Practical Range Proof for Cryptocurrency Monero with Provable Security

  • Kang Li
  • Rupeng YangEmail author
  • Man Ho Au
  • Qiuliang Xu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10631)


With a market cap of about 1.5 billion US dollar, Monero is one of the most popular crypto-currencies at present. Much of its growing popularity can be attributed to its unique privacy feature. Observing that no formal security analysis is presented, we initiate a formal study on Monero’s core protocol. In this study, we revisit the design rationale of an important component of Monero, namely, range proof. Our analysis shows that the range proof may not be a proof-of-knowledge even if the underlying building block, ring signature, is secure. Specifically, we show that if a certain secure ring signature scheme is used, it is impossible to construct a witness extractor unless the Computational Diffie-Hellman problem is equivalent to the Discrete Logarithm problem. This shows that the design rationale is to possibly flawed. Then, we present a new range proof protocol that enjoys a few advantages. Firstly, it is a zero-knowledge proof-of-knowledge protocol. Secondly, it is compatible with the Monero’s wallet and algebraic structure and thus does not require extensive modification in the codebase. Finally, the efficiency is comparable to Monero’s version which does not admit a formal security proof.



This work was supported by the National Natural Science Foundation of China (Grant No. 61602396, U1636205, 61572294, 61632020).


  1. 1.
    Abe, M., Ohkubo, M., Suzuki, K.: 1-out-of-n signatures from a variety of keys. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 415–432. Springer, Heidelberg (2002). Scholar
  2. 2.
    Bender, A., Katz, J., Morselli, R.: Ring signatures: stronger definitions, and constructions without random oracles. Cryptology ePrint Archive, Report 2005/304 (2005).
  3. 3.
    Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000). Scholar
  4. 4.
    Chaabouni, R., Lipmaa, H., Shelat, A.: Additive combinatorics and discrete logarithm based range protocols. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 336–351. Springer, Heidelberg (2010). Scholar
  5. 5.
    Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 199–203. Springer, Boston (1983). Scholar
  6. 6.
    Lipmaa, H., Asokan, N., Niemi, V.: Secure Vickrey auctions without threshold trust. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 87–101. Springer, Heidelberg (2003). Scholar
  7. 7.
    Mao, W.: Guaranteed correct sharing of integer factorization with off-line shareholders. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, pp. 60–71. Springer, Heidelberg (1998). Scholar
  8. 8.
    Maxwell, G.: Confidential transactions. Web, June 2015Google Scholar
  9. 9.
    Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. White paper (2009).
  10. 10.
    Noether, S., Mackenzie, A., Monero Core Team: Ring confidential transactions. Monero research lab report MRL-0005, February 2016Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Kang Li
    • 1
    • 2
  • Rupeng Yang
    • 2
    • 3
    Email author
  • Man Ho Au
    • 1
    • 2
  • Qiuliang Xu
    • 3
  1. 1.Research Institute for Sustainable Urban DevelopmentThe Hong Kong Polytechnic UniversityHong KongChina
  2. 2.Department of ComputingThe Hong Kong Polytechnic UniversityHong KongChina
  3. 3.School of Computer Science and TechnologyShandong UniversityJinanChina

Personalised recommendations