Practical Range Proof for Cryptocurrency Monero with Provable Security

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10631)

Abstract

With a market cap of about 1.5 billion US dollars, Monero is one of the most popular cryptocurrencies at present. Much of its growing popularity can be attributed to its unique privacy features. Observing that no formal security analysis has been presented, we initiate a formal study of Monero's core protocol. In this study, we revisit the design rationale of an important component of Monero, namely its range proof. Our analysis shows that the range proof may not be a proof of knowledge even if the underlying building block, the ring signature, is secure. Specifically, we show that if a certain secure ring signature scheme is used, it is impossible to construct a witness extractor unless the Computational Diffie-Hellman problem is equivalent to the Discrete Logarithm problem. This shows that the design rationale is possibly flawed. We then present a new range proof protocol that enjoys several advantages. Firstly, it is a zero-knowledge proof-of-knowledge protocol. Secondly, it is compatible with Monero's wallet and algebraic structure and thus does not require extensive modification of the codebase. Finally, its efficiency is comparable to that of Monero's version, which does not admit a formal security proof.

Notes

Acknowledgement

This work was supported by the National Natural Science Foundation of China (Grant No. 61602396, U1636205, 61572294, 61632020).

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Kang Li (1, 2)
  • Rupeng Yang (2, 3)
  • Man Ho Au (1, 2)
  • Qiuliang Xu (3)
  1. Research Institute for Sustainable Urban Development, The Hong Kong Polytechnic University, Hong Kong, China
  2. Department of Computing, The Hong Kong Polytechnic University, Hong Kong, China
  3. School of Computer Science and Technology, Shandong University, Jinan, China
