LACT+: Practical Post-Quantum Scalable Confidential Transactions

Jayamine Alupotha; Xavier Boyen; Matthew McKague

doi:10.3390/cryptography7020024

Abstract

A “confidential monetary value” carries information about the real monetary value but does not disclose it. Post-quantum private blockchains with confidential monetary values—large-sized blockchains with large verification times—have the least scalability because they need to save and verify more information than those with “plain-text monetary values”. High scalability is an essential security requirement for decentralized blockchain payment systems because the more honest peers who can afford to verify the blockchain copies are, the higher the security. We propose a quantum-safe transaction protocol for confidential monetary blockchains, LACT+ (Lattice-based Aggregable Confidential Transactions), which is more scalable than previous post-quantum confidential blockchains, i.e., many input/output transactions with logarithmic sized complexity.

Keywords:

blockchains; confidential transactions; post-quantum cryptography; scalability; lattice-based cryptography

1. Introduction

Blockchain-based cryptocurrencies have become popular due to the security of decentralization, i.e., there is no single point of failure and no single authority in control. However, decentralization has a downside because it requires many honest peers to keep a copy of the blockchain and constantly verify it. Otherwise, malicious peers can alter the cash system for their gain. The number of honest peers mainly depends on the system’s scalability (size and verification time) because peers have to spend their resources like space and computational power to save and verify blockchains. Despite the security and privacy, “quantum-safe” and “confidential” cryptocurrencies have the least scalability because they need special computations and algorithms that require more space and more computational power. This paper introduces a more scalable quantum-safe confidential blockchain transaction method, LACT+, where we only need 5.7 KB to store a confidential monetary value, whereas refs. [1,2] need >30 KB and 9.6 KB, respectively.

Confidential Transactions. Cryptocurrencies are public records accessible by anyone. Even though pseudonyms are commonly used, refs. [3,4,5,6,7,8,9] show that these identities can be linked to real identities. Therefore, maintaining monetary amounts in “plain text” is a major privacy concern. Confidential transactions (CT) solve this problem by keeping monetary values confidential yet providing tools to verify that hidden coin amounts are not negative, stolen, or double spent. However, this enhanced privacy comes at the cost of scalability because these tools generate proofs that should be stored in the blockchain, and verification of these proofs takes more computational power than simply checking plain-text numbers.

Aggregable Transactions. A transaction takes a set of current coins, changes their ownership, and updates the blockchain with that information. Hence, blockchain verifiers need to know “who has coins? Furthermore, are they only spending what they have?”. Hence, they mainly need to know about current coins and who has them, not who had them. As the name implies, aggregable transactions aggregate multiple transactions into a smaller transaction, and this aggregated transaction shows “who has coins after those transactions”. For example, if

P_{1}

sends coins to

P_{2}

and

P_{3}

, and

P_{2}

sends their coins to

P_{4}

, the aggregated transaction shows that

P_{3}

and

P_{4}

have coins, and forgets that

P_{1}

and

P_{2}

had coins. Hence, an aggregable blockchain is a single aggregated transaction of all previous transactions. This forgotten information reduces the size and verification time and improves scalability significantly. However, previous aggregable blockchains refs. [1,2,10,11,12,13,14] cannot prove that the aggregated blockchain is the aggregated version of the “right” or the consensus accepted blockchain (more theoretically, previous aggregated blockchains are not “immutable”). Hence, despite the high scalability, “peers” have to download and verify the complete blockchain.

Quantum Safety. Recent developments in quantum computing, e.g., IBM’s roadmap ref. [15], show that quantum adversaries can be a real threat even to the current standardized security level in the near future. Post-quantum (we use “post-quantum”, “quantum-safe”, or “quantum-resistant” to describe plausibly quantum-secure protocols) payments started receiving attention because many established decentralized payments are based on the discrete-logarithmic problem (DLP), which is vulnerable to quantum adversaries. Not only transparent payments, but many aggregable confidential transactions refs. [10,11,12,13,14] are also based on DLP and equally vulnerable to quantum adversaries. Ref. [1,2] introduced two quantum-safe aggregable confidential transactions that are based on the short integer solution problem (SIS) and the modular SIS. However, ref. [1] has an inefficient proof system and the transactions of ref. [2] are limited to a maximum two inputs and two outputs.

This paper proposes an immutable aggregable confidential transaction protocol, LACT+ (Lattice-based Aggregable Confidential Transactions), based on approximate modular SIS (approximate SIS), to provide post-quantum security with practical scalability.

1.1. Related Work

Let us explain the key components of decentralized aggregable payments that lead to LACT+. Note that here, we sketch a common protocol that describes refs. [1,2,10,11,12,13,14] generally regardless of their “hardness assumption”, e.g., they can be based on DLP or SIS.

Digital Coins from Cryptographic View. Decentralized payment systems store monetary values as digital coins where each coin represents some amount of the smallest unit (e.g., the number of cents). These digital coins are stored in the public domain, where anyone has access. Therefore, coins need a security mechanism to prevent theft. Let there be a digital signature scheme that signs messages when its key card (secret signing key) is presented and the public key of the key card tells anyone whether it produced the signed message or not. Users attach these public keys to their digital coin(s) and securely keep the key card(s) with them. Wherever they want to spend the coins, they create a signed receipt, and they send the signed receipt to the network. Because the public key verifies the signed receipts without key cards, the whole network can verify that the legitimate owner is spending the coin. However, once the coins are sent, the new owner attaches a new public key to the coins where only he/she has a key card to it. In that way, after sending the coins, previous owners cannot take coins back because they do not have new key cards. The signed receipts are known as digital signatures.

Transparent Digital Coin Transactions. Users create transactions when they want to send digital coins or receive them. A transaction turns a set of current unspent coins (inputs) into spent coins and produces new unspent coins (outputs). However, a transaction should not illegally generate coins—the input coins should be equal to the output coins—or allow coins to be stolen. Therefore, each transaction has a header that proves the total coin amount summation (1. summation proof) and the digital signatures of coins (2. ownership proofs). In transparent coin transactions, the summation proof is simple and only contains the number of supplied coins (e.g., mining reward) and transaction fee because the verifiers can add the numbers and can check that input coins and the supplied coins are equal to the output coins and the transaction fee. However, the ownership proof is linear in the number of unique public keys of inputs, i.e., the ownership proof of the transaction is the set of signatures of all unique input public keys refs. [16,17].

Confidential Digital Coins. Instead of plain-text coins, confidential payment systems keep coins’ value hidden. We call them “confidential coins”. A confidential coin is a commitment for the coin amount and a range proof to prove that the hidden coin amount is in the accepted range, e.g.,

[0, 2^{64})

. A commitment can be viewed as a safe box that hides coins and is locked with a secret key (a.k.a., blinding key or the masking key). Yet, anyone can verify that the hidden coin amount is in the accepted range using the cryptographic range proof (even though proving the range of physical coins is impossible without opening the safe-box, it is actually possible with digital coin commitments!). These range proofs are called “zero-knowledge proofs” because they do not reveal anything other than the designated knowledge statement. In this case, the proofs only show that values are in the accepted range.

Confidential Transactions (CT). There are two categories of CTs; (1) Ring CTs which obfuscate the senders and receivers with shadow participants refs. [18,19,20,21,22] and (2) Aggregable CTs which allow aggregating multiple transactions into one transaction by removing spent coin records refs. [1,2,10,11,12,13,14]. In general, confidential transactions are similar to the transparent transactions but with the following main differences,

they transact confidential coins, and
their headers contain zero-knowledge summation proofs to show that hidden input coins are equal to hidden output coins, along with plain-text supplied coins and fees.

However, Ring CTs and aggregable CTs have different ownership proofs. Ring CTs’ ownership proofs are threshold signatures or one/many-out-of-many proofs that are either linear or logarithmic in the number of unique participants, whereas, aggregable CTs’ reuse their summation proofs as ownership proofs ref. [10]. Due to this reuse and removing spent coin records, aggregable CTs provide better scalability than Ring CTs. From now on, we use CT for aggregable CTs.

Ownership + Summation Proofs. Let there be an additively homomorphic commitment

u = com (v, k)

that hides and binds

(v, k)

when v is the coin amount and k is the secret masking key. Here, “binding” means that it is computationally impossible to find another

(v^{'}, k^{'})

pair for the same u, and “additively homomorphic” denotes that

\sum_{i = 0}^{*} com (v_{i}, k_{i}) = com (\sum_{i = 0}^{*} v_{i}, \sum_{i = 0}^{*} k_{i})

. A confidential coin is a commitment and a range proof of that commitment. For example,

C = (u, π = {range}_{2^{L}} (u))

, and

π

verifies that u’s hidden coin amount is in

[0, 2^{L})

.

Assume that a set of participants want to spend confidential coins

{[u_{i} = com (v_{i}, k_{i})]}_{i = 0}^{*}

and create new confidential coins

{[u_{i}^{'} = com (v_{i}^{'}, k_{i}^{'})]}_{i = 0}^{*}

for the supplied coins s and the transaction fee f. Then they compute a public key out of commitments such that

p k = \sum_{i = 0}^{*} u_{i}^{'} - \sum_{i = 0}^{*} u_{i} + com (f - s, 0) = com (0, \sum_{i = 0}^{*} k_{i}^{'} - \sum_{i = 0}^{*} k_{i})

because

\sum_{i = 0}^{*} v_{i}^{'} - \sum_{i = 0}^{*} v_{i} + f - s = 0

if the owners do not illegally generate coins.

Aggregable CTs’ digital signature schemes use commitments as their public keys. However, a valid signature can be created if and only if the commitments’ value is zero refs. [1,10,11,12,13,14]. In the previous equation, if participants do not generate coins illegally, they can create digital signatures for

p k

using the aggregated secret key

\sum_{i = 0}^{*} k_{i}^{'} - \sum_{i = 0}^{*} k_{i}

. Hence a signature of

p k

can prove (1) the summation and (2) the ownership because a digital signature can only be created if all the secret keys are known.

Lattice-based Ownership+Summation Proofs. Ref. [1] introduced the first quantum-safe aggregable CT protocol. However, ref. [1] is inefficient leading to

> 30

KB commitments. Ref. [2] proposed the first practical aggregable post-quantum CT protocol, LACT, based on the Module-Ring Short Integer Problem (MSIS). LACT significantly improves efficiency by storing coins in their binary forms such that

u = com ([b_{0}, \dots, b_{63}], k)

instead of the full integer, when

v = \sum_{i = 0}^{63} 2^{i} b_{i}

. LACT’s confidential integers are binary commitments and a range proof for all bits, i.e.,

C = (u, π = {range}_{2} (u))

when

π

verifies that the bits of u’s hidden coin amount are in

[0, 1]

. More concretely, LACT’s commitments are only 9.6 KB long for coins in

[0, 2^{64})

.

However, summation does not work anymore because adding two binary commitments does not output a binary commitment due to carries. Therefore, LACT use carry proofs to fix the summation. Each carry proof has a commitment of carries and a range proof to show that each carry is either 0 or 1. Therefore, a LACT header contains supplied coins, transaction fee, a digital signature and a carry proof to prove the ownership and the summation of hidden coins.

Unprovable Immutability. In blockchains refs. [16,17], transaction headers are securely stored with consensus proofs to show that the community has accepted the that version of the blockchain, which is the “right blockchain”. If somebody changes the right blockchain, the consensus proofs will indicate that there was an altercation, i.e., immutability. However, current aggregable CT protocols refs. [2,10,11,12,13,14] do not provide proper immutability proofs for aggregated blockchains, only for complete blockchains. Therefore, despite the aggregation, peers have to keep all coin records for the verification, e.g., Grin ref. [23] and Beam ref. [24]—which use Mimblewimble aggregable transactions refs. [10,11,12,13] keep all transactions to provide immutability. Therefore, aggregable CTs do not reduce the overall blockchain size nor provide trustless verification for aggregable CTs in current settings.

1.2. Our Contribution

We introduce LACT+, a more efficient Lattice-based Aggregable Confidential Transaction protocol with provable immutability. Furthermore, we implement a public LACT+ C library ref. [25] and provide formal security proofs.

Approx-SIS. LACT+ uses the Approximate Module Short Integer Problem (Approx-SIS) ref. [26] which can be tightly reduced to LWE (Learning with Errors ref. [27]) or SIS ref. [28]. Approx-SIS creates shorter proofs by dropping low bits of each polynomial coefficient without affecting security when the dropped bits are smaller than some norm, e.g., each LACT+ commitment drops 14 bits from

256 \times 6

coefficients and reduces the size from 8.4 KB to 5.7 KB.

More than 2 inputs/outputs. LACT’s main constraint was that a maximum of two inputs or outputs could be included in a transaction because the carries must be in [0, 1]. If there are more than two inputs/outputs, they had to be separated into multiple transactions, and each transaction includes an additional carry proof. LACT+ transactions allow having more than two inputs or outputs at a logarithmic cost, i.e.,

O (log (x))

for x number of in/outputs. Hence, LACT+ does not unnecessarily increase the size of the header.

Trustless Immutability. Previous aggregable CTs’ headers are malleable, or the owners of the transactions can use the same header set for different unspent coins. This allows the owners to forge many chains for the same header with different unspent coins or spent coins refs. [10,13]. Hence, preserving headers is not sufficient to provide immutability, and block creators hash the whole transaction and save the transaction hash through the consensus mechanism. Therefore, the peers must download the complete chain (note that we do not consider users who depend on “trusted” peers without verifying the blockchain as peers because they are replicas of the those “trusted” peers). Hence, except for the efficient ownership + summation proofs, the aggregation has no use to the peers who do not blindly trust other peers.

As a solution, LACT+ headers contain aggregable activity proofs ref. [29] to prevent the forging of different blockchains for the consensus accepted headers, i.e., each transaction header contains an activity proof for that transaction, and by giving the same input and output coin records, the activity proof verifies that they existed. More importantly, an aggregated activity proof can verify the activities of an aggregated CT; hence, chains’ unspent coin records cannot be forged. Not only that, activity proofs are constant sizes for any number of inputs and outputs, e.g., 49 bytes in LACT+. Hence, activity proofs do not break transaction aggregation, but at a tiny cost, peers can download a small aggregated chain and verify the existence of coins without blindly trusting other peers.

Table 1 compares LACT+ with other CT protocols.

Table 1. Comparison of Confidential Transactions.

2. Preliminary

An integer ring is

Z / q Z = Z_{q}

which has integers in

[- \frac{q - 1}{2}, \frac{q - 1}{2}]

for an odd prime q. A polynomial ring is

Z [X] / (X^{N} + 1) = R

with

N = 2^{k}

for some integer

k > 0

. A fully splitting ring is

Z_{q} [X] / (X^{N} + 1) = R_{q}

where each polynomial coefficient is in

Z_{q}

for a prime

q = 1 (mod 2 N)

. A polynomial is denoted with an upper arrow, e.g.,

\vec{a}

that is in

R

or

R_{q}

. We denote vectors of n elements in bold letters (

a = {[a_{i}]}_{i = 0}^{n}

) and matrices of m vectors in capital bold letters (

A = {[a_{i}]}_{i = 0}^{m}

). Similarly, polynomial vectors are denoted as

\vec{a} = {[{\vec{a}}_{i}]}_{i = 0}^{n}

, and matrices are denoted as

\vec{A} = {[{\vec{a}}_{i}]}_{i = 0}^{m}

.

\vec{a} \vec{b}

denotes the polynomial multiplication of

\vec{a}

and

\vec{b}

.

x \vec{a}

is a scalar multiplication where each coefficient is multiplied by scalar x.

Uniform sampling of some set S is denoted as

s \overset{$}{\leftarrow} S

. A negligible function of security parameter

λ

is denoted as

ϵ (λ) = 1 / o (λ^{c})

for some natural number c. The security parameter and public parameters are commonly referred as

λ

and

p p_{(λ)}

. We only use the following norms: the infinity norm

∥ \vec{a} ∥ = \max ([| a_{i} {|]}_{i = 0}^{N - 1})

and the level 1 norm

∥ \vec{a} ∥_{1} = \sum_{i = 0}^{N - 1} | a_{i} |

.

0

and

\vec{0}

are a vector of all zero values and a zero polynomial of all zero coefficients, respectively.

binary (v)

either outputs

b

of L elements or

\vec{b} \in R_{q}

such that

v = \sum_{i = 0}^{L} 2^{i} b_{i}

according to the context.

rot (v_{i}, i)

outputs polynomial

\vec{a}

such that the

i^{th}

coefficient of

\vec{a}

is

v_{i}

, and other coefficients are zeros s.t.

{[{\vec{a}}_{j} = 0]}_{j = 0, j \neq i}^{N}

.

{highbits}_{p} (v)

and

{lowbits}_{p} (v)

denote high bits and low bits of

v \in Z_{q}

such that

{highbits}_{p} (v) \cdot 2^{p} + {lowbits}_{p} (v) = v

. Furthermore,

{up}_{p} (v) = v s . \cdot 2^{p}

. We use these functions for polynomial vectors in an element-wise manner, e.g.,

{highbits}_{p} (\vec{a})

to denote high-bit polynomial vectors. Note that we use polynomial rotations to change the locations of bits. For example,

(j, i) \geq 0; j + i < N : \begin{matrix} rot (v, j) rot (1, i) = rot (v, j + i) \end{matrix} \in R

\begin{matrix} (j, i) \geq 0; j - i > 0; i < N : rot (v, j) rot (- 1, N - i) = rot (v, j - i) \end{matrix}

2.1. Common Security Properties

First, we start with the common security definitions of confidential coins, carry proofs, and transactions, i.e., the hiding property, zero-knowledge, and knowledge soundness.

Confidential coins and carry proofs should be hiding, i.e., they should not reveal the committed coin value or the carry vector. We define hiding or indistinguishability of a generic protocol

P

’s outputs below.

Definition 1

(Statistical Hiding). Let

D_{1}

be the output distribution of protocol

P (p p_{λ})

, and

D_{0}

be the simulated distribution created by a simulator

S (p p_{λ}, T)

with a trapdoor

T

of public parameter

p p_{λ}

. For any

A

,

P

’s outputs are hiding if

2 |\frac{1}{2} - P r [b \overset{?}{=} b^{'} | b \overset{$}{\leftarrow} [0, 1]; θ \overset{$}{\leftarrow} D_{b}; b^{'} \leftarrow A (p p_{λ}, θ)]| \leq ϵ (λ) .

Coin and carry proofs contain range proofs. A range proof should not reveal anything about the committed value other than the range. Similarly, summation proofs of transactions should not disclose anything about the coin values other than that input coins are equal to output coins. We define these requirements for a generic protocol

P

and statement(s)

L

. For example, in range proofs,

range (L, b)

outputs 1 if all

b_{i} \in [0, 1]

of

i \in [0, L)

. The statement

L

of a range proof is “

range (L, b)

is 1 for hidden

b

”. Assume the generic protocol

P

reveals a statement

L

about the outputs but nothing else. Then,

P

’s outputs are zero-knowledge except for

L

. We state the zero-knowledge of

P

below.

Definition 2

(Zero-Knowledge Argument). Let

D_{0}

be the simulated distribution of a simulator

S (p p_{λ}, L, T)

with a trapdoor

T

of public parameter

p p_{λ}

for

L

, and

D_{1}

be the real output distribution of protocol

P (p p_{λ})

for statements

L

. For any p.p.t.

A

,

P

’s outputs are zero-knowledge if

2 |\frac{1}{2} - P r [b \overset{?}{=} b^{'} | b \overset{$}{\leftarrow} [0, 1]; θ \overset{$}{\leftarrow} D_{b}; b^{'} \leftarrow A (p p_{λ}, θ, L)]| \leq ϵ (λ) .

Even though coins, carry proofs, and transactions are hiding and zero-knowledge, they should be knowledge sound such that no adversary can create valid proofs for invalid hidden coin amounts or invalid carry vectors. We capture this property by using a simulator

K

with a trapdoor

T

who extracts hidden values from the proofs. This is a stronger version of knowledge soundness, called simulated witness extractability. If a generic protocol is simulated witness extractable, the simulator

K

can always extract valid hidden amounts and carries that satisfy the required statement(s). We state the simulated witness extraction of a generic protocol

P

for statement(s)

L

below.

Definition 3

(Simulated Witness Extractability). Let

P

be a generic zero-knowledge protocol for statement

L

such that

P (p p_{λ}, L, Π)

verifies whether hidden values of Π satisfies

L

or not.

P

is simulated witness extractable if

P r [\begin{matrix} P (p p_{λ}, L, Π) \overset{?}{=} 1 \land \\ L (p p_{λ}, w) \overset{?}{=} 1 \end{matrix} | \begin{matrix} Π \leftarrow A (p p_{λ}) \\ w \leftarrow K (p p_{λ}, T, L, Π) \end{matrix}] \leq ϵ (λ) .

Technically, these extractors do not exist outside the simulated world because public parameters are securely generated to avoid unintentional trapdoors.

2.2. Hardness Assumption

LACT+ depends on the approximate SIS problem ref. [26].

Definition 4

(Approximate Inhomogeneous Module Short Integer Solution Problem (Approx-SIS)). The advantage of an algorithm

A

solving Approx-SIS of

(n, m, q, γ, γ^{'}, N)

after one execution is given by,

P r [\begin{matrix} ∥ \vec{s} ∥ \leq γ \land \\ ∥ \vec{H} \vec{s} - \vec{y} ∥ \leq γ^{'} \end{matrix} | \begin{matrix} \vec{H} \overset{$}{\leftarrow} R_{q}^{n \times m}; \vec{y} \overset{$}{\leftarrow} R_{q}^{n} \\ \vec{s} \leftarrow A (p p_{λ}, \vec{y}, \vec{H}) \end{matrix}]

2.3. Activity Proofs

Let

H

be a multiplicative group of prime order

q_{2} > 2^{3 λ}

and

H : {0, 1}^{*} \overset{}{\to} H

be a secure collision-resistant hash function family. Casually, we use

H

for one randomly chosen but commonly known member of a collision-resistant hash function family for a given

λ

where the key of

H

is random, fixed, and publicly known.

Let there be a non-empty set of data entries

s

that will be updated into a new set

s^{'}

. The proof

δ

of this activity is,

δ = activity (s, s^{'}) : Π_{i = 0}^{*} H (s_{i}^{'}) \cdot {(Π_{i = 0}^{*} H (s_{i}))}^{- 1} \in H .

Definition 5

(Immutability). An activity proof of

(H, q^{'})

is immutable if the following is less than or equal to

ϵ (λ)

.

P r [\begin{matrix} (s_{1}, s_{1}^{'}) \overset{?}{\neq} (s_{2}, s_{2}^{'}) \land \\ activity (s_{1}, s_{1}^{'}) \overset{?}{=} activity (s_{2}, s_{2}^{'}) \end{matrix} | (\begin{matrix} s_{1}, s_{1}^{'} \\ s_{2}, s_{2}^{'} \end{matrix}) \leftarrow A (H, q_{2})]

2.4. Hints

We frequently multiply high-bit polynomials with short challenge polynomials and check equality. Because the multiplication creates large errors that may propagate into higher bits, we use “hints”, a

{- 1, 0, 1}

polynomial vector that holds at most

χ

recovery bits. The way of creating and using hints is stated below.

\begin{matrix} \underset{̲}{hints (χ, \vec{a} \in R_{q}^{n}, \vec{b} \in R_{q}^{n})} : & \underset{̲}{use_hints (χ, \vec{a} \in R_{q}^{n}, \vec{h} \in R_{q}^{n})} : \\ \vec{h} = \vec{a} - \vec{b} \in R_{q}^{n} & if ∥ \vec{h} ∥ > 1 \land ∥ \vec{h} ∥_{1} > χ : \\ if ∥ \vec{h} ∥ > 1 \land ∥ \vec{h} ∥_{1} > χ : return ⊥ & return ⊥ \\ return \vec{h} & return \vec{b} = \vec{a} - \vec{h} \in R_{q}^{n} \end{matrix}

2.5. Public Parameters

We use the following public parameters (Algorithm 1) throughout the remainder of the paper.

Algorithm 1 Public Parameter Generation

Assign $C_{β}^{N}, L^{'}, p_{1}, p_{2}, χ, α, τ, τ_{1}, τ_{2}, τ_{3} \in N$ such that
$L^{'} L \leq N$ ⊳ Maximum number of inputs/outputs is $2^{L^{'}}$ because we only used one polynomial for carry commitments. When using l number of polynomials, this constraint should be $L^{'} L \leq N l$ .
⊳ for negligible soundness error
${log}_{2} (\binom{N}{β}) + β \geq 2 λ$ ,
⊳ for smaller errors targeting different summations
$p_{1} \cdot 2^{16} < 2^{γ^{'}}$ and $p_{2} \cdot 2^{8} < 2^{γ^{'}}$
⊳ Norm 1 limit for hint polynomials is heuristically chosen according to $p_{1}$ and $p_{2}$ aiming to create hints within a reasonable time
$χ \leftarrow heuristic (p_{1}, p_{2})$ s.t. $∥ hint (\cdot) \in R_{q}^{n} ∥_{1} \leq χ$
⊳ for rejection sampling in range proofs
$0 < 2 ≪ α$ , $0 < β^{2} τ + β τ_{1} ≪ τ_{2} \leq γ$ ,
⊳ for rejection sampling in aggregate signatures
$0 < (2^{L^{'}} + 1) β τ ≪ τ_{3}$ and $2^{L^{'}} τ_{3} \leq γ$ ,
⊳ for computational hiding of coin amounts
$(m - 3) N {log}_{2} (2 τ) \geq 6 λ$ ,
$L α ≪ γ$
Get $\vec{H} \overset{$}{\leftarrow} R_{q}^{n \times m}$ s.t. $Approx - {SIS}_{n, m, q, N, γ, γ^{'}}$ is hard.
$C_{β}^{N} = [x \in R_{q} s . t . ∥ x ∥ = {1, ∥ x ∥}_{1} = β]$
return $p p_{(λ, L)} = (n, m, q, N, C_{β}^{N}, L^{'}, p_{1}, p_{2}, χ, α,$ $τ, τ_{1},$
$τ_{2}, τ_{3}, γ, γ^{'}, \vec{H})$

2.6. Fiat–Shamir Signatures

We define a digital signature scheme based on Fiat–Shamir challenges similar to refs. [32,33,34,35,36] in Algorithm 2. This signature scheme is the Approx-SIS version of ref. [36] with (1) a varying key space to allow aggregate keys and (2) beginning zero polynomials to align with commitments.

SIG

provides completeness and strong EUF-CMA (Existential Unforgeability under Chosen Message Attack) due to the security of ref. [36] and the hardness of Approx-SIS.

We define the security properties below.

Definition 6.

SIG

is complete and strong EUF-CMA if

P r [\begin{matrix} SIG . ver (p p_{λ}, p k, m, sig, c) \overset{?}{=} 1 \end{matrix} | \begin{matrix} (k, p k) = SIG . kgen (p p_{λ}, c) \\ sig = SIG . sign (p p_{λ}, k, m, c) \end{matrix}] \geq 1 - ϵ (λ)

{Adv}_{SIG, p p_{λ}}^{EUF, A} : = P r [{Game}_{SIG, p p_{λ}}^{EUF, A} ()] \leq ϵ (λ) .

$\underset{̲}{{Game}_{SIG, p p_{λ}}^{EUF, A} :}$
$c \leftarrow A_{s t e p 1} (p p_{λ})$ ; if $c > 2^{L^{'}}$ : return ⊥
$(k, p k) = SIG . kgen (p p_{λ}, c)$ ; $(m^{'}, {sig}^{'}) \leftarrow A_{s t e p 2}^{{sign}_{k}} (p p_{λ}, p k)$
return $(m^{'}, {sig}^{'}) \notin Q \land SIG . ver (p p_{λ}, p k, m^{'}, {sig}^{'}, c)$
$\underset{̲}{{Oracle sign}_{k} (m, c) :}$ $sig = SIG . sign (p p_{λ}, k, m, c)$
$Q = Q \cup {(m, sig)}$ ; return $sig$

Theorem 1.

SIG

is complete and EUF-CMA when ref. [36] is complete and EUF-CMA, and solving Approx-SIS of

(n, m - 3, q, γ, γ^{'}, N)

is hard.

Algorithm 2 Digital Signatures

1:: ⊳ Here, the key spaces change according to $c \leq 2^{L^{'}}$
2:: ⊳ Recall that $τ_{2} ≫ (2^{L^{'}} + 1) τ β$ and $γ \leq 2^{L^{'}} τ_{3}$
3:: $\underset{̲}{SIG . kgen (p p_{λ}, c) :}$ ⊳ $\vec{k}$ is the secret signing key
4:: $\vec{k} \overset{$}{\leftarrow} {[- c τ, c τ]}^{(m - 3) \times N}$ ; $\vec{pk} = {highbits}_{p_{1}} (\vec{H} [0^{3}, \vec{r}]) \in R_{q}^{n}$
5:: return $(\vec{k}, \vec{pk})$
6:: $\underset{̲}{SIG . sign (p p_{λ}, \vec{k}, m, c) :}$ if $c > 2^{L^{'}}$ : return ⊥
7:: $\vec{pk} = {highbits}_{p_{1}} (\vec{H} [0^{3}, \vec{r}]) \in R_{q}^{n}$
8:: ${\vec{r}}_{0} \overset{$}{\leftarrow} {[- c τ_{3}, c τ_{3}]}^{(m - 3) \times N}$
9:: $\vec{y} = {highbits}_{γ^{'}} (\vec{pk}) \in R_{q}^{n}$
10:: $\vec{x} = hash (\vec{pk}, \vec{y}, m) \in C_{β}^{N}$
11:: $\vec{σ} = {\vec{r}}_{0} + \vec{x} \vec{k} \in R^{m - 3}$
12:: if $∥ \vec{σ} ∥ > (c τ_{3} - c β τ)$ : go to Step 8
13:: ${\vec{y}}^{'} = {highbits}_{γ^{'}} (\vec{H} [0^{3}, \vec{σ}] - \vec{x} {up}_{p_{1}} (\vec{pk})) \in R_{q}^{n}$
14:: $\vec{h} = hints (χ, {\vec{y}}^{'}, \vec{y})$ ; if $\vec{h} = ⊥$ : go to Step 8
15:: return $(\vec{σ}, \vec{h}, \vec{x})$
16:: $\underset{̲}{SIG . ver (p p_{λ}, \vec{pk}, m, \vec{σ}, \vec{x}, c) :}$
17:: if $c > 2^{L^{'}}$ : return 0
18:: ${\vec{y}}^{'} = {highbits}_{γ^{'}} (\vec{H} [0^{3}, \vec{σ}] - \vec{x} {up}_{p_{1}} (\vec{pk})) \in R_{q}^{n}$
19:: $\vec{y} = hints (χ, {\vec{y}}^{'}, \vec{h})$ ; if $\vec{y} = ⊥$ : return 0
20:: return $∥ \vec{σ} ∥ < γ \land \vec{x} \overset{?}{=} hash (\vec{pk}, \vec{y}, m)$

3. LACT+ Protocol

A LACT+ transaction has input confidential coins, output confidential coins, and a header (signature, carry proof, and activity proof), as shown in Figure 1. The input confidential coins are in the blockchain’s set of unspent coins. During the aggregation, they will be removed from the unspent coin set, and output confidential coins will be added to the unspent coin set (see Figure 2) where

coin (s)

was removed). Therefore, an aggregated blockchain can be seen as a big transaction that contains all unspent coins. In this section, we explain confidential coins, carry proofs of the headers, and finally the complete aggregable transactions.

Figure 1. LACT+ transaction structure.

Figure 2. Transaction aggregation.

3.1. Confidential Coins

We begin by building confidential coin records where we can hide coin values but can also verify that the hidden coin amounts are in some range

[0, 2^{L})

.

Let there be a confidential coin scheme

COIN

that supports the following functionalities.

$COIN . gen (p p_{(λ, L)}, v) :$ returns $(k, coin)$ if v is in $[0, 2^{L} - 1]$ ; otherwise returns ⊥. Here, k is a secret key, a.k.a., blinding key, and L is defined in $p p_{(λ, L)}$ .
$COIN . open (p p_{(λ, L)}, v, k, coin) :$ returns 1 if $coin$ is generated for $(v \in [0, 2^{L}), k)$ ; otherwise, returns 0.
$COIN . ver (p p_{(λ, L)}, coin) :$ returns 1 if the hidden coin amount is in $[0, 2^{L})$ otherwise, returns 0.

Protocol Sketch

First, we sketch an interactive version of a 1-bit range proof. Let there be a value b which should be either 0 or 1. For some mask

a \in [- α, α]

and random challenge

x \in [- 1, 0, 1]

, take

z = b x + a

if

z \in [- α + 1, α - 1]

. Otherwise, the process is repeated until a valid z is found. Then

z (z - x) = x a (2 b - 1) + a^{2}

because

x^{2} b (b - 1)

should be zero. We use this method to prove the range of a bit.

Let

P

be a prover and

V

be a verifier.

V

has a commitment

u = com (b, 0, k)

, and

P

who knows

k \in [- τ, τ]

wants to show that the bit b is either 1 or 0 without revealing it. The prover uses commitments to prove the range of b. First,

P

creates commitment

t_{1} = com (b, a (2 b - 1), r_{1})

and sends it to

V

. After receiving a challenge

x_{1}

from

V

,

P

replies with

t_{2} = com (x a, a^{2}, r_{2})

. Then,

V

sends the second challenge

x_{2}

. After that,

P

computes

z = (b x + a)

and

r = x_{2} (x_{1} k + r_{1}) + r_{2}

. If z is in

[- α + 1, α - 1]

and r is in

[- τ + τ_{1} + τ_{2}, τ - τ_{1} - τ_{2}]

, they statistically hide

b, a, k, r_{1}

, and

r_{2}

. Hence,

P

sends z and r to

V

. If z and r are not in the secure ranges,

P

rejects them and restarts the protocol. Finally, the verifier

V

checks that

com (x_{1} z, z (z - x_{2}), r) \overset{?}{=} x_{2} x_{1} u + x_{2} t_{1} + t_{2}

.

V

accepts that b is either 0 or 1 if they are equal.

We use this technique to prove the range of the coin by repeating it for all bits. Furthermore, we increase the range of challenges into

2^{2 λ}

so that

P

cannot cheat. The complete non-interactive protocol

COIN

is given in Algorithm 3, and a graphical overview is provided in Figure 3. Note that all LACT+ commitments have the form of

com (*, *, *, *)

, not

com (*, *, *)

. Hence, the verifier will check

com (x_{1} z, z (z - x_{2}), 0, r) \overset{?}{=} x_{2} x_{1} u + x_{2} t_{1} + t_{2}

with a fixed 0 value. This extra value space is used for carry proofs which will be explained in the next section.

Figure 3. A graphical overview of confidential coins (Algorithm 3).

One-bit Range Proof Sketch (Interactive)
$P$		$V_{2}$
$a \overset{$}{\leftarrow} [- α, α]; r_{1} \overset{$}{\leftarrow} [- τ_{1}, τ_{1}]$
$t_{1} = com (b, a (2 b - 1), r_{1})$	$\underset{\to}{t_{1}}$
$r_{2} \overset{$}{\leftarrow} [- τ_{2}, τ_{2}]$	$\underset{\leftarrow}{x_{1}}$	$x_{1} \overset{$}{\leftarrow} [- 1, 1]$
$t_{2} = com (x a, a^{2}, r_{2})$	$\underset{\to}{t_{2}}$
$z = (b x + a) \in [- α + 1, α - 1]$	$\underset{\leftarrow}{x_{2}}$	$x_{2} \overset{$}{\leftarrow} [- 1, 1]$
$r = x_{2} (x_{1} k + r_{1}) + r_{2} s . t .$
$r \in [- τ + τ_{1} + τ_{2}, τ - τ_{1} - τ_{2}]$	$\underset{\to}{z, r}$	$com (x_{1} z, z (z - x_{2}), r) \overset{?}{=}$
		$x_{2} x_{1} u + x_{2} t_{1} + t_{2}$

Algorithm 3 New Confidential Coins

1:: ⊳ Creates coin records for v coins
2:: $\underset{̲}{COIN . gen (p p_{(λ, L)}, v)}$ :
3:: ⊳ Short vector for the commitment
4:: $\vec{b} = binary (L, v)$ s.t. $v = \sum_{i = 0}^{L - 1} 2^{i} b_{i}$
5:: $\vec{k} \overset{$}{\leftarrow} {[- τ, τ]}^{(m - 3) \times N}$
6:: $\vec{s} = [\vec{b}, \vec{0}, \vec{0}, \vec{k}] \in R_{q}^{m}$
7:: $\vec{u} = {highbits}_{p_{1}} (\vec{H} \vec{s}) \in R_{q}^{n}$ ⊳ Commitment
8:: ⊳ Get masking values for bits from Lazy Sampling
9:: ${[{\vec{a}}_{i} \overset{$}{\leftarrow} {[- (α - (1 - b_{i})), (α - (1 - b_{i}))]}^{N}]}_{i = 0}^{L}$
10:: ⊳ Short key vectors for range proof commitments
11:: ${\vec{r}}_{1} \overset{$}{\leftarrow} {[- τ_{1}, τ_{1}]}^{(m - 3) \times N}$ ; ${\vec{r}}_{2} \overset{$}{\leftarrow} {[- τ_{2}, τ_{2}]}^{(m - 3) \times N}$
12:: ${\vec{s}}_{1} = [\vec{0}, \sum_{i = 0}^{L} {\vec{a}}_{i} rot (2 b_{i} - 1, i), \vec{0}, {\vec{r}}_{1}] \in R^{m}$
13:: ${\vec{t}}_{1} = {highbits}_{p_{2}} (\vec{H} {\vec{s}}_{1}) \in R_{q}^{n}$
14:: ${\vec{x}}_{1} = hash (\vec{u}, {\vec{t}}_{1}) \in C_{β}^{N}$
15:: ${\vec{s}}_{2} = [{\vec{x}}_{1} \sum_{i = 0}^{L} {\vec{a}}_{i}, \sum_{i = 0}^{L} {\vec{a}}_{i} {\vec{a}}_{i}, \vec{0}, {\vec{r}}_{2}] \in R^{m}$
16:: ${\vec{t}}_{2} = {highbits}_{γ^{'}} (\vec{H} {\vec{s}}_{2}) \in R_{q}^{n}$
17:: ${\vec{x}}_{2} = hash (\vec{u}, {\vec{t}}_{1}, {\vec{t}}_{2}) \in C_{β}^{N}$
18:: ${[{\vec{z}}_{i} = {\vec{x}}_{2} rot (b_{i}, i) + {\vec{a}}_{i}]}_{i = 0}^{L} \in R^{L}$
19:: $\vec{r} = {\vec{x}}_{2} ({\vec{x}}_{1} \vec{k} + {\vec{r}}_{1}) + {\vec{r}}_{2} \in R^{m - 3}$
20:: if $∥ \vec{z} ∥ > (α - 1) \lor ∥ \vec{r} ∥ > (τ_{2} - β^{2} τ - β τ_{1})$ :
21:: go to Step 5
22:: ⊳ Check norms
23:: $\hat{\vec{z}} = \sum_{i = 0}^{L} {\vec{z}}_{i} ({\vec{z}}_{i} - {\vec{x}}_{2} rot (1, i)) \in R$
24:: if $∥ \hat{\vec{z}} ∥ > γ$ : go to Step 5
25:: ⊳ Create hints for ${\vec{t}}_{2}$
26:: $\vec{s} = [{\vec{x}}_{1} \sum_{i = 0}^{L} {\vec{z}}_{i}, \hat{\vec{z}}, \vec{0}, \vec{r}] \in R^{m}$
27:: ${\vec{t}}_{2}^{'} = {highbits}_{γ^{'}} (\vec{H} \vec{s} - {\vec{x}}_{2} ({\vec{x}}_{1} {up}_{p_{1}} (\vec{u}) + {up}_{p_{2}} ({\vec{t}}_{1}))) \in R_{q}^{n}$
28:: $\vec{h} = hints (χ, {\vec{t}}_{2}^{'}, {\vec{t}}_{2})$
29:: if $\vec{h} = ⊥$ : go to Step 5
30:: return $\vec{k}$ and $coin = (\vec{z}, \vec{r}, \vec{u}, {\vec{t}}_{1}, \vec{h}, {\vec{x}}_{2})$
31:: ⊳ Open coin records of v coins and key $\vec{k}$
32:: $\underset{̲}{COIN . open (p p_{(λ, L)}, v, \vec{k}, coin) :}$
33:: $(\vec{z}, \vec{r}, \vec{u}, {\vec{t}}_{1}, \vec{h}, {\vec{x}}_{2}) = coin$
34:: $\vec{s} = [binary (v), \vec{0}, \vec{0}, \vec{k}] \in R^{m}$
35:: return $∥ \vec{s} ∥ \overset{?}{\leq} α \land \vec{u} \overset{?}{=} {highbits}_{p_{1}} (\vec{H} \vec{s}) \in R_{q}^{n}$
36:: ⊳ Verify coin records
37:: $\underset{̲}{COIN . ver (p p_{(λ, L)}, coin) :}$
38:: $(\vec{z}, \vec{r}, \vec{u}, {\vec{t}}_{1}, \vec{h}, {\vec{x}}_{2}) = coin$
39:: ${\vec{x}}_{1} = hash (\vec{u}, {\vec{t}}_{1})$
40:: $\hat{\vec{z}} = \sum_{i = 0}^{L} {\vec{z}}_{i} ({\vec{z}}_{i} - {\vec{x}}_{2} rot (1, i)) \in R$
41:: $\vec{s} = [{\vec{x}}_{1} \sum_{i = 0}^{L} {\vec{z}}_{i}, \hat{\vec{z}}, \vec{0}, \vec{r}] \in R^{m}$
42:: ⊳ Use hints to recompute ${\vec{t}}_{2}$
43:: ${\vec{t}}_{2}^{'} = {highbits}_{γ^{'}} (\vec{H} \vec{s} - {\vec{x}}_{2} ({\vec{x}}_{1} {up}_{p_{1}} (\vec{u}) + {up}_{p_{2}} ({\vec{t}}_{1}))) \in R_{q}^{n}$
44:: ${\vec{t}}_{2} = use_hints (χ, {\vec{t}}_{2}^{'}, \vec{h})$
45:: if ${\vec{t}}_{2} = ⊥$ : return 0
46:: return ${\vec{x}}_{2} \overset{?}{=} hash (\vec{u}, {\vec{t}}_{1}, {\vec{t}}_{2}) \land ∥ \vec{s} ∥ \leq γ$

We want

COIN

to be complete, hiding, binding, zero-knowledge, and knowledge sound. Here, we state the undefined security properties of

COIN

; completeness and binding. Other properties, namely, hiding, zero-knowledge, and knowledge soundness, defined in Section 2.1 are valid for

COIN

as well when the statement

L

is

“ all L bits of b = binary (L, v) are either 0 or 1 ” .

Definition 7

(Completeness).

COIN

is complete if honestly generated proofs can be verified for the correct range, or the following is greater than or equal to

1 - ϵ (λ)

.

P r [\begin{matrix} COIN . ver (p p_{(λ, L)}, coin) \end{matrix} | \begin{matrix} v s . \in [0, 2^{L} - 1] \\ (k, coin) = COIN . gen (p p_{(λ, L)}, v) \end{matrix}]

Once a coin record has been published, no one, including the creator who knows the secret key, should be able to claim another coin value for the same coin record. Otherwise, after sending a transaction, owners can illegally generate coins. We capture this security property below.

Definition 8

(Binding).

COIN

is binding if

P r [\begin{matrix} (v, k) \overset{?}{\neq} (v^{'}, k^{'}) \land \\ COIN . open (p p_{(λ, L)}, v, k, coin) \land \\ COIN . open (p p_{(λ, L)}, v^{'}, k^{'}, coin) \end{matrix} | (\begin{matrix} coin \\ v, k \\ v^{'}, k^{'} \end{matrix}) \leftarrow A (p p_{(λ, L)})] \leq ϵ (λ)

Theorem 2.

COIN

is complete, computationally binding, and computational knowledge sound, and zero-knowledge if approx-SIS of

(n, m, q, γ, γ^{'}, N)

is hard (see the security proof in Appendix A).

3.2. Logarithmic-Sized Carry Proofs

Binary commitments are smaller than full integer commitments. However, we cannot directly check summations of transactions’ in/outputs and chains’ total unspent coin amount when they are in binary forms. Therefore, LACT ref. [2] uses static carries with maximum two inputs and two outputs and a static supply.

Unlike traditional blockchains, LACT maintains an unspent coin record (with a zero key) for the coinbase (coin supplier) where the coinbase holds future supply, and those coins do not belong to anyone until they are awarded. The idea is to maintain a constant coin amount on the blockchain all the time. For instance, the coinbase holds the maximum

v_{base} = S

at the beginning and keeps reducing the amount

v_{base} = v_{base} - s^{(t)}

with each rewarded coin

s^{(t)}

of transaction t. Therefore, the blockchain always has S coins. When the coin amount is constant, the following equations can be used to check the summation of individual transactions and the blockchain.

Let the maximum coin amount be in

[0, 2^{L})

. For transaction t, let the inputs be

c

with coins

{[v_{i}]}_{i = 0}^{*}

such that

binary (v_{i}) = {[b_{i, j}]}_{j = 0}^{L}

and outputs be

c^{'}

with coins

{[v_{i}^{'}]}_{i = 0}^{*}

such that

binary (v_{i}^{'})

= {[b_{i, j}^{'}]}_{j = 0}^{L}

. Then, the input carries

{[c_{j}]}_{j = 0}^{L + 1}

are computed as

{[0, (\sum_{i = 1}^{| c |} b_{i, 0} + c_{0}) \div 2, \dots, (\sum_{i = 1}^{| c |} b_{i, L - 2} + c_{L - 2}) \div 2, 0]}_{j = 0}^{L + 1}

where

c_{0}

and

c_{L}

are zeros, and other

c_{j}

s are either 0 or 1. Similarly, the output carries

{[c_{j}^{'}]}_{j = 0}^{L + 1}

are

{[0, (\sum_{i = 1}^{| c^{'} |} b_{i, 0}^{'} + c_{0}^{'}) \div 2, \dots, (\sum_{i = 1}^{| c^{'} |} b_{i, L - 2}^{'} + c_{L - 2}^{'}) \div 2, 0]}_{j = 0}^{L + 1}

such that

c_{0}^{'}

and

c_{L}^{'}

are zeros, and

c_{j}^{'}

s are 0 or 1. Note that ÷ is the integer division and

| \cdot |

is the size of a set/vector.

Then, these binary vectors satisfy Equation (1) if inputs coins are equal to output coins.

{[\sum_{i = 1}^{| c^{'} |} b_{i, j}^{'} - \sum_{i = 1}^{| c |} b_{i, j} + (c_{j}^{' (t)} - 2 c_{j + 1}^{' (t)} - c_{j}^{(t)} + 2 c_{j + 1}^{(t)}) \overset{?}{=} 0]}_{j = 0}^{L}

(1)

Furthermore, due to the constant coin amount, Equation (2) can be used to verify that unspent coins (

ucoins

) are equal to the total supply S of headers (

headers

)

binary (S) = {[S_{j}]}_{j = 0}^{L}

.

{[\sum_{i = 1}^{| ucoins |} b_{i, j} + \sum_{t = 1}^{| headers |} (c_{j}^{' (t)} - 2 c_{j + 1}^{' (t)} - c_{j}^{(t)} + 2 c_{j + 1}^{(t)}) \overset{?}{=} S_{j}]}_{j = 0}^{L}

(2)

Therefore, LACT headers contain carry

com ({[c_{j}^{' (t)} - 2 c_{j + 1}^{' (t)} - c_{j}^{(t)} + 2 c_{j + 1}^{(t)}]}_{j = 0}^{L - 1}, *)

and range proofs of in/output carries (we call them carry proofs) when in/output size is 2. Note that when there is only one in/output, the carries are always zero, in which case no carry proofs are needed. These carries’ range proofs are similar to coins’ carry proofs even though a functional output of the carries is committed. However, a normal transaction has to be separated into multiple LACT transactions if there are more than two inputs or outputs. For example, a transaction of

(2 \Rightarrow 3)

can be separated into two transactions;

(2 \Rightarrow 2)

and

(1 \Rightarrow 2)

with two carry proofs.

We generalize this concept of static carry proofs for more than two input and output transactions at a logarithmic cost to reduce the size impact of carry proofs in LACT+.

Let there be a carry proof protocol,

CARRY

that commits and provides range proofs for maximum

2^{L^{'}}

number of inputs or outputs.

$CARRY . gen (p p_{(λ, L)}, {[v_{i}]}_{i = 0}^{| in |}, {[v_{i}]}_{i = 0}^{| out |}) :$ returns $(k, carry)$ if all $v$ and $v$ are in $[0, 2^{L} - 1]$ ; otherwise returns ⊥. Here, k is the secret key of carry commitment, $| in | \leq 2^{L^{'}}$ and $| out | \leq 2^{L^{'}}$ . At this point, we do not check $\sum v = \sum v^{'}$ , which will be performed in transaction creation. Here, $| in |$ and $| out |$ are the input and output sizes.
$CARRY . ver (p p_{(λ, L)}, carry) :$ returns one if the hidden carries are in $[0, 2^{L^{'}})$ and the carries are committed according to Equation (1); otherwise, it returns zero.

Protocol Sketch

Carry proofs contain a commitment and a range proof to show that each carry is in a proper range, which is

[0, 2^{L^{'}})

for maximum

2^{L^{'}} \geq 2

inputs and outputs. Let there be

2^{L_{in}}

number of inputs and

2^{L_{out}}

number of outputs. A LACT+ carry commitment is

com (c_{j}^{' (t)} - 2 c_{j + 1}^{' (t)} - c_{j}^{(t)} + 2 c_{j + 1}^{(t)}, 0, 0, k)

when

c

and

c^{'}

are input and output carries. Here, except for the 0^th and

{(L - 1)}^{th}

carries, the output carries

{[c_{j}^{'}]}_{j = 1}^{L - 2}

are in

[0, 2^{L_{out}})

, and other input carries

{[c_{j}]}_{j = 1}^{L - 2}

are in

[0, 2^{L_{in}})

. Hence, LACT+ creates range proofs for the following vectors

[binary (L_{in}, c_{1}), \dots, binary (L_{in}, c_{L - 2})] \in R and [binary (L_{out}, c_{1}^{'}), \dots, binary (L_{out}, c_{L - 2}^{'})] \in R .

We define the new carry proof protocol in Algorithm 4. Furthermore, we provide a graphical view of the carry proofs in Figure 4 using the same notation as Algorithm 4.

Algorithm 4 New Confidential Carry Proofs

1:: ⊳ $| in |, | out |$ $(\leq 2^{L^{'}})$ are the number of in/outputs, including supplied coins and transaction fee.
2:: $\underset{̲}{CARRY . gen (p p_{(λ, L)}, {[v_{i}]}_{i = 0}^{| in |}, {[v_{i}]}_{i = 0}^{| out |}) :}$
3:: if $| in | > 2^{L^{'}} \land | out | > 2^{L^{'}}$ :
4:: return ⊥
5:: $L_{in} = ⌈ {log}_{2} (⌊ (2 | in | - 1) ⌋) ⌉$
6:: $L_{out} = ⌈ {log}_{2} (⌊ (2 | out | - 1) ⌋) ⌉$
7:: ${[b_{i} = binary (v^{(i)})]}_{i = 1}^{| in |}$ , ${[b_{i}^{'} = binary (v^{' (i)})]}_{i = 1}^{| out |}$
8:: ⊳ Carries when ÷ is the integer division
9:: $c_{0} = [0, {[c_{0, j + 1} = (\sum_{i = 1}^{| in |} b_{i, j} + c_{0, j}) \div 2]}_{j = 0}^{L - 1}, 0]$
10:: $c_{1} = [0, {[c_{1, j + 1} = (\sum_{i = 1}^{| out |} b_{i, j}^{'} + c_{1, j}) \div 2]}_{j = 0}^{L - 1}, 0]$
11:: ⊳ Bits of input carries
12:: $c_{0}^{'} = {[{binary}_{L_{in}} (c_{0, j})]}_{j = 0}^{L + 1} \in R^{(L + 1) \times L^{'}}$
13:: ⊳ Bits of output carries
14:: $c_{1}^{'} = {[{binary}_{L_{out}} (c_{1, j})]}_{j = 0}^{L + 1} \in R^{(L + 1) \times L^{'}}$
15:: ⊳ Compute random masks for carries
16:: ⊳ Lazy Sampling
17:: ${[{[{\vec{d}}_{0, i, l} \overset{$}{\leftarrow} {[- (α - (1 - c_{0, i, l}^{'})), (α - (1 - c_{0, i, l}^{'}))]}^{N}]}_{i = 1}^{L}]}_{l = 0}^{L_{in}}$
18:: Set ${\vec{d}}_{0, 0} = \vec{0}$ and ${\vec{d}}_{0, L} = \vec{0}$
19:: $[{[{\vec{d}}_{1, i, l} \overset{$}{\leftarrow} {[- (α - (1 - c_{1, i, l}^{'})), {(α - (1 - c_{1, i, l}^{'}))}^{N}]}_{i = 1}^{L}]}_{l = 0}^{L_{out}}$
20:: Set ${\vec{d}}_{1, 0} = \vec{0}$ and ${\vec{d}}_{1, L} = \vec{0}$
21:: ${\hat{\vec{c}}}_{0} = \sum_{l = 0}^{L_{in}} \sum_{j = 0}^{L} {\vec{d}}_{0, j, l} rot (2 c_{0, j, l}^{'} - 1, j L_{in} + l) \in R$
22:: ${\hat{\vec{c}}}_{1} = \sum_{l = 0}^{L_{out}} \sum_{j = 0}^{L} {\vec{d}}_{1, j} rot (2 c_{1, j, l}^{'} - 1, j L_{out} + l) \in R$
23:: ${\hat{\vec{c}}}^{'} = {[(c_{1, j} - c_{0, j}) - 2 (c_{1, j + 1} - c_{0, j + 1})]}_{j = 0}^{L}, 0^{N - L}] \in R$
24:: $t_{in} = N - j \cdot (L_{in} - 1) - l$
25:: $t_{in}^{'} = N - (j + 1) \cdot (L_{in} - 1) - l - 1$
26:: ${\hat{\vec{d}}}_{0}^{'} = \sum_{l = 0}^{L_{in}} \sum_{j = 0}^{L} ({\vec{d}}_{0, j, l} rot (- 2^{l}, t_{in}) - 2 {\vec{d}}_{0, j + 1, l} rot (- 2^{l}, t_{in}^{'}))$
27:: $t_{out} = N - j \cdot (L_{out} - 1) - l$
28:: $t_{out}^{'} = N - (j + 1) \cdot (L_{out} - 1) - l - 1$
29:: ${\hat{\vec{d}}}_{1}^{'} = \sum_{l = 0}^{L_{out}} \sum_{j = 0}^{L} ({\vec{d}}_{1, j, l} rot (- 2^{l}, t_{out}) - 2 {\vec{d}}_{1, j + 1, l} rot (- 2^{l}, t_{out}^{'}))$
30:: ⊳ Pick random masks
31:: $\vec{k} \overset{$}{\leftarrow} {[- τ, τ]}^{(m - 3) \times N}$
32:: ${\vec{r}}_{1} \overset{$}{\leftarrow} {[- τ_{1}, τ_{1}]}^{(m - 3) \times N}$ ; ${\vec{r}}_{2} \overset{$}{\leftarrow} {[- τ_{2}, τ_{2}]}^{(m - 3) \times N}$
33:: ⊳ Carry commitment
34:: $\vec{u} = {highbits}_{p_{1}} (\vec{H} [{\hat{\vec{c}}}^{'}, \vec{0}, \vec{0}, \vec{k}]) \in R_{q}^{n}$
35:: ${\vec{t}}_{1} = {highbits}_{p_{2}} (\vec{H} [\vec{0}, {\hat{\vec{c}}}_{1}, {\hat{\vec{c}}}_{0}, {\vec{r}}_{1}]) \in R_{q}^{n}$
36:: ${\vec{x}}_{1} = hash (\vec{u}, {\vec{t}}_{1}) \in C_{β}^{N}$
37:: ${\vec{s}}_{2} = [{\vec{x}}_{1} ({\hat{\vec{d}}}_{1}^{'} - {\hat{\vec{d}}}_{0}^{'}), \sum_{l = 0}^{L_{out}} \sum_{j = 0}^{L} {\vec{d}}_{1, j, l}^{2}, \sum_{l = 0}^{L_{in}} \sum_{j = 0}^{L} {\vec{d}}_{0, j, l}^{2}, {\vec{r}}_{2}]$
38:: ${\vec{t}}_{2} = {highbits}_{γ^{'}} (\vec{H} {\vec{s}}_{2}) \in R_{q}^{n}$
39:: ${\vec{x}}_{2} = hash (\vec{u}, {\vec{t}}_{1}, {\vec{t}}_{2}) \in C_{β}^{N}$

40:: ${\vec{z}}_{0} = {[{[{\vec{x}}_{2} rot (c_{0, j, l}, j L_{in} + l) + {\vec{d}}_{0, j, l}]}_{j = 1}^{L}]}_{l = 0}^{L_{in}} \in R^{L_{in} \times L}$
41:: ${\vec{z}}_{1} = {[{[{\vec{x}}_{2} rot (c_{1, j, l}, j L_{out} + l) + {\vec{d}}_{1, j, l}]}_{j = 1}^{L}]}_{l = 0}^{L_{in}} \in R^{L_{out} \times L}$
42:: if $∥ {\vec{z}}_{0} ∥ > (α - 1) \lor ∥ {\vec{z}}_{1} ∥ > (α - 1)$ :
43:: go to Step 15
44:: $\vec{r} = {\vec{x}}_{2} ({\vec{x}}_{1} \vec{k} + {\vec{r}}_{1}) + {\vec{r}}_{2} \in R^{m - 3}$
45:: if $∥ \vec{r} ∥ > (τ_{2} - β^{2} τ - β τ_{1}) :$
46:: go to Step 15
47:: ${\hat{\vec{z}}}_{0}^{'} = {\vec{x}}_{1} \sum_{l = 0}^{L_{in}} \sum_{j = 0}^{L} ({\vec{z}}_{0, j, l} rot (- 2^{l}, t_{in})$
48:: $- 2 {\vec{z}}_{0, j + 1, l} rot (- 2^{l}, t_{in}^{'})) \in R$
49:: ${\hat{\vec{z}}}_{1}^{'} = {\vec{x}}_{1} \sum_{l = 0}^{L_{out}} \sum_{j = 0}^{L} ({\vec{z}}_{1, j, l} rot (- 2^{l}, t_{out})$
50:: $- 2 {\vec{z}}_{1, j + 1, l} rot (- 2^{l}, t_{out}^{'})) \in R$
51:: ${\hat{\vec{z}}}_{0} = \sum_{l = 0}^{L_{in}} \sum_{i = 0}^{L} {\vec{z}}_{0, i} ({\vec{z}}_{0, i} - {\vec{x}}_{2} rot (1, i L_{in} + l)) \in R$
52:: ${\hat{\vec{z}}}_{1} = \sum_{l = 0}^{L_{out}} \sum_{i = 0}^{L} {\vec{z}}_{1, i} ({\vec{z}}_{1, i} - {\vec{x}}_{2} rot (1, i L_{out} + l)) \in R$
53:: $\vec{s} = [{\hat{\vec{z}}}_{1}^{'} - {\hat{\vec{z}}}_{0}^{'}, {\hat{\vec{z}}}_{1}, {\hat{\vec{z}}}_{0}, \vec{r}] \in R^{m}$
54:: if $∥ \vec{s} ∥ > γ$ : go to Step 15
55:: ⊳ Compute hints for ${\vec{t}}_{2}$
56:: ${\vec{t}}_{2}^{'} = {highbits}_{γ^{'}} (\vec{H} \vec{s} - {\vec{x}}_{2} ({\vec{x}}_{1} {up}_{p_{1}} (\vec{u}) + {up}_{p_{2}} ({\vec{t}}_{1}))) \in R_{q}^{n}$
57:: $\vec{h} = hints (χ, {\vec{t}}_{2}^{'}, {\vec{t}}_{2})$
58:: if $\vec{h} = ⊥$ : go to Step 15
59:: return $carry = ({\vec{z}}_{0}, {\vec{z}}_{1}, \vec{r}, \vec{u}, {\vec{t}}_{1}, \vec{h}, {\vec{x}}_{2})$
60:: $\underset{̲}{CARRY . ver (p p_{(λ, L)}, | in |, | out |, carry) :}$
61:: ⊳ $(*)$ denotes variables that can be empty
62:: $({\vec{z}}_{0}^{(*)}, {\vec{z}}_{1}^{(*)}, {\vec{r}}^{(*)}, {\vec{u}}^{(*)}, {\vec{t}}_{1}^{(*)}, {\vec{h}}^{(*)}, {\vec{x}}_{2}^{(*)}) : = carry$
63:: if $| in | > 2^{L^{'}} \land | out | > 2^{L^{'}}$ :
64:: return ⊥
65:: $L_{in} = ⌈ {log}_{2} (⌊ (2 | in | - 1) ⌋) ⌉$
66:: $L_{out} = ⌈ {log}_{2} (⌊ (2 | out | - 1) ⌋) ⌉$
67:: $t_{in} = N - j \cdot (L_{in} - 1) - l$
68:: $t_{in}^{'} = N - (j + 1) \cdot (L_{in} - 1) - l - 1$
69:: $t_{out} = N - j \cdot (L_{out} - 1) - l$
70:: $t_{out}^{'} = N - (j + 1) \cdot (L_{out} - 1) - l - 1$
71:: if $∥ {\vec{z}}_{0} ∥ > α \lor ∥ {\vec{z}}_{1} ∥ > α$ :
72:: return 0
73:: ${\hat{\vec{z}}}_{0}^{'} = {\vec{x}}_{1} \sum_{l = 0}^{L_{in}} \sum_{j = 0}^{L} ({\vec{z}}_{0, j, l} rot (- 2^{l}, t_{in})$
74:: $- 2 {\vec{z}}_{0, j + 1, l} rot (- 2^{l}, t_{in}^{'})) \in R$
75:: ${\hat{\vec{z}}}_{1}^{'} = {\vec{x}}_{1} \sum_{l = 0}^{L_{out}} \sum_{j = 0}^{L} ({\vec{z}}_{1, j, l} rot (- 2^{l}, t_{out})$
76:: $- 2 {\vec{z}}_{1, j + 1, l} rot (- 2^{l}, t_{out}^{'})) \in R$
77:: ${\hat{\vec{z}}}_{0} = \sum_{l = 0}^{L_{in}} \sum_{i = 0}^{L} {\vec{z}}_{0, i} ({\vec{z}}_{0, i} - {\vec{x}}_{2} rot (1, i L_{in} + l)) \in R$
78:: ${\hat{\vec{z}}}_{1} = \sum_{l = 0}^{L_{out}} \sum_{i = 0}^{L} {\vec{z}}_{1, i} ({\vec{z}}_{1, i} - {\vec{x}}_{2} rot (1, i L_{out} + l)) \in R$
79:: $\vec{s} = [{\hat{\vec{z}}}_{1}^{'} - {\hat{\vec{z}}}_{0}^{'}, {\hat{\vec{z}}}_{1}, {\hat{\vec{z}}}_{0}, \vec{r}] \in R^{m}$
80:: if $∥ \vec{s} ∥ > γ$ : return 0
81:: ⊳ Recompute ${\vec{t}}_{2}$ from hints
82:: ${\vec{t}}_{2}^{'} = {highbits}_{γ^{'}} (\vec{H} \vec{s} - {\vec{x}}_{2} ({\vec{x}}_{1} {up}_{p_{1}} (\vec{u}) + {up}_{p_{2}} ({\vec{t}}_{1}))) \in R_{q}^{n}$
83:: ${\vec{t}}_{2} = use_hints (χ, {\vec{t}}_{2}^{'}, \vec{h})$
84:: if ${\vec{t}}_{2} = ⊥$ : return 0
85:: return ${\vec{x}}_{2} \overset{?}{=} hash (\vec{u}, {\vec{t}}_{1}, {\vec{t}}_{2})$

Figure 4. Graphical overview of carry proofs (Algorithm 4).

New carry proofs provide the following properties; completeness, knowledge soundness, and zero-knowledge argument. Zero-knowledge and knowledge soundness are defined for a statement

L

,

“ all input and output carries are in [0, 2^{L_{in}}) and [0, 2^{L_{out}}) ”

according to Definitions 2 and 3.

Definition 9

(Completeness).

CARRY

is complete if honestly generated proofs are always valid such that the following is greater than or equal to

1 - ϵ (λ)

.

P r [\begin{matrix} CARRY . ver (p p_{(λ, L)}, \\ | in |, | out |, c) \end{matrix} | \begin{matrix} v, v^{'} \in [0, 2^{L} - 1] s . t . | v |, | v^{'} | ∥ \leq 2^{L^{'}} \\ (k, c) = CARRY . gen (p p_{(λ, L)}, v, v^{'}) \end{matrix}]

Theorem 3.

CARRY

is complete, zero-knowledge, and witness extractable if Approx-SIS of

(n, m, q, γ,

γ^{'}, N)

is hard (see the security proof in Appendix B).

3.3. Aggregable Confidential Transactions with Activity Proofs

In this section, we describe LACT+ transactions,

TX

, with new confidential coins, carry proofs, and activity proofs.

A transaction converts a set of existing coin records (inputs) into new coins (outputs). First, users agree on the inputs and outputs. Then they create a carry proof to show the summation. Finally, they create the transaction by computing a signature to prove the ownership. Let

{[b]}_{i = 0}^{*}

,

{[b^{'}]}_{i = 0}^{*}

,

c_{0}

, and

c_{1}

be the binary inputs, binary outputs, input carries, and output carries accordingly. If the input coins are equal to output coins, they satisfy Equation (1) and a zero-coefficient vector is output. Therefore, the summed commitment

p k

is,

com (\begin{matrix} \sum_{i = 0}^{*} b^{'} - \sum_{i = 0}^{*} b \\ + (c_{j}^{' (t)} - 2 c_{j + 1}^{' (t)} \\ - c_{j}^{(t)} + 2 c_{j + 1}^{(t)}) \end{matrix}, 0, 0, \underset{r}{\underset{︸}{\begin{matrix} \sum_{i = 0}^{*} k_{i}^{'} \\ - \sum_{i = 0}^{*} k_{i} + k \end{matrix}}}) = com (0, 0, 0, r) = p k

when

k, {[k]}_{i = 0}^{*}

, and

{[k^{'}]}_{i = 0}^{*}

are the keys of the carry commitment, input coin commitments, and output coin commitments. Therefore,

TX

asks the users to use

(r, p k)

as the secret–public key pair and create a signature. First, the users picks a random

r^{'}

and computes

y = com (0, 0, 0, r^{'})

. Then, users’ computers receive the challenge

x = hash (u, y)

by hashing

p k

and y, and compute

σ = r^{'} - x r

. The signature is

(σ, x)

. If the input coins are equals to output coins, verifiers can recompute

y^{'} : = com (0, 0, 0, σ) - x \times p k

and check

x \overset{?}{=} hash (p k, y^{'})

. When the challenge is large enough, users cannot cheat and create valid signatures if they illegally generate coins or steal coins.

LACT+ transactions contain activity proofs to enable complete aggregation. Activity proofs are immutable, or it is computationally impossible to find two different input and output sets for the same activity proof. Hence, preserving activity proofs is sufficient to provide immutability to the whole blockchain, including the removed spent coins.

The transaction generation is a multi-party protocol where each sender or receiver keeps their secret keys without sharing and computes a secure partial signature. At the end, those partial signatures are aggregated into a single signature used as the transaction’s signature. Therefore, the senders do not learn the secret keys of other inputs and outputs, and cannot take back the sent coins. We use “green color” to denote the secret computations of each individual.

Before aggregating a transaction into the chain, verifiers check whether the inputs are in the chain or not. If they are in the chain, verifiers check the summation, ownership, and activity of the transaction. When the transaction has valid proofs, the verifiers remove the inputs from the chain, add outputs into the unspent coin set, and preserve the header. The complete protocol of

TX

is stated in Algorithm 5 and an example of transaction aggregation is stated in Figure 2.

Algorithm 5 LACT+ Transactions and Chains

1:: ⊳ $| in |, | out |$ $(\leq 2^{L^{'}})$ are the number of in/outputs.
2:: ⊳ owners do not share secret keys of inputs or outputs.
3:: $\underset{̲}{TX . gen (p p_{(λ, L)}, k, carry, {[k_{i}, v_{i}, {coin}_{i}]}_{i = 1}^{| in |}, {[k_{i}^{'}, v_{i}^{'}, {coin}_{i}^{'}]}_{i = 1}^{| out |})}$ :
4:: if $\sum v \neq \sum v^{'}$ : return ⊥
5:: ⊳ Commitments cannot be repeated
6:: if $⋃ coin . \vec{u} \neq coin . \vec{u} \lor ⋃ {coin}^{'} . \vec{u} \neq {coin}^{'} . \vec{u}$
7:: $\lor coin ⋂ {coin}^{'} \neq ϕ$ : return 0
8:: $Δ \neq activity ({[{coin}_{i}^{'} . \vec{u}]}_{i = 1}^{| out |}, {[{coin}_{i} . \vec{u}]}_{i = 1}^{| in |}) \in H$
9:: Each sender $i \in [1, | in |]$ secretly computes:
10:: ▹ ${\vec{r}}_{3, i} \overset{$}{\leftarrow} {[- τ_{3}, τ_{3}]}^{(m - 3) \times N}$
11:: ▹ ${\vec{y}}_{i} = \vec{H} [\vec{0}, \vec{0}, \vec{0}, {\vec{r}}_{3, i}] \in R_{q}^{n}$ and share ${\vec{y}}_{i}$
12:: Each receiver $i \in [1, | out |]$ secretly computes:
13:: ▹ ${\vec{r}}_{3, i}^{'} \overset{$}{\leftarrow} {[- τ_{3}, τ_{3}]}^{(m - 3) \times N}$
14:: ▹ ${\vec{y}}_{i}^{'} = \vec{H} [\vec{0}, \vec{0}, \vec{0}, {\vec{r}}_{3, i}^{'}] \in R_{q}^{n}$ and share ${\vec{y}}_{i}^{'}$
15:: ⊳ All receivers compute public key $\vec{pk} \in R_{q}^{n}$ .
16:: $\vec{pk} = {highbits}_{p_{1}} (carry . \vec{u} + \sum_{i = 1}^{| out |} {coin}_{i}^{'} . \vec{u} - \sum_{i = 1}^{| in |} {coin}_{i} . \vec{u})$
17:: $\vec{y} = {highbits}_{γ^{'}} (\sum_{i = 1}^{| out |} {\vec{y}}_{i}^{'} - \sum_{i = 1}^{| in |} {\vec{y}}_{i}) \in R_{q}^{n}$
18:: ${\vec{x}}_{0} = hash (\vec{pk}, \vec{y}, Δ) \in C_{β}^{N}$ ⊳ Signature challenge
19:: Each sender $i \in [1, | in |]$ secretly computes:
20:: ▹ ${\vec{σ}}_{i} = {\vec{r}}_{3, i} + {\vec{x}}_{0} {\vec{k}}_{i} \in R^{(m - 3)}$
21:: ▹if $∥ {\vec{σ}}_{i} ∥ > (τ_{3} - β τ)$ : go to Step 9
22:: Each receiver $i \in [1, | out |]$ secretly computes:
23:: ▹ ${\vec{σ}}_{i}^{'} = {\vec{r}}_{3, i}^{'} + {\vec{x}}_{0} {\vec{k}}_{i}^{'} \in R^{(m - 3)}$
24:: ▹if $∥ {\vec{σ}}_{i}^{'} ∥ > (τ_{3} - β τ)$ : go to Step 9
25:: ⊳ All receivers compute the signature
26:: $\vec{σ} = {\vec{x}}_{0} (\vec{k} + \sum_{i = 1}^{| out |} {\vec{σ}}_{i}^{'} - \sum_{i = 1}^{| in |} {\vec{σ}}_{i}) \in R^{(m - 3)}$
27:: if $∥ \vec{σ} ∥ > ((| out | + | in |) τ_{3} - (| out | + | in | + 1) β τ)$ :
28:: go to Step 9
29:: ${\vec{y}}^{'} = {highbits}_{γ^{'}} (\vec{H} \vec{σ} - {\vec{x}}_{0} {up}_{p_{1}} (\vec{pk})) \in R_{q}^{n}$
30:: $\vec{h} = hints (χ, {\vec{y}}^{'}, \vec{y})$ ⊳ Hints for $\vec{y}$
31:: if $\vec{h} = ⊥$ : go to Step 9
32:: $header = (\vec{pk}, \vec{h}, \vec{σ}, {\vec{x}}_{0}, carry, Δ)$
33:: return $tx = (header, {[{coin}_{i}]}_{i = 1}^{| in |}, {[{coin}_{i}^{'}]}_{i = 1}^{| out |})$
34:: ⊳ A chain is an aggregated CT with multiple headers
35:: $\underset{̲}{TX . aggregate (p p_{(λ, L)}, chain, tx) :}$
36:: $(header, in, out)) : = tx$
37:: $(headers, S, ucoins) : = chain$
38:: if $\neg TX . ver (p p_{(λ, L)}, tx) :$ return ⊥
39:: ⊳ Spending coins should be in the chain
40:: if $tx . in \notin ucoins :$ return ⊥
41:: ⊳ Remove spending coins from the chain
42:: $ucoins = (ucoins ∖ tx . in) ⊎ tx . out$
43:: ⊳ Add proofs to the transaction table

44:: $headers = headers ⊎ (| tx . in |, | tx . out |, tx . header)$
45:: ⊳ Commitments cannot be repeated
46:: if $⋃ ucoins . \vec{u} \neq ucoins . \vec{u}$ : return ⊥
47:: return $chain = (headers, S, ucoins))$
48:: $\underset{̲}{TX . header_ver (p p_{(λ, L)}, | in |, | out |, header)}$ :
49:: $(\vec{pk}, \vec{h}, \vec{σ}, {\vec{x}}_{0}, carry, Δ) : = header$
50:: ⊳ Recompute $\vec{y}$ from hints
51:: ${\vec{y}}^{'} = {highbits}_{γ^{'}} (\vec{H} \vec{σ} - {\vec{x}}_{0} {up}_{p_{1}} (\vec{pk})) \in R_{q}^{n}$
52:: $\vec{y} = use_hints (χ, {\vec{y}}^{'}, \vec{h})$
53:: if $\vec{y} = ⊥$ : return 0
54:: return ${\vec{x}}_{0} \overset{?}{=} hash (\vec{pk}, \vec{y}, Δ) \land$
55:: $CARRY . ver (p p_{(λ, L)}, | in |, | out |, carry)$
56:: $\underset{̲}{TX . ver (p p_{(λ, L)}, tx) :}$
57:: $(header, {[{coin}_{i}]}_{i = 1}^{| in |}, {[{coin}_{i}^{'}]}_{i = 1}^{| out |})) : = tx$
58:: $(\vec{pk}, \vec{h}, \vec{σ}, {\vec{x}}_{0}, carry, Δ) : = header$
59:: ⊳ Commitments cannot be repeated
60:: if $⋃ coin . \vec{u} \neq coin . \vec{u} \lor ⋃ {coin}^{'} . \vec{u} \neq {coin}^{'} . \vec{u}$ :
61:: $\lor coin ⋂ {coin}^{'} \neq ϕ$ : return 0
62:: ⊳ Check activity
63:: if $Δ = activity ({[{coin}_{i}^{'} . \vec{u}]}_{i = 1}^{| out |}, {[{coin}_{i} . \vec{u}]}_{i = 1}^{| in |}) \in H$ : return 0
64:: if ${[\neg COIN . ver (p p_{(λ, L)}, {coin}_{i})]}_{i = 1}^{| in |}$ : return 0
65:: if ${[\neg COIN . ver (p p_{(λ, L)}, {coin}_{i}^{'})]}_{i = 1}^{| out |}$ : return 0
66:: if $\neg TX . header_ver (p p_{(λ, L)}, | in |, | out |, header)$ :
67:: return 0
68:: return ${highbits}_{γ^{'} - p 1} (\vec{pk}) = {highbits}_{γ^{'}} (carry . \vec{u}$
69:: $+ \sum_{i = 1}^{| out |} {coin}_{i}^{'} . \vec{u} - \sum_{i = 1}^{| in |} {coin}_{i} . \vec{u}) \in R_{q}^{n}$
70:: $\underset{̲}{TX . chain_ver (p p_{(λ, L)}, chain) :}$
71:: $(headers, S, ucoins) : = chain$
72:: $\vec{pk} = \vec{u} = {\vec{0}}^{n} \in R_{q}^{n}$ ; $\vec{s} = [bin (S), {\vec{0}}^{(m - 1)}] \in R_{q}^{m}$
73:: ⊳ Commitments cannot be repeated
74:: if $⋃ ucoins . \vec{u} \neq ucoins . \vec{u}$ : return 0
75:: for all $({coin}_{i}) \in ucoins$ :
76:: if $\neg COIN . ver (p p_{(λ, L)}, {coin}_{i})$ : return 0
77:: $\vec{u} = \vec{u} + {coin}_{i} . \vec{u} \in R_{q}^{n}$
78:: for all $(| in |, | out |, h_{i}) \in headers$ :
79:: if $\neg TX . header_ver (p p_{(λ, L)}, | in |, | out |, h)$ : d return 0
80:: $\vec{pk} = \vec{pk} + h . {carry}_{i} . \vec{pk} \in R_{q}^{n}$
81:: $\vec{u} = \vec{u} + h . {carry}_{i} . \vec{u} \in R_{q}^{n}$
82:: return ${highbits}_{γ^{'} - p 1} (\vec{pk}) \overset{?}{=} {highbits}_{γ^{'} - p 1} (\vec{u} - \vec{H} \vec{s})$
83:: $\land Π_{Δ \in headers} Δ \overset{?}{=} Π_{c \in ucoins} {hash}_{0} (c . \vec{u}) \in H$

TX

is expected to have the following security properties: completeness, zero-knowledge, knowledge soundness, theft resistance, and immutability. We reuse zero-knowledge and knowledge soundness from Definitions 2 and 3 when the statements of

L

are:

“ all coins are in [0, 2^{L}) ” and “ total unspent coins are equal to total supplied coins ”

Definition 10

(Completeness).

TX

is complete if the honestly generated transactions are always valid, and aggregating a valid transaction into a valid chain always produces a correct chain with the unspent coins of that transaction. Let

G

be an arbitrary chain generator.

P r [arbitrary_tx () \land arbitrary_chain ()] \geq 1 - ϵ (λ) .

$\underset{̲}{arbitrary_tx () :}$
For any ${[v_{i}]}_{i = 1}^{| in |} \in [0, 2^{L} - 1]$ and ${[v_{i}^{'}]}_{i = 1}^{| out |} \in [0, 2^{L} - 1]$
such that $\sum_{i = 1}^{| in |} [v_{i}] = \sum_{i = 1}^{| out |} [v_{i}^{'}] \in [0, 2^{L} - 1]$ :
${[(k_{i}, {coin}_{i}) = COIN . gen (p p_{(λ, L)}, v_{i})]}_{i = 1}^{| in |}$
${[(k_{i}^{'}, {coin}_{i}^{'}) = COIN . gen (p p_{(λ, L)}, v_{i}^{'})]}_{i = 1}^{| out |}$
$tx = TX . gen (p p_{(λ, L)}, {[k_{i}, {coin}_{i}]}_{i = 1}^{| in |}, {[k_{i}^{'}, {coin}_{i}^{'}]}_{i = 1}^{| out |})$
return $tx . in \overset{?}{=} {[coin]}_{i = 1}^{| in |} \land tx . out \overset{?}{=} {[{coin}^{'}]}_{i = 1}^{| out |} \land$
$TX . ver (p p_{(λ, L)}, tx)$
$\underset{̲}{arbitrary_chain () :}$
Get any $chain$ such that
$TX . chain_ver (p p_{(λ, L)} . chain) = 1$ and $T = | headers |$
for $i \in [0, t]$ :
${tx}_{i} \overset{$}{\leftarrow} G (p p_{(λ, L)})$ s.t. $CTx . ver (p p_{(λ, L)}, {tx}_{i}) = 1$
$chain = TX . aggregate (p p_{(λ, L)}, chain, tx)$
if $chain = ⊥$ : continue
if ${headers}_{T + i} \neq tx . carry$
$\lor {tx}_{i} . out ⊄ {chain}^{'} . ucoins$ : return 0
return $TX . chain_ver (p p_{(λ, L)}, chain) \land | headers | \overset{?}{=} T + t$

Even after aggregation,

TX

ensures that unspent coins cannot be spent without their secret keys. We consider strong theft resistance where the adversary has control over everything except an honest user’s secret key. Here, the adversarial algorithm generates a chain (an aggregated CT). In the first step, the algorithm sends some coins to the honest user, where the user locks those coins with a new key. Then, the algorithm tries to spend those coins without obtaining the new secret key. In other words, the network is set to have only one honest user, simulating a real-world decentralized network where everyone can be malicious except the honest user.

Definition 11

(Theft Resistance).

TX

is theft resistant if

{Adv}_{TX, p p_{(λ, L)}}^{TR, A} = P r [{Game}_{TX, p p_{(λ, L)}}^{TR, A} \overset{?}{=} 1] \leq ϵ (λ) .

$\underset{̲}{{Game}_{TX, p p_{(λ, L)}}^{TR, A} :}$ $chain \leftarrow A_{s t e p 1} (p p_{(λ, L)})$
if $TX . chain_ver (p p_{(λ, L)}, chain)$ : return ⊥
$T = | chain . headers |$
⊳ Receive ${coin}^{'} \in tx$ from $A$ s.t. $A$ does not know the key of ${coin}^{'}$ .
$chain = TX . aggregate (p p_{(λ, L)}, chain, tx)$
${chain}^{'} \leftarrow A_{s t e p 2} (p p_{(λ, L)}, chain)$
⊳ Check whether the coin has been spent or not
return $TX . chain_ver (p p_{(λ, L)}, {chain}^{'})$
$\land {coin}^{'} ⊄ {chain}^{'} . ucoins$
$\land {[chain . {headers}_{i}]}_{i = 0}^{T + 1} \overset{?}{=} {[{chain}^{'} . headers]}_{i = 0}^{T + 1}$

Informally, blockchains’ immutability states that generating two different input and output sets for the same consensus data should be computationally infeasible. Because we build

TX

for a generic consensus mechanism, we capture the immutability such that finding two different input and output sets for the same header(s) is computationally difficult. Therefore, preserving headers is sufficient to provide immutability to the whole blockchain, including removed spent coin records.

Definition 12

(Immutability).

TX

ensures immutability if

{Adv}_{TX, p p_{(λ, L)}}^{IM, A} = P r [{Game}_{TX, p p_{(λ, L)}}^{IM, A} \overset{?}{=} 1] \leq ϵ (λ) .

$\underset{̲}{{Game}_{TX, p p_{(λ, L)}}^{IM, A} :}$ $(tx, {tx}^{'}) \leftarrow A (p p_{(λ, L)})$
return $TX . ver (p p_{(λ, L)}, tx) \land TX . ver (p p_{(λ, L)}, {tx}^{'})$
$(tx . in . com, tx . out . com)$ $\overset{?}{\neq} ({tx}^{'} . in . com, {tx}^{'} . out . com)$
$\land tx . header . Δ \overset{?}{=} {tx}^{'} . header . Δ$

Theorem 4.

TX

is complete, computationally theft-resistant, zero-knowledge, and immutable if Approx-SISs of

(n, m, q, γ, γ^{'}, N)

and

(n, m - 3, q, γ, γ^{'}, N)

are hard (see the security proofs in Appendix C).

4. Implementation

We implement a C library ref. [25] for LACT+ aiming to achieve 128-bit security. Therefore, a root-Hermite factor

δ = 1.004

was used for lattices implementations allowing a gap for future attacks ref. [37]. A prime-order multiplicative group

H

with at least multiplicative

2^{384}

elements was used for membership proofs. The prime order of

H

is

q_{2}

such that

(q_{2} - 1) / 2 > 2^{3 λ}

is also prime (

q_{2} =

3a2c6ad1f4ef4084fbf76e7c6201b32850c57c408a6e0c4a6cda6c290c61e6dadd4e6b7312dd3aa6bd610a917c1d42f03). The concrete parameters used for tests are defined in Table 2. According to the parameters, a coin record is 29.9 KB (a commitment and a range proof), and a public key is 5760 Bytes.

Table 2. Concrete Parameters and Variables.

We use two multiplications: number theoretic transform (NTT) for regular polynomials and an easy multiplication when one of the polynomials is a

rot (*, *)

(see below). The C library uses 64-bit integers except for the NTT, which uses 128-bit integers. In NTT multiplication, we convert polynomials to NTT space using Cooley–Tukey butterflies ref. [39], point-wise multiply them using Montgomery point-wise multiplications ref. [40], and then convert them back using inverse-transform from Gentleman–Sande butterflies ref. [41].

Recall that

rot (v_{i}, i)

is a polynomial where coefficient i is

v_{i}

, and all other coefficients are zero. Therefore, a multiplication of

\vec{a} rot (v_{i}, i)

is computed as follows: convert coefficients in

[N - i, N)

into their negative values, rotate all coefficients by i, and multiply all coefficients by

v_{i}

. Because this is faster than NTT multiplication, we use this easy multiplication whenever possible, e.g., most of the short-norm vectors in

CARRY

.

We chose bits’ masking keys from

[- α, α]

such that some functional polynomials like Step 29 in

COIN

and Step 53 in

CARRY

can be larger than

γ

. However, there is a high probability that they will be in the accepted range due to centrally reduced numbers. Therefore, we perform norm checks during the generation of

COIN

and

CARRY

to ensure completeness.

All the benchmarks were configured as follows: The maximum coin amount and the initial coinbase value are

2^{64} - 1

. Here, we use “aggregated size” to denote the database size, which is slightly larger than theoretical sizes due to indexing and identifiers. “Deleted size” means the exact size of deleted coin records as explained in Section 3.1. Therefore, “unaggregated size” is computed as the summation of the aggregated and deleted sizes. The verification times are measured on an i7-1065G7 CPU at 1.30GHz. Furthermore,

[x : y]

denotes that the number of inputs and outputs are randomly chosen from

[1, x]

and

[1, y]

.

Efficiency of New Carry Proofs. First, we run benchmarks to get the sizes of new carry proofs and LACT carry proofs. Recall that LACT creates multiple LACT transactions if the numbers of input coins and out coins are larger than two. Therefore, the size impact of carry proofs to the total blockchain is proportional to the number of transactions, whereas in LACT+, this impact is now logarithmic. We simulate carry proof benchmarks to see this size and verification time impact for normal transactions where the input size can be larger than two. Figure 5 and Figure 6 show the accumulated sizes and total verification times for carry proof(s) of LACT and LACT+. From the graphs, we conclude that new LACT+ carry proofs are more efficient than LACT carry proofs. Therefore, the whole system is more efficient than prior post-quantum CT schemes, from unaggregated ones to aggregated ones like LACT, in spite of its other added benefits such as fully trustless verifiable immutability.

Figure 5. Carry proof sizes.

Figure 6. Carry proof verification times.

Impact of Aggregation. The main efficiency mechanism of LACT+ is transaction aggregation. The impact of the transaction aggregation changes according to input/output rates because more unspent outputs lead to larger blockchains. We ran benchmarks for different input/output rates, and we show the results in Figure 7. From the graph, we see that even if the output rate is higher than the input rate, aggregation achieves significant reductions in size. Verification times for these benchmarks are shown in Figure 8.

Figure 7. Aggregated sizes and unaggregated sizes vs. transactions.

Figure 8. Verification times vs. transactions for different input and output rates.

A Theoretical Comparison with MatRiCT+ Esgin et al. proposed ref. [22], an efficient lattice-based Ring CT protocol that uses the Chinese Remainder Theorem (CRT) packing, e.g., packing all L number of

\vec{z}

into a single polynomial. Even without CRT packing, LACT+ is more efficient than MatRiCT+ as illustrated in Figure 9.

Figure 9. LACT+ and MatRiCT+: For MatRiCT, Coins

(cn)

are 4.48 KB, public keys are 3.4 KB, and (

2 \to 2

) proofs are 47 KB at 1/11 anonymity.

5. Conclusions

Aggregable confidential transactions are more private and scalable than typical transactions. However, the scalability of previous aggregable transactions does not provide trustless verification at the consensus level because real-world transactions should be immutable. LACT+ post-quantum aggregable confidential transactions solve this problem by adding aggregable activity proofs. Equally importantly, LACT+ is more efficient and faster than existing post-quantum aggregable transactions due to our use of approximate SIS and logarithmic carry proofs. LACT+ is the first practical post-quantum aggregable confidential transaction protocol that provides consensus-level aggregation and fully trustless verification.

Author Contributions

Conceptualization, J.A.; Writing-original draft, J.A.; Writing—review, editing, X.B. and M.M.; Supervision, X.B. and M.M. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A. Security Proofs of Confidential Coins

Binding. We claim $COIN$ is binding because finding two openings $(v, \vec{k}) \neq (v^{'}, {\vec{k}}^{'})$ for the same coin record means the adversary finds a solution to the Approx-SIS problem such that

$\vec{s} = [binary (v), \vec{k}, {\vec{0}}^{m - 2}] - [binary (v^{'}), {\vec{k}}^{'}, {\vec{0}}^{m - 2}] \neq {\vec{0}}^{m} ∥ \vec{s} ∥ \leq γ and {highbits}_{γ^{'}} (\vec{H} \vec{s}) = {\vec{0}}^{n} \in R_{q}^{n} .$
Knowledge Soundness. Let there be a p.p.t. algorithm that breaks the knowledge soundness such that the extractor $E$ outputs $\vec{b}$ of number not in $[0, 2^{L})$ for a valid proof. According to the verification in Step 44, the algorithm finds $\vec{s}$ for ${[{\vec{z}}_{i} = {\vec{x}}_{2} rot (b_{i}, i) + {\vec{a}}_{i}]}_{i = 0}^{L^{'} - 1} \in R^{L}$ such that $b_{i}$ is not 0 or 1, but

${highbits}_{γ^{'}} (\vec{H} \vec{s}) \overset{?}{\approx} {highbits}_{γ^{'}} ({\vec{x}}_{2} ({\vec{x}}_{1} \vec{u} + {\vec{t}}_{1}) + {\vec{t}}_{2}) \in R_{q}^{n} .$

Because

b_{i}

is not 0 or 1, the following is true,

{highbits}_{γ^{'}} ({\vec{x}}_{2}^{2} [\vec{H} \underset{\vec{h} \neq {\vec{0}}^{m}}{\underset{︸}{[\vec{0}, \sum_{i = 0}^{L} (rot (b_{i} (b_{1} - 1), i)), {\vec{0}}^{m - 2}}}]) = {\vec{0}}^{n} \in R_{q}^{n} .

Here,

\vec{h}

is a solution to the Approx-SIS problem. Therefore, we claim range proofs are knowledge sound.

Zero-Knowledge Argument of Range Proofs. $\vec{z_{i}}$ statistically hides $b_{i}$ because ${\vec{z}}_{i} = b_{i} {\vec{x}}_{2} + {\vec{a}}_{i} \in [- (α - 1), (α - 1)]$ when the range of ${\vec{a}}_{i}$ is $[- α, α]$ . We claim the computational hiding for commitments ( $\vec{u}, {\vec{t}}_{1}, {\vec{t}}_{2}$ ) of $COIN$ due to dropped bits of Approx-SIS and sufficient randomness of $\vec{k}, {\vec{r}}_{1}, {\vec{r}}_{2}$ (see ref. [26]). If there is a p.p.t. algorithm that breaks the zero-knowledge argument by successfully distinguishing the generated proofs over the simulated proofs, then the algorithm can be used to break the hiding property of the commitments; in other words, solving the Approx-SIS problem. Therefore, we claim that the range proofs satisfy the zero-knowledge argument.

Finally, we prove that Theorem 2 is true because

COIN

is complete (Figure 3), binding, knowledge-sound, and zero-knowledge.

Appendix B. Security Proofs of Carry Proofs

Knowledge Soundness If there is an algorithm that breaks the knowledge soundness of $CARRY$ then it creates

${highbits}_{γ^{'}} ({\vec{x}}_{2}^{2} \vec{H} \underset{\vec{h} \neq {\vec{0}}^{m}}{\underset{︸}{[\begin{matrix} \vec{0}, \sum_{l = 0}^{L_{| out |}} \sum_{i = 0}^{L} (rot (c_{1, i}^{'} (c_{1, i, l}^{'} - 1), i L_{| out |} + l)) \\ \sum_{l = 0}^{L_{| in |}} \sum_{i = 0}^{L} (rot (c_{0, i, l}^{'} (c_{0, i}^{'} - 1), i L_{| in |} + l)), {\vec{0}}^{m - 3} \end{matrix}]}}) = {\vec{0}}^{n}$

(A1)

for invalid binary vectors of carries; $c_{0}^{'}$ and $c_{1}^{'}$ which are not 0 nor 1 (see Step 22).

Here,

\vec{h}

is a solution to Approx-SIS problem. Therefore, we conclude that

CARRY

is knowledge sound.

Zero-Knowledge Argument. Due to the rejection sampling, ${\vec{z}}_{0}$ and ${\vec{z}}_{1}$ statistically hide bits of both input carries and output carries. Furthermore, commitments $\vec{u}$ , ${\vec{t}}_{1}$ and ${\vec{t}}_{2}$ hide their short vectors due to the Approx-SIS problem. Therefore, we claim $CARRY$ holds the zero-knowledge argument property.

Finally, we conclude Theorem 3 is accurate due to the above proofs. Or

CARRY

is complete (Figure 4), computationally knowledge sound, and holds the zero-knowledge argument property.

Appendix C. Security Proofs of Aggregable CT

Theft Resistance. If a p.p.t. algorithm wins the game of theft resistance, then the algorithm creates a transaction with a valid signature unknowing the secret key. In other words, the algorithm breaks EUF-CMA of $SIG$ defined in Section 2.6, knowledge soundness of $COIN$ , or knowledge soundness of $CARRY$ . Therefore, if $COIN$ , $CARRY$ , and $SIG$ are secure, then $TX$ is theft resistant.
Zero-Knowledge and Knowledge Soundness. Suppose a p.p.t. algorithm creates a chain with more or less unspent coins than the supplied coins. In that case, the algorithm either breaks $COIN$ ’s knowledge soundness, $CARRY$ ’s knowledge soundness, or forges a signature for a public key with non-zero beginning polynomials. Therefore, we conclude that $TX$ is knowledge soundness when $COIN$ , $CARRY$ , and $SIG$ are secure. We directly claim the zero-knowledge of $TX$ because $COIN$ , $CARRY$ , and $SIG$ are zero-knowledge.
Immutability. $TX$ ’ immutability states that no p.p.t algorithm can find two different valid transactions with the same membership proof but with different in/out commitment sets. If an algorithm wins the game of immutability, then the algorithm solves the group collision resistance problem (GCR). Therefore, if GCR is computationally hard, $TX$ is computationally immutable.

Therefore, we claim Theorem 4 is true or

TX

is complete, computationally theft-resistant, zero-coin generating, and immutable.

References

Zhang, H.; Zhang, F.; Wei, B.; Du, Y. Implementing confidential transactions with lattice techniques. IET Inf. Secur. 2019, 14, 30–38. [Google Scholar] [CrossRef]
Alupotha, J.; Boyen, X.; Mckague, M. Aggregable Confidential Transactions for Efficient Quantum-Safe Cryptocurrencies. IEEE Access 2022, 10, 17722–17747. [Google Scholar] [CrossRef]
Androulaki, E.; Karame, G.O.; Roeschlin, M.; Scherer, T.; Capkun, S. Evaluating User Privacy in Bitcoin. In Proceedings of the Financial Cryptography and Data Security, Okinawa, Japan, 1–5 April 2013; Sadeghi, A.R., Ed.; Springer: Berlin/Heidelberg, Germany, 2013; pp. 34–51. [Google Scholar]
Spagnuolo, M.; Maggi, F.; Zanero, S. BitIodine: Extracting Intelligence from the Bitcoin Network. In Proceedings of the Financial Cryptography and Data Security, Okinawa, Japan, 1–5 April 2013; Christin, N., Safavi-Naini, R., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; pp. 457–468. [Google Scholar]
Fleder, M.; Kester, M.S.; Pillai, S. Bitcoin transaction graph analysis. arXiv 2015, arXiv:1502.01657. [Google Scholar]
Reid, F.; Harrigan, M. An Analysis of Anonymity in the Bitcoin System. In Proceedings of the 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third International Conference on Social Computing, Boston, MA, USA, 9–11 October 2011; pp. 1318–1326. [Google Scholar] [CrossRef]
Herrera-Joancomartí, J. Research and Challenges on Bitcoin Anonymity. In Data Privacy Management, Autonomous Spontaneous Security, and Security Assurance; Garcia-Alfaro, J., Herrera-Joancomartí, J., Lupu, E., Posegga, J., Aldini, A., Martinelli, F., Suri, N., Eds.; Springer International Publishing: Cham, Switzerland, 2015; pp. 3–16. [Google Scholar]
Khalilov, M.C.K.; Levi, A. A survey on anonymity and privacy in bitcoin-like digital cash systems. IEEE Commun. Surv. Tutor. 2018, 20, 2543–2585. [Google Scholar] [CrossRef]
Morris, L. Anonymity Analysis of Cryptocurrencies. Master’s Thesis, Rochester Institute of Technology, Rochester, NY, USA, 2015. Available online: https://scholarworks.rit.edu/theses/8616/ (accessed on 10 January 2023).
Jedusor, T.E. Mimblewimble. 2016. Available online: https://docs.beam.mw/Mimblewimble.pdf (accessed on 10 January 2023).
Poelstra, A. Mimblewimble. 2016. Available online: https://download.wpsoftware.net/bitcoin/wizardry/mimblewimble.pdf (accessed on 10 January 2023).
Poelstra, A.; Back, A.; Friedenbach, M.; Maxwell, G.; Wuille, P. Confidential assets. In Proceedings of the International Conference on Financial Cryptography and Data Security, Nieuwpoort, Curaçao, 26 February–2 March 2018; Springer: Berlin/Heidelberg, Germany, 2018; pp. 43–63. [Google Scholar]
Fuchsbauer, G.; Orrù, M.; Seurin, Y. Aggregate Cash Systems: A Cryptographic Investigation of Mimblewimble. In Proceedings of the Advances in Cryptology—EUROCRYPT 2019, Darmstadt, Germany, 19–23 May 2019; Ishai, Y., Rijmen, V., Eds.; Springer: Cham, Switzerland, 2019; pp. 657–689. [Google Scholar]
Alupotha, J.; Boyen, X.; Foo, E. Compact Multi-Party Confidential Transactions. In Proceedings of the Cryptology and Network Security, Vienna, Austria, 14–16 December 2020; Krenn, S., Shulman, H., Vaudenay, S., Eds.; Springer: Cham, Switzerland, 2020; pp. 430–452. [Google Scholar]
IBM-Research. IBM’s Roadmap for Scaling Quantum Technology. Available online: https://research.ibm.com/blog/ibm-quantum-roadmap (accessed on 21 March 2022).
Nakamoto, S. Bitcoin: A Peer-to-Peer Electronic Cash System. 2008. Available online: https://bitcoin.org/bitcoin.pdf (accessed on 10 January 2023).
Wood, G. Ethereum: A Secure Decentralised Generalised Transaction Ledger; Ethereum project yellow paper; Ethereum: Zug, Switzerland, 2014; Volume 151, pp. 1–32. [Google Scholar]
Noether, S.; Mackenzie, A.; the Monero Research Lab. Ring confidential transactions. Ledger 2016, 1, 1–18. [Google Scholar] [CrossRef]
Sun, S.F.; Au, M.H.; Liu, J.K.; Yuen, T.H. RingCT 2.0: A Compact Accumulator-Based (Linkable Ring Signature) Protocol for Blockchain Cryptocurrency Monero. In Proceedings of the Computer Security—ESORICS 2017, Oslo, Norway, 11–15 September 2017; Foley, S.N., Gollmann, D., Snekkenes, E., Eds.; Springer: Cham, Switzerland, 2017; pp. 456–474. [Google Scholar]
Esgin, M.F.; Zhao, R.K.; Steinfeld, R.; Liu, J.K.; Liu, D. MatRiCT: Efficient, scalable and post-quantum blockchain confidential transactions protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK, 11–15 November 2019; pp. 567–584. [Google Scholar]
Alberto Torres, W.; Kuchta, V.; Steinfeld, R.; Sakzad, A.; Liu, J.K.; Cheng, J. Lattice RingCT V2.0 with Multiple Input and Multiple Output Wallets. In Proceedings of the Information Security and Privacy, Prague, Czech Republic, 23–25 February 2019; Jang-Jaccard, J., Guo, F., Eds.; Springer: Cham, Switzerland, 2019; pp. 156–175. [Google Scholar]
Esgin, M.F.; Steinfeld, R.; Zhao, R.K. MatRiCT+: More Efficient Post-Quantum Private Blockchain Payments. Cryptol. ePrint Arch. 2021, 545, 1–21. [Google Scholar]
Grin tech.org. Minimal Implementation of the MimbleWimble Protocol. Available online: https://github.com/mimblewimble/grin (accessed on 27 January 2021).
Scalable Confidential Cryptocurrency—MimbleWimble Implementation. Available online: https://www.beam.mw/ (accessed on 27 January 2021).
Alupotha, J. LACT+: Post-Quantum Aggregable Confidential Transactions. 2022. Available online: https://github.com/jaymine/LACTv2 (accessed on 11 January 2023).
Chen, Y.; Genise, N.; Mukherjee, P. Approximate trapdoors for lattices and smaller hash-and-sign signatures. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, 8–12 December 2019; Springer: Berlin/Heidelberg, Germany, 2019; pp. 3–32. [Google Scholar]
Regev, O. On lattices, learning with errors, random linear codes, and cryptography. J. ACM 2009, 56, 34. [Google Scholar] [CrossRef]
Ajtai, M. Generating hard instances of lattice problems. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, Philadelphia, PA, USA, 22–24 May 1996; ACM: New York, NY, USA, 1996; pp. 99–108. [Google Scholar]
Alupotha, J.; Boyen, X. Origami Store: UC-Secure Foldable Datachains for The Quantum Era. IEEE Access 2021, 9, 81454–81484. [Google Scholar] [CrossRef]
Noether, S.; Noether, S. Monero Is Not That Mysterious. Technical Report. 2014. Available online: https://web.getmonero.org/ru/resources/research-lab/pubs/MRL-0003.pdf (accessed on 11 January 2023).
Maxwell, G. Confidential Transactions. 2015. Available online: https://people.xiph.org/greg/confidential_values.txt (accessed on 11 January 2023).
Fiat, A.; Shamir, A. How To Prove Yourself: Practical Solutions to Identification and Signature Problems. In Proceedings of the Advances in Cryptology—CRYPTO’ 86, Santa Barbara, CA, USA, 1 January 1987; Odlyzko, A.M., Ed.; Springer: Berlin/Heidelberg, Germany, 1987; pp. 186–194. [Google Scholar]
Pointcheval, D.; Stern, J. Security arguments for digital signatures and blind signatures. J. Cryptol. 2000, 13, 361–396. [Google Scholar] [CrossRef]
Abdalla, M.; An, J.H.; Bellare, M.; Namprempre, C. From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security. In Proceedings of the Advances in Cryptology—EUROCRYPT 2002, Amsterdam, The Netherlands, 28 April–2 May 2002; Knudsen, L.R., Ed.; Springer: Berlin/Heidelberg, Germany, 2002; pp. 418–433. [Google Scholar]
Lyubashevsky, V. Lattice-Based Identification Schemes Secure Under Active Attacks. In Proceedings of the Public Key Cryptography—PKC 2008, Barcelona, Spain, 9–12 March 2008; Cramer, R., Ed.; Springer: Berlin/Heidelberg, Germany, 2008; pp. 162–179. [Google Scholar]
Lyubashevsky, V. Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures. In Proceedings of the Advances in Cryptology—ASIACRYPT 2009, Tokyo, Japan, 6–10 December 2009; Matsui, M., Ed.; Springer: Berlin/Heidelberg, Germany, 2009; pp. 598–616. [Google Scholar]
Albrecht, M.R. LWE Estimator. Available online: https://lwe-estimator.readthedocs.io/en/latest/readme_link.html (accessed on 22 October 2021).
Gleen, M.L. Device for and Method of One-Way Cryptographic Hashing. U.S. Patent 6829355, 12 July 2004. [Google Scholar]
Gauss, C.F. Nachlass: Theoria interpolationis methodo nova tractata. Carl Friedrich Gauss Werke 1866, 3, 265–327. [Google Scholar]
Montgomery, P.L. Modular multiplication without trial division. Math. Comput. 1985, 44, 519–521. [Google Scholar] [CrossRef]
Gentleman, W.M.; Sande, G. Fast Fourier transforms: For fun and profit. In Proceedings of the Fall Joint Computer Conference, San Francisco, CA, USA, 7–10 November 1966; pp. 563–578. [Google Scholar]

Figure 1. LACT+ transaction structure.

Figure 2. Transaction aggregation.

Figure 3. A graphical overview of confidential coins (Algorithm 3).

Figure 4. Graphical overview of carry proofs (Algorithm 4).

Figure 5. Carry proof sizes.

Figure 6. Carry proof verification times.

Figure 7. Aggregated sizes and unaggregated sizes vs. transactions.

Figure 8. Verification times vs. transactions for different input and output rates.

Figure 9. LACT+ and MatRiCT+: For MatRiCT, Coins

(cn)

are 4.48 KB, public keys are 3.4 KB, and (

2 \to 2

) proofs are 47 KB at 1/11 anonymity.

Figure 9. LACT+ and MatRiCT+: For MatRiCT, Coins

(cn)

are 4.48 KB, public keys are 3.4 KB, and (

2 \to 2

) proofs are 47 KB at 1/11 anonymity.

Table 1. Comparison of Confidential Transactions.

Implementation	Post Quantum	Security	Aggregable	Immutable Headers
Ring CT ref. [30]	✗	DLP	✗	-
Maxwell’s CT ref. [31]	✗	DLP	✗	-
Mimblewimble ref. [10]	✗	DLP	✓	✗
Ring CT v2 ref. [19]	✗	DLP	✗	-
Fuchsbauer et al. ref. [13]	✗	DLP	✓	✗
Lattice Ring CT ref. [21]	✓	SIS	✗	-
MATRiCT ref. [20]	✓	MSIS	✗	-
Zhang et al. ref. [1]	✓	SIS	✓	✗
MATRiCT+ ref. [22]	✓	MSIS/LWE	✗	-
LACT ref. [2]	✓	SIS/MSIS	✓	✗
Ours (LACT+)	✓	Approx-SIS	✓	✓

Table 2. Concrete Parameters and Variables.

Parameter	Value	Description
$(n, m)$	(6, 4)	Approx-SIS hard
N	256	Polynomial Size
q	$2^{44} - 2^{14} + 1$	$q = 1 (mod 2 N)$
$L, 2^{L^{'}}$	64, 15	Ranges
$γ$	$2^{36}$	Short-Vector Norm
$γ^{'}$	$2^{36}$	Error Norm
$β$	60	${log}_{2} (\binom{N}{β}) + β \geq 256$
$log (p_{1})$ , $log (p_{2})$	17, 29	$< log (γ^{'})$ , $< log (γ^{'})$
$α (+ ⌈ {log}_{2} (\| L^{'} \| / 2) ⌉)$	$2^{9}$ to $2^{11}$	maximum 16 in/outputs
$τ, τ_{1}, τ_{2}$	$2^{4} - 1$ , $2^{7} - 1$ , $2^{28} - 1$	$< γ$
$τ_{3}$	$2^{16}$	$< 2^{L^{'}} γ$
$χ$	60	${∥ \cdot ∥}_{1}$ Norm of Hints
$\| \vec{x} \|$	48 bytes	SHAKE256 ref. [38]
$\| Δ \|$	49 bytes	Activity Proofs
${highbits}_{p_{1}} (\cdot)$	5.7 KB	Packed High-bits
${highbits}_{p_{2}} (\cdot)$	3.1 KB	Packed High-bits

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Article Metrics

Citations

Article Access Statistics

Journal Statistics

Multiple requests from the same IP address are counted as one view.