Cuproof: Range Proof with Constant Size

Zero-knowledge proofs are widely used in blockchains. For example, Zcash uses zk-SNARKs as its core technology to validate transactions without exposing the actual transaction values. Up to now, various range proofs have been proposed, and their efficiency and range flexibility have steadily improved. Bootle et al. used the inner-product method and recursion to construct an efficient zero-knowledge proof in 2016. Later, Benedikt Bünz et al. proposed an efficient range proof scheme called Bulletproofs, which convinces the verifier that a secret number lies in [0, 2^κ − 1] with κ a positive integer. By combining the inner-product argument with Lagrange's four-square theorem, we propose a range proof scheme called Cuproof. Cuproof proves that a secret number v lies in an interval [a, b] without exposing the real value v or leaking any other information about v. It is a practical method for protecting privacy and information security. In Bulletproofs the communication cost is 6 + 2 log κ, while in Cuproof the communication cost, the proving time and the verification time are all constant.


Introduction
Blockchain technology is the best-known decentralized and tamper-evident information technology, and it can be used to build many different digital service systems and application platforms, such as digital currencies and supply-chain systems. Wu et al. [1] elaborated the intellectual core of the blockchain-Internet of Things (BIoT). Fedorov et al. [2] described how to apply blockchain technology to 5G. Cryptocurrencies were the first to bring the concept of a blockchain to the world. Blockchain-based cryptocurrencies enable peer-to-peer transactions and ensure that the transactions are valid. In the Bitcoin [3] system, all transactions are recorded in a public ledger, and everyone can check whether the transactions in the ledger are valid. The hash function used in blockchains ensures that the transaction data cannot be tampered with unnoticed. However, every coin has two sides. Despite its advantages, the transparency of Bitcoin is also a disadvantage. In a Bitcoin transaction, the transaction data and the addresses of the sender and receiver are essentially public, which means that Bitcoin cannot achieve anonymity and cannot provide the same level of privacy as paper cash.
To offset the disadvantages of Bitcoin, people have started to think about using zero-knowledge proofs to protect the privacy of blockchain users, because a zero-knowledge proof is a cryptographic protocol with strong privacy-protection properties. In [4], Sun et al. showed how zero-knowledge proof technology is applied to blockchains. Many blockchain-based cryptocurrencies use range proofs [5,6] or zk-SNARKs [7,8,9,10], for example Zcash [11]. Transactions between shielded addresses are what makes Zcash special: although the traders' addresses and the transaction amounts are hidden, the validity of these transactions can still be checked because zk-SNARKs are applied. Because they protect anonymity, more and more cryptocurrencies apply range proofs as a tool to avoid disclosing users' information.
In 2018, Bünz et al. proposed a type of range proof called Bulletproofs [5]. The efficiency of Bulletproofs is particularly well suited to blockchains. However, its communication cost, which is 6 + 2 log κ, grows with κ. In this paper, we combine Lagrange's four-square theorem with Bulletproofs [5] to construct a range proof for an arbitrary interval [a, b]. In our scheme, the communication cost is 4 elements of G and 18 elements of Z. Cuproof is a good method for protecting users' privacy and information security. For example, we can use Cuproof to declare that our age v lies in some interval. Because of the RSA assumption and the discrete logarithm problem, it is hard for the verifier to recover the secret v, yet the verifier is convinced that v lies in this interval.

Related Work
Nowadays, information security and privacy protection have become more and more important for each of us, and a number of works on them have been published. For example, Dong et al. [12] elaborated how overconfidence affects information security investment and information security performance. Range proofs, a kind of zero-knowledge proof protocol, are a good method for protecting information security and privacy, and there has been a great deal of research on them since the first range proof algorithm was proposed. Brickell et al. [6] first stated a range-proof-related algorithm in 1987. Its purpose was to release a secret value to other participants gradually and verifiably: a user who knows a discrete logarithm discloses one bit of it at a time to another user, and anyone can verify the corresponding equation as each bit is received. In 1998, Chan et al. [13] showed how to use the algorithm of [6] to verify that a transaction amount is non-negative, and they also enhanced the algorithm of [6]. Their improved proof is called the CFT proof. In 2000, Boudot [14] used squares to build an efficient range proof based on the CFT proof.
Using Lagrange's four-square theorem [15], which states that any non-negative integer can be represented as the sum of the squares of four integers, Lipmaa [16] proposed the first proof for an arbitrary range. In 2005, Groth [17] pointed out that if y is a non-negative integer, then 4y + 1 can be represented as the sum of the squares of three integers. Using Boneh-Boyen signatures [18], Teranishi et al. [19] proposed several anonymous authentication methods in 2006. In 2008, Camenisch et al. [20] used a signature scheme whose security relies on the q-Strong Diffie-Hellman assumption to construct a range proof. In 2014, Belenkiy [21] designed a scheme that extends the U-Prove cryptographic specification [22] with a set membership proof. This scheme can be used twice to compare one committed value with another committed value, and therefore it can be used to construct a range proof.
Bootle et al. [23] made a step forward in the space efficiency of zero-knowledge proofs based on discrete logarithms. They combined the inner-product method with recursion to enhance the efficiency of zero-knowledge proofs. Based on this work, Bünz et al. [5] improved the inner-product argument for range proofs and proposed a more efficient zero-knowledge proof scheme called Bulletproofs.

Contributions
Our scheme, called Cuproof for convenience, is built on the techniques of Bulletproofs and the three-square theorem given in [17]. Our protocol can be used to construct a range proof for an arbitrary range, and the argument has low computational complexity. The main difference between Bulletproofs and Cuproof is that the communication cost of Bulletproofs [5] is logarithmic in κ, where κ is the exponent in the proving range [0, 2^κ − 1], while the cost of our scheme is constant. The key is that we combine Theorem 2 below with Bulletproofs. Cuproof satisfies the three security properties required of a secure zero-knowledge proof: completeness, soundness, and zero-knowledge.

Structure of the Paper
In Section 2, some mathematical symbols, definitions, and theorems are given. The framework and construction of our range proof protocol are stated in Section 3. In Section 3.1, we show how to construct a proof that convinces the verifier that the prover knows the secret number v. In Section 3.2, we describe our range proof protocol Cuproof in detail. The performance comparisons among Bulletproofs, some other range proof protocols and Cuproof are shown in Section 4. Finally, the proof of Theorem 3 about our Cuproof will be given in Appendix A.

Preliminaries
Before we state our protocol, we first state some of the underlying tools. In this paper, A is a PPT adversary, which is a probabilistic interactive Turing Machine that runs in polynomial time in the security parameter λ.

Notation
Let [N] denote the set {1, ..., N − 1}. Let p and q denote two prime numbers. Let G denote the multiplicative group of integers modulo n, where n = pq, i.e., G is an RSA group. Let Z denote the set of all integers and Z_n the ring of integers modulo n. Let G^j and Z_n^j be the vector spaces of dimension j over G and Z_n, respectively. Let Z_n^* denote Z_n \ {0}. Group elements which represent commitments are capitalized. For example, C = g^a h^α is a Pedersen commitment to a for g, h ∈ G. x ←$ Z_n^* means uniform sampling of an element from Z_n^*. In this paper, a ∈ F^j is a vector with elements a_1, ..., a_j ∈ F. For an element c ∈ Z_n and a vector a ∈ Z_n^j, we denote by where each coefficient p_i is a vector in Z^j. The inner product between two vector polynomials l(x) and r(x) is defined as Let a ‖ b denote the concatenation of two vectors: if a ∈ Z_n^j and b ∈ Z_n^m then a ‖ b ∈ Z_n^{j+m}. For 0 ≤ s, we use Python notation to denote slices of vectors:

Assumptions
Groups of Unknown Order: To achieve soundness of our range proof we use an RSA group G whose order is unknown. The RSA group is generated by a trusted setup, and the factorization of the modulus must be discarded after setup, since whoever knows p and q knows the order of G.
RSA Group: G is the multiplicative group of the integers modulo n, where n = pq is the product of two large primes p and q. Computing the order of G, φ(n) = (p − 1)(q − 1), is as hard as factoring n.

Assumption 1 (Discrete Log Relation Assumption).
For all PPT adversaries A and all j ≥ 2, there exists a negligible function μ(λ) such that:
As Bünz et al. [5] state, ∏_{i=1}^{j} g_i^{a_i} = 1 with (a_1, ..., a_j) ≠ 0 is a non-trivial discrete log relation among g_1, ..., g_j. The discrete log relation assumption ensures that an adversary cannot find a non-trivial relation among randomly selected group elements. For j ≥ 1 this assumption is equivalent to the discrete logarithm assumption.

Assumption 2 (Order Assumption).
For any efficient adversary A there exists a negligible function µ(λ) such that:

Lemma 1. A PPT adversary A that breaks the Order Assumption can also break the Discrete Log Relation Assumption.
Proof. We show that if an adversary A_Ord breaks the Order Assumption, then we can construct an adversary A_DL that breaks the Discrete Log Relation Assumption with overwhelming probability. A_DL must output a vector (g_1, g_2, ..., g_j) ∈ G^j and a vector (a_1, a_2, ..., a_j) ∈ Z_{2^λ n}^j such that g_1^{a_1} · g_2^{a_2} · · · g_j^{a_j} = 1 with g_i ≠ 1 and a_i ≠ 0 for i ∈ {1, 2, ..., j}. To do so, A_DL runs A_Ord j times; the i-th run outputs g_i ∈ G and a_i ∈ Z with a_i ≠ 0 and g_i^{a_i} = 1, for i = 1, ..., j. It follows that ∏_{i=1}^{j} g_i^{a_i} = 1, which is a non-trivial discrete log relation.

Commitments
Definition 1 (Commitments). A non-interactive commitment scheme consists of a pair of probabilistic polynomial time algorithms (Setup, Com). The setup algorithm pp ← Setup(1^λ) generates the public parameters pp from the security parameter λ. The commitment algorithm Com_pp defines a function M_pp × R_pp → C_pp for a message space M_pp, a randomness space R_pp, and a commitment space C_pp determined by pp. For a message x ∈ M_pp, the algorithm draws r ←$ R_pp uniformly at random and computes the commitment com = Com_pp(x, r).

Definition 2 (Pedersen Commitment).
Let M_pp = Z_n, R_pp = Z_{2^λ n} and C_pp = (G, ·) be a multiplicative group; the commitment is generated as follows:
Definition 3 (Pedersen Vector Commitment). Let M_pp = Z_n^j, R_pp = Z_{2^λ n} and C_pp = (G, ·) be a multiplicative group; the commitment is generated as follows:

Zero-Knowledge Arguments of Knowledge
A zero-knowledge argument consists of three interactive algorithms (Setup, P, V) which run in probabilistic polynomial time. Setup is the common reference string generator, P is the prover, and V is the verifier. The algorithm Setup produces a common reference string σ on input 1^λ. The transcript produced by P and V when they interact on the inputs s and t is denoted by tr ← ⟨P(s), V(t)⟩. We write ⟨P(s), Let R be a polynomial-time-decidable ternary relation. Given a parameter σ, w is a witness for a statement u if (σ, u, w) ∈ R. We define the CRS-dependent language as the set of all statements u which have a witness w in the relation R.

Definition 5 (Perfect Special Honest-Verifier Zero-Knowledge).
A public coin argument of knowledge (Setup, P, V), as defined in [5], is a perfect special honest-verifier zero-knowledge (SHVZK) argument of knowledge for R if there exists a probabilistic polynomial time simulator S such that for every pair of interactive adversaries A_1 and A_2 the probability that (σ, u, w) ∈ R and A_1(tr) = 1 is the same whether tr is a real transcript or one produced by S from the public-coin randomness ρ used by the verifier. In other words, the transcript can be simulated by S without knowing w.
Definition 6 (Zero-Knowledge Range Proof). Given a commitment scheme (Setup, Com) over a message space M_pp which is a set with a total ordering, a zero-knowledge range proof is a SHVZK argument of knowledge for the relation R_Range: (pp, (com, l, r), (x, ρ)) ∈ R_Range ⟺ com = Com(x; ρ) ∧ l ≤ x < r.
Theorem 1 (Lagrange's four-square theorem). Any non-negative integer can be represented as the sum of the squares of four integers.
The proof of Theorem 1 is given in [15], and an algorithm for finding four such squares is provided in [16].
Theorem 2 (Three-square theorem, as used by Groth [17]). If x is a non-negative integer, then 4x + 1 can be written as the sum of three integer squares.
The proof of Theorem 2 is given in [17], and ref. [15] offers an efficient and simple algorithm for finding three such squares. The converse direction is what the range proof relies on: if 4x + 1 = d_1^2 + d_2^2 + d_3^2 for integers d_1, d_2, d_3, then 4x + 1 ≥ 0, so x ≥ −1/4 and hence, x being an integer, x ≥ 0. Note that x itself need not be a sum of three squares (7 is not), which is why the protocol works with 4x + 1 rather than with x.

Efficient Range Proof Protocol
In this section, we will present our range proof protocol.

Four Integer Zero-Knowledge Proof
We now describe how to use the inner-product argument to construct a proof in which the prover convinces the verifier that a commitment V contains a number v in a given range without revealing v.
In our proof, the Pedersen commitment V is an element of the group G that is used to perform the inner-product argument, and λ is the security parameter.
Let v ∈ Z_n, and let V ∈ G be a Pedersen commitment to v with randomness r. The proof system proves the following relation: Let y ∈ Z_{2^λ n}^* and y = y · 1^4 ∈ Z^4, the vector of length 4 whose entries are all equal to y. The prover P uses an element of G to generate a commitment to the vector a. To convince V that v is a non-negative number, the prover must prove that it knows an opening a ∈ Z_n^4 satisfying ⟨a, a⟩ = v. To construct this zero-knowledge proof, V randomly chooses z ∈ Z_{2^λ n}, and the prover then proves that ⟨a, a⟩ z^2 + ⟨a − a, y⟩ z = v z^2 (4). This equality can be rewritten as: The verifier can easily calculate δ(y) = ⟨y, y⟩ ∈ Z. Hence, proving that Equation (3) holds is reduced to proving a single inner-product identity. If the prover sent the verifier the two vectors in the inner product of Equation (5), the verifier could check Equation (5) itself using the commitment V to v and be convinced that Equation (3) holds. However, these two vectors reveal information about a, so the prover cannot send them. To solve this problem we use two additional blinding vectors s_L, s_R ∈ Z_{2^λ n}^4.
To prove the statement in Equation (2), P and V follow this protocol:
P inputs v, r and computes :
V computes : y = g^y, z = g^z ∈ G (14)
V → P : y, z
Here, let us expand the two linear vector polynomials l(x) and r(x) in Z^4[x] and the quadratic polynomial t(x) ∈ Z[x] as follows: The constant terms of l(x) and r(x) are the inner-product vectors of Equation (5). The blinding vectors s_R and s_L ensure that the prover can publish l(x) and r(x) for a random x without revealing any information about a. The constant term t_0 of t(x) is the value of the inner product in Equation (5). The prover needs to convince the verifier that the following equation holds: t_0 = v z^2 − δ(y)
P computes :
P computes :
V checks these equations and computes :
Corollary 1 (Four-Integer Zero-Knowledge Proof). The Four-Integer Zero-Knowledge Proof presented in Section 3.1 has perfect completeness, perfect special honest-verifier zero-knowledge, and computational soundness.
Proof. The Four-Integer Zero-Knowledge Proof is the special case of the aggregated logarithmic proof of Section 3.2 with m = 1; hence it is a direct corollary of Theorem 3.
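The following block is an added example and not the authors' reference implementation. It shows three things the text above relies on: Pedersen commitments in an RSA group (Definition 2), the equivocation that becomes possible when the factorization of n is known (why the Order Assumption and the trusted setup of Section 2.2 matter), and the homomorphic check by which the verifier is convinced that t_0 = v z^2 − δ(y) without learning v. The paper's own verification equations are not reproduced on this page, so the check implemented here is the Bulletproofs-style form Com(t̂; τ_x) = V^{z^2} · g^{−δ(y)} · T_1^x · T_2^{x^2}; that form, the toy primes, the hash-derived generators and the choice δ(y) = ⟨y, y⟩ = 4y^2 for y = y·1^4 are all assumptions of this example.

```python
import hashlib
import random

# Constructed toy setup, NOT a secure one: two known primes of 61 and 31 bits.
# A real setup uses ~1024-bit primes generated by a trusted party that then
# destroys them; whoever keeps p and q knows the group order (see equivocate).
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
LAMBDA = 64  # security parameter: blinding factors come from Z_{2^lambda * n}


def derive_generator(tag: bytes) -> int:
    """Hash a public tag to a quadratic residue mod N (nothing-up-my-sleeve),
    so that no party knows a discrete log relation between g and h."""
    x = int.from_bytes(hashlib.sha256(tag).digest(), "big") % N
    return pow(x, 2, N)


G = derive_generator(b"cuproof-demo-g")  # assumed tags, not from the paper
H = derive_generator(b"cuproof-demo-h")


def commit(x: int, r: int) -> int:
    """Pedersen commitment Com(x; r) = g^x h^r in the RSA group (Definition 2).
    Exponents may be negative: pow() takes the modular inverse (Python >= 3.8)."""
    return pow(G, x, N) * pow(H, r, N) % N


def rand_blinding() -> int:
    """Uniform blinding factor from the randomness space Z_{2^lambda * n}."""
    return random.randrange(2**LAMBDA * N)


def equivocate(x: int, r: int, k: int):
    """Why the setup must be trusted: with p and q the order phi(n) is known,
    so Com(x; r) also opens to x + k*phi(n) with the same r. The exponent
    a = phi(n) is exactly a non-trivial solution of g^a = 1 (Order Assumption)."""
    phi = (P - 1) * (Q - 1)
    assert pow(G, phi, N) == 1
    return x + k * phi, r


# --- the polynomial check of Section 3.1: t_0 = v z^2 - delta(y) ------------

def prover_commit_t(t1: int, t2: int):
    """Commit to the non-constant coefficients of t(X) = t_0 + t_1 X + t_2 X^2;
    t_0 is fixed by the statement and is never committed separately."""
    tau1, tau2 = rand_blinding(), rand_blinding()
    return commit(t1, tau1), commit(t2, tau2), tau1, tau2


def prover_evaluate_t(v, r, z, delta, t1, t2, tau1, tau2, x):
    """At challenge x, open t(x) together with the matching blinding tau_x."""
    t0 = v * z * z - delta
    t_hat = t0 + t1 * x + t2 * x * x
    tau_x = z * z * r + tau1 * x + tau2 * x * x
    return t_hat, tau_x


def verifier_check_t(V, T1, T2, z, delta, x, t_hat, tau_x) -> bool:
    """Check Com(t_hat; tau_x) == V^{z^2} * g^{-delta} * T1^x * T2^{x^2}.
    By the homomorphism of Pedersen commitments the right-hand side commits to
    v z^2 - delta + t1 x + t2 x^2 under blinding z^2 r + tau1 x + tau2 x^2,
    so equality holds iff t_hat is consistent with the v hidden inside V."""
    rhs = pow(V, z * z, N) * pow(G, -delta, N) % N
    rhs = rhs * pow(T1, x, N) % N * pow(T2, x * x, N) % N
    return commit(t_hat, tau_x) == rhs


def run_t_check(v: int, t1: int, t2: int, cheat: bool = False) -> bool:
    """One honest (or cheating) run with fresh challenges y, z, x.
    delta(y) = <y, y> = 4 y^2 for the length-4 vector y * 1^4 (assumption)."""
    r = rand_blinding()
    V = commit(v, r)
    y, z = random.randrange(1, 2**LAMBDA), random.randrange(1, 2**LAMBDA)
    delta = 4 * y * y
    T1, T2, tau1, tau2 = prover_commit_t(t1, t2)
    x = random.randrange(1, 2**LAMBDA)
    v_claimed = v + 1 if cheat else v  # a cheater evaluates t with a wrong v
    t_hat, tau_x = prover_evaluate_t(v_claimed, r, z, delta, t1, t2, tau1, tau2, x)
    return verifier_check_t(V, T1, T2, z, delta, x, t_hat, tau_x)
```

The cheating run fails because the two sides then differ by the factor g^{z^2}, which is 1 only if z^2 is a multiple of the order of g; in a group of unknown order the prover cannot arrange that. The equivocation shows the flip side: once φ(n) is known, the same commitment opens to several integers, so any statement proved "over the integers" about the committed value loses its meaning.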

Aggregating Logarithmic Proofs
Bünz et al. [5] describe a proof for m values that is more efficient than conducting m individual range proofs. Based on Bulletproofs, we can also perform a proof for m values as [5] does. In this section we show that this can be done with some modifications to the zero-knowledge proof protocol of Section 3.1. The relation that we prove is as follows: The prover does the same work as the prover of the simple zero-knowledge proof in Section 3.1, except for the following modifications. First, we set y ∈ Z_{2^λ n}^* and y = y · 1^{4m} ∈ Z^{4m}, a vector of length 4m. As in Equation (6), the prover needs to find a ∈ Z_n^{4m} such that We modify l(x) and r(x) accordingly as follows: To compute τ_x, we adjust the randomness r_j of each commitment V_j such that τ That is, the verification check of Equation (30) needs to be adjusted to include all the commitments V_j as follows Finally, we change the definition of A as follows: The proof of Theorem 3 is presented in Appendix A. This protocol can also be transformed into a NIZK protocol using the Fiat-Shamir heuristic.

Our Protocol: Cuproof
In this section we demonstrate how to prove that a secret number lies in an arbitrary interval. The goal of our range proof is to convince the verifier that the secret number v lies in [a, b]. For an interval [a, b] with a, b ∈ Z_n, Theorem 2 applied to v − a ≥ 0 and to b − v ≥ 0 lets the prover find d = (d_1, ..., d_6) ∈ Z_n^6 such that the following conditions hold: The whole protocol is the special case of the aggregated logarithmic proofs of Section 3.2 with m = 2 and a ∈ Z_n^6. In this protocol we set δ(y) ∈ Z and y ∈ Z^6. We prove the following relations: The protocol is as follows:
P inputs v, r and computes :
V computes : y = g^y, z = g^z ∈ G (48)
Here, as shown in Section 3.1, we have
P computes : (t_1, t_2 can be computed without knowing x)
P → V : T_1, T_2 (52)
P computes :
V computes and checks these equations :
Theorem 4. The range proof protocol presented above has perfect completeness, perfect special honest-verifier zero-knowledge, and computational soundness.
Proof. The range proof protocol is the special case of the aggregated logarithmic proof of Section 3.2 with m = 2 and a ∈ Z_n^6. Hence this theorem is a direct corollary of Theorem 3.
In short, we call our given protocol for range proof Cuproof.
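The block below is an added example, not the authors' reference implementation (whose witness generation follows the algorithms of [15,16]). It covers Theorems 1 and 2 of Section 2 and the six-integer witness d of this section: the decomposition the prover runs before the protocol starts, and the two integer identities the verifier is ultimately convinced of. The greedy search routines are this example's own and are simpler (and slower) than the cited algorithms; is_sum_of_three_squares encodes Legendre's criterion, which the page does not state but which is what guarantees the search terminates.

```python
from math import isqrt


def is_sum_of_three_squares(m: int) -> bool:
    """Legendre's criterion: m >= 0 is a sum of three squares iff it is not of
    the form 4^k (8l + 7). Every 4x + 1 with x >= 0 passes (it is 1 or 5 mod 8)."""
    if m < 0:
        return False
    while m > 0 and m % 4 == 0:
        m //= 4
    return m % 8 != 7


def two_squares(r: int):
    """Return (b, c) with b^2 + c^2 = r, or None.  Plain O(sqrt r) search; the
    callers only pass small remainders (below about 2 sqrt(m))."""
    b = 0
    while 2 * b * b <= r:
        c = isqrt(r - b * b)
        if c * c == r - b * b:
            return b, c
        b += 1
    return None


def three_squares(m: int):
    """d1, d2, d3 with d1^2 + d2^2 + d3^2 = m.  Greedy: take the largest a with
    a^2 <= m, try to split the remainder into two squares, decrease a on
    failure.  Terminates for every m that passes Legendre's criterion."""
    if not is_sum_of_three_squares(m):
        raise ValueError(f"{m} is not a sum of three squares")
    a = isqrt(m)
    while a >= 0:
        rest = two_squares(m - a * a)
        if rest is not None:
            return (a, rest[0], rest[1])
        a -= 1
    raise AssertionError("unreachable: m passed Legendre's criterion")


def four_squares(v: int):
    """Witness a = (a1, .., a4) with <a, a> = v for the Four-Integer proof
    (Theorem 1).  Peel off the largest square and use three_squares on the
    remainder, skipping remainders that fail Legendre's criterion."""
    if v < 0:
        raise ValueError("v must be non-negative")
    a = isqrt(v)
    while a >= 0:
        rest = v - a * a
        if is_sum_of_three_squares(rest):
            return (a,) + three_squares(rest)
        a -= 1
    raise AssertionError("unreachable: Lagrange's theorem")


def cuproof_witness(v: int, lo: int, hi: int):
    """The six-integer witness d for v in [lo, hi]: Theorem 2 applied to
    v - lo >= 0 and to hi - v >= 0 gives
        4(v - lo) + 1 = d1^2 + d2^2 + d3^2,   4(hi - v) + 1 = d4^2 + d5^2 + d6^2."""
    if not lo <= v <= hi:
        raise ValueError("v is outside [lo, hi]: no witness exists")
    return three_squares(4 * (v - lo) + 1) + three_squares(4 * (hi - v) + 1)


def check_witness(v: int, lo: int, hi: int, d) -> bool:
    """The two integer identities the protocol proves in zero knowledge, checked
    here in the clear.  If they hold for ANY integers d then 4(v - lo) + 1 >= 0
    and 4(hi - v) + 1 >= 0, hence lo <= v <= hi: the converse of Theorem 2
    that gives the range proof its soundness."""
    d1, d2, d3, d4, d5, d6 = d
    return (d1 * d1 + d2 * d2 + d3 * d3 == 4 * (v - lo) + 1
            and d4 * d4 + d5 * d5 + d6 * d6 == 4 * (hi - v) + 1)
```

Usage: cuproof_witness(25, 18, 120) returns the six integers a prover with age 25 would commit to for the interval [18, 120]; check_witness is what the verifier's equations amount to once the commitments are opened, which the real protocol never does. Note that the identities are over Z, not Z_n: the example in Section 2 above of a leaked factorization is precisely what would let a cheating prover replace v by v + kφ(n) and satisfy them out of range.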

Performance
To evaluate the practical performance of Cuproof, we provide a reference implementation in Python. The two primes p and q are 1024 bits each. The prover uses the algorithms of [15,16] to generate the witnesses a and d and to compute l and r. Pedersen commitments over an RSA group with modulus n = p·q are benchmarked. We ran our experiments single-threaded on a computer with an Intel i5-7500 CPU at 3.4 GHz. Table 1 compares Cuproof with Bulletproofs and with the three range proofs proposed by Boudot [14], Lipmaa [16] and Groth et al. [24], respectively. It shows that the communication cost of Cuproof is constant while that of Bulletproofs is logarithmic in κ. Moreover, Cuproof is more efficient than the three range proof schemes of Boudot [14], Lipmaa [16] and Groth et al. [24]. Table 2 shows the proving time, verification time and number of gates of the range proofs for different ranges (each figure is the average over 10,000 runs). Figure 1 shows line charts of the proving time and the verification time of the Four-Integer Zero-Knowledge Proof (not including witness generation) for secrets of different sizes. Figure 2 shows line charts of the proving time and the verification time of the range proof (not including witness generation). No matter how large the range is, the proving time is about 170 ms and the verification time about 447 ms. Figure 3 shows the proof sizes for different intervals; the proof size is about 5500 bytes. Table 3 shows the proof sizes, proving times and verification times of the interval range proofs for different sizes.
Table 1. Comparison of Cuproof with Bulletproofs and the three range proofs proposed by Boudot [14], Lipmaa [16] and Groth [24] for arithmetic circuit satisfiability, with d the maximum size of the committed polynomials, m wires, n gates, and SRS the structured reference string. Computational costs are measured in numbers of group elements and ring elements: mG means m group elements of the RSA group, Ex means group exponentiations, and a further parameter counts the elements of the known circuit inputs.

Scheme | Universal SRS | Circuit | SRS Size | P's Computation | V's Computation

Conclusions
In this paper we construct a range proof scheme, Cuproof, which proves v ∈ [a, b] without revealing the actual value of v. By combining Theorem 2 with Bulletproofs, we reduce the communication cost to a constant, lower the computational complexity, and improve the efficiency of the range proof. Compared with the works [14,16], Cuproof is more efficient. Cuproof can be applied to cryptocurrencies, as Monero [25] applies range proofs, and it can also be used for personal privacy protection. For example, in a biometric identity authentication system, Cuproof can prove that the Euclidean distance between the biometric vectors extracted at registration and at authentication is within a preset threshold, thereby confirming a user's identity. We can also use Cuproof to prove that we are adults without exposing our true age, for instance by proving that our age is larger than 18. However, a disadvantage of our range proof is that it still needs a trusted setup. If the party running the setup is malicious and keeps the factorization of n, it knows the order of G, so the Order Assumption fails and the binding of the commitments, and with it the soundness of the proof, can be broken. In addition, because the security of Cuproof is based on the discrete logarithm and factoring problems, it is vulnerable to quantum attacks. Therefore, in future work we may use two groups to remove the trusted setup, one common group and one secret group of the verifier, so that Equation (68) is checked in the common group and Equation (69) in the verifier's secret group. To resist quantum attacks, we will also consider building Cuproof on an integer lattice, for example by replacing the secret vectors of Cuproof with elements of an integer lattice.

Appendix A
G^{4m}, V ∈ G^m) which is indistinguishable from valid proofs produced by an honest prover interacting with an honest verifier.
All proof elements and challenges are chosen by the simulator from their respective domains according to the randomness supplied by the adversary, or are computed directly by the simulator. S and T_1 are computed according to the verification equations, that is, S = (h^{−μ} · g^{−l−y} · h^{y−r} · A^z)^{−x^{−1}}, Given the simulated witness (l, r) and the verifier's randomness, the simulator runs the inner-product argument. In the zero-knowledge proof, all elements are either independently uniformly distributed or their relationship is completely defined by the verification equations. Because the witness can be simulated, the inner-product argument itself need not be zero-knowledge: leaking information about the simulated witness does not affect the zero-knowledge property of the overall protocol. The simulator is efficient because it runs in time O(V + P_InnerProduct). In the aggregated logarithmic proof, if the proof π passes successfully, then:
⟨a_{[4(j−1):4j]}, a_{[4(j−1):4j]}⟩ = v_j for all j ∈ [m],
ξ(j, m) − y + s_L · x = l(x),
ξ(j, m) + y + s_R · x = r(x),
where ξ(j, m) = ∑_{j=1}^{m} z · j · (0^{4(j−1)} ‖ a_{[4(j−1):4j]} ‖ 0^{4(m−j)}).
If some of the above equations do not hold, then one or more of the following situations must occur: t − (z^2 ∑_{j=1}^{m} j^2 v_j) − δ(y) + x t_1 + x^2 t_2 = 0,