A Practical NIZK Argument for Confidential Transactions over Account-Model Blockchain

Conference paper. Provable and Practical Security (ProvSec 2020).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12505)

Abstract

We propose a novel non-interactive zero-knowledge (NIZK) argument for confidential transactions. Our NIZK argument offers a highly practical prover compared with other existing works, in which proof generation and verification times are at the same level. The argument is perfectly zero-knowledge in the common reference string model, and its soundness holds in the random oracle model. Based on this NIZK argument, we construct a confidential transaction smart contract (CTSC) scheme that transfers coins between users confidentially and automatically over an account-model blockchain. Furthermore, we give formal security definitions for such a primitive, confidentiality and transaction soundness, together with a security proof of the construction.


Notes

  1. Adversary \(\mathcal {A}\) queries the oracle \( \mathcal {O}_{\mathsf {CreateAccount}} \) with a randomly chosen id and a random balance \( t_{id} \), and obtains a reply containing \( (pk_{id}, sk_{id}, \tilde{C}_{id}) \).


Acknowledgements

We thank the anonymous reviewers for their invaluable comments. This work is supported by the National Key Research and Development Program of China (Grant No. 2017YFB0802500), PlatON, the National Natural Science Foundation of China (Grant Nos. 61932019, 61772521, 61772522 and 61972294), the Key Research Program of Frontier Sciences, CAS (Grant No. QYZDB-SSW-SYS035), the Natural Science Foundation of Hubei Province (Grant No. 2020CFA052), the Wuhan Municipal Science and Technology Project(Grant No. 2020010601012187).

Author information

Corresponding author: Yi Deng.

A Missing Proof of Theorem 1

(Perfect) Completeness. Completeness is trivial, so we omit the details here.

(Adaptive) Soundness. Suppose that the soundness does not hold. Then there must exist a \(\mathsf {PPT}\) prover \(\mathsf {P}^*\) with random tape \( r_{\mathsf {P}^*} \) that generates an accepted proof \(\pi \) for a false statement with probability at least \(\epsilon (n) > \frac{1}{2^k}\), where

$$\begin{aligned} \pi = \big (a = (a_s, a_r, a'_s, \{V_i, V'_i, a_i,&a'_i, W_i, W'_i\}_{i=0}^{\ell -1}, \alpha ),\\ c,\,&z=(z_1, z_2, z_3, \{ z_{v_i}, z_{v'_i}, z_{t_i}, z_{t'_i} \}_{i = 0}^{\ell -1}, \hat{z}) \big ). \end{aligned}$$

Fix such a random tape. The probability that \( \mathsf {P}^* \) answers different challenges c correctly is then at least \( \epsilon (n) \). We construct the extractor as follows: upon seeing an accepted proof \(\pi \), \(\mathcal {E}\) rewinds \(\mathsf {P}^*\) to the oracle query \(\mathsf {H}(a)\) that returned \(\tilde{c}\). It then reprograms the random oracle so that \( \tilde{c}' = \mathsf {H}(a) \) with \( \tilde{c} \ne \tilde{c}' \), and continues the execution of \(\mathsf {P}^*\) with the modified random oracle. In expected polynomial time \( \mathcal {O}(\frac{1}{\epsilon (n)}) \), another valid proof is obtained: \(\pi ' = (a, c' = \tilde{c}' + \hat{c}, z'_1, z'_2, z'_3, \{ z'_{v_i}, z'_{v'_i}, z'_{t_i}, z'_{t'_i} \}_{i = 0}^{\ell -1}, \hat{z}).\)

From the validity of the two transcripts, we have

$$\begin{aligned} a_s&= (1+N_s)^{z_t} \cdot C_s^c \cdot z_1^{N_s} \bmod N_s^2,&a_s&= (1+N_s)^{z'_t} \cdot C_s^{c'} \cdot {z_1'}^{N_s} \bmod N_s^2;\\ a_r&= (1+N_r)^{z_t} \cdot C_r^c \cdot z_2^{N_r} \bmod N_r^2,&a_r&= (1+N_r)^{z'_t} \cdot C_r^{c'} \cdot {z_2'}^{N_r} \bmod N_r^2;\\ a'_s&= (1+N_s)^{z_{t'}} \cdot (\frac{\tilde{C}_s}{C_s})^c \cdot z_3^{N_s} \bmod N_s^2,&a'_s&= (1+N_s)^{z'_{t'}} \cdot (\frac{\tilde{C}_s}{C_s})^{c'} \cdot {z_3'}^{N_s} \bmod N_s^2;\\ a_i&= W_i^c \cdot V_i^{-z_{t_i}} \cdot g_1^{z_{v_i}},&a_i&= W_i^{c'} \cdot V_i^{-z'_{t_i}} \cdot g_1^{z'_{v_i}}; \\ a'_i&= (W'_i)^c \cdot (V'_i)^{-z_{t'_i}} \cdot g_1^{z_{v'_i}},&a'_i&= (W'_i)^{c'} \cdot (V'_i)^{-z'_{t'_i}} \cdot g_1^{z'_{v'_i}}. \end{aligned}$$

Since \( c \in \{0,1\}^k \) and \(2^k\) is smaller than the smallest prime factor of \( N_s \) and \(N_r\), \( (c - c') \) is invertible in \( \mathbb {Z}_{N_s} \) and \(\mathbb {Z}_{N_r}\). Hence we get

$$\begin{aligned}&C_s = (1+N_s)^{(z'_t - z_t)/(c-c')} \cdot ((z'_1/z_1)^{(c-c')^{-1}})^{N_s} \bmod N_s^2;\\&C_r = (1+N_r)^{(z'_t - z_t)/(c-c')} \cdot ((z'_2/z_2)^{(c-c')^{-1}})^{N_r} \bmod N_r^2;\\&\frac{\tilde{C}_s}{C_s} = (1+N_s)^{(z'_{t'} - z_{t'})/(c-c')} \cdot ((z'_3/z_3)^{(c-c')^{-1}})^{N_s} \bmod N_s^2; \\&W_i = V_i^{(z_{t_i} - z'_{t_i}) / (c - c')} \cdot g_1^{(z'_{v_i} - z_{v_i}) / (c - c')}; W'_i = (V'_i)^{(z_{t'_i} - z'_{t'_i}) / (c - c')} \cdot g_1^{(z'_{v'_i} - z_{v'_i}) / (c - c')}. \end{aligned}$$

Thus, \( t_i = (z'_{t_i} - z_{t_i}) / (c - c'), v_i = (z'_{v_i} - z_{v_i}) / (c - c') \), \( t'_i = (z'_{t'_i} - z_{t'_i}) / (c - c') \), and \( v'_i = (z'_{v'_i} - z_{v'_i}) / (c - c') \) for all \( i \in [0, \ell ) \). Since the Paillier encryption algorithm is an isomorphism from the pair (message, randomness) to the ciphertext, the witness can be obtained by computing modulo \(N_s\):

$$\begin{aligned}&t = (z'_t - z_t)/(c-c'), t' = (z'_{t'} - z_{t'})/(c-c'), \\&r_1 = (z'_1/z_1)^{(c-c')^{-1}}, r_2 = (z'_2/z_2)^{(c-c')^{-1}}, r = r_1 (z'_3/z_3)^{(c-c')^{-1}}. \end{aligned}$$

Thus if an argument \(\pi \) is accepted by the verifier, one can extract a valid witness \( w = (t_s = t + t', t, r, r_1, r_2)\).

If \( t \notin [0, u^\ell ) \) or \( t' \notin [0, u^\ell ) \), then some \( t_i \) or \( t'_i \) lies outside [0, u). That is, \(\mathsf {P}^*\) generates a valid signature \( V_i^{v_i^{-1}} \) on \(t_i\), or \( (V'_i)^{{v'_i}^{-1}} \) on \(t'_i\), with probability \(\textsf {poly}(\epsilon (n))\). This contradicts the EUF-WCMA security of the Boneh-Boyen signature scheme. Thus \( \epsilon (n) \) must be negligible.

Fig. 2. Simulator for our NIZK argument

Perfect (Adaptive) Zero-Knowledge. To argue zero-knowledge we construct a simulator \( \mathcal {S} = (\mathcal {S}_1, \mathcal {S}_2) \) in Fig. 2. We prove the zero-knowledge property via a hybrid experiment in which we use \(\mathcal {S}_1\) to generate crs but follow the real prover strategy to produce the NIZK proof. Since \(\mathcal {S}_1\) proceeds as \(\mathsf {K}\) except that it additionally outputs a trapdoor \(\chi \) s.t. \( vk = g_2^{\chi } \), for all \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\) we have

$$\begin{aligned} \Big |&\Pr \big [ \begin{array}{c} crs \leftarrow \mathsf {K}(1^n); (x, w, state) \leftarrow \mathcal {A}_1(crs); \pi \leftarrow \mathsf {P}(crs, x, w): \\ (x, w) \in R \wedge \mathcal {A}_2(crs, \pi , state) = 1 \end{array} \big ] \\&- \Pr \big [\begin{array}{c} (crs, \chi ) \leftarrow \mathcal {S}_1(1^n); (x, w, state) \leftarrow \mathcal {A}_1(crs); \pi \leftarrow \mathsf {P}(crs, x, w): \\ (x, w) \in R \wedge \mathcal {A}_2(crs, \pi , state) = 1 \end{array} \big ] \Big | = 0 . \end{aligned}$$

Next, instead of generating the proof with \( \mathsf {P}(x, w) \), we use the trapdoor \(\chi \) produced by \( \mathcal {S}_1 \) to simulate the NIZK proof. In the simulated proofs, \( (\alpha , c, z_1, z_2, z_3, \{ z_{v_i}, z_{v'_i}, z_{t_i}, z_{t'_i} \}_{i = 0}^{\ell -1}, \hat{z} )\) are uniformly distributed over their respective domains, and so are \( a_s, a_r, a'_s \), which are determined by these values. \( \{V_i,\) \(V'_i, a_i, a'_i, W_i, W'_i\}_{i=0}^{\ell -1} \) are clearly uniformly distributed as well. In the real proofs, the values \( a_s, a_r, a'_s, \{V_i, V'_i, a_i, a'_i, W_i, W'_i\}_{i=0}^{\ell -1}\), \(c, \alpha , \hat{z} \) are uniformly distributed because they are computed from uniform randomness, and hence the remaining values \( z_1, z_2, z_3\), \(\{ z_{v_i}, z_{v'_i}, z_{t_i}, z_{t'_i} \}_{i = 0}^{\ell -1} \) are uniformly distributed too. Thus, for all \(\mathsf {PPT}\) \(\mathcal {A} = (\mathcal {A}_1, \mathcal {A}_2)\) we have

$$\begin{aligned} \Big |&\Pr \big [ \begin{array}{c} (crs, \chi ) \leftarrow \mathcal {S}_1(1^n); (x, w, state) \leftarrow \mathcal {A}_1(crs); \pi \leftarrow \mathsf {P}(crs, x, w): \\ (x, w) \in R \wedge \mathcal {A}_2(crs, \pi , state) = 1 \end{array} \big ] \\&- \Pr \big [\begin{array}{c} (crs, \chi ) \leftarrow \mathcal {S}_1(1^n); (x, w, state) \leftarrow \mathcal {A}_1(crs); \pi \leftarrow \mathcal {S}_2(crs, x, \chi ): \\ (x, w) \in R \wedge \mathcal {A}_2(crs, \pi , state) = 1 \end{array} \big ] \Big | = 0 . \end{aligned}$$

Hence, the perfect zero-knowledge property holds in the standard CRS model.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Ma, S., Deng, Y., Bai, M., He, D., Zhang, J., Xie, X. (2020). A Practical NIZK Argument for Confidential Transactions over Account-Model Blockchain. In: Nguyen, K., Wu, W., Lam, K.Y., Wang, H. (eds) Provable and Practical Security. ProvSec 2020. Lecture Notes in Computer Science, vol. 12505. Springer, Cham. https://doi.org/10.1007/978-3-030-62576-4_12

  • DOI: https://doi.org/10.1007/978-3-030-62576-4_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-62575-7

  • Online ISBN: 978-3-030-62576-4
