Yuen, T.H. et al. (2020). RingCT 3.0 for Blockchain Confidential Transaction: Shorter Size and Stronger Security. In: Financial Cryptography and Data Security. FC 2020(CCF-C). https://doi.org/10.1007/978-3-030-51280-4_25
RingCT 3.0
- Ring CT 3.0 construction
  - $\operatorname{Setup}(1^\lambda,n_{max})$
  - $\operatorname{KeyGen}$
  - $\operatorname{Mint}(pk,{\bf a}\in\mathbb{Z}_p)\rightarrow(C,ck)$
  - $\operatorname{AccountGen}((sk,pk),C,ck,{\bf a})\rightarrow(act,ask)$
  - $\operatorname{Spend}(\mathbb{A}_S,\{ask_k=(sk_k,\kappa_{in,k},{\bf a}_{in,k})\}_{k\in[1,M]},\mathbb{A}_{in},\{{\bf a}_{out,j}\}_{j\in[1,N]},m)\rightarrow(\mathbb{A}_{out},\pi=(\pi_{range},\sigma_{ring}),\mathbb{S},\mathbb{C}k_{out})$
  - $\operatorname{Verify}(m,\mathbb{A}_{in},\mathbb{A}_{out},\pi,\mathbb{S},\mathbb{U})\rightarrow0/1$
- A more efficient construction
- Performance
Ring CT 3.0 construction
The range proof used here comes from Bulletproofs, $(\operatorname{RSetup},\operatorname{RProof},\operatorname{RVerify})$, proving the statement:
$\operatorname{Setup}(1^\lambda,n_{max})$
- Group $\mathbb{G}$ of order $p$; generators $g_c,h_c,g,u\in\mathbb{G}$, $\vec{g}=(g_1,...,g_{n_{max}})\in\mathbb{G}^{n_{max}}$, $\vec{h}=(h_1,...,h_{n_{max}})\in\mathbb{G}^{n_{max}}$
- Hash functions $H_j:\{0,1\}^*\rightarrow\mathbb{Z}_p$ for $j=1,2,4,5$, $H_3:\{0,1\}^*\rightarrow\mathbb{G}$, $H_6:\mathbb{G}\rightarrow\mathbb{Z}_p$
- Run $\operatorname{RSetup}$
$\operatorname{KeyGen}$
LongTermKeyGen: $ltsk:=(x_1,x_2)\in\mathbb{Z}_p^2,~ltpk:=(g^{x_1},g^{x_2})$
OneTimePKGen$(ltpk)\rightarrow(pk,R_{ot})$:
- random $r_{ot}$
- $pk:=g^{x_1}\cdot g^{H_6((g^{x_2})^{r_{ot}})},~R_{ot}:=g^{r_{ot}}$
OneTimeSKGen$(pk,R_{ot},ltsk)\rightarrow sk$:
- check $pk\overset{?}{=}g^{x_1}\cdot g^{H_6(R_{ot}^{x_2})}$
- $sk=x_1+H_6(R_{ot}^{x_2})$
$\operatorname{Mint}(pk,{\bf a}\in\mathbb{Z}_p)\rightarrow(C,ck)$
- random $\kappa\in\mathbb{Z}_p$, $ck:=\kappa$
- $C=g_c^\kappa h_c^{\bf a}$ (${\bf a}$ is the amount)
$\operatorname{AccountGen}((sk,pk),C,ck,{\bf a})\rightarrow(act,ask)$
- check $C\overset{?}{=}g_c^\kappa h_c^{\bf a}$
- $act:=(pk,C),~ask:=(sk,ck,{\bf a})$
$\operatorname{Spend}(\mathbb{A}_S,\{ask_k=(sk_k,\kappa_{in,k},{\bf a}_{in,k})\}_{k\in[1,M]},\mathbb{A}_{in},\{{\bf a}_{out,j}\}_{j\in[1,N]},m)\rightarrow(\mathbb{A}_{out},\pi=(\pi_{range},\sigma_{ring}),\mathbb{S},\mathbb{C}k_{out})$
Input:
- The $M$ signers' input accounts $\mathbb{A}_S$ and the set of their account secret keys $\mathbb{K}_S=\{ask_k=(sk_k,\kappa_{in,k},{\bf a}_{in,k})\}_{k\in[1,M]}$
- The set of $nM$ input accounts $\mathbb{A}_{in}$; note that $\mathbb{A}_S\subset\mathbb{A}_{in}$
- The set of $N$ output amounts $\mathbb{O}=\{{\bf a}_{out,j}\}$, corresponding to the $N$ recipients' public keys $\{pk_{out,j}\}_{j\in[1,N]}$
- The transaction message $m$
First verify the balance: $\sum_{k=1}^M a_{in,k}\overset{?}{=}\sum_{j=1}^N a_{out,j}$. If it does not hold, the transaction amounts are incorrect, so abort.
Arrange $\mathbb{A}_{in}$ into an $M\times n$ matrix in which each row contains exactly one account from $\mathbb{A}_S$. Define the column index $ind_k$: the $k$-th element of $\mathbb{A}_S$ sits in row $k$, column $ind_k$ of the matrix:
A Spend transaction mainly has to solve two problems: (1) the validity of the transaction balance, and (2) sender anonymity (the ring signature). Two sub-protocols are therefore used.
Sub-protocol: Balance property
- Generate one-time public keys: the sender converts every recipient's long-term public key into a one-time public key with OneTimePKGen.
- Generate the output coins:
  - run $\operatorname{Mint}({\bf a}_{out,j})\rightarrow(C_{out,j},\kappa_{out,j})$ for all $j\in[1,N]$
- Generate the $N$ output accounts: $\mathbb{A}_{out}=\{(pk_{out,j},C_{out,j})\}_{j\in[1,N]}$
  (The sender can secretly send the amount and coin key of each output coin to the holder of the secret key belonging to $pk_{out,j}$; the set of all coin keys is defined as $\mathbb{C}k_{out}$.)
- Generate range proofs: run $\operatorname{RProof}$ for all ${\bf a}_{out,j},~j\in[1,N]$, and define the set of proof outputs as $\pi_{range}$.
- Prepare the balance proof:
  - Define the coin of account $act_k^{(ind_k)}$ as $C_{in,k}^{(ind_k)}$
  - Input amount equals output amount: $\prod_{k=1}^{M}C_{in,k}^{(ind_k)}/\prod_{j=1}^{N}C_{out,j}=g_c^{\sum_{k=1}^{M}\kappa_{in,k}-\sum_{j=1}^{N}\kappa_{out,j}}$
  - Define $\Delta:=\sum_{k=1}^{M}\kappa_{in,k}-\sum_{j=1}^{N}\kappa_{out,j}$
Sub-protocol: Ring signature
Define $act_k^{(i)}=(pk_{in,k}^{(i)},C_{in,k}^{(i)}),~i\in[1,n]$, where the signer's index is $ind_k$. The sender runs the following:
- Generate the one-time secret key: call OneTimeSKGen
- Generate key images: let $(sk_k,\cdot,\cdot)$ be the secret key of account $act_k^{(ind_k)}$; the key image is $U_k=u^{\frac{1}{sk_k}}$
- Ring formation:
  - Define the string $str$ as the concatenation of $\{act_k^{(1)}||...||act_k^{(n)}\}_{k\in[1,M]}$.
  - Compute $d_0=H_2(0,str),~d_1=H_2(1,str),~d_2=H_2(2,str)$
  - Define $\vec{Y}=\vec{Y}_1||...||\vec{Y}_M$, where
- Prepare the signer index:
  - Generate binary vectors $\vec{b_{L,k}}=(b_{k,1},...,b_{k,n}),~k\in[1,M]$, where $b_{k,i}=1$ if $i=ind_k$ and $b_{k,i}=0$ otherwise
  - Define $\vec{b_L}=\vec{b_{L,1}}||...||\vec{b_{L,M}}$ and $\vec{b_R}=\vec{b_L}-\vec{1^n}$.
  - Prove in zero knowledge that each $\vec{b_{L,k}}$ is a binary vector with exactly one bit equal to 1. Equivalently, for $k\in[1,M]$: $\vec{b_L}\circ\vec{b_R}=\vec{0^n},~\vec{b_L}-\vec{b_R}=\vec{1^n},~\langle\vec{b_{L,k}},\vec{1^n}\rangle=1$
- Generate the signature:
  - Commit 1: $h=H_3(\vec{Y})$; pick random $\alpha_1,\alpha_2,\beta,\rho,r_{\alpha_1},r_{\alpha_2},r_{sk_1},...,r_{sk_M},r_\Delta\in\mathbb{Z}_p$ and $\vec{s_L},\vec{s_R}\in\mathbb{Z}_p^{nM}$, and compute:
    Observe that $B_1=h^{\alpha_1}\vec{Y}^{\vec{b_L}}$
  - Challenge 1:
    - Define the string $str'=\vec{Y}||B_1||B_2||A||S_1||S_2||S_3||U_1||...||U_M$
    - Compute $y=H_4(1,str'),~z=H_4(2,str'),~w=H_4(3,str')$
  - Commit 2:
    - Define two degree-1 polynomials in the variable $X$:
    - Define the degree-2 polynomial $\langle l(X),r(X)\rangle$, which can be arranged in the form $t(X)=t_0+t_1X+t_2X^2$, where $t_0,t_1,t_2$ can be expressed in terms of $(\vec{b_L},\vec{b_R},\vec{s_L},\vec{s_R},w,y,z)$; specifically:
    - Pick random $\tau_1,\tau_2\in\mathbb{Z}_p$ and compute $T_1=g^{t_1}h^{\tau_1},~T_2=g^{t_2}h^{\tau_2}$
  - Challenge 2: compute $x=H_5(w,y,z,T_1,T_2,m)$
  - Response: compute
  - Output the signature $\sigma_{ring}=(B_1,B_2,A,S_1,S_2,S_3,T_1,T_2,\tau_x,\mu,z_{\alpha_1},z_{\alpha_2},z_{sk,1},...,z_{sk,M},z_\Delta,\vec{l},\vec{r},t)$ and the key images $(U_1,...,U_M)$
Output:
Define $\mathbb{S}$ as the set of serial numbers $\{U_1,...,U_M\}$. The Spend algorithm outputs $(\mathbb{A}_{out},\pi=(\pi_{range},\sigma_{ring}),\mathbb{S},\mathbb{C}k_{out})$.
$\operatorname{Verify}(m,\mathbb{A}_{in},\mathbb{A}_{out},\pi,\mathbb{S},\mathbb{U})\rightarrow0/1$
$\mathbb{S}$ is a set of serial numbers and $\mathbb{U}$ is the set of serial numbers used in the past.
Checks:
- If any $U$ appears in both $\mathbb{S}$ and $\mathbb{U}$, return $-1$ (double spend). A Bloom filter over $\mathbb{U}$ can be used to speed up this detection (it can only rule membership out; a filter hit still has to be confirmed against $\mathbb{U}$ itself).
- Call RVerify to check the range proof, with input $\pi_{range}$ and the coins of the output accounts $\mathbb{A}_{out}$.
- Verify the ring signature $\sigma_{ring}$ and the key images $U_k\in\mathbb{S}$ for $k\in[1,M]$:
  - Compute $d_0,d_1,d_2,\vec{Y}$ from $\mathbb{A}_{in}$ as in the Ring formation step of Spend.
  - Define the string $str'=\vec{Y}||B_1||B_2||A||S_1||S_2||S_3||U_1||...||U_M$.
  - Compute $h=H_3(\vec{Y}),~y=H_4(1,str'),~z=H_4(2,str'),~w=H_4(3,str'),~x=H_5(w,y,z,T_1,T_2,m)$
  - Define $\vec{h'}=(h_1',...,h_{nM}')\in\mathbb{G}^{nM}$ with $h_i'=h_i^{y^{-i+1}},~i\in[1,nM]$;
  - Return 1 if the following conditions hold, otherwise return 0:
Analysis:
Condition (1) guarantees that $t$ is the inner product of $\vec{l}$ and $\vec{r}$.
Condition (2):
$$\begin{aligned} g^th^{\tau_x}&=g^{\langle\vec{l},\vec{r}\rangle}h^{\tau_1x+\tau_2x^2}\\ (\text{if }\tau_x=\tau_1x+\tau_2x^2)&=g^{t_0+t_1x+t_2x^2}h^{\tau_1x+\tau_2x^2}\\ (\text{if }T_1=g^{t_1}h^{\tau_1},T_2=g^{t_2}h^{\tau_2})&=g^{\sum_{k=1}^{M}z^{1+k}+w(z-z^2)\langle\vec{1}^{nM},\vec{y}^{nM}\rangle-\sum_{k=1}^{M}nz^{2+k}}T_1^xT_2^{x^2} \end{aligned}$$
Condition (3):
$$\begin{aligned} h^\mu\vec{Y}^{\vec{l}}\vec{h'}^{\vec{r}}&=h^{\alpha_1+\beta\cdot w+\rho\cdot x}\vec{Y}^{\vec{b_L}-z\cdot\vec{1}^{nM}+\vec{s_L}\cdot x}\vec{h'}^{\vec{y}^{nM}\circ(w\vec{b_R}+wz\vec{1}^{nM}+\vec{s_R}\cdot x)+\sum_{k=1}^M z^{1+k}\cdot(\vec{0}^{(k-1)n}||\vec{1}^n||\vec{0}^{(M-k)n})}\\ &=(h^{\alpha_1}\vec{Y}^{\vec{b_L}})(h^\beta\vec{h}^{\vec{b_R}})^w(h^\rho\vec{Y}^{\vec{s_L}}\vec{h}^{\vec{s_R}})^x\vec{Y}^{-z\cdot\vec{1}^{nM}}\vec{h'}^{wz\cdot\vec{y}^{nM}+\sum_{k=1}^Mz^{1+k}\cdot(\vec{0}^{(k-1)n}||\vec{1}^n||\vec{0}^{(M-k)n})}\\ &=B_1A^wS_2^x\vec{Y}^{-z\cdot\vec{1}^{nM}}\vec{h'}^{wz\cdot\vec{y}^{nM}+\sum_{k=1}^Mz^{1+k}\cdot(\vec{0}^{(k-1)n}||\vec{1}^n||\vec{0}^{(M-k)n})} \end{aligned}$$
The derivation holds on the premise that $\mu=\alpha_1+\beta\cdot w+\rho\cdot x,~\vec{l}=...,~\vec{r}=...$, together with
$$\begin{aligned} \vec{h'}^{\vec{y}^{nM}}&=(h_1',h_2',...,h_{nM}')^{\vec{y}^{nM}}\\ &=(h_1^{y^0},h_2^{y^{-1}},...,h_{nM}^{y^{1-nM}})^{(1,y^1,...,y^{nM-1})}\\ &=(h_1,h_2,...,h_{nM})=\vec{h} \end{aligned}$$
Condition (4):
$$\begin{aligned} &h^{z_{\alpha_1}-d_2z_{\alpha_2}}g^{\sum_{k=1}^Mz_{sk,k}d_0^{k-1}}g_c^{d_1z_\Delta}=h^{r_{\alpha_1}+\alpha_1\cdot x-d_2(r_{\alpha_2}+\alpha_2\cdot x)}g^{\sum_{k=1}^M(r_{sk,k}+sk_k\cdot x)d_0^{k-1}}g_c^{d_1(r_\Delta+\Delta\cdot x)}\\ &=(h^{r_{\alpha_1}-d_2r_{\alpha_2}}g^{\sum_{k=1}^Mr_{sk,k}d_0^{k-1}}g_c^{d_1r_\Delta})(h^{\alpha_1}\prod_{k=1}^{M}g^{sk_kd_0^{k-1}}(\prod_{k=1}^{M}C_{in,k}^{(ind_k)}/\prod_{j=1}^{N}C_{out,j})^{d_1}h^{-d_2\alpha_2})^x\\ &=S_1\Big((h^{\alpha_1}\prod_{k=1}^{M}g^{sk_kd_0^{k-1}}(C_{in,k}^{(ind_k)})^{d_1}g_{ind_k}^{d_2})(\prod_{j=1}^{N}(C_{out,j})^{-d_1}g_{ind_k}^{-d_2}h^{-d_2\alpha_2})\Big)^x\\ &=S_1(B_1\cdot\prod_{j=1}^{N}C_{out,j}^{-d_1}\cdot B_2^{-d_2})^x \end{aligned}$$
The derivation holds under the conditions
$$z_{\alpha_1}=r_{\alpha_1}+\alpha_1\cdot x,~z_{\alpha_2}=r_{\alpha_2}+\alpha_2\cdot x,~z_{sk,k}=r_{sk,k}+sk_k\cdot x,~z_{\Delta}=r_\Delta+\Delta\cdot x$$
$S_1=...,~B_1=...,~B_2=...$ and $g_c^{\Delta}=\prod_{k=1}^{M}C_{in,k}^{(ind_k)}/\prod_{j=1}^{N}C_{out,j}$.
Condition (5):
$$\begin{aligned} \prod_{k=1}^{M}U_k^{z_{sk,k}d_0^{k-1}}&=\prod_{k=1}^{M}U_k^{(r_{sk,k}+sk_k\cdot x)d_0^{k-1}}\\ &=\prod_{k=1}^{M}U_k^{r_{sk,k}d_0^{k-1}}\cdot\prod_{k=1}^{M}(u^{\frac{1}{sk_k}})^{sk_k\cdot xd_0^{k-1}}\\ &=S_3\cdot u^{x\sum_{k=1}^Md_0^{k-1}} \end{aligned}$$
The derivation holds under the conditions $z_{sk,k}=r_{sk,k}+sk_k\cdot x,~U_k=u^{\frac{1}{sk_k}},~S_3=...$
Reading this far, do you feel lost in the sheer number of symbols? (I certainly did...) Let's try to analyse the role of each quantity and the authors' design idea.
$U_k$: the key image. It incorporates the secret key of the spending account and is used to detect double spending.
Ring formation
- $str$ is the concatenation of $\{act_k^{(1)}||...||act_k^{(n)}\}_{k\in[1,M]}$, so it contains the information of all input accounts used in the transaction; it is the root that is hashed to produce $d_0,d_1,d_2$.
- $\vec{Y}_k$ forms one (commitment) ring for each real input account of the transaction; each ring consists of the commitments of a group of $n$ accounts, with $d_0,d_1,d_2$ used as the random values inside the commitments. The $M$ vectors $\vec{Y}_k$ are concatenated into $\vec{Y}$.
Signer index
- The previous step produced $M$ rings; a group of $M$ vectors $\vec{b_{L,k}}$ records the position (index) of the real signer's account in each ring. These vectors are prepared for a zero-knowledge proof of the binary-vector property (similar to the improved inner-product argument of Bulletproofs).
Generating the signature
- Commit 1:
  - Hash the transaction's ring information $\vec{Y}$ to a group element $h\in\mathbb{G}$, which serves as a base for the group operations
  - Sample all the random values needed
  - Generate a set of commitments:
    $B_1$: the ring elements corresponding to all of the signer's real accounts; it can also be seen as a commitment to $\vec{b_L}$ (since $\vec{b_L}$ encodes the positions of the real accounts in the account matrix)
    $B_2$: all of the signer's generators
    $A$: $\vec{b_R}$
    $S_1$: commitment to $d_0,d_1,d_2$, to the $r_{sk_k}$ used in $S_3$, and to $r_\Delta$
    $S_2$: $\vec{s_L},\vec{s_R}$
    $S_3$: all $U_k$ ($S_3$ is not a commitment)
- Challenge 1
  - The receiver concatenates all received public commitments and parameters into one public string $str'$
  - $str'$ is hashed to produce the challenges $y,z,w$
- Commit 2
  - Construct $l(X),r(X),t(X)$ as in the Bulletproofs inner-product argument and arrange them as a quadratic polynomial
  - Work out the constant coefficient $t_0$
  - Commit to the first- and second-degree coefficients as $T_1,T_2$
- Challenge 2
  - The receiver packs the received commitments, the previous round's challenge values and the signed message $m$ together and hashes them to produce the new challenge $x$
- Response
  - Use $x$ to fold all the blinding parameters: $\tau_x,\mu,z_{\alpha_1},z_{\alpha_2},z_\Delta,z_{sk_k}$
  - Substitute $x$ to compute $l,r,t$
The final signature contains: all commitments + all folded blinding parameters + $\vec{l},\vec{r},t$
Spend outputs: the transaction's output accounts + (range proofs of the outputs, transaction signature) + the set of key-image serial numbers + the set of coin keys of the output accounts
Verifying the signature
- From the account information in $\mathbb{A}_{in}$ one can recover $str\rightarrow d_0,d_1,d_2\rightarrow\vec{Y}\rightarrow h,str'\rightarrow y,z,w\rightarrow x$
- As in Bulletproofs, construct the generators $\vec{h'}$
- Condition (1): the inner-product relation for $t$ is correct
- Condition (2): the quadratic-polynomial relation
- Condition (3): $\vec{l},\vec{r}$ are correct
- Condition (4): the transaction's input/output relation $\Delta$ is correct
- Condition (5): the key images $U_k$ are correct
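As an added illustration (not code from the paper or from any RingCT implementation), the following Python models the one-time address scheme of KeyGen, Mint, the balance relation $\prod C_{in}/\prod C_{out}=g_c^{\Delta}$ and the key image $U=u^{1/sk}$ from the text in a toy Schnorr group; the 28-bit safe prime, SHA-256 standing in for $H_6$ and the helper names (`setup`, `run_example`, ...) are assumptions of this example.

```python
# Added example, not the paper's code: KeyGen, Mint, balance relation and
# key image from the text in a toy Schnorr group (order-p subgroup of Z_q^*,
# q = 2p + 1). Assumed: 28-bit toy safe prime, SHA-256 as H6, random generators.
import hashlib
import math
import random

def is_prime(n):  # trial division is enough for the toy 28-bit parameters
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def setup(bits=28, seed=2020):
    """Setup(1^lambda): order-p group with generators g, g_c, h_c, u (as a dict)."""
    rng = random.Random(seed)
    p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    while not (is_prime(p) and is_prime(2 * p + 1)):
        p += 2
    q = 2 * p + 1                      # squares mod q form the order-p subgroup
    g, g_c, h_c, u = (pow(rng.randrange(2, q - 1), 2, q) for _ in range(4))
    return {"p": p, "q": q, "g": g, "g_c": g_c, "h_c": h_c, "u": u}

def H6(G, elem):  # H6: G -> Z_p, modelled as SHA-256 of the element's decimal string
    return int.from_bytes(hashlib.sha256(str(elem).encode()).digest(), "big") % G["p"]

def long_term_keygen(G, rng):  # ltsk = (x1, x2), ltpk = (g^x1, g^x2)
    x1, x2 = rng.randrange(1, G["p"]), rng.randrange(1, G["p"])
    return (x1, x2), (pow(G["g"], x1, G["q"]), pow(G["g"], x2, G["q"]))

def one_time_pk_gen(G, ltpk, rng):
    """Sender side: pk = g^x1 * g^{H6((g^x2)^r_ot)}, R_ot = g^r_ot, from ltpk only."""
    r_ot = rng.randrange(1, G["p"])
    pk = ltpk[0] * pow(G["g"], H6(G, pow(ltpk[1], r_ot, G["q"])), G["q"]) % G["q"]
    return pk, pow(G["g"], r_ot, G["q"])

def one_time_sk_gen(G, pk, R_ot, ltsk):
    """Recipient side: check pk = g^x1 * g^{H6(R_ot^x2)}, then sk = x1 + H6(R_ot^x2)."""
    x1, x2 = ltsk
    t = H6(G, pow(R_ot, x2, G["q"]))
    if pk != pow(G["g"], x1, G["q"]) * pow(G["g"], t, G["q"]) % G["q"]:
        return None                    # pk was not derived from this ltpk
    return (x1 + t) % G["p"]

def mint(G, amount, rng):  # Mint: C = g_c^kappa * h_c^a, coin key ck = kappa
    kappa = rng.randrange(1, G["p"])
    return pow(G["g_c"], kappa, G["q"]) * pow(G["h_c"], amount, G["q"]) % G["q"], kappa

def key_image(G, sk):  # U = u^{1/sk}: fixed per account, so a respend repeats U
    return pow(G["u"], pow(sk, -1, G["p"]), G["q"])

def balance_holds(G, coins_in, coins_out, delta):
    """prod C_in / prod C_out == g_c^Delta, Delta = sum kappa_in - sum kappa_out; holds iff the amounts balance."""
    lhs = math.prod(coins_in) * pow(math.prod(coins_out), -1, G["q"]) % G["q"]
    return lhs == pow(G["g_c"], delta % G["p"], G["q"])

def run_example():
    """Spend amounts 30 + 12 into 25 + 17 (balanced) and into 25 + 18 (inflated)."""
    G, rng = setup(), random.Random(7)
    ltsk, ltpk = long_term_keygen(G, rng)
    pk, R_ot = one_time_pk_gen(G, ltpk, rng)
    sk = one_time_sk_gen(G, pk, R_ot, ltsk)
    c_in, c_out, bad = ([mint(G, a, rng) for a in amts] for amts in ((30, 12), (25, 17), (25, 18)))
    delta = lambda outs: sum(k for _, k in c_in) - sum(k for _, k in outs)
    return {"sk_opens_pk": sk is not None and pow(G["g"], sk, G["q"]) == pk,
            "key_image_opens": sk is not None and pow(key_image(G, sk), sk, G["q"]) == G["u"],
            "balanced": balance_holds(G, [c for c, _ in c_in], [c for c, _ in c_out], delta(c_out)),
            "inflated_rejected": not balance_holds(G, [c for c, _ in c_in], [c for c, _ in bad], delta(bad))}
```

The `inflated_rejected` check is the balance sub-protocol's whole point: the $h_c$ parts of the commitments only cancel when the input and output amounts agree, so an extra unit on the output side leaves a $g_c^{\Delta}$ mismatch that no choice of coin keys can hide.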
A more efficient construction
Following the size-compressing technique from Bulletproofs, Spend' is:
- Run Spend to generate the signature
- Compute $P=\vec{Y}^{\vec{l}}\vec{h}'^{\vec{r}}$
- Run the inner-product argument $\operatorname{IPProve}(\vec{Y},\vec{h}',t,P,\vec{l},\vec{r})\rightarrow(\vec{L},\vec{R},a,b)$; note $\vec{l},\vec{r}$
- Signature: $\sigma_{ring}'=(B_1,B_2,A,S_1,S_2,S_3,T_1,T_2,\tau_x,\mu,z_{\alpha_1},z_{\alpha_2},z_{sk,1},...,z_{sk,M},z_\Delta,t,P,\vec{L},\vec{R},a,b)$, which takes the place of the original signature in the Spend output.
The corresponding Verify':
- Run the inner-product verification $\operatorname{IPVerify}(\vec{Y},\vec{h}',t,P,(\vec{L},\vec{R},a,b))\rightarrow0/1$.
- Run the Verify algorithm, except that condition (3) is replaced by the following (in effect, the left-hand side of the equation is replaced by its equivalent $P$):
Performance
Size: $O(M+\log n)$
Comparison with Ring CT 1.0: