter case, due to the pseudonymity level privacy protection, anyone can check the investment performance of each address. Except for cases where the investment status is disclosed intentionally, such information can be leaked unexpectedly. By employing the proposed system, the investment status of each address is not disclosed externally, and the investment status of each individual can be known internally.

II Preliminaries

II-A Accountable Ring Signatures

As a generalization of ring signatures [29] and group signatures [13], Xu and Yung proposed accountable ring signatures [34]. Briefly, as in ring signatures, each user generates their own public key $\mathsf{pk}$ and secret key $\mathsf{sk}$ . This decentralized structure matches blockchain systems. An opener has a public key $\mathsf{opk}$ and a secret key $\mathsf{osk}$ . When a user who has $(\mathsf{pk},\mathsf{sk})$ generates a ring signature $\Sigma$ on a message $M$ , the user selects a set of public keys, which we refer to as ring $R$ , and we assume that $\mathsf{pk}\in R$ , and selects the opener by indicating $\mathsf{opk}$ . We say that $(\Sigma,M)$ is valid if the signer is a member of $R$ , i.e., there exists $\mathsf{pk}\in R$ for which the corresponding $\mathsf{sk}$ has been used to generate $\Sigma$ . As in group signatures, the designated opener can trace the signer using $\mathsf{osk}$ . Moreover, the opening algorithm produces a proof $\pi$ proving that $\Sigma$ is generated by $\mathsf{sk}$ corresponding to $\mathsf{pk}\in R$ . We introduce the syntax defined by Bootle et al. [10] as follows.

Definition 1 (Syntax of Accountable Ring Signatures [10])

•

${\sf Setup}(1^{\lambda})$ : The setup algorithm takes the security parameter $\lambda\in\mathbb{N}$ as input and outputs the common parameter $\mathsf{pp}$ .
•

${\sf OKGen}(\mathsf{pp})$ : The opener key generation algorithm takes $\mathsf{pp}$ as input and outputs the opener public and secret keys $\mathsf{opk}$ and $\mathsf{osk}$ , respectively.
•

${\sf UKGen}(\mathsf{pp})$ : The user key generation algorithm takes $\mathsf{pp}$ as input and outputs the user public verification key $\mathsf{pk}$ and user secret signing key $\mathsf{sk}$ .
•

${\sf RSign}(\mathsf{opk},M,R,\mathsf{sk})$ : The signing algorithm takes $\mathsf{opk}$ , a message $M$ to be signed, a ring $R$ , and $\mathsf{sk}$ as inputs and outputs a ring signature $\Sigma$ . Here, $R$ is a set of user public keys and the $\mathsf{pk}$ corresponding to $\mathsf{sk}$ is assumed to be $\mathsf{pk}\in R$ .
•

${\sf RVerify}(\mathsf{opk},M,R,\Sigma)$ : The verification algorithm takes $\mathsf{opk}$ , $M$ , $R$ , and $\Sigma$ as inputs and outputs 1 (accept) or 0 (reject).
•

${\sf Open}(M,R,\Sigma,\mathsf{osk})$ : The open algorithm takes as $M$ , $R$ , $\Sigma$ , and $\mathsf{osk}$ as inputs and outputs $\mathsf{pk}\in R$ of the signer and its proof $\pi$ or $\bot$ otherwise.
•

${\sf Judge}(\mathsf{opk},M,R,\Sigma,\mathsf{pk},\pi)$ : The judge algorithm takes $\mathsf{opk}$ , $M$ , $R$ , $\Sigma$ , $\mathsf{pk}$ , and $\pi$ as inputs and outputs 0 if ${\sf RVerify}(\mathsf{opk},M,R,\Sigma)=0$ ; otherwise, it outputs 1 to indicate that $\Sigma$ is generated by $\mathsf{sk}$ corresponding to $\mathsf{pk}$ , and 0 otherwise.

We require correctness holds where an honestly generated signature is always valid (the ${\sf RVerify}$ algorithm outputs 1), and a proof generated by the ${\sf Open}$ algorithm against the signature and corresponding verification key is always accepted by the ${\sf Judge}$ algorithm. Bootle et al. defined full unforgeability, anonymity, traceability, and tracing soundness, which are briefly explained as follows. Refer to the literature [10] for details on these security definitions.

•

Full Unforgeability: It ensures that no adversary $\mathcal{A}$ (who may control the opener) can falsely accuse an honest user of creating a ring signature, nor $\mathcal{A}$ can forge a ring signature on behalf of an honest ring.
•

Anonymity: It ensures that no adversary $\mathcal{A}$ (who does not have $\mathsf{osk}$ ) can identify the signer, i.e., a signature does not reveal the identity of the ring member who generated it.
•

Traceability: It ensures that no adversary $\mathcal{A}$ can produce a signature that is valid but untraceable.
•

Tracing Soundness: It ensures that no adversary $\mathcal{A}$ can produce proofs for a signature that are accepted by the ${\sf Judge}$ algorithm for different verification keys.

Some studies have employed accountable ring signatures in blockchain systems [31, 19] due to its decentralized structure. In addition, Qiao et al. [28] removed the opening functionality from group signatures to reduce its centralized structure; however, it still has a centralized structure because a group manager issues signing keys to the group members unlike to (accountable) ring signatures. Linkable ring signatures [23, 8, 24] have been employed to provide a pseudonymity level privacy protection. As mentioned previously, this is insufficient; thus, anonymity level privacy protection is desirable. Delegatable anonymous credentials (DAC) [12] have been employed for eKYC systems [9, 32], where KYC stands for Know-Your-Customer. However, DACs are not applicable in the proposed system because they do not provide tracing functionality. Connolly et al. [14] proposed a revocable and auditable anonymous credential scheme called Protego, and they considered its application to Hyperledger Fabric. Although it might be employed in the proposed system, Connolly et al. only considered permissioned blockchains. Thus, accountable ring signatures are employed in the proposed system.

II-B Layer 2

Ethereum is widely recognized as providing high security as a smart contract-enabled blockchain. However, in terms of ensuring security and providing a distributed structure, there is room for improvement regarding scalability. Concretely, the number of transactions that can be processed within a certain time period is less than that of other blockchain systems. Thus, transaction fees (gas costs) will increase when many EOAs want to issue transactions. To solve this problem, we can issue a transaction off-chain, and the proof that the transaction is generated correctly, is only stored on the Ethereum blockchain. In this case, the blockchain and off-chain are referred to as Layer 1 (L1) and Layer 2 (L2), respectively. For example, when a Merkle tree is used to generate a hash chain, the proof that the hash chain satisfies the Merkle tree is stored in L1. To reduce the proof size stored in L1, the zk-STARK (zero-knowledge Scalable Transparent ARgument of Knowledge) [6] or zk-SNARK (zero-knowledge Succinct Non-interactive ARguments of Knowledge) [21, 27] are employed.

zkSync [3] is an Ethereum L2 network technology that supports zk-SNARK. The goal of L2 technologies to provide the same execution environment of Ethereum (i.e., the EVM: Ethereum Virtual Machine), and zkSync nearly supports the same execution environment of Ethereum, i.e., it is EVM-compatible and can run a smart contract programed by Solidity. Thus, we can utilize Ethereum ecosystem tools, and smart contracts on zkSync are described by Solidity. This means that the proposed system can be used directly when Ethereum supports account abstraction.

II-C Account Abstraction

In the following, we describe account abstraction. A user sends the code of a contract wallet to nodes that support account abstraction, and requests to its deployment. Note that the user does not need to be an issuer of a transaction. After deploying the contract wallet, an issuer sends transaction data to blockchain via nodes. Finally, the contract wallet runs the transaction according to the rule described in the code. We illustrate the flow of transaction issuing when account abstraction is/is not employed in Figure 3 and Figure 4.

Here, the issuer (User (EOA)) communicates with nodes, their IP address is known by nodes which break anonymity trivially. Thus, we exclude the nodes in our anonymity requirement.⁶⁶6This restriction can be removed if a user (who issued a transaction) prepares a node. However, currently only a test net supports account abstraction, and users who can prepare nodes are restricted.

III Proposed Anonymous yet Accountable Contract Wallet System

In this section, we describe the proposed anonymous yet accountable contract wallet system. First, we classify users who issue transactions.

•

Group User: a user $i$ who manages a key pair of the underlying accountable ring signature scheme $(\mathsf{pk}_{i},\allowbreak\mathsf{sk}_{i})$ and the common opening key $\mathsf{osk}$ . $i\in R$ denotes when user $i$ is a group member where $R$ is the ring used for signature verification (i.e., $\mathsf{pk}_{i}\in R$ ).
•

Individual User: a user $j$ who manages own ECDSA key pair $(\mathsf{vk}_{j},\allowbreak\mathsf{sigk}_{j})$ .

For simplicity, we assume that an issuer is either a group user or individual user. Thus, we define a policy $\mathsf{Policy}$ that specifies when the contract wallet runs a transaction. For example, let $\mathsf{Policy}:=\{R,j\}$ . Then, a transaction is run when one group user who belongs $R$ and one individual user $j$ agree with the execution of the transaction. In this case, the ring $R=\{\mathsf{pk}_{i}\}$ and ECDSA verification key $\mathsf{vk}_{j}$ are registered in the contract wallet.

III-A Security Requirements

We require the following security notions hold. Especially, due to the provability and proving soundness, the protocol is accountable because they allow us to clarify the accountability involved in issuing a transaction.

•

Anonymity: All entities that can observe transactions including contract wallets and excluding group users and nodes that communicate with the transaction issuer, cannot identify the actual issuer among the verification key holders contained in ring $R$ .
•

Unforgeability: As long as all signatures (either/both the ring signatures and/or the ECDSA signatures) specified by the $\mathsf{Policy}$ are sent to a contract wallet, no entity can issue a transaction that is valid under the $\mathsf{Policy}$ .
•

Provability: When a group user $i$ sends a ring signature to issue a transaction, the user can generate its proof.
•

Proving Soundness: When a group user $i$ does not send a ring signature to issue a transaction, the user cannot generate its proof.

III-B High-level Description

In the following, we explain the case of $\mathsf{Policy}:=\{R,j\}$ . First, we assume that all group users belonging to $R$ share $\mathsf{osk}$ . Let a group user $i\in R$ issue a transaction. Then, the user $i$ generates a ring signature $\Sigma$ , and the individual user $j$ generates an ECDSA signature $\sigma$ , respectively. After these signatures are sent to a contract wallet, the contract wallet checks whether $\Sigma$ is valid under $R$ , and $\sigma$ is valid under $\mathsf{vk}_{j}$ . If both signatures are valid, then the contract wallet runs the transaction. We note that only the signature verification is executed on-chain. Next, the user $i$ runs the ${\sf Open}$ algorithm using $\mathsf{osk}$ , generates $\pi$ that is a proof of transaction issuing, and sends $\pi$ to other group users (via an off-chain channel). For example, any information sharing tool used in the organization (e.g., a bulletin board in the organization or e-mails) can be used for sending pi. Other group users can recognize that the user $i$ issues the transaction by checking $\pi$ using the ${\sf Judge}$ algorithm.

We can easily consider a case that consents of two or more individual users are required. For example, $\mathsf{Policy}:=\{R,j,k\}$ . Similarly, we can consider two or more rings, e.g., $R_{1}$ and $R_{2}$ . Here, we assume that $R_{1}\cap R_{2}=\emptyset$ and do not consider the case $R_{1}\cap R_{2}\neq\emptyset$ because the contract wallet cannot distinguish whether one user who belongs to $R_{1}\cap R_{2}\neq\emptyset$ sends two ring signatures or not, due to anonymity. Similarly, we do not consider a case that consents two or more group users belonging to the same ring are required because the contract wallet cannot distinguish whether one user who belongs to the ring sends two or more ring signatures or not, due to anonymity. We remark that ring members can internally check whether one user who belongs to the ring sends two or more ring signatures or not. Thus, in the case that the proof $\pi$ will be opened after issuing the transaction, these restrictions could be removed.

III-C Proposed System

Here, we describe the proposed anonymous yet accountable contract wallet system. The proposed system consists of two procedures, $\mathsf{DeployContractWallet}$ and $\mathsf{SecdTransaction}$ . The $\mathsf{DeployContractWallet}$ protocol is used to deploy a contract wallet, and the $\mathsf{SecdTransaction}$ protocol issues a transaction against a transaction issuing request.

•

$\mathsf{DeployContractWallet}(\mathsf{Code},\mathsf{BlockChain})$ : Let $\mathsf{Code}$ be the code of a contract wallet. In the protocol, $\mathsf{Code}$ is sent to nodes that support account abstraction. Here, we describe $\mathsf{BlockChain}$ as the set of nodes. Then, $\mathsf{Code}$ contains a policy $\mathsf{Policy}$ , and a set of verification keys (a ring $R$ and ECDSA verification keys), and the rule that specifies the procedure run after the verification of signatures is passed. Finally, deploy a contract wallet $\mathsf{CW}$ .
•

$\mathsf{SecdTransaction}(\mathsf{TransactionData},\mathsf{BlockChain},\mathsf{CW})$ : A transaction data $\mathsf{TransactionData}$ , containing accountable ring signatures and ECDSA signatures, is sent to $\mathsf{CW}$ via nodes described by $\mathsf{BlockChain}$ . Then, $\mathsf{CW}$ checks the validity of signatures according to $\mathsf{Policy}$ , and issues a transaction.

In our system, the ${\sf RVerify}$ algorithm is run on-chain by the contract wallet, as in the case of ECDSA signatures, because any one can issue a transaction if no verification is involved. One may think that the ${\sf RVerify}$ algorithm could be run off-chain, e.g., the operator of the underlying L2 system runs the ${\sf RVerify}$ algorithm and sends the validity result to the wallet. However, it requires to assume an additional trust to the operator

III-D Security Discussion

•

Anonymity: Due to account abstraction and the anonymity of the underlying accountable ring signature scheme, the fact that a group user $i$ belonging $R$ generates the signature to issue a transaction is not leaked.
•

Unforgeability: Due to the unforgeability of the underlying accountable ring signature scheme and ECDSA, no entity, that does not belong to $R$ or does not have a signing key corresponding to $\mathsf{vk}$ specified by $\mathsf{Policy}$ , can issue a transaction. Due to the tamper resistance of the blockchain, the code of a contract wallet is not modified after its deployment. Thus, as long as all signatures (either/both ring signatures and/or the ECDSA signatures) specified by $\mathsf{Policy}$ are sent to a contract wallet, no entity can issue a transaction that is valid under the $\mathsf{Policy}$ .
•

Provability: Let $\Sigma$ be a ring signature generated by $\mathsf{sk}_{i}$ and verified by a contract wallet. Due to the correctness of the underlying accountable ring signature scheme, ${\sf Judge}(\mathsf{opk},M,R,\Sigma,\mathsf{pk}_{i},\pi)=1$ holds.
•

Proving Soundness: Let a ring signature be generated by $\mathsf{sk}_{i}$ . Due to the tracing soundness, no user (including group users) can produce $\pi$ that is accepted by the ${\sf Judge}$ algorithm with $\mathsf{pk}\neq\mathsf{pk}_{i}$ .

IV Implementation

The dominant of the proposed system in terms of cryptographic operations is to verify accountable ring signatures on-chain. Thus, we mainly focus on the accountable ring signature scheme in our implementation.

We implemented the Bootle et al. accountable ring signature scheme using Node.js. Because it is secure under the Decisional Diffie-Hellman (DDH) assumption, we employed secp256k1 as the underlying elliptic curve, which is known as a DDH-hard curve. We also implemented the ${\sf RVerify}$ algorithm using Solidity because the verification procedure is run on-chain (by the contract wallet). For ECDSA signature verification, we employed the OpenZeppelin library⁷⁷7https://docs.openzeppelin.com/.

IV-A Contract Wallet Deployment

First, we show that ergs (which is used in zkSync) for contract wallet deployment (which represent the average of ergs of 100-times deployment in the case of $|R|=4$ and $|R|=10$ ). We estimate the case of $|R|=4$ and $|R|=10$ (i.e., four/ten verification keys are contained in the ring). We also calculate the corresponding ETH and USD (using chart on 2022 December 1st). We can see that the costs are almost independent to the number of verification keys, i.e., $|R|$ , because each verification key is represented by two unsigned integers only.

TABLE I: Ergs for Contract Wallet Deployment

	$\|R\|=4$	$\|R\|=10$
	32,397,344 [ergs]	32,369,062 [ergs]
Deployment	0.0032 [ETH]	0.0032 [ETH]
	4 [USD]	4 [USD]

IV-B Implementation by Node.js

Here, we describe our implementation environment of Node.js in Table II.

TABLE II: Implementation Environment of Node.js

OS	Ubuntu 22.04.1 LTS
CPU	Intel Xeon E-2288G (3.70 [GHz])
Memory	128 [GB]

We show our implementation results (which represent the average of running times of 100-times executions) of the accountable ring signature scheme in Table III. We estimate the case of $|R|=4$ and $|R|=10$ .

TABLE III: Running Times

Algorithms	$\|R\|=4$	$\|R\|=10$
${\sf RSign}$	329 [ms]	473 [ms]
${\sf RVerify}$	276 [ms]	387 [ms]
${\sf Open}$	296 [ms]	393 [ms]
${\sf Judge}$	287 [ms]	393 [ms]

Although they depend on the ring size, they are reasonable because they are run off-chain, except the ${\sf RVerify}$ algorithm in the proposed system. The running time of the ${\sf RVerify}$ algorithm here is also important because the ${\sf Open}$ and ${\sf Judge}$ algorithms internally run the ${\sf RVerify}$ algorithm, since the corresponding ring signatures to be opened are required to be valid.

IV-C Implementation by Solidity

Here, we describe our implementation environment of Solidity in Table IV.

TABLE IV: Implementation Environment of Solidity

Version	Solidity @0.8.16
Compiler	hardhat-zksync-solc @0.3.9
Docker Image	matterlabs/geth

We show our implementation results (which represent the average of ergs of 100-times executions in the case of $|R|=4$ and $|R|=10$ ) of the accountable ring signature scheme in Table V. We also calculate the corresponding ETH and USD (using chart on 2022 December 1st). Currently, transaction fee to run zkSync is not strictly established, and thus, they are reference values. Nevertheless, they are quite expensive as a fee to issue a transaction. We note that the ECDSA verification algorithm is run by 574,254 ergs. The main reason of these high costs is inefficiency of elliptic curve operations in Solidity. Moreover, it seems that the transaction needs to be divided in the real environment due to the ergs costs because there is a limitation on the transaction size that can be executed in a single transaction in the mainnet.

TABLE V: Ergs for Running

{\sf RVerify}

Algorithm	$\|R\|=4$	$\|R\|=10$
	316,093,429 [ergs]	471,635,458 [ergs]
${\sf RVerify}$	0.0316 [ETH]	0.0471 [ETH]
	40 [USD]	60 [USD]

V Conclusion

In this paper, we proposed an anonymous yet accountable contract wallet system based on account abstraction and accountable ring signatures. The proposed system is implemented using Solidity for zkSync. Moreover, we discussed potential of the proposed system, e.g., medical information sharing and asset management. Since the current implementation results using Solidity show the required costs are expensive, our result here might be regarded as somewhat conceptual. However, to the best of our knowledge, no previous implementation result is known that confirms the cost to run an accountable ring signature scheme in Solidity to date, and we believe that our result can be seen as an important stepping stone to provide anonymity and accountability simultaneously in blockchain systems.

Investigating other applications of the proposed system will be left to future work. The underlying account ring signature scheme does not provide post-quantum security due to the discrete logarithm-based construction. Thus, it is difficult to accept the current construction as a platform to manage large amounts of assets due to the progress of quantum computing. Because a post-quantum accountable ring signature scheme has been proposed in [7], it would be interesting to employ the scheme, precisely, how to implement it using Solidity is left to future work.

Acknowledgment: The authors would like to thank Dr. Miyako Ohkubo (NICT) for her invaluable comments and suggestions. This work was supported by JSPS KAKENHI Grant Numbers JP21K11897 and JP22H03588.

References

[1] Arrest of suspected developer of Tornado Cash. https://www.fiod.nl/arrest-of-suspected-developer-of-tornado-cash/. August 12, 2022.
[2] StarkNet. https://starkware.co/starknet/.
[3] zkSync. https://zksync.io/.
[4] Jean-Philippe Aumasson, Daniel J. Bernstein, Ward Beullens, Christoph Dobraunig, Maria Eichlseder, Scott Fluhrer, Stefan-Lukas Gazdag, Andreas Hülsing, Panos Kampanakis, Stefan Kölbl, Tanja Lange, Martin M. Lauridsen, Florian Mendel, Ruben Niederhagen, Christian Rechberger, Joost Rijneveld, Peter Schwabe, and Bas Westerbaan. SPHINCS+: Submission to the NIST post-quantum project, v.3.1. https://sphincs.org/data/sphincs+-r3.1-specification.pdf.
[5] Asaph Azaria, Ariel Ekblaw, Thiago Vieira, and Andrew Lippman. MedRec: Using blockchain for medical data access and permission management. In 2016 2nd International Conference on Open and Big Data (OBD), pages 25–30, 2016.
[6] Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev. Scalable, transparent, and post-quantum secure computational integrity. IACR Cryptol. ePrint Arch., page 46, 2018.
[7] Ward Beullens, Samuel Dobson, Shuichi Katsumata, Yi-Fu Lai, and Federico Pintore. Group signatures and more from isogenies and lattices: Generic, simple, and efficient. In EUROCRYPT, pages 95–126, 2022.
[8] Ward Beullens, Shuichi Katsumata, and Federico Pintore. Calamari and Falafl: Logarithmic (linkable) ring signatures from isogenies and lattices. In ASIACRYPT, pages 464–492, 2020.
[9] Dmytro Bogatov, Angelo De Caro, Kaoutar Elkhiyaoui, and Björn Tackmann. Anonymous transactions with revocation and auditing in hyperledger fabric. In CANS, pages 435–459, 2021.
[10] Jonathan Bootle, Andrea Cerulli, Pyrros Chaidos, Essam Ghadafi, Jens Groth, and Christophe Petit. Short accountable ring signatures based on DDH. In ESORICS, pages 243–265, 2015.
[11] Vitalik Buterin, Ansgar Dietrichs, Matt Garnett, Will Villanueva, and Sam Wilson. EIP-2938: Account Abstraction. https://eips.ethereum.org/EIPS/eip-2938, 2020.
[12] Jan Camenisch, Manu Drijvers, and Maria Dubovitskaya. Practical uc-secure delegatable credentials with attributes and their application to blockchain. In ACM CCS, pages 683–699, 2017.
[13] David Chaum and Eugène van Heyst. Group signatures. In EUROCRYPT, pages 257–265, 1991.
[14] Aisling Connolly, Jérôme Deschamps, Pascal Lafourcade, and Octavio Perez-Kempner. Protego: Efficient, revocable and auditable anonymous credentials with applications to hyperledger fabric. In INDOCRYPT, pages 249–271, 2022.
[15] Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor Seiler, and Damien Stehlé. CRYSTALS-Dilithium: A lattice-based digital signature scheme. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2018(1):238–268, 2018.
[16] Kai Fan, Shangyang Wang, Yanhui Ren, Hui Li, and Yintang Yang. MedBlock: Efficient and secure medical data sharing via blockchain. Journal of Medical Systems, 42(8):136:1–136:11, 2018.
[17] Tomilayo Fatokun, Avishek Nag, and Sachin Sharma. Towards a blockchain assisted patient owned system for electronic health records. Electronics, 10(5), 2021.
[18] Pierre-Alain Fouque, Jeffrey Hoffstein, Paul Kirchner, Vadim Lyubashevsky, Thomas Pornin, Thomas Prest, Thomas Ricosset, Gregor Seiler, William Whyte, and Zhenfei Zhang. FALCON: Fast-fourier lattice-based compact signatures over NTRU. https://falcon-sign.info/falcon.pdf.
[19] Tomoki Fujitani, Keita Emura, and Kazumasa Omote. A privacy-preserving enforced bill collection system using smart contracts. In AsiaJCIS, pages 51–60. IEEE, 2021.
[20] Merlin George and Anu Mary Chacko. MediTrans - patient-centric interoperability through blockchain. International Journal of Network Management, 32(3), 2022.
[21] Jens Groth. Short non-interactive zero-knowledge proofs. In ASIACRYPT, pages 341–358, 2010.
[22] Yiheng Liang. Identity verification and management of electronic health records with blockchain technology. In ICHI, pages 1–3. IEEE, 2019.
[23] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups (extended abstract). In ACISP, pages 325–335, 2004.
[24] Xingye Lu, Man Ho Au, and Zhenfei Zhang. Raptor: A practical lattice-based (linkable) ring signature. In ACNS, pages 110–130, 2019.
[25] Mohammad Moussa Madine, Ammar Ayman Battah, Ibrar Yaqoob, Khaled Salah, Raja Jayaraman, Yousof Al-Hammadi, Sasa Pesic, and Samer Ellahham. Blockchain for giving patients control over their medical records. IEEE Access, 8:193102–193115, 2020.
[26] Abdullah Al Omar, Md. Zakirul Alam Bhuiyan, Anirban Basu, Shinsaku Kiyomoto, and Mohammad Shahriar Rahman. Privacy-friendly platform for healthcare data in cloud based on blockchain environment. Future Gener. Comput. Syst., 95:511–521, 2019.
[27] Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova. Pinocchio: nearly practical verifiable computation. Communications of the ACM, 59(2):103–112, 2016.
[28] Sen Qiao, Varun Madathil, and Kemafor Anyanwu. Integrating group signatures in complex decentralized marketplace transactions for improved buyer privacy. In Blockchain, pages 139–148. IEEE, 2022.
[29] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In ASIACRYPT, pages 552–565, 2001.
[30] Alex Roehrs, Cristiano Andre da Costa, and Rodrigo da Rosa Righi. OmniPHR: A distributed architecture model to integrate personal health records. Journal of Biomedical Informatics, 71:70–81, 2017.
[31] Teppei Sato, Keita Emura, Tomoki Fujitani, and Kazumasa Omote. An anonymous trust-marking scheme on blockchain systems. IEEE Access, 9:108772–108781, 2021.
[32] Kazuo Takaragi, Takashi Kubota, Sven Wohlgemuth, Katsuyuki Umezawa, and Hiroki Koyanagi. Secure revocation features in eKYC - privacy protection in central bank digital currency. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 106-A(3), 2023.
[33] Qi Xia, Emmanuel Boateng Sifah, Kwame Omono Asamoah, Jianbin Gao, Xiaojiang Du, and Mohsen Guizani. MeDShare: Trust-less medical data sharing among cloud service providers via blockchain. IEEE Access, 5:14757–14767, 2017.
[34] Shouhuai Xu and Moti Yung. Accountable ring signatures: A smart card approach. In CARDIS, pages 271–286, 2004.