Abstract
We propose a novel non-interactive zero-knowledge (NIZK) argument for confidential transactions. Compared with other existing works, our NIZK argument provides a highly practical prover, with proof generation and verification times at the same level. Our NIZK argument is perfect zero-knowledge in the common reference string model, while its soundness holds in the random oracle model. Based on the NIZK argument, we construct a confidential transaction smart contract (CTSC) scheme which enables transferring coins between users confidentially and automatically over an account-model blockchain. Furthermore, we provide formal security definitions for such a primitive, confidentiality and transaction soundness, along with a security proof of the construction.
Notes
- 1.
Adversary \(\mathcal {A}\) queries the oracle \( \mathcal {O}_{\mathsf {CreateAccount}} \) with a randomly chosen id and a random balance \( t_{id} \), and obtains a reply containing \( (pk_{id}, sk_{id}, \tilde{C}_{id}) \).
Acknowledgements
We thank the anonymous reviewers for their invaluable comments. This work is supported by the National Key Research and Development Program of China (Grant No. 2017YFB0802500), PlatON, the National Natural Science Foundation of China (Grant Nos. 61932019, 61772521, 61772522 and 61972294), the Key Research Program of Frontier Sciences, CAS (Grant No. QYZDB-SSW-SYS035), the Natural Science Foundation of Hubei Province (Grant No. 2020CFA052), and the Wuhan Municipal Science and Technology Project (Grant No. 2020010601012187).
A Missing Proof of Theorem 1
(Perfect) Completeness. Completeness is trivial; we omit the details here.
(Adaptive) Soundness. Suppose that the soundness does not hold. Then there must exist a \(\mathsf {PPT}\) prover \(\mathsf {P}^*\) with random tape \( r_{\mathsf {P}^*} \) that generates an accepted proof \(\pi \) for a false statement with probability at least \(\epsilon (n) > \frac{1}{2^k}\), where
Fixing such a random tape, the probability that \( \mathsf {P}^* \) answers different challenges c correctly is at least \( \epsilon (n) \). We then construct the following extractor: upon seeing an accepted proof \(\pi \), \(\mathcal {E}\) rewinds \(\mathsf {P}^*\) to the oracle query \(\mathsf {H}(a)\) that returned \(\tilde{c}\). It then reprograms the random oracle so that \( \tilde{c}' = \mathsf {H}(a) \) with \( \tilde{c} \ne \tilde{c}' \), and continues the execution of \(\mathsf {P}^*\) with the modified random oracle. In expected polynomial time \( \mathcal {O}(\frac{1}{\epsilon (n)}) \), another valid proof is obtained: \(\pi ' = (a, c' = \tilde{c}' + \hat{c}, z'_1, z'_2, z'_3, \{ z'_{v_i}, z'_{v'_i}, z'_{t_i}, z'_{t'_i} \}_{i = 0}^{\ell -1}, \hat{z}).\)
From the validity of the two transcripts, we have
Since \( c \in \{0,1\}^k \) and \(2^k\) is smaller than the smallest prime factor of \( N_s \) and \(N_r\), \( (c - c') \) is invertible in \( \mathbb {Z}_{N_s} \) and \(\mathbb {Z}_{N_r}\). Hence we get
Thus, \( t_i = (z'_{t_i} - z_{t_i}) / (c - c'), v_i = (z'_{v_i} - z_{v_i}) / (c - c') \), \( t'_i = (z'_{t'_i} - z_{t'_i}) / (c - c') \), and \( v'_i = (z'_{v'_i} - z_{v'_i}) / (c - c') \) for all \( i \in [0, \ell ) \). Since the Paillier encryption algorithm is an isomorphism from the message and the randomness to the ciphertext, the witness can be obtained by computing modulo \(N_s\):
Thus if an argument \(\pi \) is accepted by the verifier, one can extract a valid witness \( w = (t_s = t + t', t, r, r_1, r_2)\).
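The rewinding extractor of the soundness argument, worked through for a single Paillier ciphertext as an added example (this is illustrative code, not the paper's scheme or implementation): a Fiat-Shamir sigma protocol proves knowledge of the plaintext and randomness of \(C\), the extractor rewinds the prover to the query \(\mathsf {H}(a)\), reprograms the oracle to a second challenge, and recovers the witness from the two transcripts because \(c - c'\) is invertible modulo \(N\). The toy modulus, the hash-to-challenge function, the prover's fixed random tape and the use of Bézout coefficients of \(c - c'\) and \(N\) to realise the "compute modulo \(N\)" step are assumptions of this example.

```python
import hashlib
# Toy Paillier modulus (constructed for illustration; real deployments use ~2048-bit N).
P, Q = 10007, 10009
N, N2 = P * Q, (P * Q) ** 2
K = 8  # challenge length: 2^K = 256 < min(P, Q), so c - c' is invertible mod N

def enc(t, r):
    """Paillier encryption (1+N)^t * r^N mod N^2 of message t with randomness r."""
    return (pow(1 + N, t, N2) * pow(r, N, N2)) % N2

def fs_hash(a):
    """Fiat-Shamir random oracle: a K-bit challenge derived from the commitment a."""
    return int.from_bytes(hashlib.sha256(str(a).encode()).digest(), "big") % (1 << K)

def egcd(a, b):
    """Extended Euclid over the integers: returns (x, y) with a*x + b*y == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1, y0, y1 = x1, x0 - q * x1, y1, y0 - q * y1
    return x0, y0

def prove(t, r, tape, H=fs_hash):
    """Proof of knowledge of (t, r) with C = enc(t, r); `tape` fixes the prover's randomness."""
    t_a, r_a = tape
    a = enc(t_a, r_a)
    c = H(a)
    return a, c, (t_a + c * t) % N, (r_a * pow(r, c, N)) % N

def verify(C, proof, H=fs_hash):
    a, c, z_t, z_r = proof
    return c == H(a) and enc(z_t, z_r) == (a * pow(C, c, N2)) % N2

def extract(C, proof1, proof2):
    """Special soundness: two accepting transcripts sharing a with c != c' yield (t, r)."""
    a, c, z_t, z_r = proof1
    a2, c2, z_t2, z_r2 = proof2
    assert a == a2 and c != c2
    alpha, beta = egcd(c - c2, N)  # alpha*(c - c') + beta*N == 1 (gcd is 1 as |c - c'| < P, Q)
    m, rho = (z_t - z_t2) % N, (z_r * pow(z_r2, -1, N)) % N  # C^(c-c') == enc(m, rho)
    # C == (C^(c-c'))^alpha * (C^beta)^N, so the plaintext/randomness pair of C is:
    return (alpha * m) % N, (pow(rho, alpha, N) * pow(C, beta, N)) % N

def rewind_and_extract(C, prover):
    """Treat the prover as a black box: run it once, reprogram the oracle at a, run it again."""
    proof1 = prover(fs_hash)
    a, c, _, _ = proof1
    reprogrammed = lambda x: (c + 1) % (1 << K) if x == a else fs_hash(x)
    proof2 = prover(reprogrammed)  # same tape, same a, different challenge
    return extract(C, proof1, proof2)
```

Running `rewind_and_extract` on a prover closure that fixes its random tape returns exactly the encrypted value and randomness, which is the step the proof above calls "the witness can be obtained by computing modulo \(N_s\)".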
If \( t \notin [0, u^\ell ) \) or \( t' \notin [0, u^\ell ) \), then there must be some \( t_i \) or \( t'_i \) not in \([0, u)\). That is, \(\mathsf {P}^*\) generates a valid signature \( V_i^{v_i^{-1}} \) on \(t_i\) or \( (V'_i)^{{v'_i}^{-1}} \) on \(t'_i\) with probability \(\textsf {poly}(\epsilon (n))\). This contradicts the EUF-WCMA security of the Boneh-Boyen signature scheme. Thus \( \epsilon (n) \) must be negligible.
Perfect (Adaptive) Zero-Knowledge. To argue zero-knowledge we construct a simulator \( \mathcal {S} = (\mathcal {S}_1, \mathcal {S}_2) \) in Fig. 2. We prove zero-knowledge via a hybrid experiment in which we use \(\mathcal {S}_1\) to generate the crs but follow the real prover strategy to produce the NIZK proof. Since \(\mathcal {S}_1\) proceeds exactly as K except that it additionally outputs a trapdoor \(\chi \) such that \( vk = g_2^{\chi } \), for all \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\) we have
Next, instead of generating the proof from \( \mathsf {P}(x, w) \), we use the trapdoor \(\chi \) produced by \( \mathcal {S}_1 \) to simulate the NIZK proof. In the simulated proofs, \( (\alpha , c, z_1, z_2, z_3, \{ z_{v_i}, z_{v'_i}, z_{t_i}, z_{t'_i} \}_{i = 0}^{\ell -1}, \hat{z} )\) are uniformly distributed over their respective domains, and so are \( a_s, a_r, a'_s \), which are determined by the values above. \( \{V_i,\) \(V'_i, a_i, a'_i, W_i, W'_i\}_{i=0}^{\ell -1} \) are clearly uniformly distributed at random. In the real proofs, the values \( a_s, a_r, a'_s, \{V_i, V'_i, a_i, a'_i, W_i, W'_i\}_{i=0}^{\ell -1}\), \(c, \alpha , \hat{z} \) are distributed uniformly at random because uniform randomness is used, so the remaining values \( z_1, z_2, z_3\), \(\{ z_{v_i}, z_{v'_i}, z_{t_i}, z_{t'_i} \}_{i = 0}^{\ell -1} \) are uniformly distributed at random as well. Thus, for all \(\mathsf {PPT}\) \(\mathcal {A} = (\mathcal {A}_1, \mathcal {A}_2)\) we have
Hence, the perfect zero-knowledge property holds in the standard CRS model.
© 2020 Springer Nature Switzerland AG
Cite this paper
Ma, S., Deng, Y., Bai, M., He, D., Zhang, J., Xie, X. (2020). A Practical NIZK Argument for Confidential Transactions over Account-Model Blockchain. In: Nguyen, K., Wu, W., Lam, K.Y., Wang, H. (eds) Provable and Practical Security. ProvSec 2020. Lecture Notes in Computer Science(), vol 12505. Springer, Cham. https://doi.org/10.1007/978-3-030-62576-4_12
DOI: https://doi.org/10.1007/978-3-030-62576-4_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-62575-7
Online ISBN: 978-3-030-62576-4