
RingCT 3.0 for Blockchain Confidential Transaction: Shorter Size and Stronger Security

Conference paper. Financial Cryptography and Data Security (FC 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12059)

Abstract

In this paper, we propose the most efficient blockchain ring confidential transaction protocol (RingCT3.0) for protecting the privacy of the sender’s identity, the recipient’s identity and the confidentiality of the transaction amount. For a typical 2-input transaction with a ring size of 1024, the ring signature size of our RingCT3.0 protocol is 98% less than the ring signature size of the original RingCT1.0 protocol used in Monero. Taking advantage of our compact RingCT3.0 transcript size, privacy-preserving cryptocurrencies can enjoy a much lower transaction fee, which will have a significant impact on the crypto-economy.

In addition to the significant improvement in efficiency, our scheme is proven secure in a stronger security model. We remove the trusted setup assumption used in RingCT2.0. Our scheme is anonymous against non-signing users who are included in the ring, while we show that RingCT1.0 is not secure in this improved model. Our implementation results show that our protocol outperforms existing solutions in terms of both efficiency and security.


Notes

  1. This property is different from the simple ring signature setting [16] or the tumbler setting [13], since we also consider different transaction amounts in different UTXOs.

References

  1. Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from Bitcoin. In: IEEE S&P 2014, pp. 459–474. IEEE Computer Society (2014)
  2. Bootle, J., Cerulli, A., Chaidos, P., Ghadafi, E., Groth, J., Petit, C.: Short accountable ring signatures based on DDH. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 243–265. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_13
  3. Bootle, J., Groth, J.: Efficient batch zero-knowledge arguments for low degree polynomials. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10770, pp. 561–588. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_19
  4. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: IEEE S&P 2018, pp. 315–334. IEEE (2018)
  5. Camenisch, J., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_15
  6. Esgin, M.F., Zhao, R.K., Steinfeld, R., Liu, J.K., Liu, D.: MatRiCT: efficient, scalable and post-quantum blockchain confidential transactions protocol. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) CCS 2019, pp. 567–584. ACM (2019)
  7. Foley, S.N., Gollmann, D., Snekkenes, E. (eds.): ESORICS 2017. LNCS, vol. 10493. Springer, Cham (2017)
  8. Groth, J., Kohlweiss, M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 253–280. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_9
  9. Kumar, A., Fischer, C., Tople, S., Saxena, P.: A traceability analysis of Monero’s blockchain. In: Foley, S.N., et al. (eds.) ESORICS 2017 [7], pp. 153–173. https://doi.org/10.1007/978-3-319-66399-9_9
  10. Lai, R.W.F., Ronge, V., Ruffing, T., Schröder, D., Thyagarajan, S.A.K., Wang, J.: Omniring: scaling private payments without trusted setup. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) CCS 2019, pp. 31–48. ACM (2019)
  11. Liu, J.K., Wei, V.K., Wong, D.S.: Linkable spontaneous anonymous group signature for ad hoc groups (extended abstract). In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 325–335. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_28
  12. Maxwell, G.: Confidential transactions (2015). https://people.xiph.org/~greg/confidential_values.txt
  13. Meiklejohn, S., Mercer, R.: Möbius: trustless tumbling for transaction privacy. PoPETs 2018(2), 105–121 (2018)
  14. Möser, M., et al.: An empirical analysis of traceability in the Monero blockchain. PoPETs 2018(3), 143–163 (2018)
  15. Noether, S.: Ring signature confidential transactions for Monero. Cryptology ePrint Archive, Report 2015/1098 (2015). http://eprint.iacr.org/
  16. Park, S., Sealfon, A.: It wasn’t me! Repudiability and claimability of ring signatures. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 159–190. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_6
  17. Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32
  18. Sun, S., Au, M.H., Liu, J.K., Yuen, T.H.: RingCT 2.0: a compact accumulator-based (linkable ring signature) protocol for blockchain cryptocurrency Monero. In: Foley, S.N., et al. (eds.) ESORICS 2017 [7], pp. 456–474
  19. Torres, W.A.A., Kuchta, V., Steinfeld, R., Sakzad, A., Liu, J.K., Cheng, J.: Lattice RingCT v2.0 with multiple input and multiple output wallets. In: Jang-Jaccard, J., Guo, F. (eds.) ACISP 2019. LNCS, vol. 11547, pp. 156–175. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21548-4_9
  20. Torres, W.A.A., et al.: Post-quantum one-time linkable ring signature and application to ring confidential transactions in blockchain (Lattice RingCT v1.0). In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 558–576. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_32
  21. Wijaya, D.A., Liu, J.K., Steinfeld, R., Liu, D.: Monero ring attack: recreating zero mixin transaction effect. In: IEEE TrustCom 2018, pp. 1196–1201. IEEE (2018)
  22. Yuen, T.H., et al.: RingCT 3.0 for blockchain confidential transaction: shorter size and stronger security. Cryptology ePrint Archive, Report 2019/508 (2019). https://eprint.iacr.org/2019/508


Author information

Corresponding author: Tsz Hon Yuen.

Appendix A: A Set Membership Proof without Trusted Setup

We first review the definition of a set membership proof from [5] and then give our new construction, which needs no trusted setup.

Definition 1

[5] Let \(C = (Gen, Com, Open)\) be the generation, commitment and opening algorithms of a commitment scheme. For an instance c, a proof of set membership with respect to the commitment scheme C and the set \(\varPhi \) is a proof of knowledge for the following statement:

$$\begin{aligned} PK \{ (\mu , \rho ): c \leftarrow { Com} (\mu ; \rho ) \wedge \mu \in \varPhi \}. \end{aligned}$$

The security model for a set membership proof follows the standard definitions for zero-knowledge proofs: perfect completeness, computational soundness and perfect zero-knowledge.

In this section, we consider the following modified set membership proof for a set \(\varPhi \) of base group elements:

$$\begin{aligned} PK \{ (\mu , \rho ): c = g^{\mu } h^{\rho } \wedge g^{\mu } \in \varPhi \}. \end{aligned}$$

A.1 Our Basic Construction

Our construction is a set membership proof for group elements, that is, for the domain of public keys: the set \(\varPhi \) consists of public keys in the base group rather than of values in the exponent, and to our knowledge it is the first set membership proof of this kind. The intuition behind the scheme is given in the body of the paper. The construction is as follows.

  • Setup. On input the security parameter \(1^\lambda \) and the maximum size N of the set of public keys, it picks a group \(\mathbb {G}\) of prime order p and generators \(g \in \mathbb {G}, \vec {h} = (h_1, \ldots , h_N) \in \mathbb {G}^N\). Suppose that \(H_j: \{0,1\}^* \rightarrow \mathbb {Z}_p\) for \(j=1,2,3,4\) and \(H_6: \{0,1\}^* \rightarrow \mathbb {G}\) are collision resistant hash functions. Let \(C = (Gen, Com, Open)\) be the Pedersen commitment scheme. Assume these parameters are known to everyone in the system.

  • PKGen. It randomly picks \(x \in \mathbb {Z}_p\) and outputs a public key \(Y = g^x\).

  • Prove. On input a set of \(n \le N\) public keys \(\vec {Y} = (Y_1, Y_2, \ldots , Y_n)\) and the index \(i^*\) of the ring member \(Y_{i^*} \in \vec {Y}\) whose secret key \(x_{sk, i^*}\) the prover holds, the prover runs as follows.

    1. Prepare Index. The prover generates a binary vector \(\vec {b_L} = (b_1, \ldots , b_n)\), where \(b_{i} = 1\) when \(i = i^*\) and \(b_i = 0\) otherwise. Define \(\vec {b_R} = \vec {b_L} - \vec {1^n}\). It proves in zero knowledge that \(\vec {b_L}\) is a binary vector with exactly one bit equal to 1, which is equivalent to showing:

       $$ \vec {b_L} \circ \vec {b_R} = \vec {0}^n, \quad \vec {b_L} - \vec {b_R} = \vec {1}^n, \quad \langle \vec {b_L}, \vec {1}^n \rangle = 1. $$

    2. Commit 1. It computes \(h = H_6(\vec {Y})\). It picks random \(\alpha , \beta , \rho , r_\alpha \), \(r_{sk} \in \mathbb {Z}_p\), \(\vec {s_L}, \vec {s_R} \in \mathbb {Z}_p^n\) and computes:

       $$\begin{aligned} A_1&= h^\alpha \vec {Y}^{\vec {b_L}} = h^\alpha Y_{i^*},&A_2&= h^\beta \vec {h}^{\vec {b_R}},&S_1&= h^{r_\alpha } g^{r_{sk}},&S_2&= h^\rho \vec {Y}^{\vec {s_L}} \vec {h}^{\vec {s_R}}. \end{aligned}$$

       Note that \(A_1 = h^\alpha g^{x_{sk, i^*}}\) is a Pedersen commitment to the secret key of \(Y_{i^*}\) with randomness \(\alpha \).

    3. Challenge 1. Denote the concatenated string \(\mathsf{str} = \vec {Y}||A_1||A_2||S_1||S_2\). It computes \(y = H_2(\mathsf{str})\), \(z = H_3(\mathsf{str})\) and \(w = H_4(\mathsf{str})\).

    4. Commit 2. It constructs two degree-1 vector polynomials in the variable X:

       $$\begin{aligned} l(X)&= \vec {b_L} - z \cdot \vec {1}^n + \vec {s_L} \cdot X,\\ r(X)&= \vec {y}^n \circ (w \cdot \vec {b_R} + wz \cdot \vec {1}^n + \vec {s_R} \cdot X) + z^2 \cdot \vec {1}^n. \end{aligned}$$

       Denote \(t(X) = \langle l(X), r(X) \rangle \), which is a degree-2 polynomial. We can write \(t(X) = t_0 + t_1 X + t_2 X^2\), where \(t_0, t_1, t_2\) can be computed from \((\vec {b_L}, \vec {b_R}, \vec {s_L}, \vec {s_R}, w, y, z)\). In particular, observe that

       $$\begin{aligned} t_0&= w \langle \vec {b_L}, \vec {b_R} \circ \vec {y}^n \rangle + zw \langle \vec {b_L} - \vec {b_R}, \vec {y}^n \rangle \\&\qquad \qquad \qquad \qquad + z^2 \langle \vec {b_L}, \vec {1}^n \rangle - wz^2 \langle \vec {1}^n, \vec {y}^n \rangle - z^3 \langle \vec {1}^n, \vec {1}^n \rangle ,\\&= z^2 + w(z - z^2) \langle \vec {1}^n, \vec {y}^n \rangle - z^3 \langle \vec {1}^n, \vec {1}^n \rangle , \end{aligned}$$

       where the last equality uses the three relations of step 1, so \(t_0\) depends only on the public challenges and n. It picks random \(\tau _1, \tau _2 \in \mathbb {Z}_p\), and computes:

       $$\begin{aligned} T_1 = g^{t_1} h ^{\tau _1},\quad T_2 = g^{t_2} h ^{\tau _2}. \end{aligned}$$

    5. Challenge 2. It computes \(x = H_1(w, y, z, T_1, T_2)\).

    6. Response. It computes:

       $$\begin{aligned} \tau _x&= \tau _1 \cdot x + \tau _2 \cdot x^2,\\ \mu&= \alpha + \beta \cdot w + \rho \cdot x,\\ z_\alpha&= r_\alpha + \alpha \cdot x,\\ z_{sk}&= r_{sk} + x_{sk, i^*} \cdot x,\\ \vec {l}&= l(x) = \vec {b_L} - z \cdot \vec {1}^n + \vec {s_L} \cdot x,\\ \vec {r}&= r(x) = \vec {y}^n \circ (w \cdot \vec {b_R} + wz \cdot \vec {1}^n + \vec {s_R} \cdot x) + z^2 \cdot \vec {1}^n, \\ t&= \langle \vec {l}, \vec {r} \rangle . \end{aligned}$$

    It outputs \(A_1\) and the proof \(\sigma = (A_2, S_1, S_2, T_1, T_2, \tau _x, \mu , z_\alpha , z_{sk}, \vec {l}, \vec {r}, t)\).

  • Verify. On input a set of public keys \(\vec {Y}\), the element \(A_1\) and the proof \(\sigma = (A_2, S_1, S_2, T_1, T_2, \tau _x, \mu , z_\alpha , z_{sk}, \vec {l}, \vec {r}, t)\), denote the concatenated string \(\mathsf{str} = \vec {Y}|| A_1|| A_2|| S_1|| S_2\). It computes \(h = H_6(\vec {Y})\), \(y = H_2(\mathsf{str})\), \(z = H_3(\mathsf{str})\), \(w= H_4(\mathsf{str})\) and \(x = H_1(w, y, z, T_1, T_2)\). Define \(\vec {h'} = (h'_1, \ldots , h'_n) \in \mathbb {G}^n\) such that \(h'_i = h_i^{y^{-i+1}}\) for \(i \in [1,n]\). It accepts if and only if all of the following hold:

    $$\begin{aligned} t&= \langle \vec {l}, \vec {r} \rangle , \end{aligned}$$
    (6)
    $$\begin{aligned} g^t h^{\tau _x}&= g^{z^2 + w(z - z^2) \langle \vec {1}^n, \vec {y}^n \rangle - z^3 \langle \vec {1}^n, \vec {1}^n \rangle } \cdot T_1^x \cdot T_2^{x^2}, \end{aligned}$$
    (7)
    $$\begin{aligned} h^\mu \vec {Y}^{\vec {l}} \vec {h'}^{\vec {r}}&= A_1 \cdot A_2^w \cdot S_2^{x} \cdot \vec {Y}^{-z \cdot \vec {1}^n} \cdot \vec {h'}^{wz \cdot \vec {y}^n + z^2 \cdot \vec {1}^n}, \end{aligned}$$
    (8)
    $$\begin{aligned} h^{z_\alpha } g^{z_{sk}}&= S_1 A_1^x. \end{aligned}$$
    (9)
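The Prove and Verify algorithms above, written out as an added example that is not the authors' code. It instantiates \(\mathbb {G}\) as the order-p subgroup of squares modulo a safe prime q = 2p+1 found by a deterministic search just above \(2^{62}\), which keeps the demo fast but is far too small to be secure; \(H_1\) to \(H_4\) and \(H_6\) are modelled as domain-separated SHA-256, the generators g and \(h_1, \ldots , h_N\) are derived by hashing into the group, N is fixed at 8, and the ring is 0-indexed so that \(h'_i = h_i^{y^{-i}}\). All of these are choices of the example, not of the paper. Besides checks (6) to (9), the verifier also rejects transcript elements that do not lie in \(\mathbb {G}\), a check any implementation needs before using received elements in the equations.

```python
"""Appendix A.1 set membership proof (Prove, Verify with checks (6)-(9)) over a toy group.
Added illustration, not the authors' code; the ~63-bit group is for speed only, NOT secure."""
import hashlib
import math
import secrets

def is_prime(n):
    """Miller-Rabin with 12 fixed bases: deterministic for n < 3.1e23, which covers Q."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True

P = (1 << 62) | 1
while not (is_prime(P) and is_prime(2 * P + 1)):   # first safe-prime pair above 2^62
    P += 2
Q = 2 * P + 1                                       # G = squares mod Q, prime order P

def H(tag, *items):       # H_1..H_4, H_6 modelled as domain-separated SHA-256 (assumption)
    return hashlib.sha256(tag + b"|" + b"|".join(repr(i).encode() for i in items)).digest()
hash_zp = lambda tag, *items: int.from_bytes(H(tag, *items), "big") % P

def hash_to_group(tag, *items):
    """Hash to a non-identity element of G by squaring mod Q (used for H_6, g and h_i)."""
    e, ctr = 1, 0
    while e in (0, 1):
        e, ctr = pow(int.from_bytes(H(tag, ctr, *items), "big") % Q, 2, Q), ctr + 1
    return e

G_GEN = hash_to_group(b"g")                          # generator g
HV = [hash_to_group(b"h", i) for i in range(8)]      # h_1..h_N for N = 8 (0-indexed here)
rand = lambda: secrets.randbelow(P)
ip = lambda a, b: sum(u * v for u, v in zip(a, b)) % P   # <a, b> over Z_P

def mexp(bases, exps):                                # prod_i bases[i]^exps[i] in G
    return math.prod(pow(b, e % P, Q) for b, e in zip(bases, exps)) % Q

def prove(Y, i_star, x_sk):
    """Prove Y[i_star] = g^x_sk is in the ring Y (a list) without revealing i_star."""
    n = len(Y)
    assert n <= len(HV), "ring larger than the setup bound N"
    h = hash_to_group(b"H6", Y)
    bL = [1 if i == i_star else 0 for i in range(n)]
    bR = [b - 1 for b in bL]                                  # b_R = b_L - 1^n
    alpha, beta, rho, r_alpha, r_sk = (rand() for _ in range(5))
    sL, sR = [rand() for _ in range(n)], [rand() for _ in range(n)]
    A1 = pow(h, alpha, Q) * mexp(Y, bL) % Q                   # = h^alpha * Y_{i*}
    A2 = pow(h, beta, Q) * mexp(HV[:n], bR) % Q
    S1 = pow(h, r_alpha, Q) * pow(G_GEN, r_sk, Q) % Q
    S2 = pow(h, rho, Q) * mexp(Y, sL) * mexp(HV[:n], sR) % Q
    y, z, w = (hash_zp(tag, Y, A1, A2, S1, S2) for tag in (b"H2", b"H3", b"H4"))
    yn = [pow(y, i, P) for i in range(n)]
    # l(X) = l0 + l1 X and r(X) = r0 + r1 X, so t(X) = <l(X), r(X)> = t0 + t1 X + t2 X^2
    l0, l1 = [(b - z) % P for b in bL], sL
    r0 = [(yn[i] * (w * bR[i] + w * z) + z * z) % P for i in range(n)]
    r1 = [yn[i] * sR[i] % P for i in range(n)]
    t1, t2 = (ip(l0, r1) + ip(l1, r0)) % P, ip(l1, r1)
    tau1, tau2 = rand(), rand()
    T1, T2 = [pow(G_GEN, ti, Q) * pow(h, taui, Q) % Q for ti, taui in ((t1, tau1), (t2, tau2))]
    x = hash_zp(b"H1", w, y, z, T1, T2)
    l = [(l0[i] + l1[i] * x) % P for i in range(n)]
    r = [(r0[i] + r1[i] * x) % P for i in range(n)]
    return A1, (A2, S1, S2, T1, T2, (tau1 * x + tau2 * x * x) % P, (alpha + beta * w + rho * x) % P,
                (r_alpha + alpha * x) % P, (r_sk + x_sk * x) % P, l, r, ip(l, r))

def verify(Y, A1, sigma):
    A2, S1, S2, T1, T2, tau_x, mu, z_alpha, z_sk, l, r, t = sigma
    n = len(Y)
    if n > len(HV) or len(l) != n or len(r) != n or \
            any(not 0 < e < Q or pow(e, P, Q) != 1 for e in (A1, A2, S1, S2, T1, T2, *Y)):
        return False                      # malformed transcript or an element outside G
    h = hash_to_group(b"H6", Y)
    y, z, w = (hash_zp(tag, Y, A1, A2, S1, S2) for tag in (b"H2", b"H3", b"H4"))
    x = hash_zp(b"H1", w, y, z, T1, T2)
    yn = [pow(y, i, P) for i in range(n)]
    hp = [pow(HV[i], pow(y, P - 1 - i, P), Q) for i in range(n)]  # h'_i = h_i^{y^{-i}}, 0-indexed
    t0 = (z * z + w * (z - z * z) * sum(yn) - z ** 3 * n) % P     # constant term of t(X), see (7)
    ok6 = t == ip(l, r)
    ok7 = pow(G_GEN, t, Q) * pow(h, tau_x, Q) % Q == \
        pow(G_GEN, t0, Q) * pow(T1, x, Q) * pow(T2, x * x % P, Q) % Q
    ok8 = pow(h, mu, Q) * mexp(Y, l) * mexp(hp, r) % Q == \
        A1 * pow(A2, w, Q) * pow(S2, x, Q) * mexp(Y, [-z] * n) \
        * mexp(hp, [(w * z * yn[i] + z * z) % P for i in range(n)]) % Q
    ok9 = pow(h, z_alpha, Q) * pow(G_GEN, z_sk, Q) % Q == S1 * pow(A1, x, Q) % Q
    return ok6 and ok7 and ok8 and ok9

def demo(n=4, i_star=2):                  # ring of n fresh keys; member i_star proves
    sks = [rand() for _ in range(n)]                              # PKGen for every member
    Y = [pow(G_GEN, x, Q) for x in sks]
    return verify(Y, *prove(Y, i_star, sks[i_star]))
```

demo() builds a ring of four fresh keys, proves membership of the third one and verifies the result. A prover who does not hold the secret key of the claimed member produces a transcript that fails (9), tampering with t fails (6), and changing the ring after the fact changes h and all challenges, so (8) and (9) fail.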

Theorem 4

The set membership proof is secure if the discrete logarithm assumption holds in \(\mathbb {G}\) in the random oracle model.

The proof is given in the full version of the paper [22].

A.2 Set Membership Proof with Logarithmic Size

The proof in the last section has size linear in n because of the vectors \(\vec {l}\) and \(\vec {r}\). Observe that the verifier can compute \(A_1 \cdot A_2^w \cdot S_2^{x} \cdot \vec {Y}^{-z \cdot \vec {1}^n} \cdot \vec {h'}^{wz \cdot \vec {y}^n + z^2 \cdot \vec {1}^n}\) from the transcript alone, and after dividing by \(h^\mu \) obtains

$$\begin{aligned} P = A_1 \cdot A_2^w \cdot S_2^{x} \cdot \vec {Y}^{-z \cdot \vec {1}^n} \cdot \vec {h'}^{wz \cdot \vec {y}^n + z^2 \cdot \vec {1}^n} \cdot h^{-\mu }, \end{aligned}$$

so that verifying equations (6) and (8) is exactly verifying that the witness \(\vec {l}, \vec {r}\) satisfies the inner-product relation below. Therefore, it can be fitted into the improved inner-product argument framework from [4], which gives a zero-knowledge proof \(\pi \) of \(\vec {l}, \vec {r}\) such that:

$$\begin{aligned} P = \vec {Y}^{\vec {l}} \vec {h'}^{\vec {r}} \quad \wedge \quad t = \langle \vec {l}, \vec {r} \rangle . \end{aligned}$$

The size of \(\pi \) is \(2 \cdot \left\lceil {\log _2(n)}\right\rceil \) elements in \(\mathbb {G}\) and 2 elements in \(\mathbb {Z}_p\). The signer’s work is dominated by \(\log n + 1\) multi-exponentiations in \(\mathbb {G}\) of size \(2n, n , n/2, \ldots , 1\) respectively. The verifier’s work is dominated by a single multi-exponentiation in \(\mathbb {G}\) of size \(2n+2\log _2 n +1\).

To sum up, the set membership proof output is \(\sigma = (A_1, A_2, S_1, S_2\), \(T_1, T_2, \tau _x\), \(\mu , z_\alpha , z_{sk}, t, \pi )\), which has size \(2 \cdot \left\lceil {\log _2(n)}\right\rceil +6\) elements in \(\mathbb {G}\) and 7 elements in \(\mathbb {Z}_p\). The signer’s work is dominated by three multi-exponentiations in \(\mathbb {G}\) of size \(2n+1\), 2n and \(n+1\) respectively. The verifier’s work is dominated by two multi-exponentiations in \(\mathbb {G}\) of size \(2n+2\log _2 n +1\) and \(n+4\) respectively.


Copyright information

© 2020 International Financial Cryptography Association


Cite this paper

Yuen, T.H. et al. (2020). RingCT 3.0 for Blockchain Confidential Transaction: Shorter Size and Stronger Security. In: Bonneau, J., Heninger, N. (eds) Financial Cryptography and Data Security. FC 2020. Lecture Notes in Computer Science(), vol 12059. Springer, Cham. https://doi.org/10.1007/978-3-030-51280-4_25


  • DOI: https://doi.org/10.1007/978-3-030-51280-4_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-51279-8

  • Online ISBN: 978-3-030-51280-4
