0% found this document useful (0 votes)

85 views19 pages

PBT: A New Privacy-Preserving Payment Protocol For Blockchain Transactions

This document summarizes a new privacy-preserving payment protocol called PBT for blockchain transactions. PBT improves upon previous ring confidential transaction protocols by achieving a logarithmic signature size using an extended one-out-of-many proof and a special multi-signature. The protocol is more efficient and practical than prior works, and does not require a trusted setup. An implementation of PBT in Java showed it can process transactions with 5 inputs and a ring size of 500 in about 20 seconds, demonstrating its potential for real-world use.

Uploaded by

Anitha T

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

85 views19 pages

PBT: A New Privacy-Preserving Payment Protocol For Blockchain Transactions

Uploaded by

Anitha T

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 19

This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2020.2998682, IEEE
Transactions on Dependable and Secure Computing
1

PBT: A New Privacy-Preserving Payment

Protocol for Blockchain Transactions
Yanxue Jia, Shi-Feng Sun, Yuncong Zhang, Qingzhao Zhang, Ning Ding, Zhiqiang Liu, Joseph K. Liu,
Dawu Gu

Abstract—Ring confidential transaction (RingCT) protocol is widely used in cryptocurrency to protect the privacy of both users’
identities and transaction amounts. Most recently, a new RingCT protocol (called RingCT 2.0) was proposed by leveraging
cryptographic accumulators, which can achieve a constant-size output theoretically but still far from being practical due to the heavy
zero-knowledge associated with the accumulator. In this work, we revisit the design of ring confidential transaction protocol and put
forward a more efficient privacy-preserving payment protocol, which is built upon an extended version of one-out-of-many proof and a
special multi-signature. Compared with previous works, the new protocol is not only more practical, but also does not suffer from a
trusted setup. Besides, we show that the protocol satisfies the security requirements provided that the underlying cryptographic
primitives are secure in the random oracle model. We implement our new payment protocol in Java, and the experimental results show
that it is efficient enough to be used in practice.

Index Terms—Blockchain, Payment protocol, Confidential transaction, Zero-knowledge proof.

1 I NTRODUCTION

B ITCOIN [1] is the first widely used decentralized dig-

ital currency in the world. Compared with traditional
digital currencies, Bitcoin does not rely on a trusted third
[8], uses a different technology than the derivatives of
Bitcoin. It achieves the purpose of hiding the transaction
information by mixing the real input of the transaction into
party like a central bank. In fact, transactions in Bitcoin are several false inputs. Monero uses one-time ring signatures to
validated by consensus over the network and stored in a prevent transactions from being tampered with, meanwhile
structure called blockchain which is publicly accessible to concealing the real address of the input. The most significant
everybody. drawback of the ring signature originally utilized in Monero
The anonymity of Bitcoin has been questioned due to is the big signature size, which tremendously enlarges the
this publicity of information [2]. Although users may en- transactions and limits the transaction processing speed of
hance their privacy by using multiple identities, research the blockchain. To address this problem, they introduce the
shows that Bitcoin can be deanonymized by analyzing the notion of Ring Confidential Transaction (RingCT) [9] by using
structure of the transaction graph stored in the blockchain. a variant of linkable ring signature [10]. RingCT reduces the
Although there are various works trying to improve the size of the ring signature by approximately 50%, though it
anonymity of Bitcoin [3], [4], [5], they all suffer from either is still linear with the number of public keys in the ring.
poor efficiency and/or significant communication cost. With the goal of further reducing the signature or output
Zerocash is the first comprehensively privacy-preserving size of RingCT in Monero, RingCT 2.0 protocol [11] was
payment protocol for blockchain-based digital transac- proposed by using accumulators with one-way-domains.
tion [6]. It completely hides the identity of the user and In theory, the output size of RingCT 2.0 is constant with
the amount paid in each transaction. The construction of respect to the number of public keys in the ring. However,
Zerocash uses zero-knowledge proof, or zk-SNARKs (zero- the accumulator and zero-knowledge proof protocol used
knowledge Succinct Non-interactive ARgument of Knowl- in RingCT 2.0 are so complicated that its performance is
edge), to be exact. Despite the many advantages in privacy far from being practical. On the other hand, it suffers from
protection, Zerocash worsens the scalability and efficiency a trusted setup, which is not desired in cryptocurrency.
problems that exist in almost all blockchain-based digital To overcome the drawbacks of RingCT 2.0, we revisit the
currencies. It takes about two minutes to generate a transac- design of RingCT protocol in this paper, and present a
tion containing zero-knowledge proof, and it takes a longer new privacy-preserving payment protocol by extending the
time to verify the proof than to verify a Bitcoin transaction. Zerocoin protocol in [12]. In our protocol, the signature size
Another well-known privacy-preserving cryptocurrency is a logarithmic number of groups included in the ring. It is
is Monero [7], which is based on the CryptoNote protocol worth noting that the size is larger than the size in [11], but
the efficiency is significantly better, specially, we can spend a
• Yanxue Jia, Shi-Feng Sun, Yuncong Zhang, Qingzhao Zhang, Ning Ding, transaction with 5 inputs and whose ring size is 500 in about
Zhiqiang Liu and Dawu Gu are with Shanghai Jiao Tong University, 20 seconds, so it is practical. There are two concurrent and
China.
E-mail: {jiayanxue,dwgu}@sjtu.edu.cn independent works [13] and [14], whose goals are similar to
• Shi-Feng Sun and Joseph K. Liu are with Monash University, Australia. ours, and both of them realize logarithmic signature size by
E-mail: [email protected] leveraging the inner product argument in Bulletproof [15],
• Corresponding authors: Shi-Feng Sun and Dawu Gu.
but each utilizes a different ring formation.

With the development of quantum computers, quantum- 2.1.1 Homomorphic Commitment Schemes.
resistant cryptographic security has received extensive at- A commitment scheme includes two phases: in commit
tention. Lattice RingCT V1.0 [16] is the first post-quantum phase, a sender chooses a value and constructs a commit-
RingCT scheme using Lattice-based cryptography, however, ment to it; later in the reveal phase the sender may open the
it only supports for transferring from a single input wallet commitment and reveal the value. After that, the receiver
to a single output wallet. And Lattice RingCT v2.0 [17] can verify that it is exactly the value that was committed
realizes Lattice-based Ring Confidential Transactions for at first. More formally, a commitment scheme consists of
Multiple-Input and Multiple-Output wallets and adds range a pair of poly-time algorithms (CKGen, Com): on input a
proof to resist out-of-range attacks. Almost at the same security parameter λ, CKGen(1λ ) outputs a public commit-
time as [17], Esgin at al. [18] realizes a more scalable post- ment key ctk , which specifies a message space Mctk and
quantum RingCT. In this work, we present a more generic a commitment space Cctk ; on input a message m ∈ Mctk ,
construction. Thus, it is still possible for us to achieve Com(ctk, m) generates a commitment c ← Com(ctk, m) to
a post-quantum privacy-preserving payment protocol by m, where ctk is often omitted when it is clear from the
instantiating our construction with e.g., lattice-based one- context. Normally, a commitment scheme should satisfy the
out-of-many proofs [19], which will be left as future work. hiding and binding properties, as defined below.
Definition 1 (Security of HCom [12]). A non-interactive
scheme HCom = (CKGen, Com) is called a secure homo-
1.1 Our Contributions
morphic commitment scheme if it satisfies the following
Inspired by the Zerocoin protocol in [12], we propose a new properties.
payment protocol PBT that can not only avoid the trusted
setup but also protect both the anonymity of the spenders Hiding This property means that the commitment does
and the privacy of transaction amounts. In more details, our not reveal the committed value. More precisely, HCom is
contributions are as follows: called hiding if for all PPT adversaries A, it holds that

• To support the functionality of spending a couple

ctk ← CKGen(1λ );
 
of inputs in one transaction, we first present a new


(m0 , m1 ) ← A(ctk);  1
sigma protocol by extending the underlying protocol Pr A(c) = b :  − ≤ negl(λ)

b ← {0, 1};  2
– one-out-of-many proofs – deployed in Zerocoin

c ← Com(ctk, mb )
[12].
• Based on our extended sigma protocol, we then where m0 , m1 ∈ Mctk and HCom is called perfectly
present a practical privacy-preserving payment pro- hiding if the probability of A guessing b is exactly 1/2.
tocol PBT by further combining it with a special
flavor of multi-signature which is employed to resist Binding This property means that a commitment cannot
slandering attacks [20], [21]. And we prove that PBT be opened to two different values. More precisely, HCom
can satisfy the basic securities of payment protocols, is called binding if for all PPT adversaries A, it holds that
as long as the building blocks meet security require-
ments which would be described in section 2. " m0 6= m1 ∧ ctk ← CKGen(1λ ); #
• At last, we give an instantiation and prove rigor-
Pr Com(m0 ; r0 ) : (m0 , r0 , m1 , r1 ) ≤ negl(λ)
ously that it meets our security requirements. Then
= Com(m1 ; r1 ) ← A(ctk)
we implement our payment protocol to evaluate its
efficiency and signature size, which shows that PBT where m0 , m1 ∈ Mctk and r0 , r1 are random coins
can achieve a better performance while satisfying the of Com. HCom is called perfectly binding if the prob-
basic securities of payment protocols. ability is exactly 0. Moreover, we call HCom strongly
binding if the probability holds even for the condition
(m0 , r0 ) 6= (m1 , r1 ) rather than m0 6= m1 .
2 P RELIMINARIES
Homomorphic For this property, we assume that for
Throughout the paper, we use [n] to denote the set of each well-formed ctk , the commitment space Cck is a
integers {1, 2, . . . , n} for n ∈ N. Let A(·) be a randomized multiplicative group of order q and both the messages
algorithm, we then write y = A(x; r) to be the output of and random coins are from Zq . This property says that
A on input x and random coin r, and y ← A(x) be the for all λ ∈ N, ctk ← CKGen(1λ ), m0 , m1 ∈ Zq and
process of randomly choosing r and outputting y = A(x; r). r0 , r1 ∈ Zq , it holds that
In addition, we denote by x ← S uniformly sampling a
random from a set S . Com(m0 ; r0 ) · Com(m1 ; r1 ) = Com(m0 + m1 ; r0 + r1 ).

2.1.2 Sigma Protocols

2.1 Cryptographic tools
A Σ-protocol for a relationship R = {(crs, u, w)} is a triple
In this part, we briefly recall the basic cryptographic tools of three probabilistic polynomial time stateful interactive
used to design our payment protocol, including homomor- algorithms (G, P, V). The following is a run of a Σ-protocol
phic commitments, sigma protocols and multi-signatures. describing the interaction of the algorithms

1545-5971 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University of Hyderabad IG Memorial Library. Downloaded on December 08,2021 at 18:01:48 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2020.2998682, IEEE
Transactions on Dependable and Secure Computing
3
 
• crs ← G(1λ ): Generates the common reference 
 ∀i, ci ∈ Cctk ∧ 

` ∈ [0, N − 1]∧
 ! 
string. ctk, (c0 , · · · , cN −1 , c0 ),

 

a ← P(crs, u, w): Given (crs, u, w) ∈ R the prover R= : r, r0 ∈ Zq ∧ .
• (`, r, r0 )
c` = Com(0; r)∧
 
generates an initial message a.

 

c0 = Com(`; r0 )

 

• x ← {0, 1}λ : A challenge x is chosen uniformly at
random by the verifier.
2.1.3 Multi-Signatures
• z ← P(x): The prover responds to the challenge x.
• b ← V(crs, u, a, x, z): The verifier returns 1 if accept- There is a group of signers who want to sign the same
ing the proof and 0 if rejecting the proof. message Msgs , and everyone in the group inputs its own
public and secret key as well as a list of the public keys
Definition 2 (Security of Σ-protocol [12]). A triple (G, P, V) of the other signers. The signers want to interact in a
is called a secure Σ-protocol if it satisfies the following protocol which eventually outputs a compact signature σ
properties. that represents the signature of each individual signer on the
message Msgs , and the protocol is called multi-signature.
Perfect Completeness (G, P, V) is perfectly complete if In general, a multi-signature MS = (Pg, Kg, Sign, Verf)
for all probabilistic polynomial time adversaries A consists of four algorithms with the following syntax:
• Pg(1λ ): outputs the system-wide parameter par.
crs ← G(1λ );
 
• Kg(par): outputs a pair of user key (msk, mvk)

 (u, w) ← A(crs);  where msk is the secret kept by the user and mvk
Pr 
 V(crs, u, a, x, z) = 1 : a ← P(crs, u, w); 
=1 is the verifying key.
 x ← {0, 1}λ ; 
• Sign({msk1 , · · · , mskm }, Msgs ): outputs a signature
z ← P(x) σ on message Msgs .
• Verf(L = {mvk1 , · · · , mvkm }, Msgs , σ ): outputs 1 if
where A outputs (u, w) such that (crs, u, w) ∈ R.
σ is a valid signature for L and Msgs , or 0 otherwise.
n-special soundness (G, P, V) is n-special sound if there Definition 3 (Security of multi-signature [22]). A multi-
is an efficient extraction algorithm X that can compute signature MS = (Pg, Kg, Sign, Verf) involving at least
the witness given n accepting transcripts with the same one honest signer is (t, qS , qH , N, )-secure in the ran-
initial message. Formally, for all probabilistic polynomial dom oracle model if for all PPT adversaries A, whose
uf −cma
time adversaries A advantage AdvMS (A) of winning the following
uf −cma
(t, qS , qH , N )-game is less than , i.e., AdvMS (A) ≤
crs ← G(1λ );
 
.
 (u, a, x1 , z1 , · · · , 
(t, qS , qH , N )-game: An adversary A runs in time at most t,
 
Pr  (crs, u, w) ∈ R : x ,
n n z ) ← A(crs); ≈1
A initiates at most qS signing queries with the honest signer,
 
 w ← X (crs, u, a, x1 , 
z1 , · · · , xn , zn ) the number of public keys in the multiset L involved in any
signing query or in the forgery is at most N . In the random
where A outputs distinct x1 , · · · , xn ∈ {0, 1}λ and oracle model, the Sign and Verf algorithms, as well as
for all i ∈ {1, · · · , n} the transcript is accepting, i.e. the adversary, additionally have access to a random oracle
V(crs, u, a, xi , zi ) = 1. We say the proof has perfect n- H : {0, 1}∗ → D, where D is a set possibly depending
special soundness if the probability is exactly 1. on the system parameters. The additional parameter qH
denotes the maximum number of adversary A’s random
Special honest verifier zero-knowledge (SHVZK) oracle queries. The game between adversary A and honest
(G, P, V) is special honest verifier zero-knowledge if signer is shown in Fig. 1. In brief, A can start a protocol
there exists a probabilistic polynomial time simulator S instance with the honest signer by providing the latter with
such that for all interactive probabilistic polynomial time a message m and a multiset L = {mvk1 , · · · , mvkm } of
adversaries A purported cosigners, where mvk ∗ occurs in L at least once.
It can choose these public keys as it wishes, including as a
crs ← G(1λ ); (u, w, x) ← A(crs);

Pr A(a, z) = 1 : function of mvk ∗ and previous protocol flows. In interacting
a ← P(crs, u, w); z ← P(x)
with the honest signer, A will∗ play the role of all signers
crs ← G(1λ ); (u, w, x) ← A(crs);

in L except the signer of mvk , sending messages to, and
≈ Pr A(a, z) = 1 : receiving messages from, the honest signer. The adversary
(a, z) ← S(crs, u, x)
can schedule an arbitrary number of protocol instances
where A outputs (u, w, x) such that (crs, u, w) ∈ R and concurrently, interacting with ”clones” of the honest signer,
x ∈ {0, 1}λ . where each clone maintains its own state and uses its own
The Σ-protocol is said to be perfect SHVZK if the two coins but all use the keys (mvk ∗ , msk ∗ ) and follow the pro-
probabilities are exactly equal to each other. tocol (i.e., use algorithm Sign) to compute their responses
to received messages. When the honest signer terminates
For our application, we need a Σ-protocol for the knowl- then its local output (whether ⊥ or a compact signature σ̂ )
edge of one out of N commitments c0 , · · · , cN −1 being a is returned to A. The adversary is said to win the game if
commitment to 0 and the exact index of this commitment. b = 1, mvk ∗ ∈ L and A never initiated a signing query with
In particular, the relation for the Σ protocol is: L, Msgs ∗ .

Honest Signer A

(mvk ∗ , msk ∗ ) ← Kg(par) −−−−mvk

∗
−−−−−−→ (mvki , mski ) ← Kg(par)
Selects L = {mvk1 , · · · , mvkm }
according to mvk ∗ , where mvk ∗
{Msgs i , σi }i∈[qS ] occurs in L at least once,
←−−−−−−−−−−− and m ≤ N ;
σi∗← Sign(msk , Msgs i ) ∗
{σ̂i }i∈[qS ] Signs Msgs i using L except
Get σ̂i by compact σi∗ and σi −−−−−−−−−−→ for mvk ∗ .
{L, Msgs ∗ , σ̂ ∗ }, Msgs ∗ ∈
/ {Msgs i }i∈[qS ]
←−−−−−−−−−−−−−−−−−−−−−−−−−−−−
b = Verf(L, Msgs ∗ , σ̂ ∗ )

Fig. 1: An instance of (t, qS , qH , N )-game

In order to be useful and practical, a multi-signature to sign a message will not affect our protocol. Boneh et
scheme should produce signatures whose size is (ideally) al. [27] proposed a scheme based on BLS signature that is
independent of the number of signers and close to the one secure in plain public-key model, but computing pairings
of an ordinary signature scheme, thus we just consider the is less efficient than computing discrete logarithm. And the
schemes producing an aggregated signature on a common significant advantage of using BLS signature is that aggre-
message. The main concerns when dealing with these multi- gation can take place publicly by a simple multiplication
signature schemes are to realize public-key aggregation and without additional communication rounds between signers
to defend against rogue public-key attacks. as described in [27], but the advantage is not necessary in
Public-key aggregation means that the verifier only our protocol.
needs a short aggregate public key instead of an explicit list For all of the above reasons, we select the practical and
of all m public keys to verify a multi-signature. Fortunately, simple multi-signature scheme in [22] to instantiate our PBT
in PBT protocol, we do not need the property, because we protocol.
will require users to use every public key to generate a serial
number for every account and reveal the serial numbers to 2.2 Syntax and Securities of Payment Protocols
prevent double spending (please see the details in Section Following the formal definition given in [21]. A payment
2.2). Therefore, we do not need to use schemes that are protocol mainly comprises of two phases: the generation
dedicated to realizing public-key aggregation, such as [23]. and the verification of transactions, which are operated by
However, a scheme that can defend against rogue public- the spender and recipients respectively. When wanting to
key attacks is necessary in our protocol. spend m of her/his accounts, w.l.o.g., denoted by As =
The rogue public-key attack refers to that an attacker can (k) (k) (k)
{(pks , cns )}k∈[m] where pks is the user’s k -th account
register his public key based on others’ public keys such (k)
address and cns is the coin w.r.t. this account, the spender
that he knows the aggregated private-key, which is actually
first chooses t output accounts {(pkout,j , cnout,j )}j∈[t] for
his own private key, so he can produce multi-signatures for
all output addresses R = {pkout,j }j∈[t] accordingly, such
the whole signers by himself. The simple multi-signature
that the sum of balances of her/his input accounts equals to
schemes that are constructed directly by Schnorr signature
that of output accounts, and then additionally selects n − 1
[24] or BLS signature [25] are vulnerable to a rogue public-
groups of input accounts with each containing m different
key attack. One way [26] to prevent rogue public-key attacks
accounts to anonymously spend As for some payments
is to require the signers to prove knowledge of the private
(i.e., creating a ring confidential transaction). Whenever
key corresponding to their public key to some certification
receiving this transaction from the P2P blockchain network,
authority or to some other signers before engaging the pro-
the miners check the validity of the transaction with public
tocol. However, it is not suitable for our protocol, because
information along with it and add it to a (new) block if valid.
there is no certification authority in Cryptocurrencies and
In general, a payment protocol consists of a tuple of poly-
the zero-knowledge proof would add complexity to our
time algorithms (Setup, KeyGen, Mint, Spend, Verify), the
PBT protocol. We need a secure multi-signature scheme in
syntax of which are described as follows:
plain public-key model that means signers do not need to
prove knowledge of their secret key. The multi-signature • pp ← Setup(1λ ): the Setup algorithm takes a security
scheme shown in [22] is a practical scheme based on Schnorr parameter λ ∈ N, and outputs the public system
signature and it prevents rogue public-key attacks in plain parameters pp. All algorithms below have implicitly
public-key model by requiring each signer to use a distinct pp as part of their inputs.
“challenge” ci when computing their partial signature. Note • (sk, pk) ← KeyGen(pp): the key generation algorithm
that the flavor of multi-signature we need is signed by a takes as input pp and outputs a public and secret key
single user with m different key pairs, which is a special pair (pk, sk). In the context of Monero, pk is always
case of the standard multi-signature, thus the drawback of set as a one-time address, which together with a coin
the scheme in [22] requiring multiple rounds of interaction constitutes an account.

• (cn, ck) ← Mint(pk, a): the Mint algorithm takes • AddGen(i): on input a query number i, picks
as input an amount a and a valid address pk s.t. randomness τi , runs algorithm (ski , pki ) ←
(pk, sk) ← KeyGen(pp), and outputs a coin cn KeyGen(pp; τi ) and returns address pki .
for pk as well as the associated coin key ck 1 . The • ActGen(i, ai ): on input address index i and an
coin cn together with address pk forms an account amount ai , runs algorithm (cni , cki ) ← Mint(pki , ai ),
.
act = (pk, cn), the corresponding secret key of which then adds i and account acti = (pki , cni ) to ini-
.
is ask = (sk, ck) that is required for authorizing its tially empty lists I and G respectively, and outputs
spending. (acti , cki ) for address pki , where pki is assumed
• (tx, π, S) ← Spend(msg, Ks , As , A, R): on input to have been generated by AddGen. The associated
.
a group As of accounts together with the corre- secret key with account acti is aski = (ski , cki ). The
sponding account secret keys Ks , an arbitrary set oracle also uses aski to determine the serial number
A of groups of input accounts containing As , a si of acti and adds it to initially empty list S .
set R of out addresses and some transaction string • Spend(msg, As , A, R): takes in transaction
msg ∈ {0, 1}∗ , the algorithm outputs a transaction string msg, input accounts A containing As
tx (containing msg, A and AR which denotes the set and output addresses R, runs (tx, π, S) ←
of output accounts w.r.t. R), a proof π and a set S of Spend(msg, Ks , As , A, R) and returns (tx, π, S)
serial numbers and verification keys. after adding it to list T , where As ⊂ G and we
• 1/0 ← Verify(tx, π, S): on input the transaction tx assume that at least one account/address in As has
containing msg, A and AR , proof π and serial num- not been corrupted so far.
bers and verification keys S , the algorithm verifies • Corrupt(i): on input query number i ∈ I , uses
whether a set of accounts with serial numbers in account key aski to determine the serial number si
S is spent properly for the transaction tx towards of account acti with address pki , then adds si and
addresses R, and outputs 1 or 0, meaning a valid (si , ai ) to lists S and C respectively, where ai is the
or invalid spending respectively. balance of the account with address pki , and finally
Similar to the security properties of RingCT [21]. A returns τi .
payment protocol should at least satisfy the properties for-
malized below.
At last, A outputs all her spends with some new ac-
Definition 4 (Perfect Correctness). This property requires counts (act01 , act02 , · · · , act0µ , S1 , S2 , · · · , Sν ) such that
that a user can spend any group of her accounts w.r.t. Si = (txi , πi , Si ), where all spends are payed to, w.l.o.g.,
an arbitrary set of groups of input accounts, each group the challenger with account address pkc 2 , i.e., txi =
containing the same number of accounts as the group she (msgi , Ai , A{pkc } ), and Ai ⊂ G ∪ {act0i }µi=1 for all i ∈ [ν].
intends to spend. Specifically, a payment protocol Π = We call A wins in the experiment if her outputs satisfy
(Setup, KeyGen, Mint, Spend, Verify) is called perfectly the following conditions:
correct if for all PPT adversaries A, it holds that
pp ← Setup(1λ );
 
 (msg, A, R) ←  1) Verify(txi , πi , Si ) = 1 for all i ∈ [ν].
Si ∈
/ T ∧ Si 6⊂ S for all i ∈ [ν], and Sj ∩ Sk = ∅ for
 

 A(pp, A s , Ks ) 
 2)
 where (As , Ks ) =  any different j, k ∈ [ν].
  ν
Pr Verify(tx, π, S) = 1 :
 (pk, cn), (sk, ck) s.t. 
 3) Let Si = {si,j } and E =
S
{ai,j : (si,j , ai,j ) ∈
 (pk, sk) ← KeyGen(pp),  i=1 P
B ∧ si,j ∈ Si ∩ C}, it holds that ai,j ∈E ai,j <
 

 (cn, ck) ← Mint(pk, a); 
 Pν
 (tx, π, S) ←  i=1 aout,i , where aout,i denotes the balance of
Spend(msg, Ks , As , A, R). output account in Si .
= 1.
Definition 5 (Balance). This property requires that any
malicious user cannot (1) spend any account without
Definition 6 (Anonymity). This property requires that two
her control and (2) spend her own/contrallable accounts
proofs of spending with the same transaction string
with a larger output amount. Specifically, a payment
msg, input accounts A, output addresses R and dis-
protocol Π = (Setup, KeyGen, Mint, Spend, Verify) is
tinct spent accounts As0 , As1 ∈ A are (computation-
called balanced w.r.t. insider corruption if for all PPT
ally) indistinguishable, meaning that the spender’s ac-
adversaries A, it holds that
counts are successfully hidden among all the hon-
pp ← Setup(1λ );
 
estly generated accounts. Specifically, a payment proto-
0 µ ν
Pr A Wins : ({acti }i=1 , {Si }i=1 )  ≤ negl(λ), col Π = (Setup, KeyGen, Mint, Spend, Verify) is called
 
AddGen,ActGen,
← A Spend,Corrupt (pp) anonymous if for all PPT adversaries A = (A1 , A2 ), it

where all oracles AddGen, ActGen, Spend and Corrupt

are defined as below:
2. Note that in this case, assuming pkc has been generated by
1. We note that ck will be privately sent to the user possessing AddGen, the challenger knows all balances of the spent accounts and
account address pk, e.g., by private public key encryption. output accounts involved in the adversarial spends {S}νi=1 .

holds that of secret key corresponding to pk fi cannot ever imply as in


pp ← Setup(1 ); λ

 RingCT that the balance in accounts Ai equals that of the

(msg, As0 , As1 , A, R) ←
output accounts. Therefore, we use two form, like g1x hr and
  0 0
 AddGen,ActGen,  g2x hr , of commitment with only a common base. Moreover,
Spend,Corrupt
 

 A1 (pp); 


Zerocoin suffers from slandering attacks just as pointed
 0
Pr b = b : b ← {0, 1};  − 1
 out by [28] recently, so does our initial protocol. A direct
∗ ∗ ∗ 2

 (tx , π , S ) ← 


solution is to use a regular signature to sign the transaction,

 Spend(msg, Ksb , Asb , A, R); 

but this will make the size of transaction increase linearly

 b0 ← 


with the number of input accounts, so we further exploit
Spend,

Corrupt ∗ ∗ ∗
a variant of multi-signature to compact the total signature
A2 (pp, (tx , π , S ))
size.
≤ negl(λ),  (1) (1) (1) 
pkin,1 · · · pkin,` · · · pkin,n
where all oracles are defined as before, Asi ∈ A and  .
 . .. .. .. .. 
 . . . . . 

Asi ⊂ G for i ∈ {0, 1}. In addition, the following  (k) (k) (k) 
restrictions should be satisfied: pkin,1 · · · pk · · · pkin,n 
 in,` 
 . .. .. .. .. 
• For all i ∈ {0, 1}, any account in Asi has not been  .. . . . . 
 
corrupted.  (m) (m) (m) 
pkin,1 · · · pkin,` · · · pkin,n 
• Any query in the form of (·, As , ·, ·) s.t. As ∩ Asi 6= ∅  
has not been issued to Spend oracle. pk
f ··· 1 pk
f ··· pk
f
` n

Definition 7 (Non-Slanderability). This property requires

3.1 Protocol Description
that a malicious user cannot slander any honest user
after observing an honestly generated spending.That is, Let MS = (Pg, Kg, Sign, Verf) be a multi-signature, and Π =
it is infeasible for any malicious user to produce a valid (G, P, V)be a Σ-protocol for the relation 
spending that share at least one serial number with a pre- 
 ∀i, ci ∈ Cctk ∧ 
 ! ` ∈ [0, N − 1]∧  
viously generated honest spending. Specifically, a pay- 

ctk, (c0 , · · · , cN −1 , c0 ),


0
ment protocol Π = (Setup, KeyGen, Mint, Spend, Verify) R= : r, r ∈ Zq ∧ .
(`, r, r0 )
is called non-slanderable if for all PPT adversaries A, it c = Com (0; r)∧
 
`

 

c0 = Com(`; r0 )

 

holds that
Based on these primitives, our privacy-preserving payment
pp ← Setup(1λ );
 
protocol PBT = (Setup, KeyGen, Mint, Spend, Verify) is
ˆ π̂, Ŝ), (tx∗ , π ∗ , S ∗ ) 

Pr A Wins : (tx,  ≤ negl(λ),

AddGen,ActGen,
designed as follows:
← A Spend,Corrupt (pp)
Setup(1λ ): on input a security parameter λ, it generates
where all oracles are defined as before, and (tx, ˆ π̂, Ŝ) is par ← Pg(1λ ) and randomly picks h0 , h1 , h2 ∈ Gq , and
one output of the oracle Spend for some (msg, As , A, R). outputs the system parameter pp = (par, h0 , h1 , h2 ).
We call A succeeds if the output satisfies the following KeyGen(pp): on input pp, it first generates
conditions: (1) Verify(tx∗ , π ∗ , S ∗ ) = 1; (2) (tx∗ , π ∗ , S ∗ ) ∈
/ (msk, mvk) ← Kg(par), then chooses x uniformly
T ; (3) Ŝ ∩ C = ∅ but Ŝ ∩ S ∗ 6= ∅. at random from Zq and sets the serial number
s = H(mvk) where H(·) is a collision-resistant hash
function that maps mvk from Gq to Zq , and sets key
3 O UR P RIVACY -P RESERVING PAYMENT P ROTO - pair (sk, pk) := ((msk, x, s), y = hx0 hs1 ). In the context
COL of cryptocurrency, the public key pk is always set as a
one-time address, which combining with a coin constitutes
In this section, we present a new payment protocol based
a user’s account.
on a Σ-protocol for the relation R and a simplified multi-
signature. Without loss of generality, we denote all, say, n
Mint(pk, a): on input address pk and an amount a ∈ Zq ,
(k) (k) it mints a coin for pk : chooses r ∈ Zq uniformly at ran-
groups of input accounts by A = {(pkin,i , cnin,i )}i∈[n],k∈[m]
dom, computes commitment c = hr0 ha2 , and then returns
(including the group of m accounts to be spent) and set the
(cn, ck) = (c, (r, a)). The coin cn together with pk forms the
spent group as the `-th group. Essentially, the high-level
account act := (pk, cn), to which the corresponding secret
idea is similar to previous RingCT protocols: the groups
key is ask := (sk, ck).
of account keys are arranged into a matrix in which each
Spend(msg, K` , A` , A, R): on input a set of account
column corresponds to a group of keys, as is shown in the
keys K` associated with the group of input accounts A`
matrix below, and the spender computes extra public keys
that the user intends to spend, some transaction string
pk
fi from input accounts and output accounts to guarantee
msg ∈ {0, 1}∗ , an arbitrary set A of groups of input
the total balance in each transaction is conserved. Motivated accounts containing A` , and a set R of output addresses,
by the approach of Zerocoin [12], however, the account the accounts A` are payed to R as follows. For sim-
(k) (k)
public key pkin,i and the associated coin cnin,i in our pro- plicity, we denote all, say n groups (including A` ) of
(k) (k) (k)
tocol are commitments to serial number sin,i and amount input accounts by A = {(pkin,i , cnin,i )}i∈[n],k∈[m] and
(k)
ain,i
respectively. Thus, if they are generated by the same set the spender’s group as the `-th group, i.e., A` =
(k) (k)
form of Pedersen commitment g x hr , then the knowledge {(pkin,` , cnin,` )}k∈[m] , to which the corresponding secret

1545-5971 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University of Hyderabad IG Memorial Library. Downloaded on December 08,2021 at 18:01:48 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2020.2998682, IEEE
Transactions on Dependable and Secure Computing
7
(k) (k) (k) (k)
keys are K` = {((xin,` , sin,` ), (rin,` , ain,` ))}k∈[m] , and de- Verify(tx, π, S): receiving tx containing msg, A and AR ,
note the intended output addresses by R = {pkout,j }j∈[t] . the associated proof π for tx and the serial numbers and
corresponding verification keys S = (s1 , mvk1 ,
1) Set aout,j ∈ Zq for all pkout,j ∈ R, such that the
Pm (k) s2 , mvk2 , . . . , sm , mvkm ), the recipient verifies that a set
input and output balances satisfy
Pt k=1 ain,` = of accounts with S from input accounts A was spent for
j=1 aout,j , then randomly pick rout,j ← Zq and a transaction tx (towards output addresses R) with string
r a
mint coin cnout,j = cout,j = h0out,j h2 out,j , for all msg, as follows:
j ∈ [t]. After that, add output account actout,j =
(pkout,j , cnout,j ) to AR , and privately send the coin 1) First verify the correspondence between the serial
key ckout,j = (rout,j , aout,j ) to pkout,j . numbers and verification keys, then use verifica-
2) Compute pk f for all i ∈ [1, n], x
i e` and se` as below: tion keys (mvk1 , mvk2 , . . . , mvkm ) to check if σ
is a valid signature on tx. That is, verify whether
m m t Verf(S, tx, {πk }m+1 0
k=1 , S, c ) = 1 or not. If not, just
(k) (k)
Y Y Y
pk
f
i = pkin,i · cnin,i / cnout,j reject the transaction. Otherwise, continue to verify
k=1 k=1 j=1 the validity of πk .
m m u (k) (k)
X (k)
X (k)
X 2) Use A = {(pkin,i , cnin,i )}i∈[n],k∈[m] and AR =
x
e` = xin,` + rin,` − rout,j actout,j = (pkout,j , cnout,j )j∈[t] (contained in tx) to
k=1 k=1 j=1 m m t
m compute pk fi = Q pk (k) · Q cn(k) / Q cnout,j for
in,i in,i
(k)
X
k=1 k=1 j=1
se` = sin,` . m
P
k=1 all i ∈ [n], and use S to compute sm+1 = sk .
Pm (k) k=1
(k)
Following from the fact that k=1 ain,` = 3) For each k ∈ [m], compute = pk in,i
Pt x
e` s
j=1 aout,j , it is easy to know that pk` = h0 h1e` (k) −sk
pkin,i · h1 for all i ∈ [1, n] and xk
g
=
holds. For clarification, we unify the notations in (k) n 0
(m+1) H(ctk, tx, sk , ({pk in,i }i=1 , c ), ak ), and then verify
the following and denote pk f , se` and x
i e` by yi , (k)
. 0
(m+1)
s` and x`
(m+1)
, respectively. That is, pk
f = if V(ctk, ({pk in,i }n
i=1 , c ), xk , πk ) = 1. Besides, com-
i
(m+1) . (m+1) . (m+1) pute xm+1 = H(ctk, tx, sm+1 , ({pk fi }n , c0 ), am+1 )
yi , se` = s` and x
e` = x` . Also, denote i=1
(k) (k)
pkin,i = yi for all i ∈ [n] and k ∈ [m], and and check whether V(ctk, ({pkfi ·
−sm+1 n 0
(k) (k) (k) (k) h1 }i=1 , c ), xm+1 , πm+1 ) = 1 or not. If all
(xin,` , sin,` ) = (x` , s` ) for all k ∈ [m].
above verifications hold, proceed to the next step.
3) Generate a proof π that the group of coins A`
Otherwise, reject it.
was spent properly in a transaction tx consisting
of message msg, accounts A and AR = {actout,j }, The correctness of this protocol follows directly from that
as follows. of the underlying Σ-protocol and multi-signature. We do not
a) First randomly pick r0 ← Zp and compute give more details here.
a commitment to the index `, i.e., c0 =
(k) (k)
Com(`, r0 ), and then use (x` , s` ) to gen-
erate a sub-proof πk = (ak , zk ) for each 3.2 Security Analysis
k ∈ [m + 1] by running Π:
The securities of our payment protocol are formally ana-
(k)
i) Compute
(k)
ȳi = ·
(k)
yi
−s
for all i ∈
h1 ` lyzed under the given security models, which are indicated
(k) (k) as the following theorems.
[1, n], where ȳ` = Com(0; x` ).
(k) (k)
ii) Generate ak = P(ctk, (ȳ1 , ȳ2 , . . . , Theorem 1. Assuming the discrete logarithm (DL) problem
(k) 0 (k) 0 in Gq is hard, (G, P, V) is a Σ-protocol for relation R
ȳn , c ), (`, x` , r )).
iii) Compute xk = H(ctk, tx, s` ,
(k) with perfectly completeness, n0 -special soundness and
(k) SHVZK, then the proposed payment protocol PBT is
({yi }ni=1 , c0 ), ak ).
balanced w.r.t. insider corruption.
iv) Generate zk = P(xk ) and set πk =
(ak , zk ).
Proof: Suppose that there exists an efficient adversary
(1) (2)
b) Use the signing keys (msk` , msk` , . . . , A being able to break the balance property of our payment
(m)
msk` ) to generate a multi-signature σ ← protocol PBT with a non-negligible probability , then we
(k)
Sign({msk` }m m+1 (k) m 0 can design a PPT algorithm B that can solve the DL problem
k=1 , tx, {πk }k=1 , {s` }k=1 , c )
on the transaction. in Gq .
c) Finally, set π = (π1 , . . . , πm+1 , c0 , σ), S = On input a random DL instance (h0 , h1 = hα 0 ), the
(1) (1) (2) (2)
((s` , mvk` ), (s` , mvk` ), · · · , (s` ,
(m) algorithm B randomly picks β ∈ Zq and sets pp =
(m) 3
mvk` )) , and return (tx, π, S). (par, h0 , h1 , h2 = hβ1 , H), where H is modeled as a random
oracle and all queries and responses are added to an initially
(i)
3. In fact, only mvk` is necessary, because verifiers can compute all empty list LH . Without loss of generality, we assume that
(i) (i)
the s` using mvk` , but for simplicity of explanation, we add both the number of AddGen, ActGen and Corrupt queries made
(i) (i)
s` and mvk` into set S . by A is at most qadd , qact and qcor , respectively.

At first, B picks j ∗ ∈ [qadd ], randomly chooses xi ← Zq • ∀i ∈ [ν], Si \S = ∅: in this case all spent accounts
and generates (mski , mvki ) ← Kg(par), si = H(mvki ) for are under the adversary’s
P control.
Pν Hence, it is easy
all i ∈ [qad ]. Then he sets the queried addresses as to know from ai,j ∈E ai,j < i=1 aout,i that there
exists some i∗ ∈ [ν] s.t. ai∗ ,j ∈Ei∗ ai∗ ,j < aout,i∗ .
xi si P
h0 h1 , i 6= j ∗
pki = With the set of serial numbers {si∗ ,j }m j=1 , we can
hx1 i hs1i , i = j ∗
locate the group {acti∗ ,j } of corresponding accounts
where the corresponding secret key to pki is implicitly set Asi∗ spent in txi∗ , where acti∗ ,j = (pki∗ ,j , cni∗ ,j )
as ski = (mski , xi , si ) for all i ∈ [qad ]\{j ∗ } and skj ∗ = and the associated account secret key is aski∗ ,j =
(mskj ∗ , α · xj ∗ , sj ∗ ). After that, B simulates the AddGen, ((mski∗ ,j , xi∗ ,j , si∗ ,j ), (ri∗ ,j , ai∗ ,j )). Without loss of
ActGen and Corrupt oracles as follows: generality, we assume that Asi∗ is the `∗ -th column
• AddGen(i): receiving the i-th address query, directly of Ai∗ . Then we can compute the extra public keys
returns pki to A. f ∗ }n from the accounts in txi∗ , and rewind the
{pk i ,j j=1
• ActGen(i, ai ): on input index i and amount ai , ran- adversary with the same initial message correspond-
domly chooses ri ∈ Zq and sets ci = hr0i ha2 i , and ing to the statement {pk f ∗ · h−sei∗ }n for n0 times,
i ,j 1 j=1
then outputs (cni , cki ) = (ci , (ri , ai )) after adding Pm
where sei∗ = si∗ ,j . Particularly, the spent account
the tuple i, acti = (pki, cni ), (xi , si ), ai to list j=1
Lact = { i, acti , (xi , si ), ai }, which is used to keep f ∗ }n is pk
in {pk f ∗ ∗ , such that
i ,j j=1 i ,`
track of the generated accounts.
• Spend(msg, As , A, R): on input a transaction string m m
msg, input accounts A formed in a matrix and As ⊂
Y Y
pk
f∗ ∗
i ,` = pki∗ ,j · cni∗ ,j /cnout,i∗
Lact (to be spent) being the `-th column of A, as well j=1 j=1
as output addresses R, B simulates this query in the m m r ∗ ,j a ∗

following way:
Y x ∗ ,j s ∗ ,j
Y h0i h2 i ,j
= (h0 i h1i )· rout,i∗ aout,i∗
j=1
h
j=1 0
h2
– actj ∗ ∈/ As : generates (tx, π, S) as in real PBT
m m
protocol with the associated accounts keys
P P
xi∗ ,j + ri∗ ,j −rout,i∗
j=1 j=1
Ks = {skk = (mskk , xk , sk )}actk ∈As . Note = h0
that in this case B knows the correspond- α·β(
m
P
ai∗ ,j −aout,i∗ )
ing secret key skk to each account actk = ·h0
j=1
· hs1ei∗
(pkk , cnk ) ∈ As .
r ∗ a ∗
– actj ∗ ∈ As : we assume without loss of gener- where cnout,i∗ = h0out,i h2 out,i denotes the output
ality that actj ∗ is the k ∗ -th element of As , then coin of txi∗ . By the n0 -special soundness of Π, we
B computes c0 = Com(`; r0 ) and generates πk∗ can efficiently extract a valid witness (`∗ , x
ei∗ , ri0∗ ) s.t.
−s x
by invoking the simulator SΠ of Π with c0 and pk i∗ ,`∗ ·h1
f ei∗ ei∗
= h0 for the statement w.r.t. Si∗ . Then
the k ∗ -th row of A as input. Similarly, the last the discrete problem can be solved by computing
sub-proof w.r.t. additionally computed public m m
keys is simulated by calling the simulator of
P P
ei∗ − (
x ski∗ ,j + ri∗ ,j − rout,i∗ )
Π. As to the other sub-proofs, they can be gen- α=
j=1 j=1
.
m
erated as in real protocol. At last, B uses the P
β( ai∗ ,j − aout,i∗ )
corresponding signing keys {msk} to generate j=1
a signature on (tx, {πk }, c0 ). m m
P P
By the SHVZK security of Π, the simulated spending Note that ai∗ ,j − aout,i∗ 6= 0, since ai∗ ,j <
j=1 j=1
without (partial) witness is computationally indistin- aout,i∗ .
guishable from the real one. • ∃ i ∈ [ν], Si \S = 6 ∅: in this case A successfully spends
• Corrupt(i): on input query i, B aborts if i = j ∗ , Oth- some accounts without her control (i.e., uncorrupted
erwise, looks for the tuple i, (pki , cni ), (xi , si ), ai accounts). For convenience, we denote J = {i ∈
in Lact , and adds si (resp. (si , ai )) to set S (resp. C )
S
[ν] : Si \S 6= ∅}, SJ = i∈J (Si \S) and |Si \S| = ηi .
before returning xi . Then we check if sj ∗ ∈ SJ . If not, simply outputs
Eventually, the adversary A outputs (act01 , act02 , · · · , act0µ , a random guess. Otherwise, there exists i∗ ∈ J s.t.
S1 , S2 , · · · , Sν ), where Si = (txi , πi , Si ), all input accounts sj ∗ ∈ Si∗ . Similarly, we then can extract the witness
−s ∗ x̂ ∗ α·x ∗
and spent accounts in txi are Ai and Asi , and all transac- x̂j ∗ s.t. pkj ∗ · h1 j = h0 j = h0 j by rewinding
tions are payed to B . the adversary, and solve the discrete logarithm by
computing α = x̂j ∗ /xj ∗ .
For sake of simplicity, in the following we denote
Si = {si,j }, Ei = {ai,j : (si,j , aSi,j ) ∈ C ∧ si,j ∈ Si ∩ B} At last, we briefly analyze the probability of B solving
ν
for each i ∈ [ν] and E = i=1 Ei . Suppose that A the DL problem. For clarity, we denote by abortc the event
wins
P the simulated
Pν game given above, then we get that that B aborts in the Corrupt phase. Obviously, if abortc
ai,j ∈E a i,j < i=1 aout,i , where a out,i is the output does not happen, the simulated game is identical to the real
amount of txi . Next, we show how to use A to solve the one from the point of A’s view, except for the simulation of
DL problem. More precisely, the discrete logarithm α can be spending queries (msg, As , A, R) in the case of actj ∗ ∈ As ,
computed as follows: where the query is answered by calling the simulator of

Π. Hence, A wins the above game with probability at least . (m+1) (b) . (m+1)
f (b) (b) .
That is, = yi
pk i , sesb = ssb and x
esb =
− ε(λ) for some negligible ε(λ). Moreover, B (conditioned (m+1)
xsb
(k) (k)
. Also, denote pkin,i = yi for all i ∈ [n]
on abortc ) always succeeds to compute α if A wins in the (k) (k) (k) (k)
and k ∈ [m], and (xin,` , sin,` ) = (x` , s` ) for all
first case; otherwise, the probabilityPof B computing α is at
k ∈ [m].
least Pr[sj ∗ ∈ SJ |j ∗ ∈ Lact ] = ( i∈J `i )/qact . From the
3) A proof π ∗ for Asb being spent properly in tx∗ is
simulation we know that Pr[abortc ] = 1 − qcor /qact . Finally,
generated as follows:
we get that the probability that B succeeds to solve the
discrete
logarithm
Pof h1 to h0 is Pr [A0 (h0 , h1 = hα
0 ) = α] ≥ a) First pick r∗ ← Zq and compute c∗ =
ηi (k) (k)
qcor
1 − qact 1 + ( i∈J qact − 1)( − ε) . Com(sb , r∗ ), and then use (xsb , ssb ) to gen-
∗ ∗ ∗
erate sub-proof πk = (ak , zk ) for each k ∈
Theorem 2. Let HComP be the Pedersen commitment, [m + 1] by running Π:
(G, P, V) is a Σ-protocol for relation R with perfectly (k) (k) −s(k)
s
i) Compute ȳi = yi · h1 b for all i ∈
completeness, n0 -special soundness and SHVZK, then (k) (k)
the proposed payment protocol PBT is anonymous un- [1, n], s.t. ȳsb = Com(0; xsb ).
(k) (k)
der the DDH assumption. ii) Generate a∗k = P(ctk, (ȳ1 , . . . , ȳsb ,
(k) ∗ (k) ∗
. . . , ȳn , c ), (sb , xsb , r )).
Proof: The proof follows a series of hybrid games. (k)
iii) Compute x∗k = H(ctk, tx, ssb ,
We will denote by Wini the event that the adversary wins (k) n
Gamei . ({yi }i=1 , c0 ), a∗k ).
iv) Generate zk∗ = P(x∗k ) and set πk∗ =
Game0 : This is exactly the real game. More precisely, the (a∗k , zk∗ ).
challenger generates pp = 1λ , h0 , h1 , h2 , H ← Setup(1λ ), (1) (2)
and responds all AddGen, ActGen, Spend and Corrupt b) Use the signing keys (msksb , msksb ,
(m)
queries as in real game. On input the challenge query . . . , msksb ) to generate a multi-signature
(k) ∗ m+1 ∗
(msg, As0 , As1 , A, R) with Asi for i ∈ {0, 1} being σ ∗ ← Sign({msksb }m ∗
k=1 , tx , {πk }k=1 , c )
the si -th group of accounts in A, the challenger picks on the transaction.
b ← {0, 1} and generates the challenge spending as fol- c) ∗
Finally, set π ∗ = (π1∗ , . . . , πm+1 , c∗ , σ ∗ ) and
lows. For clarity, we write all input accounts as A = ∗ (1) (1) (2) (2) (m)
S = (ssb , mvksb , ssb , mvksb , . . . , ssb ,
(k) (k)
{(pkin,i , cnin,i )}i∈[n],k∈[m] , the sb -th group of A as Asb = (m) ∗
mvksb ), and return (tx , π , S ). ∗ ∗
(k) (k) (k)
{actin,sb = (pkin,sb , cnin,sb )}k∈[m] s.t. the corresponding
(k) (k) (k) (k) (k)
Finally, the adversary outputs its guess b0 . Clearly, we
key being askin,sb = ((xin,sb , sin,sb )(rin,sb , ain,sb )), and the have that
set of output addresses as R = {pkout,j }j∈[t] . With these Pr[Win0 ] = Pr[b0 = b].
notations, the challenge spending (tx∗ , π ∗ , S ∗ ) is generated
as follows: Game1 : The difference of this game from the previous is that
(b) the spending queries and challenge query are answered by
1) Set output amount aout,j for all pkout,j ∈ R, such invoking the simulator of Π, without using any information
(k)
that the input balance {ain,sb } and output balance of the witness. Recall that for each spending query, it is
(b)
m
P (k) Pt
(b) stipulated that As ∩ Asb = ∅. By the SHVZK property of
{aout,j } satisfy that ain,sb = aout,j , then Π we have that
k=1 j=1
(b) (b)
(b) rout,j aout,j
mint coins cnout,j = h0 h1 and adds output | Pr[Win1 ] − Pr[Win0 ]| ≤ negl(λ).
(b) (b) (b)
accounts actout,j = (pkout,j , cnout,j ) to AR . Game2 : This game is the same as Game1 , except that the
(b)
2) Compute pkf for all i ∈ [1, n], x
(b)
esb and
(b)
sesb as generation of output coins during the challenge phase. In
i
below: more details, in this game we set h2 = hα 0 for α ←
(b)
Zq , then generate each output coin cnout,j w.r.t. address
m m t pkout,j ∈ R by randomly choosing r̂j ∈ Zq and then
f (b) (k) (k) (b) (b) r̂ (b)
Y Y Y
pk i = pkin,i · cnin,i / cnout,j setting cnout,j = h0j . The corresponding key to cnout,j is
(b) (b) (b)
k=1 k=1 j=1 implicitly set as ckout,j = (r̂j − α · aout,j , aout,j ). In this
m m t m m t
X (k)
X (k)
X (b) f (b) = Q pk (k) · Q cn(k) / Q cn(b) for all i ∈ [n]
case, pk
e(b)
x sb = xin,sb + rin,sb − rout,j i in,i in,i out,j
k=1 k=1 j=1
k=1 k=1 j=1
is completely independent of b. Thus, by the perfectly hiding
m
X (k) property of HComP , we get that
se(b)
sb = sin,sb .
k=1 Pr[Win2 ] = Pr[Win1 ].
m t
Following from
P (k)
ain,sb =
P (b)
aout,j , it holds that At this point, it is observable that the proof π ∗ =
k=1 j=1 (π1∗ , . . . , πm+1
∗
, c∗ , σ ∗ )
contains no information about b be-
(b) (b)
f (b) = hxesb hsesb .
pk
cause of the SHVZK property of Π and the completely
in,sb 0 1
(b) hiding property of the commitment. Moreover, since no
(b)
For clarity, in the following we denote pk f , x
i esb accounts in Asb is corrupted and no spending queries
(b) (m+1) (m+1) (m+1)
and ssb by yi
e , ssb and xsb , respectively. (msg, As , A, R) s.t. As ∩ Asb 6= ∅ is permitted, the serial

1545-5971 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University of Hyderabad IG Memorial Library. Downloaded on December 08,2021 at 18:01:48 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2020.2998682, IEEE
Transactions on Dependable and Secure Computing
10
(1) (2) (m)
numbers (ssb , ssb , . . . , ssb )
are fresh to the adversary and and msg is never queried to M before. If si∗ ∈ / S ∗ , B fails
thus leaks no information about b. Hence, the probability of in the challenge of M.
A winning this game is Pr[Win2 ] = 1/2. Therefore, B succeeds if: (1) B does not abort; (2) A suc-
Theorem 3. Assuming the DL problem in Gq is hard, ceeds; and (3) si∗ ∈ S ∗ . We now prove that the probability
(G, P, V) is a Σ-protocol for relation R with perfectly of this is non-negligible.
completeness, n0 -special soundness and SHVZK and MS Assume B simultaneously starts a game with another
is a secure multi-signature, then the proposed payment adversary A0 , and responds to A0 in exactly the same way to
protocol PBT is non-slanderable w.r.t. insider corruption. A, with the exception that B replaces si∗ with a verification
key that B generates himself, and does not abort in query
Proof: Suppose that there exists an efficient adversary Corrupt(i∗ ). Therefore, A0 is being challenged by an ordi-
A being able to break the non-slanderability property of our nary non-slanderability challenger, and A0 succeeds with
payment protocol PBT with a non-negligible probability , non-negligible probability as we assumed. Let I be the
then we can design a PPT algorithm B that can break the set of indices corresponding to Ŝ ∩ S ∗ . Since i∗ is sampled
(t, qS , qH , N, ) − security of the multi-signature. independently from the procedure of the game between B
Let M be the challenger for the (t, qS , qH , N, ) − and A0 , the conditional probability Pr[i∗ ∈ I | A0 wins] =
security of the multi-signature. First, M randomly gener- |I|/m ≥ 1/m. Therefore, the probability that A0 wins and
ates a pair of verification and secret keys (msk, mvk) ← i∗ ∈ I is
Kg(par) and sends mvk to B . On receiving mvk , B
samples i∗ ∈ [m] uniformly, and randomly generates p = Pr [A0 wins ∧ i∗ ∈ I]
(mski , mvki ) ← Kg(par) for i ∈ [m]\{i∗ }. Using si = = Pr [i∗ ∈ I | A0 wins] · Pr [A0 wins] ≥ /m
H(mvki ), B randomly chooses xi ← Zq and generates
(ski , pki ) = ((mski , xi , si ), hx0 i hs1i ) for each i ∈ [m], where which is non-negligible. For simplicity, we say A or A0 is
mski∗ is set to ⊥. Then B responds to the queries of A as helpful when he wins with i∗ ∈ I .
follows We claim that the probability that A is helpful with
probability that is only negligibly different from p, thereby
• AddGen(i): on receiving i-th address query, directly concluding that B wins with non-negligible probability. We
returns pki to A; accomplish this by designing an intermediate game where
• ActGen(i, ai ): on input index i and amount ai , ran- B interacts with A00 in exactly the same manner as with
domly chooses ri ∈ Zq and sets ci = hr0i ha2 i , and A0 , with the exception that B aborts when A00 queries
then returns (cni , cki ) = (ci , (ri , ai )) after adding Corrupt(i∗ ). Obviously, A00 is exactly as helpful as A0 , since
the tuple i, acti = (pki, cni ), (xi , si ), ai to list the interaction with A00 differs from that with A0 only in
Lact = { i, acti , (xi , si ), ai }, which is used to keep the condition that i∗ ∈/ I which already rules out A0 being
track of the generated accounts. helpful. In comparison to A, the only difference in interac-
• Spend(msg, As , A, R): on input a transaction string tion with A00 is replacing si∗ by a hash of a verification key
msg, input accounts A formed in a matrix and As ⊂ generated by B himself, which is indifferentiable from mvk
Lact (to be spent) being the `-th column of A, as well generated by M, thus complete the proof.
as output addresses R, B simulates this query in the
following way:
3.3 Instantiations
– acti∗ ∈/ As : generates (tx, π, S) as in real
Our payment protocol is constructed based on a well-known
PBT protocol with the associated accounts
homomorphic commitment, i.e., the Pedersen commitment,
keys Ks = {skk = (mskk , xk , sk )}actk ∈As .
and a Σ-protocol for one-out-of-many proof.
Note that in this case B knows the corre-
sponding secret key mski to each account
actk = (pkk , cnk ) ∈ As . 3.3.1 Sigma protocol for one-out-of-many proof
– acti∗ ∈ As : we assume without loss of gen- Our construction of the one-out-of-many Σ-protocol in Fig.
erality that acti∗ is the k ∗ -th element of As , 2 is a slight modification to the construction proposed in
then B computes the multi-signature σ by his [12]. In the original construction, the Σ-protocol can prove
knowledge of {mskk }k∈[m] / and querying M that there is a commitment to 0 in the N commitments,
(k)
with message (tx, {πk }k=1 , {s` }m+1
m+1 0 and its index is ` that can be different in different instances
k=1 , c ).
and randomness is r. But in our protocol, given the input
• Corrupt(i): on input query i, B aborts if i = i∗ . accounts denoted by A that has m rows and n columns, the
Otherwise, add si to C and returns ski to A. index of the spent accounts in each row need to be fixed.
So the aim of modification is to guarantee that the index of
Assume that B does not abort and A successfully produces
commitment to 0 in each row is the same and it is the open
ˆ π̂, Ŝ), (tx∗ , π ∗ , S ∗ ) such that (1) Verify(tx∗ , π ∗ , S ∗ ) =
(tx, of c0 . Specifically, in addition to the original construction,
1; (2) (tx∗ , π ∗ , S ∗ ) ∈
/ T ; (3) Ŝ ∩ C = ∅ but Ŝ ∩ S ∗ 6= ∅. If 0
we need verifier to compute cu = Qn c 2(j−1) , and use
si∗ ∈ S , then B outputs σ as the multi-signature in tx∗ ,
∗
j=1 c`
j
a set of verification keys S ∗ containing si∗ = H(mvk) and the initial message cv and response zu to verify that cu is
message msg = (tx∗ , pk ∗ , S ∗ , c0 ) where pk ∗ is the set of a commitment to 0 and prover knows the randomness of
public keys corresponding to S ∗ , and succeeds since σ is a the commitment. If we denote the open of c0 as ` and the
Qn (j−1)
valid signature on msg with respect to S ∗ containing mvk open of j=1 c2`j as `0 , cu is a commitment to 0 means

P(crs, (c0 , · · · , cN −1 , c0 ), (`, r, r0 )) V(crs, (c0 , · · · , cN −1 , c0 ))

v ← Zq
For j = 1, · · · , n using k = j − 1
rj , aj , sj , tj , ρk ← Zq
c`j = Com(`j ; rj )
caj = Com(aj ; sj ) cv , c`1 , ca1 , cb1 , cd0 , · · ·
Accept if and only if
cbj = Com(`j aj ; tj ) c`n , can , cbn , cdn−1
Q −1 pi,k −−−−−−−−−−−−−−−→ f1 , · · · , zd , zu ∈ Zq
cdk = N c Com(0; ρk ) For all j ∈ {1, · · · , n}
Pi=0 i
u = r0 − nj=1 2(j−1) · rj cx`j caj = Com(fj ; zaj )
cv = Com(0; v) x−f
c`j j cbjQ= Com(0; zbj )
QN −1 nj=1 fj,ij Qn−1 −xk
x ← {0, 1}λ i=0 ci · k=0 cdk
←−−−−−−−− = Com(0; zd )
using fj,1 = fj and fj,0 = x − fj
For j = 1, · · · , n 0
Compute cu = Qn c 2(j−1)
fj = `j x + aj j=1 c`
j
zaj = rj x + sj f1 , za1 , zb1 , · · · cxu · cv = Com(0; zu )
zbj = rj (x − fj ) + tj fn , zan , zbn , zd , zu
zd = rxn − n−1
P k −−−−−−−−−−−−→
k=0 ρk x
zu = u · x + v

Fig. 2: Σ-protocol for commitment to 0 in list c0 , · · · , cN −1 , and c0 is the commitment of `.

z (1) −z (2)
that ` = `0 , so the index of commitment to 0 in each row is witnesses of cu that are 0 and u = xu(1) −xu(2) . And because
the open of c0 . cu = Com(`− nj=1 2j−1 ·`j ; r0 − nj=1 2j−1 ·rj ), it is obvious
P P
n Pn
that r0 = u+ j=1 2j−1 ·rj and ` = j=1 2j−1 ·`j = `0 . If an
P
Theorem 4. The Σ-protocol in Fig. 2 for knowledge of one out
of N commitments opening to 0 is perfectly complete. adversary can forge the index of commitment to 0 to make
It is (perfect) (n + 1)-special sound if the commitment it not equal to the open of c0 , but pass the verification with
0
scheme is (perfectly) binding. It is (perfect) special hon- probability, he is able to construct Qn c 2(j−1) that is not a
j=1 c`
j
est verifier zero-knowledge if the commitment scheme is commitment to 0 but can pass the verification, which means
(perfectly) hiding. that he has probability of breaking the binding property
Proof: We add a commitment of index `, that is c0 = of the commitment scheme. Given two different challenges
Com(`; r0 ), to the one-out-of-many proofs in [12], in order and corresponding responses, the added witnesses can be
to guarantee that the index of the commitment to 0 in each extracted, nevertheless, the original extractor needs n + 1
row is identical. In [12], authors constructed a extractor to different challenges and corresponding responses, so our
prove their Σ-protocol is (perfect) (n+1)-special sound if the new Σ-protocol is (n + 1)-special sound.
commitment scheme is (perfectly) binding, and constructed It is necessary to illustrate that in PBT we need to execute
a simulator to prove (perfect) special honest verifier zero- our new Σ-protocol m + 1 times to generate a proof for
knowledge if the commitment scheme is (perfectly) hiding. each row respectively, and we use the identical c0 in the
Our new Σ-protocol inherits the security property of one- m + 1 executions. The binding property of the commitment
out-of-many proofs. Then we will modify the extractor and scheme ensure that the commitments to 0 are in the same
simulator in [12] to prove our protocol is (perfect) (n + 1)- column.
special sound and (perfect) special honest verifier zero- Special honest verifier zero-knowledge (SHVZK):
knowledge, and prove the perfect completeness in brief. The simulator descripted in [12] can generate initial
Perfect completeness: Firstly, we will show that the messages (c`1 , ca1 , cb1 , cd0 , · · · c`n , can , cbn , cdn−1 ) and re-
added part is perfectly complete. It is easy to compute sponses (f1 , za1 , zb1 , fn , zan , zbn , zd ). Specifically, the sim-
0
cu = Qn c 2(j−1) = Com(` − nj=1 2j−1 · `j ; r0 − nj=1 2j−1 ·
P P ulator in [12] picks the responses uniformly at random
j=1 c`
j as (f1 , za1 , zb1 , fn , zan , zbn , zd ) ← Zq . Then it chooses
rj ) = Com(0; u) and cxu · cv = Com(0; u · x) · Com(0; v) = c`1 , · · · , c`n , cd1 , · · · , cdn−1 as random commitments to 0. Fi-
Com(0; zu ). So we can use the verification equation to show nally, it uses the above messages and responses to compute
that the protocol is perfectly complete. (ca1 , · · · , can , cb1 , · · · , cbn ) and cd0 to satisfy the verification
(n+1)-special soundness: The extractor in [12] can ex- equation. And the authors argued that an adversary that
tract the witnesses of c`j and c` , so we can get
Pn`j , rj and r, distinguishes the simulation from a real argument with
and get the value of `0 by computing `0 = j=1 2j−1 · `j . advantage can be turned into an adversary that breaks

Then we will present we can modify the extractor to get the the hiding property of the commitment scheme with 2n−1
(1)
randomness r0 of commitment c0 too, given responses zu advantage. We need to add computation to the simula-
(2) tor to generate cv and zu besides above-mentioned ini-
and zu to two different challenges x(1) and x(2) . We have
x(1) (1) (2)
cu · cv = Com(0; zu ) and cxu · cv = Com(0; zu ), so
(2) tial messages and responses. The simulator gets the cu =
c0
(1) (2) (1) (2) and randomly selects zu ← Zq , then computes
we can get cxu −x = Com(0; zu − zu ) and then get the Qn
j=1
2(j−1)
c`
j

cv = c−x u · Com(0; zu ) where x is a challenge. We can see par ← Pg(1λ ):

that in both real proofs and simulated proofs zu is uniformly Let G be a cyclic group of prime order q ,
random in Zq , and the verification equations uniquely de- and choose a random generator g ← G
termine cu and cv conditioned on zu , c0 and (c`1 , · · · , c`n ). return par = (G, q, g)
So in our added part, the adversary’s advantage comes
from being able to distinguish real and simulated com- (x, X) ← Kg(par):
mitments c`1 , · · · , c`n . Overall, a distinguisher used to dis- Generate a random secret key x ← Zq ,
tinguish our modified simulation from a real argument and generate corresponding verify key X ← g x
must can distinguish (f1 , za1 , zb1 , fn , zan , zbn , zd , zu ) and return (x, X)
(c`1 , · · · , c`n , cd1 , · · · , cdn−1 ) in simulation and real execu-
tion. Both of the responses (f1 , za1 , zb1 , fn , zan , zbn , zd , zu ) σ ← Sign(L = {X1 , · · · , Xm }, {x1 , · · · , xm }, Msgs ):
in simulation and real execution are uniformly random For i = 1, · · · , m
in Zq , so we just need to consider the initial messages Choose random ri ← Zq
(c`1 , · · · , c`n , cd1 , · · · , cdn−1 ). Ri ←Q g ri
The standard hybrid argument is showed in Fig. 9 and R← m i=1 Ri
Fig. 10 in Appendix A. Game0 represents the simulator, For i = 1, · · · , m
and Game1 replaces the c`1 = Com(0; r10 ) with c`1 = ci ← H(Xi kRkhLikMsgs )
Com(`1 ; r1 ) and adjusts the relevant initial messages and where H is a hash function
responses, Game2 replaces the c`1 = Com(0; r10 ) and c`2 = and hLi is a unique encoding of L
Com(0; r20 ) with c`1 = Com(`1 ; r1 ) and c`2 = Com(`2 ; r2 ) ← xi ci + ri
si P
respectively, and so on. An adversary who can distinguish s← m i=1 si mod q
Game0 from Game1 is able to distinguish Com(`1 , r1 ) from return σ = (R, s)
Com(0; r10 ) with the same probability, the difference holds
until Game2n−1 . b ← Verf(L = {X1 , · · · , Xm }, Msgs , σ):
The difference between Game2n−1 and Game2n+1 is For i = 1, · · · , m
whether the zd and zu are chosen at random or calculated ci ← H(Xi kRkhLikMsg s)
according to challenge x, but they are uniformly random in Qm
check g s = R i=1 Xici
Zq . Therefore, if an adversary can distinguish the modified return 1 if true, or 0 otherwise.
simulator from a real argument with advantage, he can
break the hiding property of the commitment scheme with Fig. 3: Multi-signature based on Schnorr signature

2n−1 advantage too. In our protocol, we use Pedersen
commitment that has perfectly hiding property, so our new
protocol is perfect special honest verifier zero-knowledge. Theorem 5. Assuming the DL problem in G is hard, the func-
In PBT, we need to execute our new Σ-protocol m + tion H is a random oracle, the multi-signature presented
1 times, if we regard the m + 1 simulators as an integral in Fig. 3 is (t, qS , qH , N, )-secure.
simulator, according to a standard hybrid argument, there

is a (m+1)(2n−1) advantage in breaking the hiding property The multi-signature in [22] is a interactive version in
of the commitment scheme. which there are multiple signers to sign, but in PBT, we
need the single user with m different key pairs to sign,
3.3.2 Pedersen commitment which is a special case. If the single user has all the sign
keys, we can regard the non-interactive version in PBT as
As shown in [12], the Pedersen commitment is naturally
the interactive construction in [22] without adversaries. But
a homomorphic commitment scheme. Its key generation
if not, it is equal to that there are adversaries in the interac-
algorithm CKGen and commit algorithm Com are described
tive construction who want to win the (t, qS , qH , N )-game.
respectively as:
Thus, it is obviously that interactive and non-interactive
• CKGen(1λ ): on input a security parameter 1λ , out- versions are equivalent, and the multi-signature in PBT is
puts the commitment key ctk = (Gq , q, g, h), where (t, qS , qH , N, )-secure.
Gq is a cyclic group of prime order q and g, h are
random generators of Gq .
• Com(ctk, m): to commit to a message m ∈ Zq , the 4 E XPERIMENTS
algorithm randomly picks r ∈ Zq and computes c = 4.1 Performance of PBT
g m hr .
To evaluate the performance of payment protocol, we se-
As well known, this commitment scheme is perfectly hiding lect main indicators such as the execution latency and the
and computationally strongly binding under the discrete space efficiency. Execution latency indicates the complexity
logarithm assumption in Gq . of the algorithm, which is evaluated by execution time of
Spend and Verify. Space efficiency, on the other hand, affects
3.3.3 Multi-signature the efficiency of communication between two sides of the
Our construction of multi-signature is based on the Schnorr protocol and we use the size of signature (π declared in
signature, and is the non-interactive version of the multi- Section 3.1) to present it.
signature construction presented in [22]. See Fig. 3 for Our Java implementation builds the whole process of
details. the payment protocol. We use Pedersen commitment as the

homomorphic commitment scheme and Schnorr signature

as the multi-signature algorithm. All cryptographic methods
are built based on Elliptic Curves. We select Curve25519
offering 128 bits of security, which is the standard curve of
EdDSA scheme and used in RingCT 1.0 [9], as the curve in
our payment protocol.
Experiment environment and parameters. All experi-
ments in this section is performed on a laptop with 4GB
RAM (3.85GB available) and Intel i5-6200U CPU (2 kernels).
Each statistic of execution time is the arithmetic mean of 100
repetitive executions and each execution deploys various,
randomly generated arguments (e.g. key pairs, random
(a) Execution time of Verify on various number of groups.
numbers and amounts). To make the experiment compre-
hensive and simple, we set the number of outputs (R in
Spend) to a constant 1 and set the message (msg in Spend) to
a blank string. It is easy to learn the choice of output number
and transaction message can hardly affect the performance
of our payment protocol.
We denote by m as the number of accounts one group
contains (the number of inputs) and denotes by n as the
number of groups. We run experiments to evaluate execu-
tion latency and space efficiency on different settings of m
and n.
Execution latency. Fig. 4 and Fig. 5 depict the results
of experiments on execution latency. The result shows the (b) Execution time of Verify on various number of inputs.
execution time is linear to both m and n. Within 14 seconds,
our payment protocol can easily accomplish the Spend and Fig. 5: Execution latency of Verify on different number of
Verify on 1024 groups with 20 accounts in each, which inputs (m) and number of groups (n).
shows the proposed protocol is practical to implement.
shows that the signature size (π in Spend) is almost linear
to m. If we use constant size of index number (l in Spend)
the signature size is independent with n. To further save
the space usage, we set the size of l according to n. For
example, if n is smaller than 16, which means the largest
possible value of index l is 15, we only use 4 bits to
present l. In this way, the signature size is O(log n) and
overall communication space usage is O((m + 1) log n). In
contrast to [9], the proposed protocol presents a significant
space/bandwidth saving. And in the experiment, we store
the points of elliptic curve in a compressed form [29], that
means only x coordinate and a 8-bit prefix, rather than both
(a) Execution time of Spend on various number of groups. x coordinate and y coordinate, are stored to represent a
point. Specifically, in this way, we just need 33 bytes to
represent a point of Curve25519.

4.2 Comparison with other protocols

In this section, we theoretically compare the efficiency of
PBT with RingCT 1.0 [9] and RingCT 2.0 [21], and we give
the computational complexity and communication complex-
ity in Table 1 firstly. In the comparison, we only take into
account of the expensive operations, mainly exponentiation
and bilinear pairing. Then we implement the three protocols
in Java to quantitatively compare them through experi-
ments. As for RingCT 1.0 and PBT, we use Curve25519
(b) Execution time of Spend on various number of inputs.
as the underlying elliptic curve. However, Curve25519 is
Fig. 4: Execution latency of Spend on different number of not pairing-friendly and there are bilinear pairing maps in
inputs (m) and number of groups (n). RingCT 2.0, so we choose the Type A elliptic curve over
the field Fq (where q is 256-bit) in jPBC library [30] as the
Space efficiency. Fig. 6 demonstrates the relationship curve in RingCT 2.0. And for all the three protocols, we store
between signature size and the choice of m and n. It clearly points on elliptic curve in a compressed form mentioned

TABLE 1: Comparison with different protocols.

Protocl Spender Verifier Communication
2.1mn · exp1 2.2mn · exp1 m|G1 | + 1|H|
RingCT 1.0
+mn · Hp +mn · Hp +mn|Zp |
3.2|Zp |(m + 1) · expq (|Zp | + 5)(m + 1)|G1 |
0.4(m + 1)(n + 1) · exp1
+(1.1|Zp | + 0.4n + 4)(m + 1) · exp1 +(3|Zp | + 6)(m + 1)|Zp |
RingCT 2.0 +(m + 1) · p
+3(m + 1) · p +3|Zp |(m + 1)|Zq |
+(m + 1) · expT
+2.2m + 1) · expT +(m + 1)|GT |
(m + 1)(n + 7 · logn + 1) · expq (m + 1)(7 · logn + n + 3) · expq (m + 1)(4 · logn + 1)|Gq |
PBT
+logn · expq +logn · expq +(m + 1)(3 · logn + 2)|Zq |
*
”n”: the number of group of input accounts; ”m”: the number of input accounts in each group; ”expx ”: an exponentiation
operation in group Gx ; ”p”: a bilinear pairing operation; ”Hp ”: a map-to-point hash function; ”|H|”: the output size of a hash
function H; ”|Gx |”: the length of element in group Gx , similarly for |Zx |.

(a) Proof size on various number of groups. (a) Comparison of Spend execution time on various number of
groups.

(b) Proof size on various number of inputs.

(b) Comparison of Verify execution time on various number of
Fig. 6: Space efficiency (size of proofs) of PBT protocol on groups.
different number of inputs (m) and number of groups (n).
Fig. 7: Comparison of execution latency among RingCT 1.0,
RingCT 2.0 and PBT on different number of groups (n) and
the same number of inputs (m = 20).
before. The larger the number of groups n is, the better
the privacy of the protocol is, thus we run experiments to
compare the three protocols in terms of execution latency nature in PBT increases logarithmically with the number n
and space efficiency on different settings of n and the same as mentioned before. From the theoretical analysis, RingCT
m = 20. 2.0 is the best protocol in terms of space efficiency, because
Execution latency. We can see from Fig. 7 that the spend its signature size is independent of the number of groups
time and verify time in the three protocols increase linearly n, but from the experimental results, we can see that the
with the number of groups n, but the execution time of signature size in RingCT 2.0 is much larger than that in
RingCT 2.0 is much longer than that of the other two, RingCT 1.0 and PBT. And for the fixed number of inputs
and PBT is the most efficient in the three protocols. The m = 20, the signature size in RingCT 1.0 will be larger
experimental results are consistent with the theoretical data than that in RingCT 2.0 only when the number of groups
in Table 1, which shows that there are much more expensive n is about 2000. Fig. 8 shows that as the number of groups
operations in RingCT 2.0 than the other two protocols. increases, the signature size in PBT increases too slowly to
Space efficiency. We can see from Fig. 8 that the size of exceed the signature size of RingCT 1.0 and RingCT 2.0.
signature in RingCT 1.0 increases linearly with the number Therefore, from a practical point of view, PBT is the most
n of groups, and the size of signature in RingCT 2.0 is space-saving.
independent of the number of groups, and the size of sig- To sum up, PBT protocol is better than RingCT 1.0

from the linear growing size with the number of groups.

The signature size in RingCT 2.0 is constant with respect
to the number of groups in theory, but its performance is
far from being practical because of the accumulator and
zero-knowledge proof, and it depends on a trusted setup.
We believe the significant space complexity improvement
in PBT will improve the overall efficiency and security
of Monero. Specially, we give a general construction and
rigorously prove its security, so we can instantiate it in
different ways. We give only one instantiation in this work,
we will further study different instantiations to get more
efficient and quantum-resistant protocols in the future.
Fig. 8: Comparison of signature size among RingCT 1.0,
RingCT 2.0 and PBT on different number of groups (n) and
the same number of inputs (m = 20). ACKNOWLEDGMENT
We would like to thank the anonymous reviewers for
and RingCT 2.0 in terms of execution latency and space their comments and suggestions. This work is supported
efficiency, and it is more applicable to practical scenarios. in part by the National Natural Science Foundation of
China (NSFC) (No. 61802255, 61672347, 61672339, 61932014,
61572318).
5 D ISCUSSION
In this section, we discuss the generation of one-time
addresses. We all know that in order to guarantee the R EFERENCES
anonymity of receivers, the out addresses must be one- [1] S. Nakamoto, “Bitcoin: A Peer-to-Peer Electronic Cash System
time. In Monero, they used the stealth address that includes — Satoshi Nakamoto Institute,” p. 1, 2008. [Online]. Available:
http://nakamotoinstitute.org/bitcoin/
a permanent address, and senders can generate the one- [2] P. Koshy, D. Koshy, and P. D. McDaniel, “An analysis of anonymity
time address for receivers in every transaction. When the in bitcoin using P2P network traffic,” in Financial Cryptography and
receivers spend their coins in the one-time address, the Data Security - 18th International Conference, FC 2014, Christ Church,
pervious senders cannot find it. In our protocol, we also Barbados, March 3-7, 2014, Revised Selected Papers, 2014, pp. 469–485.
[3] E. Heilman, L. AlShenibr, F. Baldimtsi, A. Scafuro, and
use the one-time address, but we need receivers generate S. Goldberg, “TumbleBit: An Untrusted Bitcoin-Compatible
their own one-time addresses by themselves and send these Anonymous Payment Hub,” in Proceedings 2017 Network
addresses to senders in a private way. Because in our pro- and Distributed System Security Symposium, 2017. [Online].
Available: https://www.ndss-symposium.org/ndss2017/ndss-
tocol, a sender need to release the verification keys mvk 2017-programme/tumblebit-untrusted-bitcoin-compatible-
and corresponding serial numbers s = H(mvk) when they anonymous-payment-hub/
want to spend the coins in address pk = hx0 hs1 . If the pk [4] T. Ruffing, P. Moreno-Sanchez, and A. Kate, “CoinShuffle: Practical
is generated by the previous sender, there are two cases. decentralized coin mixing for Bitcoin,” in European Symposium on
Research in Computer Security. Springer, 2014, pp. 345–364.
One is the previous sender generates the one-time mvk , and [5] I. Miers, C. Garman, M. Green, and A. D. Rubin, “Zerocoin:
the corresponding msk is known only to the sender, but in Anonymous distributed e-cash from bitcoin,” in Proceedings - IEEE
this case the previous sender can find the sender spends Symposium on Security and Privacy, 2013, pp. 397–411.
[6] E. Ben-Sasson, A. Chiesa, C. Garman, M. Green, I. Miers,
these coins. The other is the previous sender generates the E. Tromer, and M. Virza, “Zerocash: Decentralized anonymous
0 0
one-time address pk 0 = hx0 hs1 from a permanent address payments from bitcoin,” in 2014 IEEE Symposium on Security and
x0 s 0
pk0 = h0 h1 , but in this case the sender cannot know the Privacy, SP 2014, Berkeley, CA, USA, May 18-21, 2014, 2014, pp. 459–
one-time msk . 474. [Online]. Available: http://dx.doi.org/10.1109/SP.2014.36
[7] “Monero,” https://www.getmonero.org/.
Therefore, in our protocol, we need receivers to generate [8] N. van Saberhagen, “Cryptonote v 2.0,” 2013. [Online]. Available:
the one-time addresses and send them to senders in a https://cryptonote.org/whitepaper.pdf
private way. Senders cannot know the serial number s in [9] S. Noether, “Ring Signature Confidential Transactions for Mon-
ero,” Cryptology ePrint Archive, Report 2015/1098, 2015,
address pk in advance, and receiver knows the signing key http://eprint.iacr.org/.
msk for spending later. The shortcoming will make our [10] J. K. Liu, V. K. Wei, and D. S. Wong, “Linkable Spontaneous
protocol less flexible during usage, but there are hierarchical Anonymous Group Signature for Ad Hoc Groups (Extended Ab-
deterministic wallets can manage these one-time addresses stract),” in ACISP 2004, ser. Lecture Notes in Computer Science,
vol. 3108. Springer, 2004.
efficiently, so it is not necessary to store all the one-time [11] S.-F. Sun, M. H. Au, J. K. Liu, and T. H. Yuen, “Ringct 2.0:
addresses. Nevertheless, we will modify our protocol to A compact accumulator-based (linkable ring signature) protocol
support stealth addresses in the future. for blockchain cryptocurrency monero,” in Computer Security –
ESORICS 2017, S. N. Foley, D. Gollmann, and E. Snekkenes, Eds.
Cham: Springer International Publishing, 2017, pp. 456–474.
6 C ONCLUSION [12] J. Groth and M. Kohlweiss, “One-out-of-many proofs: Or how
to leak a secret and spend a coin,” in Advances in Cryptology -
In this work, we propose a privacy-preserving payment pro- EUROCRYPT 2015 - 34th Annual International Conference on the
tocol PBT, based on a specific homomorphic commitment, Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria,
a modified Σ-protocol for one-out-of-many commitments, April 26-30, 2015, Proceedings, Part II, 2015, pp. 253–280.
and a multi-signature scheme. The output size of PBT pro- [13] T. H. Yuen, S. feng Sun, J. K. Liu, M. H. Au, M. F. Esgin, Q. Zhang,
and D. Gu, “Ringct 3.0 for blockchain confidential transaction:
tocol is a logarithmic number of groups included in the gen- Shorter size and stronger security,” Cryptology ePrint Archive,
eralized ring, while the RingCT protocol in Monero suffers Report 2019/508, 2019, https://eprint.iacr.org/2019/508.

[14] R. W. Lai, V. Ronge, T. Ruffing, D. Schröder, S. A. K. Thyagarajan, June 28 - July 1, 2011, 2011, pp. 850–855. [Online]. Available:
and J. Wang, “Omniring: Scaling private payments without trusted https://doi.org/10.1109/ISCC.2011.5983948
setup,” in Proceedings of the 2019 ACM SIGSAC Conference on
Computer and Communications Security, 2019, pp. 31–48.
[15] B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and
G. Maxwell, “Bulletproofs: Short proofs for confidential
transactions and more,” in 2018 IEEE Symposium on Security
and Privacy, SP 2018, Proceedings, 21-23 May 2018, San Francisco,
California, USA. IEEE Computer Society, 2018, pp. 315–334.
[Online]. Available: https://doi.org/10.1109/SP.2018.00020 Yanxue Jia received BE degree in Shang-
[16] W. A. Alberto Torres, R. Steinfeld, A. Sakzad, J. K. Liu, V. Kuchta, hai Jiao Tong University, China. She is cur-
N. Bhattacharjee, M. H. Au, and J. Cheng, “Post-quantum one- rently pursuing Ph.D at the Department of Com-
time linkable ring signature and application to ring confidential puter Science and Engineering in Shanghai Jiao
transactions in blockchain (lattice ringct v1.0),” in Information Tong University. Her research interests include
Security and Privacy, W. Susilo and G. Yang, Eds. Cham: Springer blockchain technology, multi-party computation
International Publishing, 2018, pp. 558–576. and privacy enhanced technology.
[17] W. A. Torres, V. Kuchta, R. Steinfeld, A. Sakzad, J. K. Liu,
and J. Cheng, “Lattice ringct v2.0 with multiple input and out-
put wallets,” Cryptology ePrint Archive, Report 2019/569, 2019,
https://eprint.iacr.org/2019/569.
[18] M. F. Esgin, R. K. Zhao, R. Steinfeld, J. K. Liu, and
D. Liu, “Matrict: Efficient, scalable and post-quantum blockchain
confidential transactions protocol,” in Proceedings of the 2019 ACM
SIGSAC Conference on Computer and Communications Security, CCS
2019, London, UK, November 11-15, 2019, L. Cavallaro, J. Kinder,
X. Wang, and J. Katz, Eds. ACM, 2019, pp. 567–584. [Online]. Shi-Feng Sun was awarded his Ph.D degree in
Available: https://doi.org/10.1145/3319535.3354200 Computer Science and Technology from Shang-
[19] M. F. Esgin, R. Steinfeld, A. Sakzad, J. K. Liu, and D. Liu, “Short hai Jiao Tong University in 2016. During his
lattice-based one-out-of-many proofs and applications to ring Ph.D. study, he worked as a visiting scholar in
signatures,” Cryptology ePrint Archive, Report 2018/773, 2018, the Department of Computing and Information
https://eprint.iacr.org/2018/773. Systems at the University of Melbourne for one
[20] T. Ruffing, S. A. K. Thyagarajan, V. Ronge, and D. Schröder, year. He was a postdoc fellow in Department
“Burning zerocoins for fun and for profit: A cryptographic denial- of Computing at PolyU, Hong Kong under the
of-spending attack on the zerocoin protocol,” IACR Cryptology supervision of A/Prof. Man Ho Au. After that,
ePrint Archive, vol. 2018, p. 612, 2018. [Online]. Available: he worked as a research fellow in the Faculty
https://eprint.iacr.org/2018/612 of Information Technology at Monash University.
[21] S.-F. Sun, M. H. Au, J. K. Liu, and T. H. Yuen, “RingCT 2.0: A Currently, he is a Lecturer in the Department of Software Systems and
Compact Accumulator-Based (Linkable Ring Signature) Protocol Cybersecurity at Monash University. His research interest centers on
for Blockchain Cryptocurrency Monero (Full Version),” Cryptol- cryptography and data privacy, particularly on provably secure cryp-
ogy ePrint Archive, Report 2017, 2017, http://eprint.iacr.org/. tosystems against physical attacks, data privacy-preserving technology
[22] M. Bellare and G. Neven, “Multi-Signatures in the Plain in cloud storage, and privacy-enhancing technology in blockchain.
Public-Key Model and a General Forking Lemma,” CCS
2006: Proceedings of the 13th ACM conference on Computer and
communications security, pp. 390–399, 2006. [Online]. Available:
http://dl.acm.org/citation.cfm?id=1180453
[23] G. Maxwell, A. Poelstra, Y. Seurin, and P. Wuille, “Simple
schnorr multi-signatures with applications to bitcoin,” Des. Codes
Cryptogr., vol. 87, no. 9, pp. 2139–2164, 2019. [Online]. Available:
https://doi.org/10.1007/s10623-019-00608-x Yuncong Zhang received Bachelor’s degree
[24] C. Schnorr, “Efficient signature generation by smart cards,” J. and Master’s degree in Shanghai Jiao Tong
Cryptology, vol. 4, no. 3, pp. 161–174, 1991. [Online]. Available: University, China. He is currently pursuing
https://doi.org/10.1007/BF00196725 Ph.D at the School of Cybersecurity in
[25] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the Shanghai Jiao Tong University. His research
weil pairing,” J. Cryptology, vol. 17, no. 4, pp. 297–319, 2004. interests include lattice-based cryptography,
[Online]. Available: https://doi.org/10.1007/s00145-004-0314-9 zero-knowledge proofs, cryptocurrency, and
[26] T. Ristenpart and S. Yilek, “The power of proofs-of- blockchain technology.
possession: Securing multiparty signatures against rogue-key
attacks,” in Advances in Cryptology - EUROCRYPT 2007,
26th Annual International Conference on the Theory and
Applications of Cryptographic Techniques, Barcelona, Spain, May
20-24, 2007, Proceedings, 2007, pp. 228–245. [Online]. Available:
https://doi.org/10.1007/978-3-540-72540-4 13
[27] D. Boneh, M. Drijvers, and G. Neven, “Compact multi-signatures
for smaller blockchains,” in Advances in Cryptology - ASIACRYPT
2018 - 24th International Conference on the Theory and Application Qingzhao Zhang received the BE degree from
of Cryptology and Information Security, Brisbane, QLD, Australia, School of Cyber Security, Shanghai Jiao Tong
December 2-6, 2018, Proceedings, Part II, 2018, pp. 435–464. [Online]. University, China in 2019. He is currently a first-
Available: https://doi.org/10.1007/978-3-030-03329-3 15 year Ph.D. student in University of Michigan. His
[28] V. R. Tim Ruffing, Sri Aravinda Thyagarajan and D. Schroder, research interests include software engineering,
“Burning zerocoins for fun and for profit,” 2018. [Online]. network security, and system security.
Available: https://www.chaac.tf.fau.de/files/2018/04/attack-
cryptocur.pdf
[29] A. M. Antonopoulos, Mastering Bitcoin: Programming the Open
Blockchain, 2nd ed. O’Reilly Media, Inc., 2017.
[30] A. D. Caro and V. Iovino, “jpbc: Java pairing based
cryptography,” in Proceedings of the 16th IEEE Symposium on
Computers and Communications, ISCC 2011, Kerkyra, Corfu, Greece,

Ning Ding received the Ph.D. degree in Com-

puter Science in 2009 from Shanghai Jiao Tong
University China. He is currently an associate
professor in School of Electronic Information and
Electrical Engineering of Shanghai Jiao Tong
University China. His research interests include
cryptography and computational learning theory.

Zhiqiang Liu is an Associate Professor in the

department of Computer Science and Engi-
neering at Shanghai Jiao Tong University. His
research interests include cryptocurrency and
blockchain technology, privacy preserving, de-
sign and analysis of symmetric-key cryptogra-
phy, sidechannel attacks, white-box cryptogra-
phy

Joseph K. Liu is an Associate Professor in

the Faculty of Information Technology, Monash
University. He got his PhD from the Chinese
University of Hong Kong at 2004. Prior to joining
Monash at 2015, he has worked as a research
scientist at Institute for Infocomm Research (I2R)
in Singapore for more than 7 years. His re-
search areas include cyber security, blockchain,
IoT security, applied cryptography and privacy
enhanced technology. He has received more
than 5700 citations and his H-index is 43, with
more than 170 publications in top venues such as CRYPTO, ACM CCS.
He is currently the lead of the Monash Cyber Security Group. He has
established the Monash Blockchain Technology Centre at 2019 and
serves as the founding director.

Dawu Gu received from Xidian University of

China his B.S. degree in applied mathematics
in 1992, M.S. in 1995, and Ph.D. degree in
1998 both in cryptography. He is now a distin-
guished professor at Shanghai Jiao Tong Univer-
sity in Computer Science and Engineering De-
partment. His research interests include crypto
algorithms, crypto engineering, and system se-
curity. His major work has been published in jour-
nals or conferences such as CRYPTO, CHES,
FSE, TCC, CCS, ACSAC. He also served as PC
members of international conferences such as ASIACRYPT, ASIACCS,
ACNS, ISC, ISPEC, ICICS, Globecom, IEEE TrustCom, and NSS for
more than 30 times.

A PPENDIX A
H YBRID EXPERIMENTS FOR PROVING SHVZK
We use hybrid experiments to prove the special honest veri-
fier zero-knowledge (SHVZK) of the extended Σ protocol for
one-out-of-many proof in Fig. 2, and the hybrid experiments
are showed in Fig. 9 and Fig. 10.

Game0 (Simulator) Gamei (i ∈ [1, n])

x ← {0, 1}λ x ← {0, 1}λ
f1 , · · · , fn , za1 , · · · , zan , zb1 , · · · , zbn , zd ← Zq fi+1 , · · · , fn , zai+1 , · · · , zan , zbi+1 , · · · , zbn , zd ← Zq
c`1 , c`2 , · · · , c`n ← Comck (0) For j = 1, · · · , i
cd1 , cd2 , · · · , cdn−1 ← Comck (0) rj , aj , sj , tj ← Zq
For j = 1, · · · , n c`j = Com(`j , rj )
f −x
caj = c−x `j Com(f j ; zaj ); cbj = c`j Com(0; zbj ) caj = Com(aj , sj )
cbj = Com(`j aj , tj )
Qn
Q −1 j=1 fj,ij Qn−1 −xk
cd0 = N i=0 ci · k=1 cdk · Com(0; −zd ) c`i+1 , · · · , c`n ← Comck (0)
0
cu = Qn c 2(j−1) ; zu ← Zq ; cv = Com(0;z cx
u)
cd1 , cd2 , · · · , cdn−1 ← Comck (0)
j=1 c` u
j
For j = i + 1, · · · , n
f −x
caj = c−x `j Com(f j ; zaj ); cbj = c`j Com(0; zbj )
QN −1 nj=1 fj,ij Qn−1 −xk
Q
cd0 = i=0 ci · k=1 cdk · Com(0; −zd )
0
cu = Qn c 2(j−1) ; zu ← Zq ; cv = Com(0;z cx
u)

j=1 c` u
j
For j = 1, · · · , i
fj = `j x + aj ; zaj = rj x + sj
zbj = rj (x − fj ) + tj

Gamei (i ∈ [n + 1, 2n − 2]) Game2n−1

x ← {0, 1}λ x ← {0, 1}λ
zd ← Zq zd ← Zq
For j = 1, · · · , n For j = 1, · · · , n
rj , aj , sj , tj ← Zq rj , aj , sj , tj ← Zq
c`j = Com(`j , rj ); caj = Com(aj , sj ) c`j = Com(`j , rj ); caj = Com(aj , sj )
cbj = Com(`j aj , tj ) cbj = Com(`j aj , tj )
For j = 1, · · · , i − n For j = 1, · · · , n − 1
ρj ← Z q ρj ← Zq
Q −1 pi,k Q −1 pi,k
cdj = N i=0 Qci Com(0; ρk ) cdj = N i=0 Qci Com(0; ρk )
QN −1 nj=1 fj,ij Qn−1 −xk QN −1 nj=1 fj,ij Qn−1 −xk
cd0 = i=0 ci · k=1 cdk · Com(0; −zd ) cd0 = i=0 ci · k=1 cdk · Com(0; −zd )
c0 c0
cu = Qn 2(j−1) ; zu ← Zq ; cv = Com(0;zcx
u)
cu = Qn 2(j−1) ; zu ← Zq ; cv = Com(0;zcx
u)

j=1 c` u
j=1 c` u
j j
For j = 1, · · · , i For j = 1, · · · , i
fj = `j x + aj ; zaj = rj x + sj fj = `j x + aj ; zaj = rj x + sj
zbj = rj (x − fj ) + tj zbj = rj (x − fj ) + tj

Fig. 9: Hybrid argument (1): replace c`1 , · · · , c`n , cd1 , · · · , cdn−1 in turn.

Game2n Game2n+1 (Real)

x ← {0, 1}λ x ← {0, 1}λ
For j = 1, · · · , n using k = j − 1 v ← Zq
rj , aj , sj , tj , ρk ← Zq For j = 1, · · · , n using k = j − 1
c`j = Com(`j , rj ) rj , aj , sj , tj , ρk ← Zq
caj = Com(aj , sj ) c`j = Com(`j ; rj )
cbj = Com(`j aj , tj ) caj = Com(aj ; sj )
Q −1 pi,k
cdk = N i=0 ci Com(0; ρk ) cbj = Com(`j aj ; tj )
Q −1 pi,k
cdk = N
0
cu = Qn c 2(j−1) Pi=0 i
c Com(0; ρk )
j=1 c`
j u = r0 − nj=1 2(j−1) · rj
zu ← Z q cv = Com(0; v)
cv = Com(0;z
cx
u)
For j = 1, · · · , n
u
For j = 1, · · · , i fj = `j x + aj
fj = `j x + aj zaj = rj x + sj
zaj = rj x + sj zbj = rj (x − fj ) + tj
zbj = rj (x − fj ) + tj zd = rxn − n−1 k
P
k=0 ρk x
zd = rxn − n−1 k
P
k=0 ρk x zu = u · x + v

Fig. 10: Hybrid argument (2): replace zd and zu in turn.

The Advance of Ring Confidential Transactions
No ratings yet
The Advance of Ring Confidential Transactions
7 pages
Zcash
No ratings yet
Zcash
3 pages
Compact Confidential Transactions For Bitcoin: Denis Lukianov Published 9 June, Revised 22 December 2015
No ratings yet
Compact Confidential Transactions For Bitcoin: Denis Lukianov Published 9 June, Revised 22 December 2015
18 pages
Polymerized RingCT An Efficient Linkable Ring Signature
No ratings yet
Polymerized RingCT An Efficient Linkable Ring Signature
15 pages
Master Thesis Privacy Preserving and Horizontally Scalable Blockchain Using Zero Knowledge and Distributed Computing
No ratings yet
Master Thesis Privacy Preserving and Horizontally Scalable Blockchain Using Zero Knowledge and Distributed Computing
103 pages
Ring Confidential Transactions
No ratings yet
Ring Confidential Transactions
34 pages
Paper 3. Zerocoin Anonymous Distributed E-Cash From Bitcoin
No ratings yet
Paper 3. Zerocoin Anonymous Distributed E-Cash From Bitcoin
15 pages
118 Paper
No ratings yet
118 Paper
31 pages
Zerocoin - Anonymous Distributed E-Cash From Bitcoin PDF
No ratings yet
Zerocoin - Anonymous Distributed E-Cash From Bitcoin PDF
15 pages
UCoin An Efficient Privacy Preserving Scheme For Cryptocurrencies
No ratings yet
UCoin An Efficient Privacy Preserving Scheme For Cryptocurrencies
14 pages
Trustless Privacy-Preserving Data Aggregation On
No ratings yet
Trustless Privacy-Preserving Data Aggregation On
17 pages
Privacy in Blockchains
No ratings yet
Privacy in Blockchains
7 pages
Ring Confidential Transactions: Research Bulletin MRL-0005
No ratings yet
Ring Confidential Transactions: Research Bulletin MRL-0005
20 pages
DCAP Anonymous Payment System
No ratings yet
DCAP Anonymous Payment System
13 pages
Zero-Knowledge SendProof Protocol
No ratings yet
Zero-Knowledge SendProof Protocol
14 pages
Privacy Coins
No ratings yet
Privacy Coins
15 pages
Confidential Assets & Transactions
No ratings yet
Confidential Assets & Transactions
21 pages
BB Privacy-Enabled, Blockchain-Based Smart Marketplace
No ratings yet
BB Privacy-Enabled, Blockchain-Based Smart Marketplace
16 pages
Bulletproofs: Efficient Zero-Knowledge Proofs
No ratings yet
Bulletproofs: Efficient Zero-Knowledge Proofs
45 pages
2018 1132 Ouruborus
No ratings yet
2018 1132 Ouruborus
54 pages
A Survey On The Applications of Zero-Knowledge Pro
No ratings yet
A Survey On The Applications of Zero-Knowledge Pro
81 pages
Caldarola, D'atri, Zanardo - Neural Fairness Blockchain
No ratings yet
Caldarola, D'atri, Zanardo - Neural Fairness Blockchain
20 pages
Sensors 21 01540 v2
No ratings yet
Sensors 21 01540 v2
17 pages
Privacy Coins - @GasTrading
No ratings yet
Privacy Coins - @GasTrading
4 pages
TNSM-zkFabLedger Enabling Privacy Preserving and Regulatory Compliance in Hyperledger Fabric
No ratings yet
TNSM-zkFabLedger Enabling Privacy Preserving and Regulatory Compliance in Hyperledger Fabric
22 pages
The Dusk Network
No ratings yet
The Dusk Network
36 pages
Suterusu: To Anonymize All The Cryptocurrency in The World
No ratings yet
Suterusu: To Anonymize All The Cryptocurrency in The World
14 pages
Pino Coin
No ratings yet
Pino Coin
3 pages
Obscuring Transaction Information in Decentralized P2P Wireless Networks
No ratings yet
Obscuring Transaction Information in Decentralized P2P Wireless Networks
15 pages
TSP Csse 29622
No ratings yet
TSP Csse 29622
15 pages
Alternative Uses of The Blockchain I (2019!12!17 19-12-19 UTC)
No ratings yet
Alternative Uses of The Blockchain I (2019!12!17 19-12-19 UTC)
42 pages
PePoS A Privacy Enhanced Proof of Stake Consensus Algorithm 8 1
No ratings yet
PePoS A Privacy Enhanced Proof of Stake Consensus Algorithm 8 1
10 pages
Blockchain Privacy in Energy
No ratings yet
Blockchain Privacy in Energy
4 pages
Enhancing Account Privacy in Blockchain-Based Iot Access Control Via Zero Knowledge Proof
No ratings yet
Enhancing Account Privacy in Blockchain-Based Iot Access Control Via Zero Knowledge Proof
7 pages
Whitepaper: Why Daps?
No ratings yet
Whitepaper: Why Daps?
15 pages
Bulletproofs Preceeding
No ratings yet
Bulletproofs Preceeding
20 pages
Design of Personal Data Protection Decentralized Model Using Blockchain and IPFS
No ratings yet
Design of Personal Data Protection Decentralized Model Using Blockchain and IPFS
4 pages
Bulletproofs Short Proofs For Confidential Transactions and More
No ratings yet
Bulletproofs Short Proofs For Confidential Transactions and More
20 pages
The Keep Network: A Privacy Layer For Public Blockchains: Matt Luongo Corbin Pon
No ratings yet
The Keep Network: A Privacy Layer For Public Blockchains: Matt Luongo Corbin Pon
11 pages
Zcash: Abstract - Bitcoin's Transparent, Immutable, Publicly
No ratings yet
Zcash: Abstract - Bitcoin's Transparent, Immutable, Publicly
5 pages
Privacy Coins for Crypto Investors
No ratings yet
Privacy Coins for Crypto Investors
8 pages
SenGupta Slides
No ratings yet
SenGupta Slides
55 pages
Accountable Monero System With Privacy Protection
No ratings yet
Accountable Monero System With Privacy Protection
15 pages
A Survey On Zero-Knowledge Proof in Blockchain
No ratings yet
A Survey On Zero-Knowledge Proof in Blockchain
8 pages
A Survey On Zero-Knowledge Proof in Blockchain
No ratings yet
A Survey On Zero-Knowledge Proof in Blockchain
8 pages
Demystifying The Role of Zk-SNARKs in Zcash
No ratings yet
Demystifying The Role of Zk-SNARKs in Zcash
9 pages
Electronics 13 04260
No ratings yet
Electronics 13 04260
20 pages
415 Bitcoin
No ratings yet
415 Bitcoin
16 pages
Mathematics 12 01481
No ratings yet
Mathematics 12 01481
20 pages
Protecting Data Privacy For Permission Blockchain Using Identity Based Encryption
No ratings yet
Protecting Data Privacy For Permission Blockchain Using Identity Based Encryption
4 pages
Zeleny Ans ZK I 8616997
No ratings yet
Zeleny Ans ZK I 8616997
5 pages
1 Bitcoin Soumy Tiwari
No ratings yet
1 Bitcoin Soumy Tiwari
35 pages
Direct Anonymous Attestation: Cse, 7th Sem
No ratings yet
Direct Anonymous Attestation: Cse, 7th Sem
8 pages
CBDC Design for Privacy-Conscious Users
No ratings yet
CBDC Design for Privacy-Conscious Users
44 pages
Operating ZKPs On Blockchain A Performance Analysis Based On Hyperledger Fabric
No ratings yet
Operating ZKPs On Blockchain A Performance Analysis Based On Hyperledger Fabric
10 pages
Privacy 1
No ratings yet
Privacy 1
1 page
Zero Knowledge
No ratings yet
Zero Knowledge
10 pages
Lightweight Privacy-Preserving Mechanisms For Cross-Chain Transactions
No ratings yet
Lightweight Privacy-Preserving Mechanisms For Cross-Chain Transactions
6 pages
Zether: Towards Privacy in A Smart Contract World: Benedikt, Dabo @cs - Stanford.edu Shaagraw, Mzamani
No ratings yet
Zether: Towards Privacy in A Smart Contract World: Benedikt, Dabo @cs - Stanford.edu Shaagraw, Mzamani
33 pages
FTP Resource Sharing Guide
No ratings yet
FTP Resource Sharing Guide
5 pages
Case One
No ratings yet
Case One
3 pages
Lab W
100% (1)
Lab W
11 pages
5 Reasons To Use Teams
No ratings yet
5 Reasons To Use Teams
2 pages
BIC401
No ratings yet
BIC401
2 pages
Guide Peplink Command Line (CLI)
No ratings yet
Guide Peplink Command Line (CLI)
17 pages
Add Payment Method Bot by @BlackHeadsOP
No ratings yet
Add Payment Method Bot by @BlackHeadsOP
2 pages
Smuat Guide
No ratings yet
Smuat Guide
53 pages
MEMO SBE-v1 - 10-Revd
No ratings yet
MEMO SBE-v1 - 10-Revd
48 pages
Data Recovery Services
No ratings yet
Data Recovery Services
16 pages
ASA 5506 10.2.1.9 Lab B - Configure A Site-to-Site IPsec VPN Using ISR CLI and ASA ASDM
100% (1)
ASA 5506 10.2.1.9 Lab B - Configure A Site-to-Site IPsec VPN Using ISR CLI and ASA ASDM
23 pages
Login Credentials and URLs List
No ratings yet
Login Credentials and URLs List
1,085 pages
IoT Course Exam Pattern & Content
No ratings yet
IoT Course Exam Pattern & Content
214 pages
Frequently Asked Questions (FAQ's) For Taking Online Proctored Examinations
No ratings yet
Frequently Asked Questions (FAQ's) For Taking Online Proctored Examinations
6 pages
CAIM Reading For Ext
No ratings yet
CAIM Reading For Ext
15 pages
Presentation Aveva Plant Scada Product Overview
No ratings yet
Presentation Aveva Plant Scada Product Overview
35 pages
Web Design Question
No ratings yet
Web Design Question
3 pages
Power User Guide Google Search Tips, Tricks and Secrets Unleash The Power of Google Search (2021 Edition) (Savitt, Jason) (Z-Library)
No ratings yet
Power User Guide Google Search Tips, Tricks and Secrets Unleash The Power of Google Search (2021 Edition) (Savitt, Jason) (Z-Library)
164 pages
IPv4 & IPv6 Address Verification Guide
No ratings yet
IPv4 & IPv6 Address Verification Guide
6 pages
Gogolcoin White Paper
No ratings yet
Gogolcoin White Paper
19 pages
BSPHCL: Computer GK
No ratings yet
BSPHCL: Computer GK
6 pages
T2S Eth: Monitoring Unit
No ratings yet
T2S Eth: Monitoring Unit
2 pages
Template 0072
No ratings yet
Template 0072
3 pages
Online Classroom Rules
No ratings yet
Online Classroom Rules
3 pages
L.V. Siva Reddy: Sivareddylella95@
No ratings yet
L.V. Siva Reddy: Sivareddylella95@
3 pages
Process Log
No ratings yet
Process Log
8 pages
Project Management RAID Log
No ratings yet
Project Management RAID Log
8 pages
Smart Cities Mission Policy Roadmap From Vision To Reality
No ratings yet
Smart Cities Mission Policy Roadmap From Vision To Reality
9 pages
2008 TNPSC AE Exam Question Paper Answer Key
No ratings yet
2008 TNPSC AE Exam Question Paper Answer Key
5 pages
STV LC24ST0055W
No ratings yet
STV LC24ST0055W
32 pages