From 002479b1e87e62c8c0a51b08dfe441a798b99464 Mon Sep 17 00:00:00 2001 From: nothingmuch Date: Tue, 5 May 2020 01:06:03 +0000 Subject: [PATCH] Numerous fixes and clarifications - partial use of abstract algorithms for clarity - define generator selection with HashToG - renamed `t` to `n` to avoid confusion with `t_i` - replaced undefined shorthand notation from CPZ19 `W` with `{G_w}^w` - specify that `s_i`, `r_{v_i}` and `r_{s_i}` are chosen randomly - minor typographic fixes - various grammatical fixes - polyglossia instead of babel --- main.tex | 103 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 54 insertions(+), 49 deletions(-) diff --git a/main.tex b/main.tex index ea1b330..c57a524 100644 --- a/main.tex +++ b/main.tex @@ -1,7 +1,8 @@ \documentclass{article} -\usepackage[english]{babel} \usepackage{amsmath} \usepackage{amssymb} +\usepackage{polyglossia} +\setdefaultlanguage{english} \newtheorem{definition}{Definition}[section] @@ -81,7 +82,7 @@ \subsection{High-level functionalities} \subsubsection{Commitment schemes} A commitment scheme allows a party to commit to a message without enabling them to change their mind about the committed message after publishing the commitment. On the other hand the commitment should not reveal anything about the committed message. -\noindent$\mathsf{Com}(m,r)\xrightarrow{}\mathcal{C}$. The $\mathsf{Com}$ algorithm generates a commitment $\mathcal{C}$ to message $m$ using randomness $r$. +\noindent$\mathsf{Commit}(m,r)\xrightarrow{}\mathcal{C}$. The $\mathsf{Com}$ algorithm generates a commitment $\mathcal{C}$ to message $m$ using randomness $r$. \noindent$\mathsf{OpenCom}(\mathcal{C},m,r)\xrightarrow{}\{\mathit{True},\mathit{False}\}$: one can verify the correctness of the opening of a commitment by checking $\mathcal{C}\stackrel{?}{=}\mathsf{Com}(m,r)$. If equality holds the algorithm outputs $\mathit{True}$, otherwise $\mathit{False}$. @@ -107,7 +108,7 @@ \subsubsection{Zero-knowledge proofs of knowledge} \subsection{Input Registration} -The user, acting as Alice, submits her input of value $v_{\mathit{in}}$ along with $k$ pairs of group attributes, +The user, acting as Alice, submits an input of value $v_{\mathit{in}}$ along with $k$ pairs of group attributes, $(M_{v_i}, M_{s_i})$. She proves in zero knowledge that the sum of the requested sub-amounts is equal to $v_{\mathit{in}}$ and that the individual amounts are positive integers in the allowed range. @@ -129,27 +130,31 @@ \subsection{Output Registration} The user submits these proofs, the randomized attributes, and the serial numbers. The coordinator verifies the proofs, and if it accepts the output will be included in the transaction. \subsection{Signing phase} -The coordinator sends out the final unsigned transaction to the different Alices who will sign if they see their registered output included in the transaction. + +The user fetches the finalized but unsigned transaction as Satoshi, and if she sees her registered outputs she will sign, submitting the signature as Alice(s). \section{Cryptographic Details} -Following \cite{chase2019signal}, the scheme is defined in a group \(\mathbb{G}\) of prime order \(q,\) written in multiplicative notation. +Following \cite{chase2019signal}, the scheme is defined in a group \(\mathbb{G}\) of prime order \(q,\) written in multiplicative notation. +$\mathsf{HashTo\mathbb{G}} : {0,1}^* \mapsto \mathbb{G}$ is a function from strings to group elements, based on a cryptographic hash function. -We require the following fixed set of group elements: +We require the following fixed set of group elements for use as generators with different purposes: \[ -G_{w}, G_{w^{\prime}}, G_{x_{0}}, G_{x_{1}}, -G_{v}, G_{s}, G_g, G_h, -G_{V}. +\underbrace{G_{w}, G_{w^{\prime}}, G_{x_{0}}, G_{x_{1}}, G_{V}}_{\mathsf{MAC} \text{~and~} \mathsf{Show}} +\qquad +\underbrace{G_{v}, G_{s}}_{\text{attributes}} +\qquad +\underbrace{G_g, G_h}_{\text{commitments}} \] +chosen so that nobody knows the discrete logarithms between any pair of them, e.g. $G_h = \mathsf{HashTo\mathbb{G}}(``\texttt{h}")$. This notation deviates slightly from \cite{chase2019signal}, in that we subscript the attribute generators $G_{y_i}$ as $G_v$ and $G_s$ instead of using numerical indices, and we require two additional generators $G_g$ and $G_h$ for constructing the attributes $M_v$ and $M_s$ as Pedersen commitments. -We assume that all generator points used throughout the protocol are generated in a way that nobody knows the discrete logarithms between any pair of them. - -As with the generators we denote the secret key -\( \mathrm{sk} := \left(w, w^{\prime}, x_{0}, x_{1},y_{v}, y_{s}\right) \). +As with the generator names, we modify the names of the attribute related components of the secret key +$\mathrm{sk} := (w, w^{\prime}, x_{0}, x_{1}, y_{v}, y_{s}) \in_R {\mathbb{Z}_q}^6$ +according to our fixed set of group attributes. -The issuer parameters +The coordinator parameters $\mathit{iparams} = (C_{W}, I)$ are computed as: \[ @@ -157,16 +162,14 @@ \section{Cryptographic Details} \quad I=\frac{G_{V}}{{G_{x_0}}^{x_0} {G_{x_1}}^{x_1} {G_{y_v}}^{y_v} {G_{y_s}}^{y_s}} \] - +These are used by the coordinator to prove correctness of issued MACs, and by the users to prove knowledge of a valid MAC. \subsection{Input Registration} -Alice wants to register an input UTXO with value $v_{\mathit{in}}$, broken into sub-amounts $v_i$ where $i \in \left[1,k\right]$. -She submits amount and serial number commitments: -\[ \forall i \in \left[1,k\right]: M_{v_i}={G_g}^{r_{v_i}}{G_h}^{v_i} \] -\[ \forall i \in \left[1,k\right]: M_{s_i}={G_g}^{r_{s_i}}{G_h}^{s_i} \] +Acting as Alice, the user wants to register an input with value $v_{\mathit{in}}$, arbitrarily dividing it into amounts $v_i$ where $i \in \left[1,k\right]$. For each $i \in [1, k]$ she chooses a serial number and randomness $s_i \in_R \mathbb{Z}_q$ and commits to these with randomness $r_{v_i}, r_{s_i} \in_R \mathbb{Z}_q$: +\[ M_{v_i}={G_g}^{r_{v_i}}{G_h}^{v_i} \qquad M_{s_i}={G_g}^{r_{s_i}}{G_h}^{s_i} \] -For each amount she includes a range proof: +These commitments will be used as attributes in the credential request. For each amounts she also computes a range proof which ensures there are no negative values: \[ \pi^{\mathit{range}}_i := \operatorname{PK}\left\{\left(v_i, r_{v_i} \right) : M_{v_i} = {G_g}^{r_{v_i}}{G_h}^{v_i} @@ -174,34 +177,35 @@ \subsection{Input Registration} 0 \leq v_i < v_{\mathit{max}} \right\} \] -Alice also needs to convince the coordinator that the sent amount commitments add up to the registered input UTXO value, hence she sends the following proof: +Alice also needs to convince the coordinator that the amounts add up to $v_{\mathit{in}}$, which she can prove by including the following witness-hiding proof: \[ \pi^{\mathit{sum}}=\sum_{i=1}^{k} r_{v_i} \] -The coordinator can then calculate the product of the amount commitments and check: +Finally, to request the credentials she submits the input, the $k$ pairs of attributes, and the proofs. The coordinator calculates the product of the amount commitments and checks: \[ \prod_{i=1}^{k} M_{v_i} \stackrel{?}{=} {G_g}^{\pi^{\mathit{sum}}}{G_h}^{v_{\mathit{in}}} \] -Note that this equality over the product of commitments implies the sum is correct: +Note that this equality over the product of the commitments implies the following equality of the sum of the amounts is correct: \[\prod_{i=1}^{k} M_{v_i} -= {G_h}^{\sum_{i=1}^{k} v_i} {G_g}^{\sum_{i=1}^{k} r_{v_i}} += {G_g}^{\sum_{i=1}^{k} r_{v_i}} {G_h}^{\sum_{i=1}^{k} v_i} \iff \sum_{i=1}^{k} v_i = v_{\mathit{in}} \] -If the coordinator accepts it issues the credentials by responding with a MAC -$(t_i, U_i, V_i) \in \mathbb{Z}_q \times \mathbb{G} \times \mathbb{G}$ for each credential -where -$t_i \in_{R} \mathbb{Z}_{q}, U_i \in_{R} \mathbb{G}$ -and +If the coordinator accepts then for each $i \in [1,k]$ it issues a credential by responding with +$(t_i, U_i, V_i) \in \mathbb{Z}_q \times \mathbb{G} \times \mathbb{G}$, +which is the output of +$\mathsf{MAC}_{\mathsf{sk}}(M_{v_i}, M_{s_i})$, +where: \[ +t_i \in_{R} \mathbb{Z}_{q}, U_i \in_{R} \mathbb{G} +\qquad V_i=W {U_i}^{x_{0}+x_{1} t_i}{M_{v_i}}^{y_v} {M_{s_i}}^{y_s} \] -To avoid tagging individual users the coordinator must also prove knowledge of the secret key, and that $(t_i, U_i, V_i)$ is correct relative to $\mathit{iparams}=(C_{W}, I)$ with the following proof of knowledge: -% TODO rephrase this a little so it's not plagiarism +To rule out tagging individual users the coordinator must prove knowledge of the secret key, and that $(t_i, U_i, V_i)$ is correct relative to $\mathit{iparams}=(C_{W}, I)$: \begin{align*} \pi_{i}^{\mathit{iparams}}=\operatorname{PK}\{ & (w, w^{\prime}, x_{0}, x_{1}, y_v, y_s): \\ @@ -211,14 +215,15 @@ \subsection{Input Registration} \} \end{align*} + \subsection{Output Registration} -After the input registration the user may have up to $t$ credentials from all of her input registration requests made as one or more Alice identities. -Let $S \subseteq \left[1,t\right]$ be the indices of credentials that she wants to consolidate into a single output registration. +After the input registration the user may have up to $n$ credentials from all of her input registration requests made as one or more Alice identities. +Let $S \subseteq \left[1,n\right]$ be the indices of credentials that she wants to consolidate into a single output registration. \subsubsection{Credential validity} -For each credential $i \in S$ Bob executes the $\mathsf{Show}$ protocol as in~\cite{chase2019signal}: +For each credential $i \in S$, now acting as Bob, the user executes the $\mathsf{Show}$ protocol as described in~\cite{chase2019signal}. \begin{enumerate} @@ -233,39 +238,43 @@ \subsubsection{Credential validity} C_{s_i} &= {G_s}^{z_i} M_{s_i} \\ C_{x_{0_i}} &= {G_{x_0}}^{z_i} {U_i} \\ C_{x_{1_i}} &= {G_{x_1}}^{z_i} {U_i}^{t_i} \\ -C_{V_i} &= {G_V}^{z_i} V \\ +C_{V_i} &= {G_V}^{z_i} V_i \end{align*} -\item To prove to the coordinator that she is in posession of a valid MAC on her amount and serial number commitments, Bob computes the following proof of knowledge: +\item To prove to the coordinator that she is in possession of a valid credential, Bob computes a proof of knowledge of the MAC on her attributes: \begin{align*} -\pi_{i}^{\mathit{MAC}}=\operatorname{PK}\{ +\pi_{i}^{\mathsf{MAC}}=\operatorname{PK}\{ & (z_i, z_{0_i},t_i): \\ & Z_i =I^{z_i} \land \\ %% does this proof need to say anything about C_{m_i} or C_{s_i} or is this statement about Z enough? & C_{x_{1_i}} = {C_{x_{0_i}}}^{t_i} {G_{x_0}}^{z_{0_i}} {G_{x_1}}^{z_i}\} \end{align*} %% if we go with OR proof, then \lor M_{v_i} = {G_g}^{r_{v_i}} {G_h}^0 -\end{enumerate} +which implies the following without allowing the verifier to link $\pi_{i}^\mathit{MAC}$ to the underlying attributes $(M_{v_i}, M_{s_i})$: +\[ +\mathsf{Verify}((C_{x_{0_i}}, C_{x_{1_i}}, C_{V_i}, C_{v_i}, C_{s_i}, Z_i), \pi_i^{\mathit{MAC}}) \iff \mathsf{VerifyMAC}_{\mathsf{sk}}(M_{v_i}, M_{s_i}) +\] + -Finally, Bob sends $(C_{x_{0_i}}, C_{x_{1_i}}, C_{V_i}, C_{v_i} C_{s_i} \pi_i^{\mathit{MAC}})$ to the coordinator, who computes: +\item Bob submits $(C_{x_{0_i}}, C_{x_{1_i}}, C_{V_i}, C_{v_i}, C_{s_i}, \pi_i^{\mathit{MAC}})$ and the coordinator computes: \[ -Z_i=\frac{C_{V_i}}{W {C_{x_{0_i}}}^{x_0} {C_{x_{1_i}}}^{x_{1}} -{C_{v_i}}^{y_v} {C_{s_i}}^{y_s} %%% FIXME WTF WTF is this even correct? +Z_i=\frac{C_{V_i}}{{G_w}^w {C_{x_{0_i}}}^{x_0} {C_{x_{1_i}}}^{x_{1}} +{C_{v_i}}^{y_v} {C_{s_i}}^{y_s} } \] -using the secret key $(W, x_{0}, x_{1}, y_v, y_s)$ and verifies $\pi_i^{\mathit{MAC}}$. +independently of Bob's derivation by using the secret key , and verifies $\pi_i^{\mathit{MAC}}$. -% note Z_i is calculated independently by ``Bob'' and the coordinator +\end{enumerate} \subsubsection{Over-spending prevention by proving sum of amounts} -The product of randomized commitments amounts to: +The product of the randomized amount commitments is: \[\prod_{i \in S} C_{{v_i}} = \prod_{i \in S} {G_v}^{z_i}M_{v_i} = {G_v}^{\sum_{i \in S} z_i}{G_g}^{\sum_{i \in S} r_{v_i}}{G_h}^{\sum_{i \in S} v_i} \] -Therefore we can obtain a witness-indistinguishable proof for the sum of the committed values $v_i$ in the randomized commitments: +Therefore we can obtain a witness-hiding proof for the sum of the committed values $v_i$ in the randomized commitments: \[ \pi^{v_{out}}=\left(\sum_{i \in S}z_i,\sum_{i \in S}r_{v_i}\right) \] @@ -280,10 +289,6 @@ \subsubsection{Over-spending prevention by proving sum of amounts} \subsubsection{Double-spending prevention by revealing serial numbers} -Bob randomizes her serial number commitments: - -\[ \forall i \in S: C_{{s_i}}={G_s}^{z_i}M_{s_i}={G_s}^{z_i}{G_g}^{r_{s_i}}{G_h}^{s_i} \] - Bob proves knowledge of representation of her submitted randomized serial number commitments, namely: \[ \pi_{i}^{\mathit{serial}}=\operatorname{PK}\{ (s_i, z_i, r_{s_i}):C_{s_i} = {G_s}^{z_i}{G_g}^{r_{s_i}}{G_h}^{s_i}