Abstract

Confidential Transactions (CT) hide coin amounts even from verifiers without the help of trusted third parties. Aggregable CTs are a scalable category of CTs with “spent coin record trimming”. For example, if Alice sends coins to Bob, who had sent similar coins to Charles, the aggregated transaction shows only that Alice sent coins to Charles by deleting Bob’s coin records. Since the number of spent coin records grows linearly with the number of transactions, faster than the number of accounts, cash systems based on aggregable CTs are highly scalable. However, existing quantum-safe aggregable CT protocols have large unspent coin records, and existing efficient aggregable CTs are vulnerable to quantum attacks. We introduce two aggregable CT protocols, based on new efficient homomorphic zero-knowledge proofs, from either the plain or Module Short Integer Solution (SIS and MSIS) problems, both believed to be secure against quantum adversaries. We further implement the MSIS-based aggregable CT protocol as a C library. Our experiments on 10^4 transactions show that aggregation reduces the cash system’s size by 40%–54% when the output/input rate is in the range 1/1–2/1. For example, a cash system of 1.73 GB can be reduced to 0.98 GB when the output/input rate is 1.5, which has been the historical real-world average rate.

Highlights

  • Zero-Knowledge (ZK) proofs are exhaustively used in multiparty distributed systems to preserve privacy while maintaining public verification

  • We introduce the first Lattice-based Aggregable Confidential Transactions with binary commitments which are based on the Short Integer Solution (SIS) problem and the Module Short Integer Solution (MSIS) problem

  • We introduce a new aggregate confidential transaction protocol based on the MSIS problem

Summary

INTRODUCTION

Zero-Knowledge (ZK) proofs are exhaustively used in multiparty distributed systems to preserve privacy while maintaining public verification. Stateless cash systems like Mimblewimble [15]–[17] and stateless data systems like Origami datachains [18] aggregate transactions by safely deleting spent coin bundles and stale data records. Stateless cash systems depend on aggregable CTs [22] to safely trim spent coin records. Due to the homomorphic properties of Pedersen commitments, ZK summation proofs can be implemented directly. However, these are Discrete-Log Problem (DLP) based protocols and are vulnerable to quantum adversaries. In [25], the short-norm vectors are [v, r1, r2, ...] for some coin amount v and masking key [r1, r2, ...]. Quantum-safe lattice-based CTs such as [25] are not efficient and have limitations on the commitments that can be added.
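The following Python example is added here to make the aggregation mechanism concrete; it is not code from the paper or its C library. It uses the DLP-based Pedersen commitment that the introduction describes (the construction whose homomorphism yields a direct ZK summation proof), not the paper's lattice-based commitments, and it runs in a toy integer group with no real security. All function names, the transaction layout, and the Alice/Bob/Charles amounts are constructed for illustration; range proofs on outputs are omitted.

```python
"""Toy Mimblewimble-style aggregable confidential transactions (added example).

Shows how an additively homomorphic commitment lets a verifier check
sum(inputs) == sum(outputs) without seeing any amount, and how two chained
transactions aggregate by deleting the intermediate spent coin record
("cut-through"). DLP-based Pedersen commitments, toy parameters only.
"""
import hashlib
import secrets

P = 2**127 - 1   # Mersenne prime; Z_P^* has order N = P - 1 (toy choice, not a prime-order group)
N = P - 1        # exponents live in Z_N; a real scheme uses a prime-order elliptic-curve group


def _hash_to_group(label: bytes) -> int:
    """Derive a generator from a label by hashing and squaring, so that log_G(H)
    is unknown to everyone; that is what makes the commitment binding."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    return pow(x, 2, P)


G = _hash_to_group(b"toy-ct-generator-g")   # constructed labels
H = _hash_to_group(b"toy-ct-generator-h")


def commit(v: int, r: int) -> int:
    """Pedersen commitment C = G^v * H^r (mod P): hides v, binds to (v, r), and is
    additively homomorphic: commit(v1, r1) * commit(v2, r2) == commit(v1 + v2, r1 + r2)."""
    return (pow(G, v, P) * pow(H, r, P)) % P


def _challenge(R: int, E: int, ctx: bytes) -> int:
    """Fiat-Shamir challenge bound to the transaction context."""
    data = ctx + R.to_bytes(16, "big") + E.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def prove_excess(k: int, E: int, ctx: bytes) -> tuple:
    """Schnorr proof of knowledge of k with E = H^k. This is the direct ZK
    summation proof: if amounts did not balance, E would carry a factor
    G^(sum_out - sum_in) and nobody could know log_H(E)."""
    a = secrets.randbelow(N)
    R = pow(H, a, P)
    return (R, (a + _challenge(R, E, ctx) * k) % N)


def verify_excess(E: int, proof: tuple, ctx: bytes) -> bool:
    R, s = proof
    return pow(H, s, P) == (R * pow(E, _challenge(R, E, ctx), P)) % P


def build_tx(inputs, outputs, ctx: bytes) -> dict:
    """Sender side. inputs/outputs are (amount, masking_key) openings the sender knows.
    Returns only what the network sees: commitments plus a kernel (excess, proof, ctx)."""
    k = (sum(r for _, r in outputs) - sum(r for _, r in inputs)) % N
    E = pow(H, k, P)
    return {"inputs": [commit(v, r) for v, r in inputs],
            "outputs": [commit(v, r) for v, r in outputs],
            "kernels": [(E, prove_excess(k, E, ctx), ctx)]}


def verify_tx(tx: dict) -> bool:
    """Verifier side, no amounts known: prod(outputs) / prod(inputs) must equal the
    product of all kernel excesses, and every excess proof must verify."""
    ratio = 1
    for C in tx["outputs"]:
        ratio = ratio * C % P
    for C in tx["inputs"]:
        ratio = ratio * pow(C, -1, P) % P
    excess = 1
    for E, proof, ctx in tx["kernels"]:
        if not verify_excess(E, proof, ctx):
            return False
        excess = excess * E % P
    return ratio == excess


def aggregate(tx1: dict, tx2: dict) -> dict:
    """Cut-through: a coin that is an output of tx1 and an input of tx2 was created and
    spent inside the aggregate, so its record is dropped from both lists. Kernels are
    kept, so the homomorphic balance check still holds for the merged transaction."""
    outputs = list(tx1["outputs"]) + list(tx2["outputs"])
    inputs = list(tx1["inputs"]) + list(tx2["inputs"])
    for C in set(tx1["outputs"]) & set(tx2["inputs"]):
        outputs.remove(C)
        inputs.remove(C)
    return {"inputs": inputs, "outputs": outputs,
            "kernels": tx1["kernels"] + tx2["kernels"]}


def demo() -> dict:
    """Constructed scenario: Alice pays Bob 30 (20 change); Bob pays Charles 30."""
    alice_coin = (50, secrets.randbelow(N))
    bob_coin, alice_change = (30, secrets.randbelow(N)), (20, secrets.randbelow(N))
    charles_coin = (30, secrets.randbelow(N))
    tx1 = build_tx([alice_coin], [bob_coin, alice_change], b"tx1")
    tx2 = build_tx([bob_coin], [charles_coin], b"tx2")
    agg = aggregate(tx1, tx2)
    bob_gone = commit(*bob_coin) not in agg["outputs"] + agg["inputs"]
    return {"tx1": tx1, "tx2": tx2, "agg": agg, "bob_record_removed": bob_gone}
```

After aggregation the verifier sees only Alice's input, Alice's change, Charles's output and two kernels; Bob's coin record is gone, yet the balance check still passes because the two kernels together account for all masking keys. An unbalanced transaction fails because its commitment ratio carries a G component that no kernel excess can match.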

STATIC CARRIES
RELATED WORK
PRELIMINARIES
PROPERTIES OF CONFIDENTIAL COIN BUNDLES
SECURITY PROOFS FOR SIS PROBLEM BASED TRANSACTIONS
AGGREGABLE CONFIDENTIAL TRANSACTIONS WITH IDEAL LATTICES
SECURITY PROOFS FOR MSIS PROBLEM BASED TRANSACTIONS
SECURITY PROOFS FOR CONFIDENTIAL
CONCLUSION