Abstract
In this paper, we propose the most efficient blockchain ring confidential transaction protocol (RingCT3.0) for protecting the privacy of the sender’s identity, the recipient’s identity and the confidentiality of the transaction amount. For a typical 2-input transaction with a ring size of 1024, the ring signature size of our RingCT3.0 protocol is 98% less than the ring signature size of the original RingCT1.0 protocol used in Monero. Taking the advantage of our compact RingCT3.0 transcript size, privacy-preserving cryptocurrencies can enjoy a much lower transaction fee which will have a significant impact on the crypto-economy.
In addition to the significant improvement in terms of efficiency, our scheme is proven secure in a stronger security model. We remove the trusted setup assumption used in RingCT2.0. Our scheme is anonymous against non-signing users who are included in the ring, while we show that the RingCT1.0 is not secure in this improved model. Our implementation result shows that our protocol outperforms existing solutions, in terms of efficiency and security.
References
[1] Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: IEEE SP 2014, pp. 459–474. IEEE Computer Society (2014)
[2] Bootle, J., Cerulli, A., Chaidos, P., Ghadafi, E., Groth, J., Petit, C.: Short accountable ring signatures based on DDH. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 243–265. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_13
[3] Bootle, J., Groth, J.: Efficient batch zero-knowledge arguments for low degree polynomials. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10770, pp. 561–588. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_19
[4] Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: IEEE S&P 2018, pp. 315–334. IEEE (2018)
[5] Camenisch, J., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_15
[6] Esgin, M.F., Zhao, R.K., Steinfeld, R., Liu, J.K., Liu, D.: MatRiCT: efficient, scalable and post-quantum blockchain confidential transactions protocol. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) CCS 2019, pp. 567–584. ACM (2019)
[7] Foley, S.N., Gollmann, D., Snekkenes, E. (eds.): ESORICS 2017. LNCS, vol. 10493. Springer, Cham (2017)
[8] Groth, J., Kohlweiss, M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 253–280. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_9
[9] Kumar, A., Fischer, C., Tople, S., Saxena, P.: A traceability analysis of Monero's blockchain. In: Foley, S.N., et al. (eds.) [7], pp. 153–173. https://doi.org/10.1007/978-3-319-66399-9_9
[10] Lai, R.W.F., Ronge, V., Ruffing, T., Schröder, D., Thyagarajan, S.A.K., Wang, J.: Omniring: scaling private payments without trusted setup. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) CCS 2019, pp. 31–48. ACM (2019)
[11] Liu, J.K., Wei, V.K., Wong, D.S.: Linkable spontaneous anonymous group signature for ad hoc groups (extended abstract). In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 325–335. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_28
[12] Maxwell, G.: Confidential transactions (2015). https://people.xiph.org/~greg/confidential_values.txt
[13] Meiklejohn, S., Mercer, R.: Möbius: trustless tumbling for transaction privacy. PoPETs 2018(2), 105–121 (2018)
[14] Möser, M., et al.: An empirical analysis of traceability in the Monero blockchain. PoPETs 2018(3), 143–163 (2018)
[15] Noether, S.: Ring signature confidential transactions for Monero. Cryptology ePrint Archive, Report 2015/1098 (2015). http://eprint.iacr.org/
[16] Park, S., Sealfon, A.: It wasn't me! Repudiability and claimability of ring signatures. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 159–190. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_6
[17] Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32
[18] Sun, S., Au, M.H., Liu, J.K., Yuen, T.H.: RingCT 2.0: a compact accumulator-based (linkable ring signature) protocol for blockchain cryptocurrency Monero. In: Foley, S.N., et al. (eds.) [7], pp. 456–474
[19] Torres, W.A.A., Kuchta, V., Steinfeld, R., Sakzad, A., Liu, J.K., Cheng, J.: Lattice RingCT v2.0 with multiple input and multiple output wallets. In: Jang-Jaccard, J., Guo, F. (eds.) ACISP 2019. LNCS, vol. 11547, pp. 156–175. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21548-4_9
[20] Torres, W.A.A., et al.: Post-quantum one-time linkable ring signature and application to ring confidential transactions in blockchain (Lattice RingCT v1.0). In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 558–576. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_32
[21] Wijaya, D.A., Liu, J.K., Steinfeld, R., Liu, D.: Monero ring attack: recreating zero mixin transaction effect. In: IEEE TrustCom 2018, pp. 1196–1201. IEEE (2018)
[22] Yuen, T.H., et al.: RingCT 3.0 for blockchain confidential transaction: shorter size and stronger security. Cryptology ePrint Archive, Report 2019/508 (2019). https://eprint.iacr.org/2019/508
A Set Membership Proof without Trusted Setup
We first review the definition of a set membership proof from [5], and then give our new construction, which needs no trusted setup.
Definition 1
[5] Let \(C = (Gen, Com, Open)\) be the generation, the commit and the open algorithm of a commitment scheme. For an instance c, a proof of set membership with respect to commitment scheme C and set \(\varPhi \) is a proof of knowledge for the following statement:
The security model for set membership proof follows the standard definitions of zero-knowledge proof: perfect completeness, computational soundness and perfect zero-knowledge.
In this section, we consider the following modified set membership proof for a set \(\varPhi \) of base group elements:
A.1 Our Basic Construction
Our construction is essentially a set membership proof for group elements, which is the domain of public keys. It is the first set membership proof for public keys in the base group, instead of in the exponent. The intuition of our scheme is introduced in the previous section. Our construction is as follows.

- Setup. On input the security parameter \(1^\lambda \) and the maximum size N of the set of member public keys, it picks a group \(\mathbb {G}\) of prime order p and some generators \(g \in \mathbb {G}, \vec {h} = (h_1, \ldots , h_N) \in \mathbb {G}^N\). Suppose that \(H_j: \{0,1\}^* \rightarrow \mathbb {Z}_p\) for \(j=1,2,3,4\) and \(H_6: \{0,1\}^* \rightarrow \mathbb {G}\) are collision resistant hash functions. Let \(C = (Gen, Com, Open)\) be the Pedersen commitment scheme. Assume these parameters are known in the system.

- PKGen. It randomly picks \(x \in \mathbb {Z}_p\) and outputs a public key \(Y = g^x\).

- Prove. On input the set of \(n \le N\) public keys \(\vec {Y} = (Y_1, Y_2, \ldots , Y_n)\), denote the set member \(\sigma = Y_{i^*} \in \vec {Y}\) with corresponding secret key \(x_{sk, i^*}\). The prover runs as follows.

  1. Prepare Index. The prover generates a binary vector \(\vec {b_L} = (b_1, \ldots , b_n)\), where \(b_{i} = 1\) when \(i = i^*\) and \(b_i = 0\) otherwise. Define \(\vec {b_R} = \vec {b_L} - \vec {1}^n\). It proves in zero knowledge that \(\vec {b_L}\) is a binary vector with exactly one bit equal to 1, which is equivalent to showing:
     $$ \vec {b_L} \circ \vec {b_R} = \vec {0}^n, \quad \vec {b_L} - \vec {b_R} = \vec {1}^n, \quad \langle \vec {b_L}, \vec {1}^n \rangle = 1. $$

  2. Commit 1. It computes \(h = H_6(\vec {Y})\). It picks random \(\alpha , \beta , \rho , r_\alpha , r_{sk} \in \mathbb {Z}_p\) and \(\vec {s_L}, \vec {s_R} \in \mathbb {Z}_p^n\), and computes:
     $$\begin{aligned} A_1&= h^\alpha \vec {Y}^{\vec {b_L}} = h^\alpha Y_{i^*},&A_2&= h^\beta \vec {h}^{\vec {b_R}},&S_1&= h^{r_\alpha } g^{r_{sk}},&S_2&= h^\rho \vec {Y}^{\vec {s_L}} \vec {h}^{\vec {s_R}}. \end{aligned}$$
     Note that \(A_1\) is the Pedersen commitment to the secret key of \(Y_{i^*}\) with randomness \(\alpha \).

  3. Challenge 1. Denote the concatenated string \(\mathsf{str} = \vec {Y}||A_1||A_2||S_1|| S_2\). It computes \(y = H_2(\mathsf{str})\), \(z = H_3(\mathsf{str})\) and \(w = H_4(\mathsf{str})\).

  4. Commit 2. It constructs two degree 1 polynomials in the variable X:
     $$\begin{aligned} l(X)&= \vec {b_L} - z \cdot \vec {1}^n + \vec {s_L} \cdot X,\\ r(X)&= \vec {y}^n \circ (w \cdot \vec {b_R} + wz \cdot \vec {1}^n + \vec {s_R} \cdot X) + z^2 \cdot \vec {1}^n. \end{aligned}$$
     Denote \(t(X) = \langle l(X), r(X) \rangle \), which is a degree 2 polynomial. We can write \(t(X) = t_0 + t_1 X + t_2 X^2\), where \(t_0, t_1, t_2\) can be computed from \((\vec {b_L}, \vec {b_R}, \vec {s_L}, \vec {s_R}, w, y, z)\). In particular, observe that
     $$\begin{aligned} t_0&= w \langle \vec {b_L}, \vec {b_R} \circ \vec {y}^n \rangle + zw \langle \vec {b_L} - \vec {b_R}, \vec {y}^n \rangle \\&\qquad \qquad \qquad \qquad + z^2 \langle \vec {b_L}, \vec {1}^n \rangle - wz^2 \langle \vec {1}^n, \vec {y}^n \rangle - z^3 \langle \vec {1}^n, \vec {1}^n \rangle \\&= z^2 + w(z - z^2) \langle \vec {1}^n, \vec {y}^n \rangle - z^3 \langle \vec {1}^n, \vec {1}^n \rangle . \end{aligned}$$
     It picks random \(\tau _1, \tau _2 \in \mathbb {Z}_p\) and computes:
     $$\begin{aligned} T_1 = g^{t_1} h ^{\tau _1},\quad T_2 = g^{t_2} h ^{\tau _2}. \end{aligned}$$

  5. Challenge 2. It computes \(x = H_1(w, y, z, T_1, T_2)\).

  6. Response. It computes:
     $$\begin{aligned} \tau _x&= \tau _1 \cdot x + \tau _2 \cdot x^2,\\ \mu&= \alpha + \beta \cdot w + \rho \cdot x,\\ z_\alpha&= r_\alpha + \alpha \cdot x,\\ z_{sk}&= r_{sk} + x_{sk, i^*} \cdot x,\\ \vec {l}&= l(x) = \vec {b_L} - z \cdot \vec {1}^n + \vec {s_L} \cdot x,\\ \vec {r}&= r(x) = \vec {y}^n \circ (w \cdot \vec {b_R} + wz \cdot \vec {1}^n + \vec {s_R} \cdot x) + z^2 \cdot \vec {1}^n, \\ t&= \langle \vec {l}, \vec {r} \rangle . \end{aligned}$$
     It outputs \(A_1\) and \(\sigma = (A_2, S_1, S_2, T_1, T_2, \tau _x, \mu , z_\alpha , z_{sk}, \vec {l}, \vec {r}, t)\).

- Verify. On input a set of public keys \(\vec {Y}\), \(A_1\) and the proof \(\sigma = (A_2, S_1, S_2, T_1, T_2, \tau _x, \mu , z_\alpha , z_{sk}, \vec {l}, \vec {r}, t)\), denote the concatenated string \(\mathsf{str} = \vec {Y}|| A_1|| A_2|| S_1|| S_2\). It computes \(h = H_6(\vec {Y})\), \(y = H_2(\mathsf{str})\), \(z = H_3(\mathsf{str})\), \(w= H_4(\mathsf{str})\) and \(x = H_1(w, y, z, T_1, T_2)\). Define \(\vec {h'} = (h'_1, \ldots , h'_n) \in \mathbb {G}^n\) such that \(h'_i = h_i^{y^{-i+1}}\) for \(i \in [1,n]\). It checks that all of the following hold:
  $$\begin{aligned} t&= \langle \vec {l}, \vec {r} \rangle , \end{aligned}$$ (6)
  $$\begin{aligned} g^t h^{\tau _x}&= g^{z^2 + w(z - z^2) \langle \vec {1}^n, \vec {y}^n \rangle - z^3 \langle \vec {1}^n, \vec {1}^n \rangle } \cdot T_1^x \cdot T_2^{x^2}, \end{aligned}$$ (7)
  $$\begin{aligned} h^\mu \vec {Y}^{\vec {l}} \vec {h'}^{\vec {r}}&= A_1 \cdot A_2^w \cdot S_2^{x} \cdot \vec {Y}^{-z \cdot \vec {1}^n} \cdot \vec {h'}^{wz \cdot \vec {y}^n + z^2 \cdot \vec {1}^n}, \end{aligned}$$ (8)
  $$\begin{aligned} h^{z_\alpha } g^{z_{sk}}&= S_1 A_1^x. \end{aligned}$$ (9)
Theorem 4
The set membership proof is secure if the discrete logarithm assumption holds in \(\mathbb {G}\) in the random oracle model.
The proof is given in the full version of the paper [22].
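As an added worked example (not code from the paper), the Prove and Verify algorithms of A.1 instantiated over a toy prime-order subgroup of \(\mathbb {Z}_q^*\) with constructed parameters q = 1019 and p = 509, so every step runs with plain integers; modelling \(H_1, \ldots , H_4, H_6\) with SHA-256, deriving \(\vec {h}\) by hashing, and the toy group size are our assumptions and give no security. `demo()` returns whether an honest proof passes checks (6)-(9) and whether the same proof still passes against a ring in which \(Y_{i^*}\) has been replaced.

```python
import hashlib, math, random
q, p, g = 1019, 509, 4   # constructed toy: q = 2p+1 is a safe prime, g = 2^2 generates the order-p QR subgroup
def _H(tag, parts):      # SHA-256 of a tagged transcript, as an integer (stand-in for the hash functions)
    return int(hashlib.sha256(f"{tag}|{parts}".encode()).hexdigest(), 16)
def Hz(tag, *parts):     # H_1..H_4: {0,1}* -> Z_p^* (a zero challenge is excluded)
    return 1 + _H(tag, parts) % (p - 1)
def Hg(tag, *parts):     # H_6: {0,1}* -> G, by squaring a value in [2, q-2] (DL w.r.t. g unknown)
    x = 2 + _H(tag, parts) % (q - 3); return x * x % q
def ip(a, b):            # inner product over Z_p
    return sum(u * v for u, v in zip(a, b)) % p
def vexp(bases, exps):   # multi-exponentiation prod bases_i^exps_i in G; negative exponents allowed
    return math.prod(pow(b, e % p, q) for b, e in zip(bases, exps)) % q

def prove(Y, i_star, x_sk, hvec):
    n, h = len(Y), Hg("H6", Y)
    bL = [int(i == i_star) for i in range(n)]; bR = [b - 1 for b in bL]   # b_R = b_L - 1^n
    rnd = lambda k: [random.randrange(1, p) for _ in range(k)]
    (alpha, beta, rho, r_a, r_sk), sL, sR = rnd(5), rnd(n), rnd(n)
    A1 = pow(h, alpha, q) * Y[i_star] % q                # Commit 1: A_1 = h^alpha Y_{i*}
    A2 = pow(h, beta, q) * vexp(hvec, bR) % q
    S1 = pow(h, r_a, q) * pow(g, r_sk, q) % q
    S2 = pow(h, rho, q) * vexp(Y, sL) * vexp(hvec, sR) % q
    s = (Y, A1, A2, S1, S2); y, z, w = Hz("H2", s), Hz("H3", s), Hz("H4", s)   # Challenge 1
    yn = [pow(y, i, p) for i in range(n)]; l0 = [(b - z) % p for b in bL]      # l(X) = l0 + sL*X
    r0 = [(yn[i] * (w * bR[i] + w * z) + z * z) % p for i in range(n)]
    r1 = [yn[i] * sR[i] % p for i in range(n)]           # r(X) = r0 + r1*X
    t1, t2 = (ip(l0, r1) + ip(sL, r0)) % p, ip(sL, r1)   # t(X) = t0 + t1 X + t2 X^2
    tau1, tau2 = rnd(2)                                  # Commit 2
    T1, T2 = pow(g, t1, q) * pow(h, tau1, q) % q, pow(g, t2, q) * pow(h, tau2, q) % q
    x = Hz("H1", w, y, z, T1, T2)                        # Challenge 2
    l = [(a + b * x) % p for a, b in zip(l0, sL)]; r = [(a + b * x) % p for a, b in zip(r0, r1)]
    return A1, (A2, S1, S2, T1, T2, (tau1 * x + tau2 * x * x) % p, (alpha + beta * w + rho * x) % p,
                (r_a + alpha * x) % p, (r_sk + x_sk * x) % p, l, r, ip(l, r))   # Response

def verify(Y, A1, sig, hvec):
    A2, S1, S2, T1, T2, tau_x, mu, z_a, z_sk, l, r, t = sig
    n, h, s = len(Y), Hg("H6", Y), (Y, A1, A2, S1, S2)
    y, z, w = Hz("H2", s), Hz("H3", s), Hz("H4", s); x = Hz("H1", w, y, z, T1, T2)
    yn = [pow(y, i, p) for i in range(n)]; hp = [pow(hvec[i], pow(y, -i, p), q) for i in range(n)]  # h'_i = h_i^(y^-i)
    t0 = (z * z + w * (z - z * z) * sum(yn) - z ** 3 * n) % p   # the t_0 that a one-hot b_L must give
    eq6 = t == ip(l, r)
    eq7 = pow(g, t, q) * pow(h, tau_x, q) % q == pow(g, t0, q) * pow(T1, x, q) * pow(T2, x * x, q) % q
    eq8 = pow(h, mu, q) * vexp(Y, l) * vexp(hp, r) % q == (A1 * pow(A2, w, q) * pow(S2, x, q)
          * vexp(Y, [-z] * n) * vexp(hp, [(w * z * yn[i] + z * z) % p for i in range(n)]) % q)
    eq9 = pow(h, z_a, q) * pow(g, z_sk, q) % q == S1 * pow(A1, x, q) % q
    return eq6 and eq7 and eq8 and eq9

def demo(n=8, i_star=3, seed=1):   # (honest proof verifies?, same proof against a ring without Y_{i*} verifies?)
    random.seed(seed); sks = [random.randrange(1, p) for _ in range(n)]
    Y, hvec = [pow(g, sk, q) for sk in sks], [Hg("h", i) for i in range(n)]   # ring and generators h_i
    A1, sig = prove(Y, i_star, sks[i_star], hvec)
    return verify(Y, A1, sig, hvec), verify(Y[:i_star] + [Y[i_star] * g % q] + Y[i_star + 1:], A1, sig, hvec)
```

The proof is bound to the ring because \(h, y, z, w\) are all derived from \(\vec {Y}\), so swapping one ring member changes every challenge and the checks fail.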
A.2 Set Membership Proof with Logarithm Size
The proof in the last section has size linear in n because of the vectors \(\vec {l}\) and \(\vec {r}\). Observe that the verifier can compute \(A_1 \cdot A_2^w \cdot S_2^{x} \cdot \vec {Y}^{-z \cdot \vec {1}^n} \cdot \vec {h'}^{wz \cdot \vec {y}^n + z^2 \cdot \vec {1}^n}\) by itself. We note that verifying both equations (6) and (8) is equivalent to verifying that the witness vectors \(\vec {l}\) and \(\vec {r}\) satisfy the inner-product relation. Therefore, it can be fitted into the improved inner-product argument framework from [4] to give a zero-knowledge proof \(\pi \) of \(\vec {l}, \vec {r}\) such that:
The size of \(\pi \) is \(2 \cdot \left\lceil {\log _2(n)}\right\rceil \) elements in \(\mathbb {G}\) and 2 elements in \(\mathbb {Z}_p\). The signer's work is dominated by \(\log n + 1\) multi-exponentiations in \(\mathbb {G}\) of sizes \(2n, n , n/2, \ldots , 1\) respectively. The verifier's work is dominated by a single multi-exponentiation in \(\mathbb {G}\) of size \(2n+2\log _2 n +1\).
To sum up, the set membership proof output is \(\sigma = (A_1, A_2, S_1, S_2, T_1, T_2, \tau _x, \mu , z_\alpha , z_{sk}, t, \pi )\), which has size \(2 \cdot \left\lceil {\log _2(n)}\right\rceil +6\) elements in \(\mathbb {G}\) and 7 elements in \(\mathbb {Z}_p\). The signer's work is dominated by three multi-exponentiations in \(\mathbb {G}\) of sizes \(2n+1\), 2n and \(n+1\) respectively. The verifier's work is dominated by two multi-exponentiations in \(\mathbb {G}\) of sizes \(2n+2\log _2 n +1\) and \(n+4\) respectively.
© 2020 International Financial Cryptography Association
Cite this paper
Yuen, T.H. et al. (2020). RingCT 3.0 for Blockchain Confidential Transaction: Shorter Size and Stronger Security. In: Bonneau, J., Heninger, N. (eds) Financial Cryptography and Data Security. FC 2020. Lecture Notes in Computer Science(), vol 12059. Springer, Cham. https://doi.org/10.1007/978-3-030-51280-4_25
DOI: https://doi.org/10.1007/978-3-030-51280-4_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-51279-8
Online ISBN: 978-3-030-51280-4