mirror of
https://github.com/monero-project/research-lab.git
synced 2025-01-25 11:55:52 +00:00
443 lines
22 KiB
Text
443 lines
22 KiB
Text
BOOTLE-RUFFING RINGCT SCHEME
|
|
----------------------------
|
|
Sublinear-sized ring signatures without trusted
|
|
set-ups or bilinear pairings. Summarized for
|
|
Monero Research Lab by B Goodell
|
|
----------------------------
|
|
WARNING: Many errors such wow
|
|
|
|
We describe sublinear-sized ring signatures for use in cryptocurrency. This
|
|
scheme was first sent to MRL by Ruffing and co-authors. These results use
|
|
tools first described by Bootle, et al in the paper "Short Accountable Ring
|
|
Signatures Based on DDH," 2015 European Symposium on Research in Computer Sec-
|
|
urity, use a "vanilla" elliptic curve multisignature scheme first described by
|
|
Bellare and Neven in "Multi-signatures in the plain public-key model and a gen-\
|
|
eral forking lemma," 2006 Proceedings of the 13th, ACM conference on Computer and
|
|
Communications Security.
|
|
|
|
This is a living document and will be updated. In section I, the introduction,
|
|
we introduce the general idea of the scheme together with preliminary stuff.
|
|
We have a section on homomorphic commitments and encryption, a section on
|
|
ordinary multi-signatures, and a section on the NIZK proof systems presented
|
|
by Bootle et al. In section II, we present pseudocode describing Ruffing's
|
|
scheme. In section III, references.
|
|
|
|
I. INTRODUCTION
|
|
|
|
The scheme presented by Ruffing roughly works as follows, exploiting homo-
|
|
morphic commitments. Sender Sally uses L of her txnout keys to send some amount
|
|
stored in a commitment to receiver Roy. Sally wishes to implicate N-1 other
|
|
senders, so she constructs an LxN matrix of public keys (L = # key images used,
|
|
N = ring size) by picking random public keys from the anonymity set; she stores
|
|
her own pubkeys in some secret column i*. Sally demonstrates that the output
|
|
amount from her secret column and the input amount are the same without re-
|
|
vealing that column or the amounts by using a NIZK proof from the Bootle paper
|
|
to show that at least one commitment in a vector opens to zero. In the constru-
|
|
ction of this proof, she uses information from her secret keys, which binds the
|
|
index she can open to zero to the column of pubkeys in the matrix without re-
|
|
vealing which index. She uses her secret keys to construct a multisignature on
|
|
the Bootle proof that is verifiable with the key images only. This way, her
|
|
signature consists of some random information, a Bootle proof, and a multi-
|
|
signature on the Bootle proof. The multisignature is efficient in construction,
|
|
verification, and storage. The Bootle proof, for a vector of commitments of
|
|
length N = n^m, takes O(n*m) (roughly) for construction, verification, and sto-
|
|
rage. For a ring size N=n^m, for a fixed ring base n (say all ring sizes are
|
|
powers of n=16), the Ruffing scheme is approximately log(N).
|
|
|
|
The scheme consists of four algorithms, KEYGEN, SPEND, and VER, which we des-
|
|
cribe in the next section. The scheme uses multisignatures and Bootle proofs
|
|
as subroutines, and hammers on homomorphic commitment very hard, so we describe
|
|
these in this section as "pre-requisites". The Bootle method is an interactive
|
|
sigma protocol that uses another interactive sigma protocol as a subroutine. We
|
|
made these both non-interactive and present the pseudocode in PROVE1, VALID1,
|
|
PROVE2, VALID2 (the Ruffing scheme uses PROVE2, VALID2, which use PROVE1,
|
|
VALID1). The Ruffing scheme did not specify a multisignature scheme; we desc-
|
|
ribe here the pseudocode for the Bellare-Neven multisignature scheme, KEYGEN*,
|
|
SIG*, VER*.
|
|
|
|
a. Commitments and Encryption
|
|
|
|
To commit to a scalar x with some random mask r, we use the following options:
|
|
|
|
COMp(x; r) := rG + xHp(xG) # Unconditionally hiding Pedersen
|
|
COMeg(x; r) := (rG + xHp(xG), rG) # Computationally hiding El Gamal
|
|
|
|
We may extend these to a vector/array/matrix B=[b[j][i]; j=0...m-1,i=0..n-1]:
|
|
|
|
COMp(B; r) := rG + b[0][0]Hp(b[0][0]G) + ... + b[m-1][n-1]Hp(b[m-1][n-1]G)
|
|
|
|
and we can similarly lift this to an El Gamal commitment by appending rG. In
|
|
the first case, we refer to x or the matrix B as the "data under commitment"
|
|
and the value r as the "mask." Given a Pedersen commitment c, we open c by
|
|
revealing x and r, where a verifier checks that c == rG + xHp(xG). Given an
|
|
El Gamal commitment (C1, C2), we open by revealing r and x, a verifier
|
|
computes C2' = rG, C1' = rG + xHp(xG) from these, and lastly checks that
|
|
C1 == C1' and C2 == C2'.
|
|
|
|
These commitments are additive under the following definition:
|
|
|
|
COMp(x; r) + COMp(x'; r') := COMp(x+x'; r+r')
|
|
COMeg(x; r) + COMeg(x'; r') := COMeg(x+x'; r+r')
|
|
|
|
|
|
b. Ordinary Multi-signature
|
|
|
|
The Ruffing scheme utilizes as a subroutine an efficient multisignature scheme,
|
|
consisting of three algorithms (KEYGEN*, SIG*, VER*). We present a scheme based
|
|
on the scheme described by Bellare and Neven in 2006 [3] (which is, in turn,
|
|
based on Schnorr signatures). Our variation of the B&N scheme is that it is
|
|
executed only by one party holding all the keys, so interaction is unnecessary.
|
|
We use a group of prime order q. Ruffing's scheme assumes that the Decisional
|
|
Diffie-Hellman assumption holds, so there is no harm in making this assumption
|
|
for the ordinary multi-signature scheme. Let G be a commonly known generator of
|
|
the group. Let Hs be a hash function that produces a scalar in Zq. Let Zq denote
|
|
the integers modulo q.
|
|
|
|
KEYGEN*: Each user selects x at random from Zq. The secret key is x. The
|
|
public key is X=xG. Output (sk,pk) = (x,X).
|
|
|
|
SIG*: Take as input a message M and a list of private keys L = x[0], x[1],
|
|
..., x[n-1]. Let L' be the associated list of public keys X[0], ..., X[n-1],
|
|
and assume L' is lexicographically ordered.
|
|
1) Compute L* = H(L').
|
|
2) For each i=0,1,...,n-1, select r[i] at random from Zq.
|
|
3) Compute r=r[0]+r[1]+...+r[n-1] and R=rG.
|
|
4) For each i=0,1,...,n-1:
|
|
i) Compute c[i] := Hs(X[i], R, L*, M)
|
|
ii) Compute s[i] := r[i] + x[i]*c[i]
|
|
5) Compute s = s[0] + ... + s[n-1].
|
|
6) Output the signature sigma = (R, s)
|
|
|
|
VER*: Take as input a message M, a set of keys L' = X[0], ..., X[n-1], and a
|
|
signature sigma = (R,s).
|
|
1) Compute L* = H(L')
|
|
2) For each i=0,1,...,n-1, compute c[i] = Hs(X[i], R, L*, M)
|
|
3) Accept if and only if sG = R + c[0]*X[0] + ... + c[n-1]*X[n-1]
|
|
|
|
c. NIZK Proofs
|
|
====|====|====|====|====|====|====|====|====|====|====|====|====|====|====|====
|
|
Lastly, the scheme also utilizes the following algorithms, (PROVE1, VALID1),
|
|
and (PROVE2, VALID2), which are NIZK prove-and-verify algorithm pairs. These
|
|
use the Fiat-Shamir transformation to make the zero-knowledge sigma protocols
|
|
presented by Bootle non-interactive under the random oracle model. The second
|
|
algorithm requires the usage of a helper algorithm, COEFs, which computes
|
|
coefficients of certain polynomials.
|
|
|
|
The pair (PROVE1, VALID1) allows a prover to demonstrate that each row of a
|
|
matrix is a set of commitments to bits that open to exactly one 1 (the rest
|
|
open to 0). The implementation works like this:
|
|
|
|
PROVE1: Take as input ([[b[0][0], b[0][1], ..., b[m-1][n-1]] ], r).
|
|
1) Select r[A], r[C], r[D] at random from Zq.
|
|
2) For each j=0, 1,..., m-1 and for each i=1,2,...,n-1, select a[j][i]
|
|
from Zq at random.
|
|
3) For each j, compute a[j][0] = -a[j][1] - a[j][2] - ... - a[j][n-1].
|
|
4) Compute A:=COMp(a[0][0], ..., a[m-1][n-1]; r[A])
|
|
5) For each j=0,...,m-1 and i=0,...,n-1, compute the values
|
|
c[j][i] := a[j][i]*(1-2*b[j][i])
|
|
d[j][i] := -a[j][i]^2
|
|
6) Compute the commitments C:=COMp(c[0][0], ..., c[m-1][n-1]; r[C]) and
|
|
D:=COMp(d[0][0],...,d[m-1][n-1]; r[D]).
|
|
7) Compute x := Hs(A,C,D)
|
|
8) For each j=0,...,m-1, i=0,...,n-1, compute f[j][i]:=b[j][i]*x + a[j][i]
|
|
9) Compute z[A]:= r*x + r[A], z[C]:=r[C]*x+r[D]
|
|
10) Output proof P:=A,C,D, f[0][1],f[0][2], ..., f[0][n-1], f[1][1],
|
|
f[1][2], ..., f[1][n-1], ..., f[m-1][1], ..., f[m-1][n-1], z[A], z[C].
|
|
|
|
When PROVE1 is run as a subroutine for PROVE2, the prover will also output the
|
|
values of each a[j][i]; these are not part of the formal proof, but they are
|
|
used elsewhere. Note that we do not output the first column of the matrix F
|
|
whose (ji)^th entry is f[j][i]. Essentially here, we are taking a matrix, we
|
|
are showing each row sums to 1 and each element satisfies the equation
|
|
b[j][i]*(1-b[j][i]) = 0.
|
|
|
|
VALID1: Take as input B (the prover wishes to demonstrate B is a commitment to
|
|
the values b[j][i] as described in PROVE1) and proof P.
|
|
1) If A,B,C,D are each elliptic curve points, both z[A] and z[C] are ele-
|
|
ments of Zq, and each f[j][i] are elements of Zq, compute the value
|
|
x := Hs(A,C,D). Else, output FAIL and terminate.
|
|
2) For each j=0, ..., m-1, compute f[j][0] = x-f[j][1] - ... - f[j][n-1].
|
|
3) For each j=0, ..., m-1, i=0,...,n-1, compute each of the values
|
|
f'[j][i] := f[j][i]*(x-f[j][i])
|
|
4) Return 1 if and only if all of the conditions hold true:
|
|
i) For each j=0, ..., m-1, f[j][0]=x-f[j][1]-f[j][2]- ... -f[j][n-1]
|
|
ii) xB + A = COMp(f[0][0], ..., f[m-1][n-1]; z[A])
|
|
iii) xC + D = COMp(f'[0][0], ..., f'[m-1][n-1]; z[C])
|
|
(otherwise return 0).
|
|
|
|
The pair (PROVE2, VALID2) allows a prover to demonstrate that a sequence of
|
|
commitments contains at least one commitment to 1. The implementation works
|
|
like this:
|
|
|
|
PROVE2: Take as input a sequence of values c[0], c[1], ... c[N-1] for
|
|
some N= n^m, a secret index i* in this list corresponding to a commitment that
|
|
opens to 1, and a random scalar r in Zq. For all integers j, i, define the
|
|
Kronecker delta function as DELTA(j,i) := 1 if j=i and 0 otherwise.
|
|
1) For k=0, 1, ..., m-1, select random coefficient u[k] at random from Zq.
|
|
2) Select r[B] at random from Zq.
|
|
3) Write i* in n-ary i* = i*[0] + i*[1]*(n) + i*[2]*(n^2) + ...
|
|
... + i*[m-1]*(n^(m-1)), and represent i* as the sequence i*[j].
|
|
4) For each j=0, 1, ..., m-1 and i=0, 1, ..., n-1, define the values
|
|
d[j][i] := DELTA(i*[j],i).
|
|
5) Compute B:=COMp(d[0][0], ..., d[m-1][n-1]; r[B]).
|
|
6) Prover runs PROVE1 and stores the output as the list of data
|
|
P <- PROVE1(B, (d[0][0], ..., d[m-1][n-1], r[B])) and stores the values
|
|
a[j][i] for use in the next step. Note the prover receives A, C, D from
|
|
PROVE1, all the values f[j][i], and the values z[A], z[C].
|
|
7) coefs <- COEFS(a[0][0], ..., a[m-1][n-1], i*)
|
|
8) For k=0, ..., m-1:
|
|
i) G[k] := ENCeg(0, u[k]) # = (rHp(G), rG)
|
|
ii) For i=0, ..., N-1, update G[k] by multiplying:
|
|
G[k]=G[k]*(co[i]^coefs[i][k])
|
|
=(G[k][1]+coefs[i][k]*co[i][1], G[k][2]+coefs[i][k]*co[i][2])
|
|
The final value for each G[k] from step 8 can be written explicitly:
|
|
G[k]=(rHp(G)+coefs[0][k]*co[0][1] + ... +coefs[n-1][k]*co[n-1][1],
|
|
rG+coefs[0][k]*co[0][2] + ... +coefs[n-1][k]*co[n-1][2])
|
|
9) Compute x' = Hs(A,B,C,D, G[0], ..., G[m-1]).
|
|
10) Compute z:= r*(x')^m - u[m-1]*(x')^(m-1) - ... - u[1]*(x')^1 - u[0]
|
|
11) Output proof P':=P, B, G[0], ..., G[m-1], z.
|
|
|
|
VALID2: Take as input a list of N El Gamal commitments co[0], ..., co[N-1] and a
|
|
proof P' parsed as P, B, G[0],...,G[m-1], where P is a proof parsed as
|
|
P = A,C,D, f[0][1],f[0][2], ..., f[m-1][n-1], z[A], z[C].
|
|
1) If A,B,C,D, each G[k] are all elliptic curve points, and if z[A], z[C],
|
|
and z are elements of Zq, and if each f[j][i] are elements of Zq, and
|
|
if VALID1(B,P)=1, then compute the value
|
|
x' := Hs(A, B, C,D,G[0],...,G[m-1]).
|
|
Else, output FAIL and terminate.
|
|
2) Compute c := ENCeg(0,z).
|
|
3) For each k=0,...,m-1, compute
|
|
G[k]^(-x^k) := (-x^k*G[k][1],-x^k*G[k][2]).
|
|
4) Compute (G[0]^(-(x')^0))*(G[1]^(-(x')^1))*...*(G[m-1]^(-(x')^(m-1))
|
|
which explicitly is the ordered pair (G*[1], G*[2]):
|
|
(-G[0][1] - (x')G[1][1] - ... - (x')^(m-1)G[m-1][1],
|
|
-G[0][2] - (x')G[1][2] - ... - (x')^(m-1)G[m-1][2] )
|
|
5) For each j=0, ..., m-1, i=0,...,n-1, compute each of the values
|
|
f[j][0] := x' - f[j][1] - f[j][2] - ... - f[j][n-1].
|
|
6) For each i=0,...,N-1, write i in n-ary arithmetic as usual as
|
|
i = i[0] + i[1]*n + i[2]*(n^2) + ... + i[m-1]*(n^(m-1)). Compute the
|
|
values g[i] := f[0][i[0]]*f[1][i[1]]*...*f[m-1][i[m-1] and the
|
|
commitments co*[i] := co[i]^g[i] = (g[i]*co[i][1], g[i]*co[i][2]).
|
|
7) Compute (co*[0])*(co*[1])*...*(co*[N-1]) which ends up as the ordered
|
|
pair (c**[1], c**[2])
|
|
(c*[0][1] + c*[1][1] + ... c*[N-1][1], c*[0][2] + ... c*[N-1][2])
|
|
8) Compute c'=(c**[1],c**[2])*(G*[1],G*[2])=(c**[1]+G*[1], c**[2] + G*[2]).
|
|
9) Return 1 if and only if c' == c and 0 otherwise.
|
|
|
|
COEFS: We split this into two algorithms. The outer layer, COEFS, is specific
|
|
to the Ruffing scheme. The inner layer, COEFPROD, takes two sequences of coef-
|
|
ficients as input, representing polynomials, and outputs a sequence of coef-
|
|
ficients of the resulting product of those two polynomials. We denote the
|
|
Discrete Fourier Transform as DFT, and the inverse IDFT.
|
|
|
|
COEFS takes as input a matrix A = a[0][0], ..., a[m-1][n-1] and index i* such
|
|
that 0 <= i* < n^m. We decompose 0 <= i* < N into the n-ary representation
|
|
i* = i*[0] + i*[1]*n + ... + i*[m-1]*n^(m-1)
|
|
In this decomposition, for each 0 <= j < m, we have the constraint
|
|
0 <= i*[j] < n (otherwise we could include the "runoff" above n into the co-
|
|
efficient one index higher). For index 0 <= k < N we again decompose into
|
|
the n-ary representation
|
|
k = k[0] + k[1]*n + ... + k[m-1]*n^(m-1)
|
|
where for each index 0 <= j < m (where N=n^m), we have 0 <= k[j] < n. We rep-
|
|
resent the polynomial defined by DELTA(i*[j],k[j])*x + a[j][k[j]] as an array
|
|
q[j][k] = [a[j][k[j]], DELTA(i*[j],k[j])]
|
|
We then do the following:
|
|
1) For each k = 0, ..., N-1:
|
|
i) Compute coefList[k] : = q[0][k]
|
|
ii) For 1<=j<m update coefList[k] = COEFPROD(coefList[k], q[j][k[j]])
|
|
2) Output coefList[0], coefList[1], ..., coefList[N-1].
|
|
|
|
COEFPROD: Take as input lists c[0],...,c[n-1] and d[0],...,d[n-1]. If these are
|
|
not the same length, the shorter one may be padded with zeros at the end. We
|
|
can parse the polynomial p(x) = c[0] + c[1]*x + ... + c[n-1]*x^(n-1) and the
|
|
polynomial q(x) = d[0] + d[1]*x + ... + d[n-1]*x^(n-1). Let m = 2n-1.
|
|
1) Compute P := DFT(p), Q := DFT(q). Both P and Q should have length m and
|
|
This should take O(n*log(n)) time.
|
|
2) Compute PQ := [P[0]*Q[0], P[1]*Q[1], ...]. This should take O(n) time.
|
|
3) Compute t:= IDFT(PQ) = t[0], t[1], ..., t[m]. This should take
|
|
O(n*log(n)).
|
|
4) Output t as the coefficients of p(x)*q(x).
|
|
|
|
|
|
II. BOOTLE-RUFFING RINGCT SCHEME
|
|
|
|
We are now in a position to present Ruffing's scheme in its entirety. We select
|
|
a group of prime order q under which the Decisional Diffie-Hellman assumption
|
|
holds. Let G be a commonly known generator of the group. Let Hp be a hash func-
|
|
tion that produces an elliptic curve point. Let Hs be a hash function that prod-
|
|
uces a scalar in Zq. Let Zq denote the integers modulo q.
|
|
|
|
KEYGEN:
|
|
1) Select r,r' randomly from Zq.
|
|
2) Set sk := (r,r')
|
|
3) Set ki := r'G
|
|
4) Set pk := ENCeg(ki,r)
|
|
5) Output (sk,ki,pk).
|
|
|
|
SPEND: Take as input an (L x N) matrix of public keys PK written as
|
|
PK = [pk[j][i]; j=0,1,...,L-1, i=0,1,...,N-1], such that the signer knows the
|
|
associated secret keys of the column with (secret) index i*, a commitment for
|
|
each column co = co[0], co[1], ...., co[N-1] such that co[i*] opens to zero, a
|
|
set of secret keys sk = sk[0],sk[1],...,sk[L-1], a set of key images ki, a
|
|
message M, and a random scalar s from Zq. Write each secret key as
|
|
sk[i]=(r[i],r'[i]).
|
|
|
|
1) Compute co' := sG.
|
|
2) Set f := (ki, PK, co, co', M)
|
|
3) Compute (c, f') := SUB(f)
|
|
4) Compute s' := s + r[0]*f'[0] + r[1]*f'[1] + ... + r[L-1]*f'[L-1]
|
|
5) Compute sigma[1] := PROVE2(c, i*,s')
|
|
6) Compute sigma[2] := SIG*((r'[0], r'[1], ..., r'[L-1]), (sigma[1], f))
|
|
7) Output signature = (co', sigma[1], sigma[2])
|
|
|
|
SUB: Take as input key images ki = ki[0], ki[1], ..., ki[L-1], a matrix of
|
|
public keys PK = [pk[j][i]; j=1,2,...,L, i=1,2,...,N], a set of Pedersen com-
|
|
mitments co = co[1], ..., co[N], an elliptic curve point co', and message M.
|
|
|
|
1) For j=0, 1, ..., L-1:
|
|
i) Compute pkz[j] := (ki[j],0)
|
|
ii) Compute f[j] := Hs(ki[j],f,j)
|
|
2) For i=0, 1, ..., N-1 do:
|
|
i) Set c[i] := (co[i], co')
|
|
ii) For j=0,1, ..., L-1, update c[i] = c[i]*(pk[j][i]/pkz[j])^(f[j])
|
|
3) Output (c,f) where c = c[0], ..., c[N-1], f=f[0], ..., f[L-1].
|
|
|
|
Note that due to commitment arithmetic the result c[i] is written explicitly as:
|
|
(co[i]+f[0]*(pk[0][i][1]-pkz[0][1])+ ... +f[L-1]*(pk[L-1][i][1]-pkz[L-1][1]),
|
|
co'+f[0]*(pk[0][i][2]-pkz[0][2])+ ... +f[L-1]*(pk[L-1][i][2]-pkz[L-1][2]))
|
|
|
|
VER: This verifies a ring signature. Take as input a set of key images
|
|
ki = ki[0], ki[1], ..., ki[L-1], a matrix of public keys PK, commitments
|
|
co = co[0], ..., co[N-1], an elliptic curve point co', a message M, and a sig-
|
|
nature from SPEND, signature = (co', sigma[1], sigma[2]).
|
|
|
|
1) Set f := (ki, PK, co, co', M).
|
|
2) Compute (c, f') := SUB(f) (we only use c for verification)
|
|
3) Return 1 iff
|
|
(i) the signature sigma[2] on message (sigma[1], f) passes VER* with
|
|
keys ki, i.e. VER*((sigma[1],f), ki, sigma[2])==1
|
|
(ii) the proof sigma[1] is a valid NIZK proof that one of the commit-
|
|
ments in co open to 0, i.e. VALID2(sigma[1], co) == 1.
|
|
Return 0 otherwise.
|
|
|
|
III. Specific Example
|
|
|
|
Here is a quick concrete example using integer scalars of the Bootle NIZK
|
|
proof that a commitment opens appropriately* as in PROVE1/VALID1 above.
|
|
We start with random data we wish to commit to. Each entry must be
|
|
a bit and each row must sum to 1 if VALID1 is to validate the proof. We
|
|
may as well go with the identity matrix:
|
|
|
|
[ [b[0][0], b[0][1] ], = [ [1, 0],
|
|
[b[1][0], b[1][1] ] ] [0, 1] ]
|
|
|
|
We compute the commitment B = COMp([b[j][i]], rB):
|
|
|
|
B = rB*G + 1*H[0,0] + 0*H[0,1] + 0*H[1,0] + 1*H[1,1]
|
|
|
|
We pick random a[0][1], say 7, and a random a[1][1], say -5. We compute a[j][0]
|
|
as -sum(a[j][i]):
|
|
|
|
[ [a[0][0], a[0][1] ], = [ [-7, 7],
|
|
[a[1][0], a[1][1] ] ] [ 5, -5] ]
|
|
|
|
We compute commitment A = COMp( [a[j][i]], rA):
|
|
|
|
A = rA*G - 7*H[0,0] + 7*H[0,1] + 5*H[1,0] - 5*H[1,1]
|
|
|
|
We compute c[j][i] = a[j][i]*(1-2b[j][i]), d[j][i] = -a[j][i]^2:
|
|
|
|
[ [c[0][0], c[0][1] ], = [ [7, 7],
|
|
[c[1][0], c[1][1] ] ] [5, 5] ]
|
|
|
|
[ [d[0][0], d[0][1] ], = [ [-49, -49],
|
|
[d[1][0], d[1][1] ] ] [-25, -25] ]
|
|
|
|
We compute commitments C and D:
|
|
|
|
C = rC*G + 7*H[0,0] + 7*H[0,1] + 5*H[1,0] + 5*H[1,1]
|
|
D = rD*G - 49*H[0,0] - 49*H[0,1] - 25*H[1,0] - 25*H[1,1]
|
|
|
|
We compute x = Hs(A,C,D). We compute f[j][i] = b[j][i]*x + a[j][i]:
|
|
|
|
[ [f[0][0], f[0][1] ], = [ [x-7, 7],
|
|
[f[1][0], f[1][1] ] ] [ 5, x-5] ]
|
|
|
|
We compute zA = rB*x + rA, zC = rC*x + rD and send [A,B,C,D, zA, zC] together
|
|
with all columns except the first column of [f[j][i]] as our NIZK proof that B
|
|
is a well-formed Bootle commitment*. Now a verifier receives the left hand side
|
|
of the following system of equations
|
|
|
|
A = rA*G - 7*H[0,0] + 7*H[0,1] + 5*H[1,0] - 5*H[1,1]
|
|
B = rB*G + 1*H[0,0] + 0*H[0,1] + 0*H[1,0] + 1*H[1,1]
|
|
C = rC*G + 7*H[0,0] + 7*H[0,1] + 5*H[1,0] + 5*H[1,1]
|
|
D = rD*G - 49*H[0,0] - 49*H[0,1] - 25*H[1,0] - 25*H[1,1]
|
|
f[0][1] = 7
|
|
f[1][1] = x-5
|
|
zA = rB*x + rA
|
|
zC = rC*x + rD
|
|
|
|
Using the left hand side only, the verifier computes:
|
|
x := H(A,C,D)
|
|
f[0][0] := x - f[0][1]
|
|
f[1][0] := x - f[1][1]
|
|
Now the verifier computes the matrix [f'[j][i]] = [f[j][i]*(x-f[j][i])]:
|
|
[ [f'[0][0], f'[0][1] ], = [ [f[0][0]*(x-f[0][0]), f[0][1]*(x-f[0][1])],
|
|
[f'[1][0], f'[1][1] ] ] [ f[1][0]*(x-f[1][0]), f[1][1]*(x-f[1][1])] ]
|
|
and computes the commitments COM(f[j][i], zA), COM(f'[j][i], zC):
|
|
|
|
COM( f[j][i], zA) := zA*G + f[0][0]*H[0,0] + f[0][1]*H[0,1] + ...
|
|
COM(f'[j][i], zC) := zC*G + f'[0][0]*H[0,0] + f'[0][1]*H[0,1] + ...
|
|
|
|
The verifier can now check whether
|
|
i) xB + A =? COM(f[j][i], zA)
|
|
ii) xC + D =? COM(f'[j][i], zC)
|
|
|
|
Note that if the verifier received the values as specified above, she computes
|
|
the same f[0][0], f[1][0] as the prover used, x-7 and 5, so the verifier
|
|
obtains the matrix
|
|
|
|
[ [f[0][0], f[0][1] ], = [ [x-7, 7],
|
|
[f[1][0], f[1][1] ] ] [ 5, x-5] ]
|
|
|
|
and computes
|
|
|
|
[ [f'[0][0], f'[0][1] ], = [ [7(x-7), 7(x-7)],
|
|
[f'[1][0], f'[1][1] ] ] [5(x-5), 5(x-5)] ]
|
|
|
|
And thus computes the commitments
|
|
|
|
COM([ f[j][i]], zA) = zA*G + (x-7)*H[0,0] + 7*H[0,1] + 5*H[1,0] + (x-5)*H[1,1]
|
|
COM([f'[j][i]], zC) = zC*G + 7(x-7)*H[0,0] + 7(x-7)*H[0,1] + 5*(x-5)*H[1,0]
|
|
+ 5(x-5)*H[1,1]
|
|
|
|
On the other hand, she is given B and A, and with her x, she can compute xB+A:
|
|
|
|
xB + A = x(rB*G + 1*H[0,0] + 0*H[0,1] + 0*H[1,0] + 1*H[1,1])
|
|
+ (rA*G - 7*H[0,0] + 7*H[0,1] + 5*H[1,0] - 5*H[1,1])
|
|
= (rB*x + rA)*G + (x-7)*H[0,0] + 7*H[0,1] + 5*H[1,0] + (x-5)*H[1,1]
|
|
|
|
Lo and behold, this matches COM([ f[j][i]], zA). She can do the same with C,D:
|
|
|
|
xC + D = x(rC*G + 7*H[0,0] + 7*H[0,1] + 5*H[1,0] + 5*H[1,1])
|
|
+ (rD*G - 49*H[0,0] - 49*H[0,1] - 25*H[1,0] - 25*H[1,1])
|
|
= (rC*x + rD)*G + 7(x-7)*H[0,0] + 7(x-7)*H[0,1] + 5(x-5)*H[1,0]
|
|
+ 5*(x-5)*H[1,1]
|
|
|
|
Voila!
|
|
|
|
|
|
|
|
IV. REFERENCES
|
|
|
|
[1] Ruffing, Thyagarajan, Ronge, Schröder. "Boosting Private Payments in
|
|
Monero: New Attacks, Exact Cryptographic Definitions, and Sublinear
|
|
Ring Signatures." In preparation.
|
|
[2] Bootle, Cerulli, Chaidos, Ghadafi, Groth, Petit. "Short accountable
|
|
ring signatures based on DDH." European Symposium on Research in
|
|
Computer Security. Springer, Cham, 2015.
|
|
[3] Bellare, Mihir, and Gregory Neven. "Multi-signatures in the plain
|
|
public-key model and a general forking lemma." Proceedings of the 13th
|
|
ACM conference on Computer and communications security. ACM, 2006.
|
|
|
|
|