Digital signature scheme for information non-repudiation in blockchain: a state of the art review

Blockchain, as one of the most promising technology, has attracted tremendous attention. The interesting characteristics of blockchain are decentralized ledger and strong security, while non-repudiation is the important property of information security in blockchain. A digital signature scheme is an effective approach to achieve non-repudiation. In this paper, the characteristics of blockchain and the digital signature to guarantee information non-repudiation are firstly discussed. Secondly, the typical digital signature schemes in blockchain are classified and analyzed, and then the state-of-the-art digital signatures are investigated and compared in terms of application fields, methods, security, and performance. Lastly, the conclusions are given, and some future works are suggested to stir research efforts in this field. Our works will facilitate to design efficient and secure digital signature algorithms in blockchain.


Introduction
Currently, as the key technology behind Bitcoin, the blockchain has been widely researched and deployed [1]. It provides a decentralized mechanism and infrastructure in different fields [2][3][4][5] and maintains a chronologically continuous, non-tamperable data record. Meanwhile, it is also a research hotspot [6][7][8][9]. When assets in the real or digital world can generate digital digests, the blockchain becomes the perfect vehicle for the application of the assertion class, to provide digital evidence of ownership and timestamps. Hence, the blockchain can be applied in many fields [10], which involve online payment, stock exchange, trade management, and IoT. Blockchain technology not only serves as the technical basis for all digital cryptocurrencies, but also extends broader developments and applications in traditional finance and trade. Furthermore, it also opens the door to new technologies such as smart contracts [11].
With the development of blockchain, the issues of hard fork and double payment [12], which are caused by block conflicts, will directly impact on the validity and integrity of E-commerce transactions. The essence of these issues is information security, in short, whether it is the consensus process in the face of 51% attack [13,14], the Byzantine failures or in the future on the asymmetric encryption algorithm, as well as those attacks from outside rivals and transaction information forgery, or there are the personal privacy leakage and the software design flaws. The non-repudiation of information is very important for the security in blockchain. In order to guarantee the non-repudiation of information in the blockchain system, some security technologies, such as digital signature [15], identity authentication, and time stamping [16] are studied and applied.
Digital signatures can be used to verify the integrity of a file or a message. It is non-repudiation. In Fig. 1, a typical digital signature process is given basic on RSA. It is one of the digital signature algorithms, which are widely used [17]. Digital signature technology can be well adapted to its characteristics in the blockchain system. It will be more secure and applicable than the traditional application field and has the possibility of increasing value. For example, digital signature only carries information on the Internet, but has no value transfer.
In blockchain system, there is not only information transmission, but also the transfer of value. In such a context, our contributions of this paper include the following: 1) Digital signature schemes to guarantee the nonrepudiation of information in blockchain, as well as the state-of-the-art works in digital signatures are reviewed, analyzed, and compared systematically, in order to facilitate the design and optimization of signature algorithms. 2) Future research directions on digital signature are suggested so as to provide possible opportunities for this research field.
The rest of this paper is organized as follows. Firstly, the blockchain and non-repudiation are discussed in Section 2. Then, the digital signature schemes are analyzed in Section 3. Furthermore, the related works are reviewed and compared in detail in Section 4. Finally, the conclusions and future works are given in Section 5.

Blockchain
The concept of blockchain was originally proposed by Nakamoto in 2008 [18], and now has become the core technology of Bitcoin. In the original text, the terms "block" and "chain" were used separately at the earliest stage and were used as blockchain after being widely used. The block is a recorded Bitcoin transaction data unit, which consists of two parts: one is the block header, and the other is the block content. It is not until 2016 that the word "blockchain" has been synthesized. Generally, the blockchain can be categorized into as follows: Public Blockchain, Consortium, and Private Blockchain. In addition, different blockchains can also form a network, and the links and the chains in the same network are interconnected to generate an interchain [13]. The relationship of blockchain classification is shown in Fig. 2.
The blockchain has some features, including decentralization, openness, self-control, untamperability, and anonymity [19]. The core technologies in blockchains involve asymmetric encryption, P2P, distributed ledger, consensus mechanism, and smart contract [20]. Many traditional security schemes and algorithms [21][22][23][24][25][26] are deployed in blockchains. With the development of the blockchain, it has also merged with a series of new information technologies, such as IoT, cloud computing, and big data and is becoming the support of infrastructures. Meanwhile, it also plays an important role in promoting the development of a newgeneration information technology. By using the blockchain, up to military-grade security can be achieved with typical devices in IoT [27]. Furthermore, many researchers have done a series of works to observe whether it is well suited to the IoT. They also describe how blockchain and IoT are integrated closely, such as facilitating the sharing of services and resources, establishing a service market between devices, and allowing users to automate the encryption and authentication process in the time-consuming workflow of several existing units. Finally, according to the research results, they show that combining blockchain and IoT is quite optimistic. The combination can promote the development of a number of industries, can drive major reforms and innovations across multiple fields of industry, and, furthermore, also can pave the way for new business models and new distributed applications [28].

Non-repudiation
Non-repudiation means that participants cannot deny the transaction and behavior in the transaction of Ecommerce in the blockchain. The purpose of nonrepudiation service is to collect, maintain, provide, and verify the undeniable evidence about messages from the transmitter to the receiver. The nonrepudiation service may involve the services of the trusted third party, called the delivery authority (DA) [29]. In blockchain, the non-repudiation involves two aspects: one is that the sent information cannot be denied, for example, A sent a message to B, so A cannot deny the behavior. The other is the information receiver cannot be denied. Similarly, A sent to B a message, but B cannot claim that he did not receive this message. Digital signatures in blockchain systems use asymmetric encryption techniques that are typical of elliptic curve equations [30] to guarantee the nonrepudiation of information.
For example, a digital signature for Bitcoin is achieved by using elliptic curves and modular arithmetic in finite fields [31]. It allows non-repudiation, as it means the person who sent the message had to be in possession of the private key. Therefore, owns the Bitcoins-anyone on the network can verify the transaction as a result. The Bitcoin digital signature is shown in Fig. 3.

Digital signature
In this section, we will survey and analyze several typical digital signature schemes in blockchain. These signature schemes include aggregate signature, group signature, ring signature, blind signature, and proxy signature.

Aggregate signature
An aggregate signature [32] is a typical digital signature scheme with aggregation function based on co-GDH and bilinear mapping. The meaning of aggregation is given n signatures on n different messages from n different users, and it is possible to summarize all these signatures into a short signature. This brief single signature (n original messages) will convince the verifier that the n users do indeed sign n messages (e.g., user i signs message M i from i = 1 to n). The aggregate signatures greatly reduce the workload of signature storage and signature verification. In practice, the computational and communication costs can be reduced. It is usually used in environments where bandwidth and storage space are limited.

Group signature
A group signature [33] scheme allows members in a group to anonymously represent group signed messages. The security elements formed by group signatures must comply with the following eight requirements: reliability and integrity, unforgeable, anonymity, traceability, unlinkability, no framing, unforgeable tracing verification, and coalition resistance.
Due to the differences in blockchain application scenarios, the execution efficiency of the group signature scheme becomes critical. Generally, the execution efficiency of the group signature mechanism can be evaluated by the length of the group signature, the size of the public key, the time of signature generation, and the verification time.

Ring signature
A ring signature scheme [34] uses the public key of all users on a set U and a single private key of a user on U. Considering the feature of the ring signature, it can be deployed to the anonymous payment applications or the transactions that need the untraceability. The signature scheme has no trusted center, the signer is in a completely anonymous state, and there are significant special cases in which the information needs long-term protection. This signature scheme has better security. For attacker A, even if he has private keys of all members, he cannot determine the specific signer. The probability that the real signer is determined is 1/n (n is the total number of ring members), and A cannot generate the ring signature of the message from all kinds of non-negligible probability. Generally, a good ring signature must meet the following security requirements: Unconditional anonymity. Even if an attacker illegally obtains the private key of all possible signers, he can determine that the probability of the true signer does not exceed 1/n. Unforgeability. If an external attacker does not know any member's private key, even if he can get the signature of any message m from a random predictor that generates a ring signature, the probability that he successfully forged a legitimate signature is negligible.  The signer can freely specify his own anonymous scope, can constitute a beautiful circular logical structure, and can realize the main function of group signature but does not need a trusted third party or group administrator.

Blind signature
A blind signature [35] is based on the problem of large number factor de-composition, discrete logarithm problem, and elliptic curve. It is characterized by the fact that the message is disguised before it is signed. Typically, it is used where the transmitter's privacy is very important, for example, it is used in the privacy-related protocol where the signer and the message author are different.
In blockchain applications, the blind signature is often used for encrypted election systems and digital cash plans. In addition to satisfying the general digital signature conditions, blind signatures must also satisfy the following two properties: The signer is invisible to the message he signed, namely the signer does not know the specific content of the message he signed. The signed message is not traceable, that is, when the signed message is published, the signer cannot know which one he signed.

Proxy signature
The proxy signature [36] allows a designated signer, called as a proxy signer, to represent an original signer. Proxy signature is based on the discrete logarithm problem. Compared with the continuous execution of ordinary digital signature schemes, the proxy signature has a direct form. The verifier does not need the public key of the user other than the original signer in the verification process. In terms of performance, it requires less computational cost than the continuous execution of a general signature scheme. Essentially speaking, the proxy signature in blockchain is that the original signer authorizes his signature to the proxy signer and then causes the proxy signer to generate a valid signature on behalf of the original signer. It contains the following sections: Initialization process (e.g., signature system parameters, user's key); Power delegation process; Process of generating a proxy signature; Verification process of the proxy signature.
The comparisons of five typical digital signatures in blockchain are shown in Table 1. Digital signatures are implemented to achieve the identification of digital information by using public-key cryptography. A set of digital signatures usually defines two complementary operations, one for signature and one for verification. To put it simply, only a string of digits that cannot be forged by someone else can be generated by the transmitter of the message. This string of digits is also a valid proof of the authenticity of the information sent by the sender of the message. In the distributed network of blockchains, communication and trust between nodes rely on digital signature technology. It mainly implements information non-repudiation, identity verification, as well as information authenticity, and integrity verification.

Related work and comparison
In this section, we will systematically review some stateof-the-art digital signature schemes, which are deployed in blockchain. Then, we give a comparative analysis of the mentioned signature schemes, in terms of application fields, methods, security, and performance.
Zhu et al. [37] proposed an IIS, which could protect the owner's information from being falsified and the trader's information could not be denied. This signature protocol was mainly used to build a blockchain system that was more accurate and had higher performance than existing blockchain systems. As the core of this system, IIS could ensure that the transaction was confirmed by the dealer and was undeniable. With this signature, the merchant could assure the owner that the transaction would be included in the blockchain system in an undeniable manner. The signature scheme proved to be a security guarantee for the owner's unforgeability and the merchant's non-repudiation. This scheme solved the problem of ensuring instant confirmation of nonrepudiation during blockchain implementation.
Tian et al. [38] proposed a BVES based on traditional verifiable cryptographic signatures and blind signature ideas. Since each node of the blockchain could read transaction data during the transaction to verify that the transaction data was correct, but the transaction data involved the content of privacy. Therefore, either the contradiction arose or the privacy was protected. It was difficult to design a fair contract-signing agreement that protected privacy on the blockchain. They built a fair and confidential contract signing agreement based on this signature system, which not only allowed contract signers to complete fair contract signing through the blockchain, but also protected the privacy content related to the contract. This new blind verifiable cryptographic signature system effectively protected contractrelated privacy content in the event of a transaction being disclosed.
Sato et al. [39] pointed out how the security of blockchain information would be affected when the underlying encryption algorithm (hash function and digital signature) compromised. If compromise occurred in  Aggregate signature (AS) Based on co-GDH and bilinear mapping The security in AS is mainly guaranteed by the bilinear mapping and the trapdoor permutation. AS has the ability to detect the attackers' forged signature.
Verification time of AS is linear with the number of signatures.
In special cases, when all n signatures are generated by the same public key k, verification speed in AS is faster. Meanwhile, the workload of signature storage and verification are reduced.
Group signature (GS) Based on non-repudiation signature Reliability and integrity, unforgeability, anonymity, traceability, no correlation, no framework, and defense against joint attack. The length of the public key, the length of signature, and the number of group members have a linear relationship and impact on GS performance. GS is not suitable for a large group.
A new member needs to restart the entire system, when it enters. Fortunately, zero-knowledge proof is an effective approach to improve GS.
Ring signature (RS) Variant of group signature. Two ring signatures based on RSA and Labin versions Untraceability and anonymity. The attacker cannot find who the specific signer is. Even if he has the private keys of all ring members. This is due to that the probability of determining the real signer is 1/n (n is the number of ring members). In essence, RS is a series of cryptographic transformations by using a public key, a private key, and the information to be signed. It signature process and the verification process is similar to a regular signature for each non-signer, RS runs efficiently even if there are hundreds of members in a ring.
Blind signature (BS) SHA256, it would result in stolen electronic money, double payment, and failure to complete the agreement; when RIPEMD160 compromises, it would result in a denial of payment; when ECDSA compromised, it would result in currency theft and send a false alarm claims No payment was received; the hash function and the digital signature scheme produced compromises that, when combined, resulted in denied transactions, currency theft, double payments, and changes to existing transaction data. In order to solve the security problems in the blockchain, they proposed how to use a long signature scheme like the ETSI [40] standard and did not require the TTP mechanism. Through the research and analysis, it was found that the change of the key pair and the bifurcation could not be avoided when the signature scheme was compromised, but the additional blockchain could be used in a certain period of time (within a few years) through the protocol proposed by the researchers. Aitzhan et al. [41] solved the problem of providing transaction security in decentralized smart grid energy trading without relying on trusted third parties. The concept validation of the decentralized energy trading system was implemented through blockchain technology, multiple signatures, and anonymously encrypted information flows. It enabled peers to anonymously negotiate energy prices and conducted transactions securely. Because they replicated between all active nodes, the system used P2P community data replication methods to protect transactions from failure. In addition, the use of workload proofs, such as Bitcoin, allowed the system to overcome the Byzantine general problem and to defend against any double payment attack that occurred in electronic payment systems.
Yuan et al. [42] proposed that privacy protection and blockchain performance were two research hotspots in academia and business fields, but there were still some unsolved problems in these two aspects. They designed a new signature scheme based on the aggregation signature algorithm in the blockchain big data transaction to try to solve the above problems. This scheme was applied to the transaction with multiple inputs and outputs whose amount would be hidden. In addition, the size of the signature in the transaction was constant, and it improved the performance of the signature regardless of the number of inputs and outputs contained in the transaction.
Shen et al. [43] introduced a method of concealing the transaction amount in the strongly dispersed anonymous password currency Monero. Similar to Bitcoin, Monero is a cryptocurrency that was assigned through a workload proof "dig" process, with no center or trusted party established. The original Monero protocol was based on Crypto Note, which used ring signatures and one-time keys to hide the purpose and source of the transaction.
Bitcoin core developer Gregory Maxwell had discussed and implemented techniques for using a commitment scheme to hide transaction amounts.
Benjamin [44] described how ECDSA was applied to Bitcoin technology and introduced the elliptic curve digital signature and its application in blockchain technology. The emphasis on the elliptic curve theory and its application in cryptography was a more extensive topic, and it was proved that the security of elliptic curvebased cryptosystem was infeasible by the computation of elliptic curve discrete logarithm problem, thus deriving its security. The difficulty of solving this problem also ensured the security and authenticity of the Bitcoin network's transaction on the blockchain.
ShenTu et al. [45] proposed an order to strengthen the anonymity of Bitcoin in the blockchain and prevented the centralized coin mixing provider (mixer) to mix bits with multiple inputs and multiple outputs to reveal the relationship between them, in order to provide real anonymity for user. Then, a centralized coin mixing algorithm based on the elliptic curve blind signature scheme (expressed as Blind-Mixing) was proposed, which prevented the mixer from linking the input address with the output address. In addition, Blind-Mixing blind signature scheme was 10.5 times faster than RSA Coin-Mixing, and Blind-Mixing can resist super attackers.
Mercer [46] focused on implementing the privacy on the blockchain and introduced a unique ring signature scheme that worked with the existing blockchain systems, implemented a URS scheme by using secp256k1, and created the first instance that was compatible with the blockchain library to easily implement Ethereum smart contracts. Researchers had demonstrated the privacy and security attributes of the solution and compared its efficiency with other commonly recommended blockchain privacy methods. Although the URS scheme was expensive to implement in the Ethereum, it had realistic feasibility. The compromise between the anonymous guarantee and the availability of the program was decided by the users.
Wu et al. [47] studied how to jointly manage Bitcoin transactions in a blockchain where multiple participants had Bitcoin accounts while maintaining the anonymity of multiple owners. A scenario in which a distributor owned a Bitcoin account and authorized multiple participants to manage together, and a Bitcoin account was shared by peers. Based on the above two application scenarios, partial blind threshold signatures and their extensions were proposed to meet these requirements. The proposed solution was compatible with the current Bitcoin system. The proposed scheme bound the public information c with a key that only the distributor knew, so that an attacker who wanted to tamper with c' must solve the CDH problem, which was computationally infeasible. As for Bitcoin, the platform could not know the amount of Bitcoin and the output address of the transaction. This was the main purpose of ensuring the security of this scheme. Andreev [48] mentioned that existing ECC blind signatures lack compatibility with the standard ECDSA and therefore could not be directly used for Bitcoin transactions in the blockchain. A solution that allowed the generation of a blind signature that was compatible with existing Bitcoin protocols was then proposed. In this situation, signatories could provide services to store private keys and authenticate transactions without knowing the funds being transferred. Combined with multisignature transactions, the program could privately lock some money and multiple parties. As in normal ECDSA, secret parameters must never be reused in different signatures.
Bonneau et al. [49] mentioned that Bitcoin's ecosystem in the blockchain was often subject to theft and loss, affecting businesses and individuals. Because of the irreversibility, automation, and pseudonym of transactions, Bitcoin lacked support for the complex internal control systems deployed by modern companies to stop fraud. The first threshold signature scheme compatible with Bitcoin's ECDSA signature was proposed to solve how to use this original resource to establish a distributed Bitcoin wallet and how to use it to implement a threshold wallet and various internal control protocols. The proposed solution had the potential to significantly increase the security of Bitcoin and make it closer to the widely adopted currency.
Dikshit and Singh [50] stated that all Bitcoin transactions were recorded and stored in a publicly available database called blockchain. Because these transactions were available to everyone, Bitcoin must be stored in a secure wallet. These Bitcoin wallets could only be opened with a key, and if the wallet's key was lost, it could not be recovered because of the irreversibility of Bitcoin transactions. In order to solve this problem, previous researchers proposed some solutions, but these solutions had the disadvantage of managing and processing each player's key. In order to remedy this deficiency, they proposed a scheme in which all participants could obtain a single share and could meet the requirements of the weight concept.
Cruz and Kaji [51] studied various cryptographic schemes to implement a secure and efficient electronic voting system, but these systems were difficult to use for actual voting. One of the technical reasons for this unfortunate situation was that many E-voting systems require an anonymous communication channel that was difficult to implement on the Internet. An E-voting system based on Bitcoin protocol and blind signature was proposed. In the proposed system, Bitcoin protocol was supplemented by known protocols (such as blind signature protocol and digital signature protocol) to implement a secure, anonymous, and transparent electronic voting system, and several important features of the electronic voting system were discussed, including fairness, anonymity, soundness, and verifiability. It had shown that the use of the Bitcoin protocol brought other advantageous features in addition to the anonymity of the communication.
Fu et al. [52] mentioned that because of the transaction in the blockchain, even if the user used the public key as the account address to make the transaction anonymous, it would bring potential privacy leakage to the user. In addition, in order to prevent recurring costs, the system agreed only when there were k subsequent blocks generated after the target block, in order to confirm that the transaction on the target block was valid. This time, waiting for the subsequent block generation was longer, and the transaction efficiency was greatly reduced. In view of the above problems, a proxy-based payment system model of password money was proposed, and an implementation scheme based on a blind signature algorithm was given. By introducing agents at the payment stage, the transaction validation time was shortened, the transaction efficiency was improved, and the anonymity of the user was realized better.
Chalkias et al. [53] proposed BPQS, an extensible PQresistant digital signature scheme from the blockchain architecture and existing Merkle tree-based signature schemes. BPQS could apply specific chain/graph structures in order to decrease key generation, signing, and verification costs as well as signature size. Compared to recent improvements in the field, BPQS outperformed existing hash-based algorithms, when a key was reused for reasonable numbers of signatures. It also supported a fallback mechanism to allow for a practically unlimited number of signatures if required. BPQS had shorter signatures and faster key generation, signing, and verification times. It was computationally comparable to nonquantum schemes. One could take advantage of the easy-to-apply multiple hash-chain WOTS parallelization and cache to provide almost instant signing and faster verification. Meanwhile, it could be used as a building block to implement novel PQ schemes. In addition, when used in blockchain and DLT applications, it could deploy the underlying chain/graph structure by referencing a previous transaction, in which the same key was reused. This could effectively mean that each new BPQS signature simply required the effort of an OTS scheme, because the rest of the signature path to the root was in the ledger already and can be omitted Lin et al. [54] introduced the concept and security model of ID-based linearly homomorphic signature and then designed a new ID-based linear homomorphic signature scheme to avoid the shortcomings of the use of public-key certificates. It meant that the signer could construct a linearly homomorphic signature in identitybased cryptosystems. The proposed scheme was proved secure against existential forgery on adaptively chosen message and ID attack under the random oracle model. The ID-based linearly homomorphic signature schemes could be deployed in e-business, cloud computing, and blockchain.
In e-Health, Guo et al. [55] proposed an attributebased signature scheme to guarantee the validity of EHRs encapsulated in blockchain. The proposed scheme had multiple authorities, in which a patient endorsed a message according to the attribute while disclosing no information other than the evidence that he had attested to it. Furthermore, there were multiple authorities without a trusted single or central one to generate and distribute public/private keys in this scheme. It was to avoid the escrow problem and conforms to the mode of distributed data storage in the blockchain. By sharing the secret pseudorandom function seeds among authorities, this protocol resists collusion attacks. Under the assumption of the computational bilinear Diffie-Hellman, the unforgeability and perfect privacy of the attribute signer were also formally demonstrated.
Qian et al. [56] proposed an efficient short signature length aggregate signature scheme, which solved the privacy protection and performance issues of the blockchain. In this scheme, the length of the aggregate signature was independent of the number of users, which was fixed and reduced the storage overhead. In addition, the signature scheme constructed a signature based on the discrete logarithm problem, instead of constructing a bilinear map-based. It reduced the computational overhead. Meanwhile, in the blockchain transaction, the identity privacy of the receiver was effectively protected. When a transaction contained n input addresses and m output addresses, the number of signatures could be reduced from n to 1. Compared with related schemes, the privacy protection scheme reduced the computational overhead of the signature and verification process, reduced the storage overhead of the blockchain, and improved the communication efficiency.
Li et al. [57] proposed a new lattice-based signature scheme that could be used to secure the blockchain network over existing classical channels. In the key generation phase, they combined the algorithm RandBasis with the algorithm ExtBasis to generate the sub-private keys for verifying the transaction message. This could randomize the output of algorithm ExtBasis and improve the security of the users' private information. Furthermore, the security proof showed that the scheme was secure against the adaptively chosen message attack in random oracle, and the comparison results indicated that it was more efficient than similar works. Therefore, this scheme was more suitable for the transaction implementation in P-QBN.
In addition, Cao et al. [58] proposed a group signature based on blockchain. This signature could be proofed to guarantee security in an untrusted environment and extend the real applications. Long and Wei [59] presented a new Byzantine Fault Tolerance (BFT) consensus mechanism based on an aggregated signature gossip protocol. This mechanism could take thousands of nodes to participate in the consensus process. It had high transaction throughput and low messaging complexity. To meet the requirement of lower bandwidth cost in blockchain, Ren et al. [60] proposed a compact Non-Interactive Zero-Knowledge (NIZK) argument of knowledge and then used it to improve a ring signature. The proposed signature scheme was anonymous and unforgeable and need lower storage space of signature and pairing computations in the verification process. Wang et al. [61] used both mixing and confidential transaction technique to construct a full anonymous blockchain system by a one-way aggregate signature scheme and a homomorphic encryption scheme. In this blockchain, the full anonymity of user identities and transaction amounts were achieved. All individual signatures were compresses by the one-way aggregate signature scheme to reduce storage space. Comparisons of various improved digital signature schemes in blockchain are shown in Table 2. Continuing the classification strategy of Table 1, we conclude these various improved digital signature schemes into six types as follows: aggregate signature (AS), group signature (GS), ring signature (RS), blind signature (BS), proxy signature (PS), and other signatures. The security and performance of different signature schemes in the table vary according to the specific scenarios of their application. It shows that the digital signature technology has relatively good security performance under various applications in the future of the blockchain.
From the above analysis, most of the digital signature schemes in blockchain are deployed by the asymmetric encryption algorithms, which involve RSA, DSA, and ECDSA. For example, Zhu [37], Benjamin [44], Bonneau [49], and Dikshit [50] use ECDSA to implement the digital signatures. In general, DSA can only be used for digital signatures, not encryption (some extensions can support encryption); RSA can be used as a digital signature algorithm or as an encryption algorithm. However, when RSA is used as encryption, its performance decreases sharply with the increase of key length. With the same key length,  Yuan [42] Amount will be hidden in blockchain big data transactions with multiple inputs and outputs Elliptic curve discrete logarithm and bilinear mapping.
According to the security analysis, the potential forgery of the attacker cannot be realized, and the security performance and the aggregate signature are basically the same.
The evaluation by the aggregated signature time, aggregate verification time, and signature space size proves to be superior to other signature schemes.
Bonneau et al.
[ 49] In the blockchain Bitcoin transaction, the modern enterprise deploys a complex internal control system ECDSA compatible threshold signature Integrate two-factor security measures to increase Bitcoin's security potential and bring it closer to the widely used currency The total execution time is small compared to the time required for Bitcoin transactions to be confirmed on the blockchain, with an average of 10 min. Therefore, this system is efficient enough to work well in practice.

Dikshit and
Singh [50] All Bitcoin transactions are recorded and stored in the publicly available database of the blockchain ECDSA and threshold signature Potential to significantly increase Bitcoin's security The program is more practical than previously proposed, users can get different weights according to their needs Qian et al. [56] Solving the privacy protection and performance issues of the blockchain Based on the discrete logarithm problem, instead of constructing a bilinear map-based.
Length of the aggregate signature was independent of the number of users Reducing the computational overhead of the signature and verification process, reducing the storage overhead of the blockchain, and improving the communication efficiency Li et al. [57] Used to secure the blockchain network over existing classical channels.
Public and private keys are generated by the Bonsai trees with RandBasis algorithm from the root keys.
Secure against the adaptively chosen message attack in the random oracle Not only ensure the randomness, but also construct the lightweight nondeterministic wallets Zhu et al. [37] In the process of building blockchain system Elliptic curve pairs based on bilinear mapping group system It can protect the owner's unforgery and trader's non-repudiation.   DSA is faster when doing signatures, but slower when doing signature verification. Generally, the number of signature verifications is greater than the number of signatures. Similarly, with the same key length, DSA (with extended support) decrypts the ciphertext faster and the encryption is slower; RSA is just the opposite, and generally, the decryption times are more than the encryption times. However, due to the inherent performance issues of asymmetric encryption algorithms, neither is a good choice for encryption. Compared with RSA and DSA, ECDSA has the following advantages: Higher security performance: for example, 160-bit ECDSA has the same security strength as 1024-bit RSA and DSA. Lower computation is and fast processing speed: in the processing speed of the private key (decryption and signature), ECDSA is much faster than RSA and DSA. Small storage space: the key size and system parameters of ECDSA are much smaller than those of RSA and DSA, so the storage space occupied is much smaller. Low bandwidth requirements make ECDSA widely used.

Conclusions and future works
In this paper, we focus on the non-repudiation of information security in blockchain. By comparing and analyzing the features of different digital signature schemes used in blockchain system in recent years, it is demonstrated that digital signature technology can well satisfy various specific application properties of blockchains and meet the security requirements in different situations. Our contributions in this paper can facilitate to guide the design of the digital signature schemes in blockchain and optimize the digital signature algorithm to enhance the blockchain security. Based on the above overview on the digital signature schemes of blockchain systems, we propose the following future suggestions to improve security and performance in this field: 1)For the Bitcoin transaction scenario in the blockchain environment, the characteristics of schemes such as ring signature and blind signature can be used to further study the anonymity of transaction membership and the level of encryption of transaction information and reduce the transaction overhead.
2) Combining digital signatures with identity authentication or time stamps can improve multidimensional security and protect the non-repudiation of information in the blockchain from a broader perspective and direction.
The convergence of blockchain and IoT is the future development trend. Considering the resource-constrained terminals in IoT, we are working on the certificateless aggregation signature scheme for a mobile terminal.