1. Introduction

2. Preliminaries

2.4. Payment Channel

The payment channel ($\mathrm{PC}$) enables two mutually distrustful parties to transact without uploading every single payment message to blockchain. Two parties broadcast a funding transaction together with their deposits to the blockchain to open a payment channel [36]. The capital capacity to open the payment channel is the total amount of transactions between the two parties, that is, the amount transferred by the bank to the client. The key to the payment channel protocol is that the parties to the transaction can reach a cognitive agreement on the latest fund allocation. If one of the two parties in the transaction wants to close the transaction, they can send a promise to the blockchain regarding the final version of the fund’s distribution. In this way, the payment channel can be closed and the corresponding funds will be returned to the user. Since only the first and the last transactions are uploaded to the blockchain for opening and closing payment channels, the throughput of the blockchain is significantly improved.

Table 1. Notations in CMS System.

Table 1. Notations in CMS System.

Notations	Descriptions
B	Bank
C	Clients
V	Vendors
F	The total amount sent by bank to clients
${\mathbb{O}}_{\mathit{C}},\mathit{V}$	Partially identifiable information of clients and vendors
$S_0$	Bank’s signature on transaction information sent to clients
$\lambda$	The security parameter
$mpk$	The master public key
$msk$	The master secret key
$\mathbb{S}$	An attribute set
${Tx}_{p,i}$	The i-th transaction
${ts}_i$	The time of the i-th transaction
${\sigma }_i$	The client’s signature on the i-th transaction information
$\ell {\mathtt{k}}_{\mathit{i}}$	The lock of the i-th transaction

3. System Model

4. Our Construction

4.1. Framework Overview

The continuous micropayment system can ensure efficient, fast and safe continuous micropayment for both parties. The system is based on blockchain. The use of off-chain payment channels increases the scalability of the blockchain and allows transactions and data to be moved off-chain. The system includes bank, clients and vendors. The bank provides the clients with the total amount of the transaction required. Each user (clients and vendors) has a corresponding reputation value in the bank. After receiving the transaction request, the bank has the right to check the reputation value of both parties to determine whether the transaction can be opened. Continuous small-value transactions between users and suppliers through transaction channels. These consecutive transactions can be micro-coins. Each transaction $T{x}_{p,i}$ is not independent but associated.

$$T{x}_{p,i}=H(T{x}_{p,i-1})=H(H(T{x}_{p,i-2}))$$

The client signs each transaction information, thereby generating a series of signature locks. Every transaction vendors received contains a signature lock. The lock is invisible during the transaction, which can ensure the security of the transaction. After the vendor receives the last transaction, the $\mathrm{unlock}$ algorithm is used to unlock the chain of locks one by one. After the unlocking process is completed, each transaction message can be obtained. Finally, the first transaction information and the last transaction information are uploaded to the blockchain.

Table 2. Notations in LS.

Table 2. Notations in LS.

Notations	Descriptions
p	A prime
${\mathbb{Z}}_{\mathit{q}}$	The finite field of integers modulo a prime p.
$\mathit{G}$	A point on an elliptic curve
q	The order of group $\mathbb{G}$
${\sigma }_i$	The client’s signature on the i-th transaction information
$\mathit{H}(·)$	The hash function
$\mathit{k}$	The instance key
${\mathit{r}}_{\mathit{x}}$	The x-coordinate of the elliptic curve point
${\mathit{r}}_{\mathit{y}}$	The y-coordinate of the elliptic curve point
$\sigma$	The locked signature
$\widehat{\sigma }$	The locking signature

4.2. Detailed LS

The algorithm is parameterized by a group $\mathbb{G}$ of order $\mathit{q}$. The group $\mathbb{G}$ is generated by a point $\mathit{G}$ on an elliptic curve over the finite field ${\mathbb{Z}}_{\mathit{q}}$ of integers modulo a prime $\mathit{p}$. The algorithm makes use of a hash function $\mathit{H}:{\{0,1\}}^{*}\mapsto {\mathbb{Z}}_{\mathit{q}}$. Curve coordinates and scalars are represented in $\mathit{k}={log}_2(q)$ bits, which is also the security parameter [16]. The LS algorithms are as follows:

• $\mathrm{KeyGen}(1^{\lambda })\to (pk,sk),(\widehat{pk},\widehat{sk})$:

Select the secret key $sk$ from the finite field ${\mathbb{Z}}_{\mathit{q}}$

$${\mathbb{Z}}_{\mathit{q}}\to sk$$

Compute the public key $pk$ as

$$pk:=sk·G$$

Select the secret key $\widehat{sk}$ from the finite field ${\mathbb{Z}}_{\mathit{q}}$

$${\mathbb{Z}}_q\to \widehat{sk}$$

Compute the public key $\widehat{sk}$:

$$\widehat{pk}:=\widehat{sk}·\mathit{G}$$

Output$(pk,sk)$ and $(\widehat{pk},\widehat{sk})$

• $\mathrm{Lock}(sk,m,\widehat{sk},\widehat{m})\to \ell \mathtt{k}$:

1) $\mathrm{Sign}(sk,m),\{sk\in {\mathbb{Z}}_q,m\in {\{0,1\}}^{*}\}$

• Select $\mathit{k}$ from the finite field ${\mathbb{Z}}_{\mathit{q}}$

  $${\mathbb{Z}}_q\to \mathit{k}$$

Compute

$$(r_x,r_y)=\mathcal{R}:=\mathit{k}·\mathit{G}$$

Compute

$$\mathrm{sig}:=\frac{\mathit{H}(m)+sk·{\mathit{r}}_{\mathit{x}}}{\mathit{k}}$$

Compute

$$\sigma :=(\mathrm{sig}\mathrm{mod}\mathit{q},r_x\mathrm{mod}\mathit{q})$$

2) $\mathrm{Sign}(\widehat{sk},\widehat{m}),\{\widehat{sk}\in {\mathbb{Z}}_{\mathit{q}},\widehat{m}\in {\{0,1\}}^{*}\}$

• Select the instance key $\mathit{k}$ from the finite field ${\mathbb{Z}}_{\mathit{q}}$

  $${\mathbb{Z}}_q\to \mathit{k}$$

Compute

$$(r_x,r_y)=\mathcal{R}:=\mathrm{k}·\mathit{G}$$

Compute

$$\widehat{\mathrm{sig}}:=\frac{\mathit{H}(\widehat{\mathit{m}})+\widehat{\mathit{sk}}·{\mathit{r}}_{\mathit{x}}}{\mathit{k}}$$

Compute

$$\widehat{\sigma }:=(\widehat{\mathrm{sig}}\mathrm{mod}\mathit{q},{\mathit{r}}_{\mathit{x}}\mathrm{mod}\mathit{q})$$

Output

$$\ell \mathtt{k}:=\sigma \oplus \mathit{H}(\widehat{\sigma })$$

• $\mathrm{Unlock}(pk,m,\widehat{pk},\widehat{m},\widehat{\sigma },\ell \mathtt{k})\to \sigma$:
  Output

  $$\sigma :=\ell \mathtt{k}\oplus \mathit{H}(\widehat{\sigma })$$

• $\mathrm{Vf}(pk,m,\mathrm{Unlock}(pk,m,\widehat{pk},\widehat{m},\widehat{\sigma },\ell \mathtt{k}))=1$:
  1) $\mathrm{Verify}(pk,m,\sigma ),\{pk\in G,\sigma \in ({\mathbb{Z}}_q,{\mathbb{Z}}_q)\}$
  Parse $\sigma$ as $(\mathrm{sig},{\mathit{r}}_{\mathit{x}})$
  Compute

  $$({{\mathit{r}}_{\mathit{x}}}^{\prime },{{\mathit{r}}_{\mathit{x}}}^{\prime })={\mathcal{R}}^{\prime }:=\frac{\mathit{G}}{\mathrm{sig}·\mathit{H}(\mathit{m})}+\frac{\mathit{pk}}{\mathrm{sig}·{\mathit{r}}_{\mathit{x}}}$$
  Output 1 if and only if

  $$({{\mathit{r}}_{\mathit{x}}}^{\prime }\mathrm{mod}\mathit{q})=({\mathit{r}}_{\mathit{x}}\mathrm{mod}\mathit{q})$$
  2) $\mathrm{Vf}(pk,m,\mathrm{Unlock}(pk,m,\widehat{pk},\widehat{m},\widehat{\sigma },\ell \mathtt{k}))$

Output 1 if for all $\lambda \in \mathbb{N}$, all pairs of messages $(m,\widehat{m})\in ({0,1}^{\mathbf{\lambda }})$, for all key pairs of $(pk,sk)$ and $(\widehat{pk},\widehat{sk})$ in the image of $\mathrm{KGen}$.

A lockable signature scheme contains two signatures, defined as the locking signature and the locked signature. In the same breath, the lockable signature scheme contains two algorithms, namely the lock algorithm and the unlock algorithm. In the continual micropayment schemes, they sign two different but adjacent transaction messages.

Here, we first determine the transaction information. Then distinguish the information corresponding to the locked signature and the locked signature, and use the signature algorithm to generate the corresponding signature. Then we combine the signature with the hash operation and link the signatures according to the operation method of the hash chain. Finally, the lockable signature calculation process is introduced. The two signatures formed can be verified against different public keys.

The invisible signature lock can be obtained by inputting the locked signature and the locked signature into the locking algorithm. During the transaction process, a series of invisible locks generated by the client, and each node transaction of the hash chain is sent to the vendor through the payment channel. The vendor completes the unlocking process through the unlocking algorithm so that the transaction messages and the amount of each transaction can be obtained.

Our notion of security for lockable signatures is defined as follows. As mentioned earlier, the lockable signature scheme contains two algorithms, namely the lock algorithm and the unlock algorithm. First, we believe that signature algorithms can get deterministic signatures. Then we believe that the lock algorithm is implemented honestly in the security concept.

Algorithm 1 Unlockability of lockable signature

(Unlockability) The unlock ability embodies three features.

1) Correctness: It ensures that lockable signature schemes can be unlocked correctly at the end of a series of transactions;

2) Efficiency: Lockable signature shows higher efficiency during transactions compared to the traditional schemes that use a trusted third party to witness the whole transaction process;

3) Completeness: Lockable signature schemes can prevent the transaction process from being interrupted by an external adversary who might launch a transaction-intercept attack1.

The adversary $\mathcal{A}$ obtains the transaction message (time or phase) in the middle of the micropayment transaction using a hash chain. Then $\mathcal{A}$ can trace back to the first transaction and the account messages of transaction parties are exposed.

There is an adversary $\mathcal{A}$ in security analysis. He can choose a message pair $(m,\widehat{m})$ while accessing the secret key’s signing oracle. In the process of unlockability feature verification, the generated signature lock $\ell \mathtt{k}$ is obtained by running the lock algorithm honestly. The signature lock is revealed to the adversary $\mathcal{A}$. Then the adversary $\mathcal{A}$ returns a candidate locking signature for unlocking, and obtains the corresponding locked signature through the unlocking process. If the obtained locked signature is an invalid signature for the transaction message m under the public key $pk$, the adversary $\mathcal{A}$ wins.

We say that the lockable signature satisfies the property of unlockability, which means that the adversary $\mathcal{A}$ has a negligible advantage under the restriction of the given security parameters.

(Invisibility) As mentioned earlier, the signature locks are hidden during transactions [29]. The invisibility feature can ensure that the information of both the locking signature and the locked signature will be invisible within the transaction process. In other words, the transaction information is not exposed when it is not unlocked. In the security analysis, $\mathcal{A}$ can query the signature oracle for the secret key $sk$ , and then select a message pair $(m,\widehat{m})$. The lockable signature scheme is reckoned to fit the definition of invisibility, suggesting that the winning probability of the adversary is approximately 1/2.

Algorithm 2 Invisibility of lockable signature

Figure 3. The idea of Lockable Signature ($\mathrm{LS}$).

Figure 3. The idea of Lockable Signature ($\mathrm{LS}$).

5. Security Analysis

6. Experiment

Table 3. The costs of CMS.

Table 4. Communication overhead comparison results.

Figure 4. The time cost of setup phase.

Figure 4. The time cost of setup phase.

Figure 5. The time cost of transaction phase.

Figure 5. The time cost of transaction phase.

Figure 6. The time cost of release phase.

Figure 6. The time cost of release phase.

7. Related Work

8. Conclusions

References

1. Rezaeibagha, F.; Mu, Y. Efficient micropayment of cryptocurrency from blockchains. The Computer Journal, 2019, 62, 507–517. [Google Scholar] [CrossRef]
2. Boudriga, N. A resilient micro-payment infrastructure: an approach based on blockchain technology. Kuwait Journal of Science 2022, 49. [Google Scholar]
3. Pass, R.; Shelat, A. Micropayments for decentralized currencies[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015, 207–218. [Google Scholar]
4. Decker, C.; Wattenhofer, R. A fast and scalable payment network with bitcoin duplex micropayment channels[C]//Symposium on Self-Stabilizing Systems; Springer: Cham, 2015; pp. 3–18. [Google Scholar]
5. Lipton, R. J.; Ostrovsky, R. Micro-payments via efficient coin-flipping[C]//International Conference on Financial Cryptography; Springer: Berlin, Heidelberg, 1998; pp. 1–15. [Google Scholar]
6. Micali, S.; Rivest R, L. Micropayments revisited[C]//Cryptographer Track at the RSA Conference; Springer: Berlin, Heidelberg, 2002; pp. 149–163. [Google Scholar]
7. Mu, Y.; Varadharajan, V.; Lin Y, X. New micropayment schemes based on Pay Words[C]//Australasian Conference on Information Security and Privacy; Springer: Berlin, Heidelberg, 1997; pp. 283–293. [Google Scholar]
8. Burchert, C.; Decker, C.; Wattenhofer, R. Scalable funding of bitcoin micropayment channel networks. Royal Society open science, 2018, 5, 180089. [Google Scholar] [CrossRef] [PubMed]
9. Rivest, R. L.; Shamir, A. PayWord and MicroMint: Two simple micropayment schemes[C]//International workshop on security protocols; Springer: Berlin, Heidelberg, 1996; pp. 69–87. [Google Scholar]
10. Nguyen, Q. S. Multi-dimensional hash chains and application to micropayment schemes[C]//International Workshop on Coding and Cryptography; Springer: Berlin, Heidelberg, 2005; Volume 218, p. 228. [Google Scholar]
11. Lei, H.; Huang, L.; Wang, L.; et al. MPC: Multi-node Payment Channel for Off-chain Transactions[C]//ICC 2022-IEEE International Conference on Communications; IEEE, 2022; pp. 4733–4738. [Google Scholar]
12. Li, D.; Liu, J.; Tang, Z.; et al. Agentchain: A decentralized cross-chain exchange system[C]//2019 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/13th IEEE International Conference on Big Data Science and Engineering (Trustcom/BigdataSE); IEEE, 2019; pp. 491–498. [Google Scholar]
13. Buldas, A.; Laanoja, R.; Truu, A. A blockchain-assisted hash-based signature scheme[C]//Nordic Conference on Secure IT Systems; Springer: Cham, 2018; pp. 138–153. [Google Scholar]
14. Erdin, E.; Mercan, S.; Akkaya, K. An evaluation of cryptocurrency payment channel networks and their privacy implications. arXiv 2021, arXiv:2102.02659. [Google Scholar]
15. Avarikioti, Z.; Thyfronitis Litos, O. S.; Wattenhofer, R. Cerberus channels: Incentivizing watchtowers for bitcoin[C]//International Conference on Financial Cryptography and Data Security; Springer: Cham, 2020; pp. 346–366. [Google Scholar]
16. Doerner, J.; Kondi, Y.; Lee, E.; et al. Secure two-party threshold ECDSA from ECDSA assumptions[C]//2018 IEEE Symposium on Security and Privacy (SP); IEEE, 2018; pp. 980–997. [Google Scholar]
17. Zhang, Y.; Deng, R. H.; Liu, X.; et al. Blockchain based efficient and robust fair payment for outsourcing services in cloud computing. Information Sciences 2018, 462, 262–277. [Google Scholar] [CrossRef]
18. Syed, T. A.; Alzahrani, A.; Jan, S.; et al. A comparative analysis of blockchain architecture and its applications: Problems and recommendations. IEEE access 2019, 7, 176838–176869. [Google Scholar] [CrossRef]
19. Dai, H. N.; Zheng, Z.; Zhang, Y. Blockchain for Internet of Things: A survey. IEEE Internet of Things Journal, 2019, 6, 8076–8094. [Google Scholar] [CrossRef]
20. Konstantinidis, I.; Siaminos, G.; Timplalexis, C.; et al. Blockchain for business applications: A systematic literature review[C]//International conference on business information systems; Springer: Cham, 2018; pp. 384–399. [Google Scholar]
21. Malavolta, G.; Moreno-Sanchez, P.; Schneidewind, C.; et al. Anonymous multi-hop locks for blockchain scalability and interoperability. Cryptology ePrint Archive 2018. [Google Scholar]
22. Wu, J.; Jiang, S. On Increasing Scalability and Liquidation of Lightning Networks for Blockchains. IEEE Transactions on Network Science and Engineering 2022. [Google Scholar] [CrossRef]
23. Pandey, A. A.; Fernandez, T. F.; Bansal, R.; et al. Maintaining Scalability in Blockchain[C]//International Conference on Intelligent Systems Design and Applications; Springer: Cham, 2022; pp. 34–45. [Google Scholar]
24. Takahashi, T.; Otsuka, A. Probabilistic micropayments with transferability[C]//European Symposium on Research in Computer Security; Springer: Cham, 2021; pp. 390–406. [Google Scholar]
25. Ying, N.; Wu, T W. xlumi: Payment channel protocol and off-chain payment in blockchain contract systems. arXiv 2021, arXiv:2101.10621. [Google Scholar]
26. Fazli, M. A.; Nehzati, S. M.; Salarkia, M. A. Building Stable Off-chain Payment Networks. arXiv 2021, arXiv:2107.03367. [Google Scholar]
27. Nofer, M.; Gomber, P.; Hinz, O.; et al. Blockchain. Business and Information Systems Engineering, 2017, 59, 183–187. [Google Scholar] [CrossRef]
28. Deepa, N.; Pham, Q. V.; Nguyen, D. C.; et al. A survey on blockchain for big data: approaches, opportunities, and future directions. Future Generation Computer Systems 2022. [Google Scholar] [CrossRef]
29. Thyagarajan, S. A. K.; Malavolta, G. Lockable signatures for blockchains: Scriptless scripts for all signatures[C]//2021 IEEE Symposium on Security and Privacy (SP); IEEE, 2021; pp. 937–954. [Google Scholar]
30. Zhang, Y.; Deng, R. H.; Liu, X.; et al. Blockchain based efficient and robust fair payment for outsourcing services in cloud computing. Information Sciences, 2018, 462, 262–277. [Google Scholar] [CrossRef]
31. Zhang, Y.; Deng, R. H.; Liu, X.; et al. Blockchain based efficient and robust fair payment for outsourcing services in cloud computing. Information Sciences, 2018, 462, 262–277. [Google Scholar] [CrossRef]
32. McCorry, P.; Möser, M.; Shahandasti, S. F.; Hao, F. Towards bitcoin payment networks[C]//Australasian Conference on Information Security and Privacy; Springer: Cham, 2016; pp. 57–76. [Google Scholar]
33. Delmolino, K.; Arnett, M.; Kosba, A.; et al. Step by step towards creating a safe smart contract: Lessons and insights from a cryptocurrency lab[C]//International conference on financial cryptography and data security; Springer: Berlin, Heidelberg, 2016; pp. 79–94. [Google Scholar]
34. Boneh, D.; Lynn, B.; Shacham, H. Short signatures from the Weil pairing[C]//International conference on the theory and application of cryptology and information security; Springer: Berlin, Heidelberg, 2001; pp. 514–532. [Google Scholar]
35. Lei, H.; Huang, L.; Wang, L.; et al. MPC: Multi-node Payment Channel for Off-chain Transactions[C]//ICC 2022-IEEE International Conference on Communications; IEEE, 2022; pp. 4733–4738. [Google Scholar]
36. Zhang, J.; Ye, Y.; Wu, W.; et al. Boros: Secure and Efficient Off-Blockchain Transactions via Payment Channel Hub. IEEE Transactions on Dependable and Secure Computing 2021. [Google Scholar] [CrossRef]
37. Bonneau, J.; Preibusch, S.; Anderson, R. Financial cryptography and data security; Springer International Publishing, 2020. [Google Scholar]
38. Li, T.; Yang, A.; Weng, J.; et al. Concurrent and efficient IoT data trading based on probabilistic micropayments; Wireless Networks, 2022; pp. 1–16. [Google Scholar]