Article

Cuproof: Range Proof with Constant Size

1 School of Communication Engineering, Hangzhou Dianzi University, Hangzhou 310018, China
2 School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China
3 Department of Mathematical Sciences, Clemson University, Clemson, SC 29634, USA
* Author to whom correspondence should be addressed.
Entropy 2022, 24(3), 334; https://doi.org/10.3390/e24030334
Submission received: 27 January 2022 / Revised: 14 February 2022 / Accepted: 22 February 2022 / Published: 25 February 2022
(This article belongs to the Special Issue Information Theoretical Security and Privacy)

Abstract
Zero-Knowledge Proof is widely used in blockchains. For example, zk-SNARK is used in Zcash as its core technology to validate transactions without exposing the actual transaction values. Up to now, various range proofs have been proposed, and their efficiency and range-flexibility have also been improved. Bootle et al. used the inner product method and recursion to construct an efficient Zero-Knowledge Proof in 2016. Later, Benedikt Bünz et al. proposed an efficient range proof scheme called Bulletproofs, which can convince the verifier that a secret number lies in $[0, 2^\kappa - 1]$ with $\kappa$ being a positive integer. By combining the inner product and Lagrange's four-square theorem, we propose a range proof scheme called Cuproof. Our Cuproof can produce a range proof showing that a secret number $v$ lies in an interval $[a, b]$ without exposing the real value $v$ or leaking any other information about $v$. It is a good and practical method to protect privacy and information security. In Bulletproofs, the communication cost is $6 + 2\log\kappa$, while in our Cuproof the communication cost, the proving time and the verification time are all of constant size.

1. Introduction

Blockchain technology is the most well-known decentralized and tamper-proof information technology, and it can be applied to construct many different digital service systems or application platforms, such as digital currencies, supply systems and so on. Wu et al. [1] elaborated the intellectual cores of the blockchain-Internet of Things (BIoT). Fedorov et al. [2] stated how to apply blockchain technology to 5G. Cryptocurrencies were the first to bring the concept of blockchain into the world. Blockchain-based cryptocurrencies enable peer-to-peer transactions and make sure that the transactions are valid. In the Bitcoin [3] system, all the transactions are recorded in a public ledger, and everyone can check whether the transactions in the ledger are valid. The hash function used in blockchains ensures that the transaction data cannot be tampered with. However, every coin has two sides. Despite its advantages, the transparency of Bitcoin also has a disadvantage. In a Bitcoin transaction, the transaction data and the addresses of the senders and the receivers are essentially transparent, which means that Bitcoin cannot achieve anonymity and cannot provide the same level of privacy as paper cash.
In order to offset the disadvantages of Bitcoin, people have started to think about using zero-knowledge proofs to protect the privacy of blockchain users, because a zero-knowledge proof is a cryptographic protocol with a strong privacy protection function. In [4], Sun et al. showed how zero-knowledge proof technology is applied to the blockchain. There are many blockchain-based cryptocurrencies using range proofs [5,6] or zk-SNARKs [7,8,9,10], such as Zcash [11]. The transactions between shielded addresses are what makes Zcash special. In these transactions, although the traders' addresses and the amounts of the transactions are all hidden, the validity of these transactions can still be checked because zk-SNARKs have been applied. Because of this anonymity-protecting property, more and more cryptocurrencies apply range proofs as a tool to avoid the disclosure of users' information.
In 2018, Bünz et al. proposed a type of range proof called Bulletproofs [5]. The efficiency of Bulletproofs makes it particularly well suited to blockchains. However, its communication cost, which is $6 + 2\log\kappa$, grows with $\kappa$. In this paper, we combine Lagrange's four-square theorem with Bulletproofs [5] to construct a range proof for an arbitrary interval $[a, b]$. In our scheme, the communication cost is 4 elements of $\mathbb{G}$ and 18 elements of $\mathbb{Z}$. Our Cuproof is a good method to protect users' privacy and information security. For example, we can use the Cuproof scheme to declare that our age $v$ lies in some interval. Because of the RSA assumption and the discrete logarithm problem, it is hard for the verifier to obtain the secret $v$, yet the verifier is still convinced that $v$ lies in this interval.

1.1. Related Work

Nowadays, information security and privacy protection have become more and more important for each of us. A number of works on information security and privacy protection have been published. For example, Dong et al. [12] elaborated how overconfidence affects information security investment and information security performance. Range proof technology, a kind of zero-knowledge proof protocol, is a good method for protecting information security and privacy. There has been a lot of research on range proofs since the first relevant algorithm was proposed. Brickell et al. [6] first stated the correlative algorithm of range proof in 1987. Its purpose was to send reliable values to other participants: it allows a user with a discrete logarithm to disclose one bit of information to another user so that any other user can verify the equations as they receive each bit. In 1998, Chan et al. [13] showed how to use the algorithm given in [6] to verify that a transaction amount is non-negative, and they also enhanced the algorithm in [6]. Their improved proof method was called CTF proof. In 2000, Boudot [14] used square numbers to build an effective range proof based on CTF.
By using Lagrange's four-square theorem [15], that is, any non-negative integer can be represented as the sum of the squares of four integers, Lipmaa [16] proposed a proof for an arbitrary range for the first time. In 2005, Groth [17] pointed out that if $y$ is a non-negative integer, then $4y + 1$ can be represented as the sum of the squares of three integers. Using the Boneh-Boyen signature [18], Teranishi et al. [19] proposed several anonymous authentication methods in 2006. In 2008, Camenisch et al. [20] used a signature method that relies on the security of the q-Strong Diffie-Hellman assumption to construct a range proof. In 2014, Belenkiy [21] designed a scheme to extend the U-Prove cryptographic specification [22] by making use of the membership proof of a set. This scheme can be used twice to compare one committed value with another committed value, and therefore it can be used to construct a range proof.
Bootle et al. [23] made a step forward on the efficiency of space in Zero-Knowledge Proof based on discrete logarithms. They combined the inner product method and recursion to enhance the efficiency of Zero-Knowledge Proof. Based on this work, Bünz et al. [5] improved the inner product method for zero certificate range proof and proposed a more efficient Zero-Knowledge Proof scheme called Bulletproofs.

1.2. Contributions

Our scheme, called Cuproof for convenience, is built on the techniques of Bulletproofs and Lagrange's three-square theorem as given in [17]. Our protocol can be used to construct a range proof for an arbitrary range. The argument of our scheme has low computational complexity. The main difference between Bulletproofs and our scheme is that the communication cost of Bulletproofs [5] is logarithmic in $\kappa$, where $\kappa$ is the exponent in the proving range $[0, 2^\kappa - 1]$, while the cost in our scheme is constant. The key is that we combine Theorem 2 below with Bulletproofs. Our Cuproof satisfies the three security properties required of a secure Zero-Knowledge Proof: completeness, soundness, and zero-knowledge.

1.3. Structure of the Paper

In Section 2, some mathematical symbols, definitions, and theorems are given. The framework and construction of our range proof protocol are stated in Section 3. In Section 3.1, we show how to construct a proof that convinces the verifier that the prover knows the secret number v. In Section 3.2, we describe our range proof protocol Cuproof in detail. The performance comparisons among Bulletproofs, some other range proof protocols and Cuproof are shown in Section 4. Finally, the proof of Theorem 3 about our Cuproof will be given in Appendix A.

2. Preliminaries

Before we state our protocol, we first state some of the underlying tools. In this paper, $\mathcal{A}$ is a PPT adversary, i.e., a probabilistic interactive Turing machine that runs in time polynomial in the security parameter $\lambda$.

2.1. Notation

Let $[N]$ denote the set $\{1, \dots, N-1\}$. Let $p$ and $q$ denote two prime numbers. Let $\mathbb{G}$ denote the multiplicative group of integers modulo $n$, where $n$ is the product of $p$ and $q$, i.e., $\mathbb{G}$ is an RSA group. Let $\mathbb{Z}$ denote the set of all integers. Let $\mathbb{Z}_n$ denote the ring of integers modulo $n$. Let $\mathbb{G}^j$ and $\mathbb{Z}_n^j$ be vector spaces of dimension $j$ over $\mathbb{G}$ and $\mathbb{Z}_n$, respectively. Let $\mathbb{Z}_n^*$ denote $\mathbb{Z}_n \setminus \{0\}$. Group elements which represent commitments are capitalized. For example, $C = g^a h^\alpha$ is a Pedersen commitment to $a$ for $g, h \in \mathbb{G}$. $x \xleftarrow{\$} \mathbb{Z}_n^*$ means the uniform sampling of an element from $\mathbb{Z}_n^*$. In this paper, $\mathbf{a} \in \mathbb{F}^j$ is a vector with elements $a_1, \dots, a_j \in \mathbb{F}$. For an element $c \in \mathbb{Z}_n$ and a vector $\mathbf{a} \in \mathbb{Z}_n^j$, we denote by $\mathbf{b} = c \cdot \mathbf{a} \in \mathbb{Z}_n^j$ the vector with $b_i = c \cdot a_i$. For two vectors $\mathbf{a}, \mathbf{b} \in \mathbb{F}^j$, let $\langle \mathbf{a}, \mathbf{b} \rangle = \sum_{i=1}^{j} a_i \cdot b_i$ denote the inner product and $\mathbf{a} \circ \mathbf{b} = (a_1 \cdot b_1, \dots, a_j \cdot b_j) \in \mathbb{F}^j$ the Hadamard product, respectively. We define vector polynomials $P(x) = \sum_{i=0}^{d} \mathbf{p}_i \cdot x^i \in \mathbb{Z}^j[x]$, where each coefficient $\mathbf{p}_i$ is a vector in $\mathbb{Z}^j$. The inner product between two vector polynomials $l(x)$ and $r(x)$ is defined as
$$\langle l(x), r(x) \rangle = \sum_{i=0}^{d} \sum_{j=0}^{i} \langle \mathbf{l}_i, \mathbf{r}_j \rangle \cdot x^{i+j} \in \mathbb{Z}[x]$$
Let $\mathbf{a} \| \mathbf{b}$ denote the concatenation of two vectors: if $\mathbf{a} \in \mathbb{Z}_n^j$ and $\mathbf{b} \in \mathbb{Z}_n^m$ then $\mathbf{a} \| \mathbf{b} \in \mathbb{Z}_n^{j+m}$. For $0 \le \ell \le s$, we use Python notation to denote slices of vectors:
$$\mathbf{a}_{[:\ell]} = \mathbf{a}_{[0:\ell]} = (a_1, \dots, a_\ell) \in \mathbb{F}^\ell,$$
$$\mathbf{a}_{[\ell:]} = \mathbf{a}_{[\ell:s]} = (a_{\ell+1}, \dots, a_s) \in \mathbb{F}^{s-\ell}.$$
Let $t(x) = \langle l(x), r(x) \rangle$; the inner product is defined such that $t(x) = \langle l(x), r(x) \rangle$ holds for all $x \in \mathbb{Z}_n$. For vectors $\mathbf{g} = (g_1, \dots, g_j) \in \mathbb{G}^j$ and $\mathbf{a} \in \mathbb{Z}_n^j$, we write $C = \mathbf{g}^{\mathbf{a}} = \prod_{i=1}^{j} g_i^{a_i} \in \mathbb{G}$. We set $\mathbf{u} = (1, 2, 3, \dots, u) \in \mathbb{Z}^u$ for $u \ge 1$.

2.2. Assumptions

Groups of Unknown Order: In order to achieve the soundness of our range proof, we use an RSA group $\mathbb{G}$ whose order is unknown. The RSA group is generated by a trusted setup.
RSA Group: The RSA group is the multiplicative group $\mathbb{G}$ of the integers modulo $n$, where $n$ is the product of two large primes $p$ and $q$. Computing the order of the group $\mathbb{G}$ is as hard as factoring $n$.
Assumption 1 (Discrete Log Relation Assumption).
For all PPT adversaries $\mathcal{A}$ and $j \ge 2$, there exists a negligible function $\mu(\lambda)$ such that:
$$\Pr\left[\mathbb{G} = \mathrm{Setup}(1^\lambda),\ g_1, \dots, g_j \xleftarrow{\$} \mathbb{G};\ a_1, \dots, a_j \in \mathbb{Z}_{2^\lambda n} \leftarrow \mathcal{A}(g_1, \dots, g_j) : \exists\, a_i \neq 0 \ \wedge\ \prod_{i=1}^{j} g_i^{a_i} = 1\right] \le \mu(\lambda).$$
As Bünz et al. [5] stated, $\prod_{i=1}^{j} g_i^{a_i} = 1$ is a non-trivial discrete log relation among $g_1, \dots, g_j$. The discrete log relation assumption ensures that an adversary cannot find a non-trivial relation between randomly selected group elements. This assumption is equivalent to the discrete-log assumption when $j \ge 1$.
Assumption 2 (Order Assumption).
For any efficient adversary $\mathcal{A}$ there exists a negligible function $\mu(\lambda)$ such that:
$$\Pr\left[g_1 \neq 1 \ \wedge\ g_1^{a_1} = 1 : \mathbb{G} \xleftarrow{\$} \mathrm{Setup}(\lambda),\ (g_1, a_1) \xleftarrow{\$} \mathcal{A}(\mathbb{G})\right] \le \mu(\lambda),$$
where $a_1 \neq 0$, $a_1 \in \mathbb{Z}_{2^\lambda n}$, and $g_1 \in \mathbb{G}$.
Lemma 1.
A PPT adversary $\mathcal{A}$ that breaks the Order Assumption can also easily break the Discrete Log Relation Assumption.
Proof. 
We show that if an adversary $\mathcal{A}_{Ord}$ breaks the Order Assumption, then we can construct $\mathcal{A}_{DL}$ which breaks the Discrete Log Relation Assumption with overwhelming probability. In order to get a vector $(g_1, g_2, \dots, g_j) \in \mathbb{G}^j$ and a vector $(a_1, a_2, \dots, a_j) \in \mathbb{Z}_{2^\lambda n}^j$ such that $g_1^{a_1} \cdot g_2^{a_2} \cdots g_j^{a_j} = 1$ where $g_i \neq 1$, $a_i \neq 0$ and $i \in \{1, 2, \dots, j\}$, we run $\mathcal{A}_{Ord}$ $j$ times; the $i$-th run outputs $g_i \in \mathbb{G}$ and $a_i \in \mathbb{Z}$ such that $g_i^{a_i} = 1$ for $i = 1, \dots, j$. It follows that $\prod_{i=1}^{j} g_i^{a_i} = 1$. □

2.3. Commitments

Definition 1 (Commitments).
A non-interactive commitment scheme consists of a pair of probabilistic polynomial time algorithms $(\mathrm{Setup}, \mathrm{Com})$. The setup algorithm $pp \leftarrow \mathrm{Setup}(1^\lambda)$ generates the public parameters $pp$ for the security parameter $\lambda$. The commitment algorithm $\mathrm{Com}_{pp}$ defines a function $\mathsf{M}_{pp} \times \mathsf{R}_{pp} \to \mathsf{C}_{pp}$ for a message space $\mathsf{M}_{pp}$, a randomness space $\mathsf{R}_{pp}$, and a commitment space $\mathsf{C}_{pp}$ determined by $pp$. For a message $x \in \mathsf{M}_{pp}$, the algorithm draws $r \xleftarrow{\$} \mathsf{R}_{pp}$ uniformly at random and computes the commitment $\mathrm{com} = \mathrm{Com}_{pp}(x, r)$.
Definition 2 (Pedersen Commitment).
Let $\mathsf{M}_{pp} = \mathbb{Z}_n$, $\mathsf{R}_{pp} = \mathbb{Z}_{2^\lambda n}$ and $\mathsf{C}_{pp} = (\mathbb{G}, *)$ be a multiplicative group; the commitment is generated as follows:
$$\mathrm{Setup}: g, h \xleftarrow{\$} \mathbb{G}, \qquad \mathrm{Com}(x; r) = g^x h^r.$$
Definition 3 (Pedersen Vector Commitment).
Let $\mathsf{M}_{pp} = \mathbb{Z}_n^j$, $\mathsf{R}_{pp} = \mathbb{Z}_{2^\lambda n}$ and $\mathsf{C}_{pp} = (\mathbb{G}, *)$ be a multiplicative group; the commitment is generated as follows:
$$\mathrm{Setup}: \mathbf{g} = (g_1, \dots, g_j),\ h \xleftarrow{\$} \mathbb{G}, \qquad \mathrm{Com}(\mathbf{x} = (x_1, \dots, x_j); r) = h^r \mathbf{g}^{\mathbf{x}} = h^r \prod_i g_i^{x_i} \in \mathbb{G}.$$

2.4. Zero-Knowledge Arguments of Knowledge

A Zero-Knowledge Argument consists of three interactive algorithms $(\mathrm{Setup}, \mathcal{P}, \mathcal{V})$ which run in probabilistic polynomial time. $\mathrm{Setup}$ is the common reference string generator, $\mathcal{P}$ is the prover, and $\mathcal{V}$ is the verifier. The algorithm $\mathrm{Setup}$ produces a common reference string $\sigma$ on input $1^\lambda$. The transcript produced by $\mathcal{P}$ and $\mathcal{V}$ when they interact on the inputs $s$ and $t$ is denoted by $tr \leftarrow \langle \mathcal{P}(s), \mathcal{V}(t) \rangle$. We write $\langle \mathcal{P}(s), \mathcal{V}(t) \rangle = b$, where $b = 0$ if the verifier rejects and $b = 1$ if the verifier accepts.
Let $\mathcal{R}$ be a polynomial-time-decidable ternary relation. Given a parameter $\sigma$, $w$ is a witness for a statement $u$ only if $(\sigma, u, w) \in \mathcal{R}$. We define the CRS-dependent language
$$L_\sigma = \{\, u \mid \exists\, w : (\sigma, u, w) \in \mathcal{R} \,\}$$
as the set of all statements $u$ that have a witness $w$ in the relation $\mathcal{R}$.
Definition 4 (Argument of Knowledge).
$(\mathrm{Setup}, \mathcal{P}, \mathcal{V})$ is called an argument of knowledge for the relation $\mathcal{R}$ if it satisfies both Perfect Completeness and Computational Soundness.
Perfect Completeness:
$$\Pr\left[(\sigma, u, w) \notin \mathcal{R} \ \text{or}\ \langle \mathcal{P}(\sigma, u, w), \mathcal{V}(\sigma, u) \rangle = 1 \ \middle|\ \sigma \leftarrow \mathrm{Setup}(1^\lambda);\ (u, w) \leftarrow \mathcal{A}(\sigma)\right] = 1.$$
Computational Soundness:
$$\Pr\left[u \notin L_\sigma \ \text{and}\ \langle \mathcal{A}, \mathcal{V}(\sigma, u) \rangle = 1 \ \middle|\ \sigma \leftarrow \mathrm{Setup}(1^\lambda);\ u \leftarrow \mathcal{A}(\sigma)\right] \approx 0.$$
Definition 5 (Perfect Special Honest-Verifier Zero-Knowledge).
A public coin argument of knowledge $(\mathrm{Setup}, \mathcal{P}, \mathcal{V})$, as defined in [5], is a perfect special honest verifier zero knowledge (SHVZK) argument of knowledge for $\mathcal{R}$ if there exists a probabilistic polynomial time simulator $\mathcal{S}$ such that for every pair of interactive adversaries $\mathcal{A}_1$ and $\mathcal{A}_2$, we have
$$\Pr\left[(\sigma, u, w) \in \mathcal{R} \text{ and } \mathcal{A}_1(tr) = 1 \ \middle|\ \sigma \leftarrow \mathrm{Setup}(1^\lambda),\ (u, w, \rho) \leftarrow \mathcal{A}_2(\sigma),\ tr \leftarrow \langle \mathcal{P}(\sigma, u, w), \mathcal{V}(\sigma, u; \rho) \rangle\right] = \Pr\left[(\sigma, u, w) \in \mathcal{R} \text{ and } \mathcal{A}_1(tr) = 1 \ \middle|\ \sigma \leftarrow \mathrm{Setup}(1^\lambda),\ (u, w, \rho) \leftarrow \mathcal{A}_2(\sigma),\ tr \leftarrow \mathcal{S}(u, \rho)\right]$$
where ρ is the public coin randomness used by the verifier. The "transcript" can be simulated by S without knowing w.
Definition 6 (Zero-Knowledge Range Proof).
Given a commitment scheme $(\mathrm{Setup}, \mathrm{Com})$ over a message space $\mathsf{M}_{pp}$ which is a set with a total ordering, a Zero-Knowledge range proof is a SHVZK argument of knowledge for the relation $\mathcal{R}_{\mathrm{Range}}$:
$$(pp, (\mathrm{com}, l, r), (x, \rho)) \in \mathcal{R}_{\mathrm{Range}} \iff \mathrm{com} = \mathrm{Com}(x; \rho) \wedge (l \le x < r).$$
Theorem 1 (Lagrange’s four-square theorem).
Any non-negative integer can be represented as the sum of the squares of four integers.
The proof for Theorem 1 is given in [15] and an algorithm for finding four such squares was provided in [16].
Theorem 2 (Lagrange’s three-square theorem).
If $x$ is a positive integer, then $4x + 1$ can be written as the sum of three integer squares.
The proof of Theorem 2 is given in [17], and ref. [15] offers an efficient and simple algorithm for finding three such squares. Theorem 2 also means that being able to write $4x + 1$ as the sum of three squares implies that $x$ is non-negative, since a sum of squares is itself non-negative.

3. Efficient Range Proof Protocol

In this section, we will present our range proof protocol.

3.1. Four Integer Zero-Knowledge Proof

We now describe how to use the inner-product argument to construct a proof. The prover convinces the verifier that a commitment V contains a number v in a given range without revealing v.
In our proof, a Pedersen commitment V is an element in the group G that is used to perform the inner product argument and λ is the security parameter.
We let $v \in \mathbb{Z}_n$, and let $V \in \mathbb{G}$ be a Pedersen commitment to $v$ using a random number $r$. The proof system proves the following relation:
$$\{(g, h, V \in \mathbb{G};\ v \in \mathbb{Z}_n,\ r \in \mathbb{Z}_{2^\lambda n}) : V = h^r g^v\}$$
Choose $\mathbf{a} = (a_1, a_2, a_3, a_4) \in \mathbb{Z}_n^4$ such that
$$v = a_1^2 + a_2^2 + a_3^2 + a_4^2, \quad \text{i.e.}\ \langle \mathbf{a}, \mathbf{a} \rangle = v$$
Let $y \in \mathbb{Z}_{2^\lambda n}^*$ and $\mathbf{y} = \mathbf{4} \cdot y \in \mathbb{Z}^4$. The prover $\mathcal{P}$ uses an element in $\mathbb{G}$ to generate a commitment to the vector $\mathbf{a}$. To convince $\mathcal{V}$ that $v$ is a positive number, the prover must prove that he knows an opening $\mathbf{a} \in \mathbb{Z}_n^4$ satisfying $\langle \mathbf{a}, \mathbf{a} \rangle = v$. To construct this zero-knowledge proof, $\mathcal{V}$ randomly chooses $z \in \mathbb{Z}_{2^\lambda n}$, and then the prover proves that
$$\langle \mathbf{a}, \mathbf{a} \rangle \cdot z^2 + \langle \mathbf{a} - \mathbf{a}, \mathbf{y} \rangle \cdot z = v \cdot z^2$$
This equality can be rewritten as:
$$\langle \mathbf{a} \cdot z - \mathbf{y},\ \mathbf{a} \cdot z + \mathbf{y} \rangle = v z^2 - \delta(\mathbf{y})$$
The verifier can easily calculate $\delta(\mathbf{y}) = \langle \mathbf{y}, \mathbf{y} \rangle \in \mathbb{Z}$. Hence, proving that Equation (3) holds is reduced to proving a single inner-product identity.
If the prover sent the verifier the two vectors in the inner product of Equation (5), the verifier could check Equation (5) itself using the commitment $V$ to $v$ and be convinced that Equation (3) holds. However, these two vectors reveal information about $\mathbf{a}$, so the prover cannot send them to the verifier. To solve this problem, we use two additional blinding vectors $\mathbf{s}_L, \mathbf{s}_R \in \mathbb{Z}_{2^\lambda n}^4$.
To prove the statement Equation (2), P and V should obey the following protocol:
$\mathcal{P}$ inputs $v, r$ and computes:
$$\mathbf{a} = [a_1, a_2, a_3, a_4] \in \mathbb{Z}_n^4 \ \text{s.t.}\ \langle \mathbf{a}, \mathbf{a} \rangle = v$$
$$\alpha \xleftarrow{\$} \mathbb{Z}_{2^\lambda n}$$
$$A = h^\alpha \mathbf{g}^{\mathbf{a}} \mathbf{h}^{\mathbf{a}} \in \mathbb{G}$$
$$\mathbf{s}_L, \mathbf{s}_R \xleftarrow{\$} \mathbb{Z}_{2^\lambda n}^4$$
$$\rho \xleftarrow{\$} \mathbb{Z}_{2^\lambda n}$$
$$S = h^\rho \mathbf{g}^{\mathbf{s}_L} \mathbf{h}^{\mathbf{s}_R} \in \mathbb{G}$$
$\mathcal{P} \to \mathcal{V}$: $A, S$
$\mathcal{V}$: $y, z \xleftarrow{\$} \mathbb{Z}_{2^\lambda n}^*$
$\mathcal{V}$ computes: $g^{y}, g^{z} \in \mathbb{G}$
$\mathcal{V} \to \mathcal{P}$: $y, z$
Here, let us expand two linear vector polynomials $l(x)$ and $r(x)$ in $\mathbb{Z}^4[x]$, and a quadratic polynomial $t(x) \in \mathbb{Z}[x]$, as follows:
$$l(x) = \mathbf{a} \cdot z - \mathbf{y} + \mathbf{s}_L \cdot x \in \mathbb{Z}^4[x]$$
$$r(x) = \mathbf{a} \cdot z + \mathbf{y} + \mathbf{s}_R \cdot x \in \mathbb{Z}^4[x]$$
$$t(x) = \langle l(x), r(x) \rangle = t_0 + t_1 \cdot x + t_2 \cdot x^2 \in \mathbb{Z}[x]$$
The constant terms of $l(x)$ and $r(x)$ are the inner-product vectors in Equation (5). The blinding vectors $\mathbf{s}_L$ and $\mathbf{s}_R$ ensure that the prover can publish $l(x)$ and $r(x)$ for a random $x$ without revealing any information about $\mathbf{a}$. The constant term $t_0$ of $t(x)$ is the result of the inner product in Equation (5). The prover needs to convince the verifier that the following equation holds:
$$t_0 = v z^2 - \delta(\mathbf{y})$$
$\mathcal{P}$ computes:
$$\tau_1, \tau_2 \xleftarrow{\$} \mathbb{Z}_{2^\lambda n}$$
$$T_i = g^{t_i} h^{\tau_i} \in \mathbb{G}, \quad i \in \{1, 2\}$$
$\mathcal{P} \to \mathcal{V}$: $T_1, T_2$
$\mathcal{V}$: $x \xleftarrow{\$} \mathbb{Z}_{2^\lambda n}^*$
$\mathcal{V}$ computes: $g^{x} \in \mathbb{G}$
$\mathcal{V} \to \mathcal{P}$: $x$
$\mathcal{P}$ computes:
$$\mathbf{l} = l(x) = \mathbf{a} \cdot z - \mathbf{y} + \mathbf{s}_L \cdot x \in \mathbb{Z}^4$$
$$\mathbf{r} = r(x) = \mathbf{a} \cdot z + \mathbf{y} + \mathbf{s}_R \cdot x \in \mathbb{Z}^4$$
$$\hat{t} = \langle \mathbf{l}, \mathbf{r} \rangle \in \mathbb{Z}$$
$$\tau_x = \tau_2 \cdot x^2 + \tau_1 \cdot x + z^2 r \in \mathbb{Z}$$
$$\mu = \alpha z + \rho x \in \mathbb{Z}$$
$\mathcal{P} \to \mathcal{V}$: $\tau_x, \mu, \hat{t}, \mathbf{l}, \mathbf{r}$
$\mathcal{V}$ computes $P$ and checks these equations:
$$P = A^z \cdot S^x \cdot \mathbf{g}^{-\mathbf{y}} \cdot \mathbf{h}^{\mathbf{y}} \in \mathbb{G}$$
$$P \overset{?}{=} h^\mu \cdot \mathbf{g}^{\mathbf{l}} \cdot \mathbf{h}^{\mathbf{r}} \in \mathbb{G}$$
$$g^{\hat{t}} h^{\tau_x} \overset{?}{=} V^{z^2} g^{-\delta(\mathbf{y})} \cdot T_1^{x} \cdot T_2^{x^2} \in \mathbb{G}$$
$$\hat{t} \overset{?}{=} \langle \mathbf{l}, \mathbf{r} \rangle \in \mathbb{Z}$$
Corollary 1 (Four-Integer Zero-Knowledge Proof).
The Four-Integer Zero-Knowledge Proof presented in Section 3.1 has perfect completeness, perfect special honest verifier zero-knowledge, and computational soundness.
Proof. 
The Four-Integer Zero-Knowledge Proof is a special case of the aggregated logarithmic proof from the following Section 3.2 with m = 1 , hence, it is a direct corollary of Theorem 3. □

3.2. Aggregating Logarithmic Proofs

Bünz et al. [5] stated a type of proof for m values, which is more efficient than conducting m individual range proofs. Based on Bulletproofs, we can also perform a proof for m values as [5] does. In this section, we show that this can be done with some modification to the protocol of zero-knowledge proof in Section 3.1. The relation that we will prove is as follows:
$$\{(g, h \in \mathbb{G},\ \mathbf{V} \in \mathbb{G}^m;\ \mathbf{v} \in \mathbb{Z}_n^m,\ \mathbf{r} \in \mathbb{Z}_{2^\lambda n}^m) : V_j = h^{r_j} g^{v_j} \ \text{for all } j \in [m]\}.$$
The prover does similar work as for the simple zero-knowledge proof in Section 3.1, with the following modifications. First, we set $y \in \mathbb{Z}_{2^\lambda n}^*$, $\mathbf{y} = y \cdot \mathbf{4m} \in \mathbb{Z}^{4m}$ with $|\mathbf{4m}| = 4m$. As in Equation (6), the prover needs to find $\mathbf{a} \in \mathbb{Z}_n^{4m}$ so that
$$\langle \mathbf{a}_{[4(j-1):4j]}, \mathbf{a}_{[4(j-1):4j]} \rangle = v_j \ \text{for all } j \in [m].$$
We accordingly modify $l(x)$ and $r(x)$ as follows:
$$l(x) = \sum_{j=1}^{m} z \cdot j \cdot \left(\mathbf{0}^{4(j-1)} \| \mathbf{a}_{[4(j-1):4j]} \| \mathbf{0}^{4(m-j)}\right) - \mathbf{y} + \mathbf{s}_L \cdot x$$
$$r(x) = \sum_{j=1}^{m} z \cdot j \cdot \left(\mathbf{0}^{4(j-1)} \| \mathbf{a}_{[4(j-1):4j]} \| \mathbf{0}^{4(m-j)}\right) + \mathbf{y} + \mathbf{s}_R \cdot x$$
To compute $\tau_x$, we adjust the randomness $r_j$ of each commitment $V_j$ such that $\tau_x = \tau_1 \cdot x + \tau_2 \cdot x^2 + z^2 \sum_{j=1}^{m} j^2 \cdot r_j$. That is, the verification check in Equation (30) needs to be adjusted to include all the commitments $V_j$ as follows:
$$g^{\hat{t}} h^{\tau_x} = \mathbf{V}^{z^2 \cdot (\mathbf{m} \circ \mathbf{m})} g^{-\delta(\mathbf{y})} T_1^{x} T_2^{x^2}$$
Finally, we change the definition of $A$ as follows:
$$A = h^\alpha \prod_{j=1}^{m} \mathbf{g}_{[4(j-1):4j]}^{\,j \cdot \mathbf{a}_{[4(j-1):4j]}} \cdot \prod_{j=1}^{m} \mathbf{h}_{[4(j-1):4j]}^{\,j \cdot \mathbf{a}_{[4(j-1):4j]}}$$
Theorem 3 (Aggregate Logarithmic Proof).
The Aggregate Logarithmic Proof presented in Section 3.2 has perfect completeness, perfect honest verifier zero-knowledge, and computational soundness.
The proof for Theorem 3 is presented in Appendix A. This protocol can also be transformed into a NIZK protocol by using the Fiat-Shamir heuristic.

3.3. Our Protocol: Cuproof

In this section, we demonstrate how to prove that a secret number lies in an arbitrary interval. The goal of our range proof protocol is to convince the verifier that the secret number $v$ lies in $[a, b]$. Based on Theorem 2, for $a, b \in \mathbb{Z}_n$ we can find $\mathbf{d} = (d_1, \dots, d_6) \in \mathbb{Z}_n^6$ such that the following conditions hold:
$$d_1^2 + d_2^2 + d_3^2 = 4v - 4a + 1 = v_1 \in \mathbb{Z}, \qquad d_4^2 + d_5^2 + d_6^2 = 4b - 4v + 1 = v_2 \in \mathbb{Z}.$$
The whole protocol is similar to the special case of the aggregated logarithmic proofs of Section 3.2 with $m = 2$ and $\mathbf{a} \in \mathbb{Z}_n^6$. In this protocol, we set $\delta(\mathbf{y}) \in \mathbb{Z}$, $\mathbf{y} \in \mathbb{Z}^6$. We prove the following relation:
$$\{(g, h \in \mathbb{G},\ \mathbf{V} = (V_1, V_2) \in \mathbb{G}^2) : V_j = h^{r_j} g^{v_j} \ \forall j \in \{1, 2\},\ V = g^v h^r \wedge v \in [a, b]\}$$
The protocol is as follows:
$\mathcal{P}$ inputs $v, r$ and computes:
$$v_1 = 4v - 4a + 1, \quad v_2 = 4b - 4v + 1 \in \mathbb{Z},$$
finds $\mathbf{d} = (d_1, \dots, d_6)$ satisfying (37),
$$\alpha \xleftarrow{\$} \mathbb{Z}_{2^\lambda n}$$
$$A = h^\alpha \prod_{j=1}^{2} \mathbf{g}_{[3(j-1):3j]}^{\,j \cdot \mathbf{d}_{[3(j-1):3j]}} \cdot \prod_{j=1}^{2} \mathbf{h}_{[3(j-1):3j]}^{\,j \cdot \mathbf{d}_{[3(j-1):3j]}} \in \mathbb{G}$$
$$\mathbf{s}_L, \mathbf{s}_R \xleftarrow{\$} \mathbb{Z}_{2^\lambda n}^6$$
$$\rho \xleftarrow{\$} \mathbb{Z}_{2^\lambda n}$$
$$S = h^\rho \mathbf{g}^{\mathbf{s}_L} \mathbf{h}^{\mathbf{s}_R} \in \mathbb{G}$$
$\mathcal{P} \to \mathcal{V}$: $A, S$
$\mathcal{V}$: $y, z \xleftarrow{\$} \mathbb{Z}_{2^\lambda n}^*$
$\mathcal{V}$ computes: $g^{y}, g^{z} \in \mathbb{G}$
$\mathcal{V} \to \mathcal{P}$: $y, z$
Here, as shown in Section 3.1, we have
$$t(x) = \langle l(x), r(x) \rangle = t_0 + t_1 \cdot x + t_2 \cdot x^2 \in \mathbb{Z}[x].$$
$\mathcal{P}$ computes:
$$\tau_1, \tau_2 \xleftarrow{\$} \mathbb{Z}_{2^\lambda n}$$
$$T_i = g^{t_i} h^{\tau_i} \in \mathbb{G}, \quad i \in \{1, 2\} \quad (t_1, t_2 \text{ can be computed without knowing } x)$$
$\mathcal{P} \to \mathcal{V}$: $T_1, T_2$
$\mathcal{V}$: $x \xleftarrow{\$} \mathbb{Z}_{2^\lambda n}^*$
$\mathcal{V}$ computes: $g^{x} \in \mathbb{G}$
$\mathcal{V} \to \mathcal{P}$: $x$
$\mathcal{P}$ computes:
$$\mathbf{l} = z \cdot \sum_{j=1}^{2} j \cdot \left(\mathbf{0}^{3(j-1)} \| \mathbf{d}_{[3(j-1):3j]} \| \mathbf{0}^{3(2-j)}\right) - \mathbf{y} + \mathbf{s}_L x \in \mathbb{Z}^6,$$
$$\mathbf{r} = z \cdot \sum_{j=1}^{2} j \cdot \left(\mathbf{0}^{3(j-1)} \| \mathbf{d}_{[3(j-1):3j]} \| \mathbf{0}^{3(2-j)}\right) + \mathbf{y} + \mathbf{s}_R x \in \mathbb{Z}^6,$$
$$\hat{t} = \langle \mathbf{l}, \mathbf{r} \rangle = t_0 + t_1 \cdot x + t_2 \cdot x^2 \in \mathbb{Z}$$
$$r_1 = 4r, \quad r_2 = -4r \in \mathbb{Z}$$
$$\tau_x = \tau_2 x^2 + \tau_1 x + z^2 \sum_{j=1}^{2} j^2 \cdot r_j \in \mathbb{Z}$$
$$\mu = \alpha z + \rho x \in \mathbb{Z}$$
$\mathcal{P} \to \mathcal{V}$: $\tau_x, \mu, \hat{t}, \mathbf{l}, \mathbf{r}$
$\mathcal{V}$ computes and checks these equations:
$$V_1 = V^4 \cdot g^{-4a} \cdot g = g^{4v - 4a + 1} h^{4r} = g^{v_1} h^{r_1} \in \mathbb{G}$$
$$V_2 = g^{4b} \cdot V^{-4} \cdot g = g^{4b - 4v + 1} h^{-4r} = g^{v_2} h^{r_2} \in \mathbb{G}$$
$$\mathbf{V} = (V_1, V_2) \in \mathbb{G}^2$$
$$P = A^z S^x \mathbf{g}^{-\mathbf{y}} \mathbf{h}^{\mathbf{y}} \in \mathbb{G}$$
$$P \overset{?}{=} h^\mu \mathbf{g}^{\mathbf{l}} \mathbf{h}^{\mathbf{r}} \in \mathbb{G}$$
$$g^{\hat{t}} h^{\tau_x} \overset{?}{=} \mathbf{V}^{z^2 \cdot (\mathbf{2} \circ \mathbf{2})} g^{-\delta(\mathbf{y})} T_1^{x} T_2^{x^2} \in \mathbb{G}$$
$$\hat{t} \overset{?}{=} \langle \mathbf{l}, \mathbf{r} \rangle \in \mathbb{Z}$$
Theorem 4.
The protocol for range proof presented here above has perfect completeness, perfect special honest verifier zero-knowledge, and computational soundness.
Proof. 
The protocol for range proof is a special case of the Aggregated Logarithmic Proof in Section 3.2 with $m = 2$ and $\mathbf{a} \in \mathbb{Z}_n^6$. Hence, this theorem is a direct corollary of our Theorem 3. □
In short, we call our given protocol for range proof Cuproof.

4. Performance

In order to evaluate the practical performance of our Cuproof, we provide a reference implementation in Python. We set the sizes of the two primes $p$ and $q$ to 1024 bits. The prover uses the algorithms of [15,16] to generate the witnesses $\mathbf{a}$ and $\mathbf{d}$ and to compute $\mathbf{l}$ and $\mathbf{r}$. A Pedersen hash function over an RSA group with modulus $n = pq$ is benchmarked. We performed our experiments on a computer with an Intel i5-7500 CPU, using a single thread. Table 1 compares our Cuproof with Bulletproofs and the three range proofs proposed by Boudot [14], Lipmaa [16] and Groth et al. [24], respectively. It shows that the communication cost of Cuproof is constant while that of Bulletproofs is sublinear in $n$. Moreover, Cuproof is more efficient than the three range proof schemes proposed by Boudot [14], Lipmaa [16] and Groth et al. [24]. Table 2 shows the proving time, the verification time, and the number of gates of the range proofs for different ranges (each figure is the average over 10,000 experiments). Figure 1 shows line charts of the proving time and the verification time of the Four-Integer Zero-Knowledge Proofs (not including witness generation) for secrets of different sizes. Figure 2 shows line charts of the proving time and the verification time of the range proofs (not including witness generation). No matter how large the range is, the proving time is near 170 ms and the verification time is near 447 ms. Figure 3 shows the proof sizes for different intervals and demonstrates that the proof size is near 5500 bytes. Table 3 shows the proof sizes, proving time and verification time of the interval range proofs for different sizes.

5. Conclusions

In this paper, we construct a range proof scheme, Cuproof, which can prove $v \in [a, b]$ without revealing the actual value of $v$. In our protocol, by combining Theorem 2 with Bulletproofs, we reduce the communication cost to a constant size, lower the computational complexity, and enhance the efficiency of our range proof. Compared to the works [14,16], our zero-knowledge proof Cuproof is more efficient. Cuproof can be applied to cryptocurrencies, as Monero [25] does, and it can also be used for personal privacy protection. For example, in a biometric-based identity authentication system, we can use Cuproof to prove that the Euclidean distance between the two biometric vectors extracted during the registration phase and during the authentication phase is within a preset threshold, in order to verify a user's identity. Besides, we can also use Cuproof to prove that we are adults without exposing our true age; for instance, we can use Cuproof to prove that our age is larger than 18. However, a disadvantage of our range proof is that it still needs a trusted setup. If the trusted setup is malicious, it must be examined whether the secret number has been leaked. In addition, because the security of Cuproof is based on the discrete logarithm problem, it is vulnerable to quantum attacks. Therefore, in our future work, we may use two groups to remove the trusted setup, one being a common group and the other the verifier's secret group, that is, Equation (68) is checked in the common group and Equation (69) is checked in the verifier's secret group. In addition, in order to resist quantum attacks, we will consider improving Cuproof based on an integer lattice. For example, we will use the elements of some integer lattice to replace the secret vectors of Cuproof.

Author Contributions

Writing, editing, original draft and software, C.D.; Reviewing, revising and innovative ideas, L.Y.; Methodology, X.T.; Reviewing and editing, G.H.; Formal analysis and Revising, S.G. All authors have read and agreed to the published version of the manuscript.

Funding

This research has been partially supported by the Key Program of the Natural Science Foundation of Zhejiang Province of China (No. LZ17F020002) and the National Natural Science Foundation of China (No. 61772166).

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Acknowledgments

We thank the anonymous referees for their valuable comments for the improvement of this paper.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A. Proof of Theorem 3

Proof. 
Perfect completeness always holds as the fact that t 0 = z 2 · m m , v δ ( y , y ) for all valid witnesses. In order to prove perfect honest-verifier zero-knowledge, we construct a simulator that produces a distribution of proofs for a given statement ( g , h G , g , h G 4 · m , V G m ) which is indistinguishable from valid proofs produced by an honest prover interacting with an honest verifier. All the proof elements and the challenges according to the randomness supplied by the adversary from their respective domains are chosen by the simulator or directly computed by the simulator. S and T 1 are computed according to the verification equations, that is,
S = ( h μ · g l y · h y r · A z ) x 1 , T 1 = ( g t ^ δ ( y ) · h τ x · V z 2 · m m · T 2 x 2 ) x 1 .
According to the simulated witness ( l , r ) and the verifier’s randomness, the simulator runs the inner-product argument. In the zero-knowledge proof, all elements are either independently randomly distributed or their relationship is completely defined by the verification equation. Because we can successfully simulate the witness, the inner product argument remains zero knowledge, thus the leaking information about witness does not change the zero-knowledge property of the overall protocol. The simulator is efficient because it runs in time O ( V + P InnerProduct ) . In the Aggregating Logarithmic Proofs, if the proof π passes successfully, then it means:
a [ 4 ( j 1 ) : 4 j ] , a [ 4 ( j 1 ) : 4 j ] = v j for all j [ m ] , ξ ( j , m ) y + s L · x = l ( x ) , ξ ( j , m ) + y + s R · x = r ( x ) , τ x = τ 1 · x + τ 2 · x 2 + z 2 j = 1 m j 2 · r j , t ^ = l , r , μ = α z + ρ x .
Here, ξ ( j , m ) = j = 1 m z · j 0 4 ( j 1 ) a [ 4 ( j 1 ) : 4 j ] 0 4 ( m j ) .
If any of the above equations does not hold but the prover still passes the verification, that is,
$$A^{z} \cdot S^{x} \cdot \mathbf{g}^{-\mathbf{y}} \cdot \mathbf{h}^{\mathbf{y}} = h^{\mu} \cdot \mathbf{g}^{\mathbf{l}} \cdot \mathbf{h}^{\mathbf{r}},$$
$$g^{\hat{t}} h^{\tau_x} = \mathbf{V}^{(z^2 \cdot \mathbf{m}^m)} g^{\delta(y)} T_1^{x} T_2^{x^2},$$
then we have
$$h^{\alpha z + \rho x} \, \mathbf{g}^{\xi(j,m) - \mathbf{y} + \mathbf{s}_L \cdot x} \, \mathbf{h}^{\xi(j,m) + \mathbf{y} + \mathbf{s}_R \cdot x} = h^{\mu} \cdot \mathbf{g}^{\mathbf{l}} \cdot \mathbf{h}^{\mathbf{r}}$$
and
$$g^{\hat{t}} h^{\tau_x} = g^{(z^2 \sum_{j=1}^{m} j^2 v_j) + \delta(y) + x t_1 + x^2 t_2} \, h^{(z^2 \sum_{j=1}^{m} j^2 r_j) + \tau_1 x + \tau_2 x^2}.$$
Moving all terms to one side gives
$$g^{\hat{t} - \left[(z^2 \sum_{j=1}^{m} j^2 v_j) + \delta(y) + x t_1 + x^2 t_2\right]} \, h^{\tau_x - \left[(z^2 \sum_{j=1}^{m} j^2 r_j) + \tau_1 x + \tau_2 x^2\right]} = 1$$
and
$$h^{\alpha z + \rho x - \mu} \, \mathbf{g}^{\xi(j,m) - \mathbf{y} + \mathbf{s}_L \cdot x - \mathbf{l}} \, \mathbf{h}^{\xi(j,m) + \mathbf{y} + \mathbf{s}_R \cdot x - \mathbf{r}} = 1.$$
Because some of the above equations do not hold, at least one of the following must occur:
$$\hat{t} - \left[(z^2 \sum_{j=1}^{m} j^2 v_j) + \delta(y) + x t_1 + x^2 t_2\right] \neq 0,$$
$$\tau_x - \left[(z^2 \sum_{j=1}^{m} j^2 r_j) + \tau_1 x + \tau_2 x^2\right] \neq 0,$$
$$\alpha z + \rho x - \mu \neq 0,$$
$$\sum_{j=1}^{m} z \cdot j \cdot \left(\mathbf{0}^{4(j-1)} \,\|\, \mathbf{a}_{[4(j-1):4j]} \,\|\, \mathbf{0}^{4(m-j)}\right) - \mathbf{y} + \mathbf{s}_L \cdot x - \mathbf{l} \neq \mathbf{0},$$
$$\sum_{j=1}^{m} z \cdot j \cdot \left(\mathbf{0}^{4(j-1)} \,\|\, \mathbf{a}_{[4(j-1):4j]} \,\|\, \mathbf{0}^{4(m-j)}\right) + \mathbf{y} + \mathbf{s}_R \cdot x - \mathbf{r} \neq \mathbf{0}.$$
In each case the prover has produced a non-trivial relation among the generators, which contradicts the Order Assumption and the Discrete Log Relation Assumption. Therefore, our Cuproof has computational soundness. □
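As an added illustration of the completeness relation used in the proof above (added here, not code from the paper), the following Python builds the four-square witness blocks, the vector $\xi(j,m)$ with its $z \cdot j$ weights and $\mathbf{l}(x), \mathbf{r}(x)$ over the integers, then checks that the constant term of $\langle \mathbf{l}(x), \mathbf{r}(x) \rangle$ equals $z^2 \sum_j j^2 v_j$ plus a $\delta$ term and that the polynomial identity behind the $\hat{t}$ check holds at a challenge $x$. It assumes that $\mathbf{y}$ is the power vector $(1, y, \ldots, y^{4m-1})$ and that $\delta(y) = -\langle \mathbf{y}, \mathbf{y} \rangle$; both are assumptions rather than definitions taken from the paper, and the arithmetic is over $\mathbb{Z}$ instead of $\mathbb{Z}_p$.

```python
import math

def four_squares(v):
    """Lagrange four-square witness for v >= 0 (exhaustive search,
    fine for the small constructed values used here)."""
    for a in range(math.isqrt(v) + 1):
        for b in range(a, math.isqrt(v - a * a) + 1):
            for c in range(b, math.isqrt(v - a * a - b * b) + 1):
                rest = v - a * a - b * b - c * c
                d = math.isqrt(rest)
                if d * d == rest:
                    return [a, b, c, d]
    raise ValueError("v must be a non-negative integer")

def inner(u, w):
    return sum(p * q for p, q in zip(u, w))

def xi(a, z, m):
    """xi(j, m) = sum_j z*j * (0^{4(j-1)} || a_[4(j-1):4j] || 0^{4(m-j)}):
    block j of the 4m witness entries is scaled by z*j."""
    return [z * (i // 4 + 1) * a[i] for i in range(4 * m)]

def t_poly(vs, z, y, sL, sR):
    """Coefficients (t0, t1, t2) of t(x) = <l(x), r(x)> for
    l(x) = xi - y + sL*x and r(x) = xi + y + sR*x, plus delta.
    Assumed here: y is the power vector (1, y, ..., y^{4m-1}) and
    delta(y) = -<y, y>, the term left over from <xi - y, xi + y>."""
    m = len(vs)
    a = [c for v in vs for c in four_squares(v)]  # 4m witness entries
    xv = xi(a, z, m)
    yv = [y ** i for i in range(4 * m)]
    l0 = [p - q for p, q in zip(xv, yv)]
    r0 = [p + q for p, q in zip(xv, yv)]
    t0 = inner(l0, r0)
    t1 = inner(l0, sR) + inner(sL, r0)
    t2 = inner(sL, sR)
    return (t0, t1, t2), -inner(yv, yv), (l0, r0)

def t0_matches(vs, z, y, sL, sR):
    """Completeness: t0 == z^2 * sum_j j^2 * v_j + delta(y)."""
    (t0, _, _), delta, _ = t_poly(vs, z, y, sL, sR)
    return t0 == z * z * sum(j * j * v for j, v in enumerate(vs, 1)) + delta

def eval_matches(vs, z, y, sL, sR, x):
    """<l(x), r(x)> == t0 + t1*x + t2*x^2 at a verifier challenge x,
    the relation behind the t-hat check."""
    (t0, t1, t2), _, (l0, r0) = t_poly(vs, z, y, sL, sR)
    lx = [p + s * x for p, s in zip(l0, sL)]
    rx = [p + s * x for p, s in zip(r0, sR)]
    return inner(lx, rx) == t0 + t1 * x + t2 * x * x
```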

References

  1. Tsang, Y.; Wu, C.; Ip, W.; Shiau, W.L. Exploring the intellectual cores of the blockchain–Internet of Things (BIoT). J. Enterp. Inf. Manag. 2021, 34, 1287–1317.
  2. Fedorov, I.R.; Pimenov, A.V.; Panin, G.A.; Bezzateev, S.V. Blockchain in 5G Networks: Perfomance Evaluation of Private Blockchain. In Proceedings of the 2021 Wave Electronics and its Application in Information and Telecommunication Systems (WECONF), St. Petersburg, Russia, 31 May–4 June 2021; pp. 1–4.
  3. Nakamoto, S. Bitcoin: A Peer-to-Peer Electronic Cash System. 2008. Available online: http://www.bitcoin.org/bitcoin.pdf (accessed on 21 February 2022).
  4. Sun, X.; Yu, F.R.; Zhang, P.; Sun, Z.; Xie, W.; Peng, X. A survey on zero-knowledge proof in blockchain. IEEE Netw. 2021, 35, 198–205.
  5. Bünz, B.; Bootle, J.; Boneh, D.; Poelstra, A.; Wuille, P.; Maxwell, G. Bulletproofs: Short Proofs for Confidential Transactions and More. In Proceedings of the 2018 IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 20–24 May 2018; pp. 315–334.
  6. Brickell, E.F.; Chaum, D.; Damgård, I.B.; van de Graaf, J. Gradual and Verifiable Release of a Secret (Extended Abstract). In Advances in Cryptology—CRYPTO ’87; Pomerance, C., Ed.; Springer: Santa Barbara, CA, USA, 1987; pp. 156–166.
  7. Gabizon, A.; Williamson, Z.J.; Ciobotaru, O. PLONK: Permutations over Lagrange-Bases for Oecumenical Noninteractive Arguments of Knowledge. Cryptology ePrint Archive, Report 2019/953. 2019. Available online: https://eprint.iacr.org/2019/953 (accessed on 8 December 2021).
  8. Maller, M.; Bowe, S.; Kohlweiss, M.; Meiklejohn, S. Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings. Cryptology ePrint Archive, Report 2019/099. 2019. Available online: https://eprint.iacr.org/2019/099 (accessed on 8 December 2021).
  9. Setty, S.; Angel, S.; Lee, J. Verifiable state machines: Proofs that untrusted services operate correctly. ACM SIGOPS Oper. Syst. Rev. 2020, 54, 40–46.
  10. Ben-Sasson, E.; Bentov, I.; Horesh, Y.; Riabzev, M. Scalable, Transparent, and Post-Quantum Secure Computational Integrity. 2018. Available online: https://eprint.iacr.org/2018/046 (accessed on 15 August 2021).
  11. Ben Sasson, E.; Chiesa, A.; Garman, C.; Green, M.; Miers, I.; Tromer, E.; Virza, M. Zerocash: Decentralized Anonymous Payments from Bitcoin. In Proceedings of the 2014 IEEE Symposium on Security and Privacy, San Jose, CA, USA, 18–21 May 2014; pp. 459–474.
  12. Dong, K.; Lin, R.; Yin, X.; Xie, Z. How does overconfidence affect information security investment and information security performance? J. Enterp. Inf. Syst. 2021, 15, 474–491.
  13. Chan, A.; Frankel, Y.; Tsiounis, Y. Easy come—Easy go divisible cash. In Advances in Cryptology—EUROCRYPT’98; Nyberg, K., Ed.; Springer: Berlin/Heidelberg, Germany, 1998; pp. 561–575.
  14. Boudot, F. Efficient Proofs that a Committed Number Lies in an Interval. In Advances in Cryptology—EUROCRYPT 2000; Preneel, B., Ed.; Springer: Berlin/Heidelberg, Germany, 2000; pp. 431–444.
  15. Rabin, M.O.; Shallit, J.O. Randomized algorithms in number theory. Commun. Pure Appl. Math. 1986, 39, 239–256.
  16. Lipmaa, H. On Diophantine Complexity and Statistical Zero-Knowledge Arguments. In Advances in Cryptology—ASIACRYPT 2003; Laih, C.S., Ed.; Springer: Berlin/Heidelberg, Germany, 2003; pp. 398–415.
  17. Groth, J. Non-interactive Zero-Knowledge Arguments for Voting. In Applied Cryptography and Network Security; Ioannidis, J., Keromytis, A., Yung, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2005; pp. 467–482.
  18. Boneh, D.; Boyen, X. Short Signatures Without Random Oracles. In Advances in Cryptology—EUROCRYPT 2004; Cachin, C., Camenisch, J.L., Eds.; Springer: Berlin/Heidelberg, Germany, 2004; pp. 56–73.
  19. Teranishi, I.; Sako, K. k-Times Anonymous Authentication with a Constant Proving Cost. In Public Key Cryptography—PKC 2006; Yung, M., Dodis, Y., Kiayias, A., Malkin, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2006; pp. 525–542.
  20. Camenisch, J.; Chaabouni, R.; Shelat, A. Efficient Protocols for Set Membership and Range Proofs. In Advances in Cryptology—ASIACRYPT 2008; Pieprzyk, J., Ed.; Springer: Berlin/Heidelberg, Germany, 2008; pp. 234–252.
  21. Belenkiy, M. U-Prove Range Proof Extension. 2014. Available online: https://www.microsoft.com/en-us/research/publication/u-prove-range-proof-extension/ (accessed on 5 September 2021).
  22. Paquin, C.; Zaverucha, G. U-Prove Cryptographic Specification V1.1 (Revision 3). 2013. Available online: https://www.microsoft.com/en-us/research/publication/u-prove-cryptographic-specification-v1-1-revision-3/ (accessed on 8 December 2021).
  23. Bootle, J.; Cerulli, A.; Chaidos, P.; Groth, J.; Petit, C. Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting. In Advances in Cryptology—EUROCRYPT 2016; Fischlin, M., Coron, J.S., Eds.; Springer: Berlin/Heidelberg, Germany, 2016; pp. 327–357.
  24. Groth, J. On the Size of Pairing-Based Non-interactive Arguments. In Advances in Cryptology—EUROCRYPT 2016; Fischlin, M., Coron, J.S., Eds.; Springer: Berlin/Heidelberg, Germany, 2016; pp. 305–326.
  25. Li, K.; Yang, R.; Au, M.H.; Xu, Q. Practical range proof for cryptocurrency monero with provable security. In Proceedings of the International Conference on Information and Communications Security, Beijing, China, 6–8 December 2017; Springer: Berlin/Heidelberg, Germany, 2017; pp. 255–262.
Figure 1. Four-integer zero-knowledge proof time.
Figure 2. Range proof time.
Figure 3. Sizes for range proofs.
Table 1. The comparison of Cuproof with Bulletproofs and the three range proofs respectively proposed by Boudot [14], Lipmaa [16] and Groth [24] for arithmetic circuit satisfiability, with d the maximum size of the committed polynomials, m wires, SRS (the structured reference string) and n gates. The computational costs are measured in terms of the number of group elements and ring elements. m G means m group elements in the RSA group, Ex means group exponentiations, and the remaining parameter is the number of elements of the known circuit inputs.

| Scheme | Universal SRS | Circle SRS | Size | P's Computation | V's Computation |
|---|---|---|---|---|---|
| Bulletproofs [5] | | n^2 G | (2 log_2(n) + 6) G + 5 Z_p | 8n Ex | 4n Ex |
| Boudot [14] | | 16 G | 6 G + 19 Z | 36 Ex | 38 Ex |
| Lipmaa [16] | | 14 G | 12 G + 18 Z | 36 Ex | 36 Ex |
| Groth et al. [24] | | (3n + m) G | 3 G | (4n + m) Ex | 3 P + Ex |
| This work | | 14 G | 7 G + 15 Z | 28 Ex | 38 Ex |
Table 2. Asymptotic efficiency comparison of zero-knowledge proofs for arithmetic circuits. Here n is the number of gates. A white rhombus for post-quantum security denotes that it is feasibly post-quantum secure. A black rhombus for untrusted setup denotes that the scheme is updatable. DL stands for discrete log.

| Scheme | PQ? | Universal | Untrusted Setup | Assumption | Prover Runtime | Verifier Runtime |
|---|---|---|---|---|---|---|
| Bulletproofs [5] | | | | DL | O(n log(n)) | O(n log(n)) |
| Boudot [14] | | | | DL | O(n log(2n)) | O(n log(n + 2)) |
| Lipmaa [16] | | | | DL | O(n log(2n + 4)) | O(n log(2n)) |
| This work | | | | RSA | O(6 log(n)) | O(6 log(n)) |
Table 3. Our Cuproof's performance for range proofs of different sizes.

| Range Size | Gates / Proof Size (Bytes) | Prove (ms) | Verify (ms) |
|---|---|---|---|
| 64 bit | 65561 | 175.4 | 446.2 |
| 128 bit | 65462 | 170.8 | 444.6 |
| 256 bit | 65681 | 168.4 | 452.3 |
| 512 bit | 65382 | 167.4 | 450.7 |
| 1024 bit | 65763 | 177.5 | 449.6 |
| 2048 bit | 65751 | 166.8 | 447.8 |
Deng, C.; You, L.; Tang, X.; Hu, G.; Gao, S. Cuproof: Range Proof with Constant Size. Entropy 2022, 24, 334. https://doi.org/10.3390/e24030334