Abstract

Confidential Transactions (CT) hide coin amounts even from verifiers without the help of trusted third parties. Aggregable CTs are a scalable category of CTs with “spent coin record trimming”. For example, if Alice sends coins to Bob, who had sent similar coins to Charles, the aggregated transaction shows only that Alice sent coins to Charles by deleting Bob’s coin records. Since the number of spent coin records grows linearly with the number of transactions, faster than the number of accounts, cash systems based on aggregable CTs are highly scalable. However, existing quantum-safe aggregable CT protocols have large unspent coin records, and existing efficient aggregable CTs are vulnerable to quantum attacks. We introduce two aggregable CT protocols, based on new efficient homomorphic zero-knowledge proofs, from either the plain or Module Short Integer Solution (SIS and MSIS) problems, both believed to be secure against quantum adversaries. We further implement the MSIS-based aggregable CT protocol as a C library. Our experiments on 10 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">4</sup> transactions show that aggregation reduces the cash system’s size by 40%–54% when the output/input rate is in the range 1/1–2/1. For example, a cash system of 1.73 GB can be reduced to 0.98 GB when the output/input rate is 1.5, which has been the historical real-world average rate.

Highlights

  • Zero-Knowledge (ZK) proofs are exhaustively used in multiparty distributed systems to preserve privacy while maintaining public verification

  • We introduce the first Lattice-based Aggregable Confidential Transactions with binary commitments which are based on the Short Integer Solution (SIS) problem and the Module Short Integer Solution (MSIS) problem

  • We introduce a new aggregate confidential transaction protocol based on the MSIS problem

Read more

Summary

INTRODUCTION

Zero-Knowledge (ZK) proofs are exhaustively used in multiparty distributed systems to preserve privacy while maintaining public verification. Stateless cash systems like Mimblewimble [15]–[17] and stateless data systems like Origami datachains [18] aggregate transactions by safely deleting spent coin bundles and stale data records. Stateless cash systems depend on aggregable CTs [22] to safely trim spent coin records. Due to the homomorphic properties of Pedersen commitments, ZK summation proofs can be implemented directly They are Discrete-Log Problem (DLP) based protocols and vulnerable to quantum adversaries. [25]’s shortnorm vectors are [v, r1, r2..] for some coin amount v and masking key [r1, r2..] Such quantum-safe latticebased CTs as [25] are not efficient and have limitations on the commitments that can be added.

STATIC CARRIES
RELATED WORK
PRELIMINARIES
PROPERTIES OF CONFIDENTIAL COIN BUNDLES
SECURITY PROOFS FOR SIS PROBLEM BASED TRANSACTIONS
AGGREGABLE CONFIDENTIAL TRANSACTIONS WITH IDEAL LATTICES
SECURITY PROOFS FOR MSIS PROBLEM BASED TRANSACTIONS
SECURITY PROOFS FOR CONFIDENTIAL
CONCLUSION

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.