Numerous fixes and clarifications
- partial use of abstract algorithms for clarity
- define generator selection with HashToG
- renamed `t` to `n` to avoid confusion with `t_i`
- replaced undefined shorthand notation from CPZ19 `W` with `{G_w}^w`
- specify that `s_i`, `r_{v_i}` and `r_{s_i}` are chosen randomly
- minor typographic fixes
- various grammatical fixes
- polyglossia instead of babel
nothingmuch committed May 5, 2020
1 parent 7dbe0d3 commit 002479b
Showing 1 changed file with 54 additions and 49 deletions.
103 changes: 54 additions & 49 deletions main.tex
@@ -1,7 +1,8 @@
\documentclass{article}
\usepackage[english]{babel}
\usepackage{amsmath}
\usepackage{amssymb}
\usepackage{polyglossia}
\setdefaultlanguage{english}

\newtheorem{definition}{Definition}[section]

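Review bot: switching from `babel` to `polyglossia` changes the required TeX engine, and nothing in the diff records that. `\usepackage{polyglossia}` with `\setdefaultlanguage{english}` only works under XeLaTeX or LuaLaTeX, whereas the removed `\usepackage[english]{babel}` line compiled under pdfLaTeX; a pdflatex build of main.tex will now stop at the polyglossia line. Either state the engine in the build instructions or add a `% !TEX program = xelatex` magic comment above `\documentclass{article}` so editors and CI pick the right engine.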
@@ -81,7 +82,7 @@ \subsection{High-level functionalities}
\subsubsection{Commitment schemes}
A commitment scheme allows a party to commit to a message without enabling them to change their mind about the committed message after publishing the commitment. On the other hand the commitment should not reveal anything about the committed message.

\noindent$\mathsf{Com}(m,r)\xrightarrow{}\mathcal{C}$. The $\mathsf{Com}$ algorithm generates a commitment $\mathcal{C}$ to message $m$ using randomness $r$.
\noindent$\mathsf{Commit}(m,r)\xrightarrow{}\mathcal{C}$. The $\mathsf{Com}$ algorithm generates a commitment $\mathcal{C}$ to message $m$ using randomness $r$.

\noindent$\mathsf{OpenCom}(\mathcal{C},m,r)\xrightarrow{}\{\mathit{True},\mathit{False}\}$: one can verify the correctness of the opening of a commitment by checking $\mathcal{C}\stackrel{?}{=}\mathsf{Com}(m,r)$. If equality holds the algorithm outputs $\mathit{True}$, otherwise $\mathit{False}$.

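Review bot: the rename to $\mathsf{Commit}$ is incomplete. The same changed line still says "The $\mathsf{Com}$ algorithm generates a commitment", and the unchanged $\mathsf{OpenCom}$ definition below still checks $\mathcal{C}\stackrel{?}{=}\mathsf{Com}(m,r)$, so a reader cannot tell whether $\mathsf{Com}$ and $\mathsf{Commit}$ are the same algorithm. Either rename all occurrences (and consider $\mathsf{OpenCommit}$ for symmetry) or revert the signature to $\mathsf{Com}(m,r)$.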
@@ -107,7 +108,7 @@ \subsubsection{Zero-knowledge proofs of knowledge}

\subsection{Input Registration}

The user, acting as Alice, submits her input of value $v_{\mathit{in}}$ along with $k$ pairs of group attributes,
The user, acting as Alice, submits an input of value $v_{\mathit{in}}$ along with $k$ pairs of group attributes,
$(M_{v_i}, M_{s_i})$.
She proves in zero knowledge that the sum of the requested sub-amounts is equal to $v_{\mathit{in}}$ and that the individual amounts are positive integers in the allowed range.

@@ -129,79 +130,82 @@ \subsection{Output Registration}
The user submits these proofs, the randomized attributes, and the serial numbers. The coordinator verifies the proofs, and if it accepts the output will be included in the transaction.

\subsection{Signing phase}
The coordinator sends out the final unsigned transaction to the different Alices who will sign if they see their registered output included in the transaction.

The user fetches the finalized but unsigned transaction as Satoshi, and if she sees her registered outputs she will sign, submitting the signature as Alice(s).

\section{Cryptographic Details}

Following \cite{chase2019signal}, the scheme is defined in a group \(\mathbb{G}\) of prime order \(q,\) written in multiplicative notation.
Following \cite{chase2019signal}, the scheme is defined in a group \(\mathbb{G}\) of prime order \(q,\) written in multiplicative notation.
$\mathsf{HashTo\mathbb{G}} : {0,1}^* \mapsto \mathbb{G}$ is a function from strings to group elements, based on a cryptographic hash function.

We require the following fixed set of group elements:
We require the following fixed set of group elements for use as generators with different purposes:
\[
G_{w}, G_{w^{\prime}}, G_{x_{0}}, G_{x_{1}},
G_{v}, G_{s}, G_g, G_h,
G_{V}.
\underbrace{G_{w}, G_{w^{\prime}}, G_{x_{0}}, G_{x_{1}}, G_{V}}_{\mathsf{MAC} \text{~and~} \mathsf{Show}}
\qquad
\underbrace{G_{v}, G_{s}}_{\text{attributes}}
\qquad
\underbrace{G_g, G_h}_{\text{commitments}}
\]
chosen so that nobody knows the discrete logarithms between any pair of them, e.g. $G_h = \mathsf{HashTo\mathbb{G}}(``\texttt{h}")$.

This notation deviates slightly from \cite{chase2019signal}, in that we subscript the attribute generators $G_{y_i}$ as $G_v$ and $G_s$ instead of using numerical indices, and we require two additional generators $G_g$ and $G_h$ for constructing the attributes $M_v$ and $M_s$ as Pedersen commitments.

We assume that all generator points used throughout the protocol are generated in a way that nobody knows the discrete logarithms between any pair of them.

As with the generators we denote the secret key
\( \mathrm{sk} := \left(w, w^{\prime}, x_{0}, x_{1},y_{v}, y_{s}\right) \).
As with the generator names, we modify the names of the attribute related components of the secret key
$\mathrm{sk} := (w, w^{\prime}, x_{0}, x_{1}, y_{v}, y_{s}) \in_R {\mathbb{Z}_q}^6$
according to our fixed set of group attributes.

The issuer parameters
The coordinator parameters
$\mathit{iparams} = (C_{W}, I)$
are computed as:
\[
C_{W}={G_w}^{w} {G_{w^\prime}}^{w^\prime}
\quad
I=\frac{G_{V}}{{G_{x_0}}^{x_0} {G_{x_1}}^{x_1} {G_{y_v}}^{y_v} {G_{y_s}}^{y_s}}
\]

These are used by the coordinator to prove correctness of issued MACs, and by the users to prove knowledge of a valid MAC.

\subsection{Input Registration}

Alice wants to register an input UTXO with value $v_{\mathit{in}}$, broken into sub-amounts $v_i$ where $i \in \left[1,k\right]$.
She submits amount and serial number commitments:
\[ \forall i \in \left[1,k\right]: M_{v_i}={G_g}^{r_{v_i}}{G_h}^{v_i} \]
\[ \forall i \in \left[1,k\right]: M_{s_i}={G_g}^{r_{s_i}}{G_h}^{s_i} \]
Acting as Alice, the user wants to register an input with value $v_{\mathit{in}}$, arbitrarily dividing it into amounts $v_i$ where $i \in \left[1,k\right]$. For each $i \in [1, k]$ she chooses a serial number and randomness $s_i \in_R \mathbb{Z}_q$ and commits to these with randomness $r_{v_i}, r_{s_i} \in_R \mathbb{Z}_q$:
\[ M_{v_i}={G_g}^{r_{v_i}}{G_h}^{v_i} \qquad M_{s_i}={G_g}^{r_{s_i}}{G_h}^{s_i} \]

For each amount she includes a range proof:
These commitments will be used as attributes in the credential request. For each amounts she also computes a range proof which ensures there are no negative values:
\[
\pi^{\mathit{range}}_i := \operatorname{PK}\left\{\left(v_i, r_{v_i} \right) :
M_{v_i} = {G_g}^{r_{v_i}}{G_h}^{v_i}
\land
0 \leq v_i < v_{\mathit{max}} \right\}
\]

Alice also needs to convince the coordinator that the sent amount commitments add up to the registered input UTXO value, hence she sends the following proof:
Alice also needs to convince the coordinator that the amounts add up to $v_{\mathit{in}}$, which she can prove by including the following witness-hiding proof:
\[ \pi^{\mathit{sum}}=\sum_{i=1}^{k} r_{v_i} \]

The coordinator can then calculate the product of the amount commitments and check:
Finally, to request the credentials she submits the input, the $k$ pairs of attributes, and the proofs. The coordinator calculates the product of the amount commitments and checks:

\[ \prod_{i=1}^{k} M_{v_i}
\stackrel{?}{=}
{G_g}^{\pi^{\mathit{sum}}}{G_h}^{v_{\mathit{in}}}
\]

Note that this equality over the product of commitments implies the sum is correct:
Note that this equality over the product of the commitments implies the following equality of the sum of the amounts is correct:
\[\prod_{i=1}^{k} M_{v_i}
= {G_h}^{\sum_{i=1}^{k} v_i} {G_g}^{\sum_{i=1}^{k} r_{v_i}}
= {G_g}^{\sum_{i=1}^{k} r_{v_i}} {G_h}^{\sum_{i=1}^{k} v_i}
\iff
\sum_{i=1}^{k} v_i = v_{\mathit{in}}
\]

If the coordinator accepts it issues the credentials by responding with a MAC
$(t_i, U_i, V_i) \in \mathbb{Z}_q \times \mathbb{G} \times \mathbb{G}$ for each credential
where
$t_i \in_{R} \mathbb{Z}_{q}, U_i \in_{R} \mathbb{G}$
and
If the coordinator accepts then for each $i \in [1,k]$ it issues a credential by responding with
$(t_i, U_i, V_i) \in \mathbb{Z}_q \times \mathbb{G} \times \mathbb{G}$,
which is the output of
$\mathsf{MAC}_{\mathsf{sk}}(M_{v_i}, M_{s_i})$,
where:
\[
t_i \in_{R} \mathbb{Z}_{q}, U_i \in_{R} \mathbb{G}
\qquad
V_i=W {U_i}^{x_{0}+x_{1} t_i}{M_{v_i}}^{y_v} {M_{s_i}}^{y_s}
\]

To avoid tagging individual users the coordinator must also prove knowledge of the secret key, and that $(t_i, U_i, V_i)$ is correct relative to $\mathit{iparams}=(C_{W}, I)$ with the following proof of knowledge:
% TODO rephrase this a little so it's not plagiarism
To rule out tagging individual users the coordinator must prove knowledge of the secret key, and that $(t_i, U_i, V_i)$ is correct relative to $\mathit{iparams}=(C_{W}, I)$:

\begin{align*}
\pi_{i}^{\mathit{iparams}}=\operatorname{PK}\{ & (w, w^{\prime}, x_{0}, x_{1}, y_v, y_s): \\
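Review bot: the commit message says the undefined CPZ19 shorthand $W$ was replaced by ${G_w}^w$, but the rewritten MAC definition still reads `V_i=W {U_i}^{x_{0}+x_{1} t_i}{M_{v_i}}^{y_v} {M_{s_i}}^{y_s}`, so $W$ is used without ever being defined; it should be ${G_w}^{w}$, matching $C_W$ above and the $Z_i$ formula later in this diff. Further consistency points in this hunk: the issuer parameter `I=\frac{G_{V}}{{G_{x_0}}^{x_0} {G_{x_1}}^{x_1} {G_{y_v}}^{y_v} {G_{y_s}}^{y_s}}` uses generators $G_{y_v}, G_{y_s}$ that are not in the fixed generator set, which the paragraph just below says are named $G_v$ and $G_s$ instead of $G_{y_i}$; the signature `$\mathsf{HashTo\mathbb{G}} : {0,1}^* \mapsto \mathbb{G}$` needs `\{0,1\}^*` (unescaped braces are swallowed and render as `0,1*`) and `\to` rather than `\mapsto` for a domain-to-codomain arrow; the example ``\texttt{h}" should close with `''` rather than `"`; "For each amounts" should be "For each amount"; "she chooses a serial number and randomness $s_i \in_R \mathbb{Z}_q$" reads as if $s_i$ were the randomness, so "chooses a serial number $s_i \in_R \mathbb{Z}_q$ and commits to $v_i$ and $s_i$ with randomness $r_{v_i}, r_{s_i} \in_R \mathbb{Z}_q$" is clearer; "implies the following equality of the sum of the amounts is correct" should be "implies that the sum of the amounts is correct"; the unchanged sentence "We assume that all generator points used throughout the protocol are generated in a way that nobody knows the discrete logarithms" now duplicates the new "chosen so that nobody knows the discrete logarithms between any pair of them" clause and can be dropped; and the `% TODO rephrase this a little so it's not plagiarism` comment survives even though this commit rewords the sentence it refers to, so either remove it or say what still needs rephrasing.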
@@ -211,14 +215,15 @@ \subsection{Input Registration}
\}
\end{align*}


\subsection{Output Registration}

After the input registration the user may have up to $t$ credentials from all of her input registration requests made as one or more Alice identities.
Let $S \subseteq \left[1,t\right]$ be the indices of credentials that she wants to consolidate into a single output registration.
After the input registration the user may have up to $n$ credentials from all of her input registration requests made as one or more Alice identities.
Let $S \subseteq \left[1,n\right]$ be the indices of credentials that she wants to consolidate into a single output registration.

\subsubsection{Credential validity}

For each credential $i \in S$ Bob executes the $\mathsf{Show}$ protocol as in~\cite{chase2019signal}:
For each credential $i \in S$, now acting as Bob, the user executes the $\mathsf{Show}$ protocol as described in~\cite{chase2019signal}.

\begin{enumerate}

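Review bot: the `t` to `n` rename is the only substantive change in this hunk; the extra empty line added after `\end{align*}` leaves two consecutive blank lines before `\subsection{Output Registration}`, which LaTeX tolerates but which breaks the single-blank-line spacing used everywhere else in the file, so drop it.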
@@ -233,39 +238,43 @@ \subsubsection{Credential validity}
C_{s_i} &= {G_s}^{z_i} M_{s_i} \\
C_{x_{0_i}} &= {G_{x_0}}^{z_i} {U_i} \\
C_{x_{1_i}} &= {G_{x_1}}^{z_i} {U_i}^{t_i} \\
C_{V_i} &= {G_V}^{z_i} V \\
C_{V_i} &= {G_V}^{z_i} V_i
\end{align*}

\item To prove to the coordinator that she is in posession of a valid MAC on her amount and serial number commitments, Bob computes the following proof of knowledge:
\item To prove to the coordinator that she is in possession of a valid credential, Bob computes a proof of knowledge of the MAC on her attributes:
\begin{align*}
\pi_{i}^{\mathit{MAC}}=\operatorname{PK}\{
\pi_{i}^{\mathsf{MAC}}=\operatorname{PK}\{
& (z_i, z_{0_i},t_i): \\
& Z_i =I^{z_i} \land \\ %% does this proof need to say anything about C_{m_i} or C_{s_i} or is this statement about Z enough?
& C_{x_{1_i}} = {C_{x_{0_i}}}^{t_i} {G_{x_0}}^{z_{0_i}} {G_{x_1}}^{z_i}\}
\end{align*}
%% if we go with OR proof, then \lor M_{v_i} = {G_g}^{r_{v_i}} {G_h}^0
\end{enumerate}
which implies the following without allowing the verifier to link $\pi_{i}^\mathit{MAC}$ to the underlying attributes $(M_{v_i}, M_{s_i})$:
\[
\mathsf{Verify}((C_{x_{0_i}}, C_{x_{1_i}}, C_{V_i}, C_{v_i}, C_{s_i}, Z_i), \pi_i^{\mathit{MAC}}) \iff \mathsf{VerifyMAC}_{\mathsf{sk}}(M_{v_i}, M_{s_i})
\]


Finally, Bob sends $(C_{x_{0_i}}, C_{x_{1_i}}, C_{V_i}, C_{v_i} C_{s_i} \pi_i^{\mathit{MAC}})$ to the coordinator, who computes:
\item Bob submits $(C_{x_{0_i}}, C_{x_{1_i}}, C_{V_i}, C_{v_i}, C_{s_i}, \pi_i^{\mathit{MAC}})$ and the coordinator computes:
\[
Z_i=\frac{C_{V_i}}{W {C_{x_{0_i}}}^{x_0} {C_{x_{1_i}}}^{x_{1}}
{C_{v_i}}^{y_v} {C_{s_i}}^{y_s} %%% FIXME WTF WTF is this even correct?
Z_i=\frac{C_{V_i}}{{G_w}^w {C_{x_{0_i}}}^{x_0} {C_{x_{1_i}}}^{x_{1}}
{C_{v_i}}^{y_v} {C_{s_i}}^{y_s}
}
\]
using the secret key $(W, x_{0}, x_{1}, y_v, y_s)$ and verifies $\pi_i^{\mathit{MAC}}$.
independently of Bob's derivation by using the secret key , and verifies $\pi_i^{\mathit{MAC}}$.

% note Z_i is calculated independently by ``Bob'' and the coordinator
\end{enumerate}

\subsubsection{Over-spending prevention by proving sum of amounts}

The product of randomized commitments amounts to:
The product of the randomized amount commitments is:

\[\prod_{i \in S} C_{{v_i}}
= \prod_{i \in S} {G_v}^{z_i}M_{v_i}
= {G_v}^{\sum_{i \in S} z_i}{G_g}^{\sum_{i \in S} r_{v_i}}{G_h}^{\sum_{i \in S} v_i}
\]

Therefore we can obtain a witness-indistinguishable proof for the sum of the committed values $v_i$ in the randomized commitments:
Therefore we can obtain a witness-hiding proof for the sum of the committed values $v_i$ in the randomized commitments:

\[ \pi^{v_{out}}=\left(\sum_{i \in S}z_i,\sum_{i \in S}r_{v_i}\right) \]

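Review bot: the rewritten sentence after the $Z_i$ formula is broken: "independently of Bob's derivation by using the secret key , and verifies $\pi_i^{\mathit{MAC}}$" has a stray space before the comma and drops the key tuple the old line spelled out, $(W, x_{0}, x_{1}, y_v, y_s)$. Since this commit replaces $W$ with ${G_w}^w$, the intended text is presumably "using the secret key $\mathrm{sk}$" (or listing $(w, x_0, x_1, y_v, y_s)$). With that sentence in place, the `% note Z_i is calculated independently by ``Bob'' and the coordinator` comment repeats the prose and can go. Two smaller points: the proof is renamed to $\pi_{i}^{\mathsf{MAC}}$ in the `\operatorname{PK}` line, but every other reference in the hunk ($\mathsf{Verify}(\ldots)$, the submitted tuple, "verifies $\pi_i^{\mathit{MAC}}$") still uses `\mathit{MAC}`, so pick one; and the leftover `%% does this proof need to say anything about C_{m_i} ...` comment refers to $C_{m_i}$, which does not exist in the current notation ($C_{v_i}$ is the amount commitment), so it should be updated or resolved.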
@@ -280,10 +289,6 @@ \subsubsection{Over-spending prevention by proving sum of amounts}

\subsubsection{Double-spending prevention by revealing serial numbers}

Bob randomizes her serial number commitments:

\[ \forall i \in S: C_{{s_i}}={G_s}^{z_i}M_{s_i}={G_s}^{z_i}{G_g}^{r_{s_i}}{G_h}^{s_i} \]

Bob proves knowledge of representation of her submitted randomized serial number commitments, namely:
\[
\pi_{i}^{\mathit{serial}}=\operatorname{PK}\{ (s_i, z_i, r_{s_i}):C_{s_i} = {G_s}^{z_i}{G_g}^{r_{s_i}}{G_h}^{s_i}
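Review bot: removing the standalone $C_{s_i}$ randomization equation is fine since $C_{s_i} = {G_s}^{z_i} M_{s_i}$ is already introduced in the Credential validity subsection, but the remaining sentence "Bob proves knowledge of representation of her submitted randomized serial number commitments" no longer says where $C_{s_i}$ comes from; a short back-reference (e.g. "the commitments $C_{s_i}$ computed in the $\mathsf{Show}$ protocol above") keeps this subsection readable on its own. Minor: "knowledge of representation" should be "knowledge of a representation".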
