Abstract
Decentralized financial applications demand fast, cheap, and privacy-preserving cryptocurrency systems to handle high transaction volumes and protect their users. Off-chain Layer-2 scaling solutions such as Plasma, ZK-Rollup and NOCUST are appealing designs for scaling and extending account-based blockchains that support smart contracts. The essential idea is simple yet powerful: move expensive computation off-chain and commit only abbreviated transaction data on-chain. Nevertheless, these solutions do not hide users' balances or off-chain transaction data. In this paper, we propose PriBank, a novel privacy-preserving cryptocurrency system that provides private balances and transaction values on top of such Layer-2 scaling solutions. To construct PriBank, we propose a Commit-and-Prove short NIZK argument for quadratic arithmetic programs. The argument is built on top of an existing zero-knowledge proof scheme, Bulletproofs, and allows a prover to commit to an arbitrary set of witnesses with Pedersen commitments before proving, which may be of independent interest. We define security models for Layer-2 privacy-preserving scaling solutions and analyse the security of our scheme in that model. We also implement and evaluate the system and present a comparative analysis with existing solutions.
References
Agrawal, S., Ganesh, C., Mohassel, P.: Non-interactive zero-knowledge proofs for composite statements. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 643–673. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_22
Back, A., et al.: Enabling blockchain innovations with pegged sidechains, vol. 72 (2014). http://www.opensciencereview.com/papers/123/enablingblockchain-innovations-with-pegged-sidechains
Benarroch, D., Campanelli, M., Fiore, D., Kolonelos, D.: Zero-knowledge proofs for set membership: efficient, succinct, modular. IACR Cryptol. ePrint Arch. 2019, 1255 (2019)
Bonneau, J., Narayanan, A., Miller, A., Clark, J., Kroll, J.A., Felten, E.W.: Mixcoin: anonymity for bitcoin with accountable mixes. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 486–504. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_31
Bowe, S., Chiesa, A., Green, M., Miers, I., Mishra, P., Wu, H.: Zexe: enabling decentralized private computation. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 947–964 (2020). https://doi.org/10.1109/SP40000.2020.00050
Bünz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 423–443. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4_23
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 315–334. IEEE (2018)
Campanelli, M., Fiore, D., Querol, A.: LegoSNARK: modular design and composition of succinct zero-knowledge proofs. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 2075–2092 (2019)
Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: Proceedings of the Thirty-fourth Annual ACM Symposium on Theory of Computing, pp. 494–503 (2002)
Cecchetti, E., Zhang, F., Ji, Y., Kosba, A., Juels, A., Shi, E.: Solidus: confidential distributed ledger transactions via PVORM. In: Proceedings of 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 701–717 (2017)
Danezis, G., Meiklejohn, S.: Centrally banked cryptocurrencies. arXiv preprint arXiv:1505.06895 (2015)
Decker, C., Wattenhofer, R.: A fast and scalable payment network with bitcoin duplex micropayment channels. In: Pelc, A., Schwarzmann, A.A. (eds.) SSS 2015. LNCS, vol. 9212, pp. 3–18. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21741-3_1
Diamond, B.E.: Many-out-of-many proofs and applications to anonymous zether. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 1800–1817. IEEE Computer Society, Los Alamitos, May 2021. https://doi.org/10.1109/SP40001.2021.00026
Dziembowski, S., Fabiański, G., Faust, S., Riahi, S.: Lower bounds for off-chain protocols: exploring the limits of plasma. In: 12th Innovations in Theoretical Computer Science Conference (ITCS 2021) (2021)
Fauzi, P., Meiklejohn, S., Mercer, R., Orlandi, C.: Quisquis: a new design for anonymous cryptocurrencies. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 649–678. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_23
Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37
Gluchowski, A.: Zk rollup: scaling with zero-knowledge proofs. Matter Labs (2019)
Kerber, T., Kiayias, A., Kohlweiss, M.: Kachina: foundations of private smart contracts. In: 2021 IEEE 34th Computer Security Foundations Symposium (CSF), pp. 1–16. IEEE (2021)
Khalil, R., Zamyatin, A., Felley, G., Moreno-Sanchez, P., Gervais, A.: Commit-chains: secure, scalable off-chain payments. Cryptology ePrint Archive, Report 2018/642 (2018)
Kilian, J.: Uses of Randomness in Algorithms and Protocols. Massachusetts Institute of Technology (1990)
Kosba, A., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 839–858 (2016). https://doi.org/10.1109/SP.2016.55
Maxwell, G.: CoinJoin: bitcoin privacy for the real world. In: Post on Bitcoin Forum (2013)
Miller, A., Bentov, I., Kumaresan, R., McCorry, P.: Sprites: payment channels that go faster than lightning. CoRR abs/1702.05812 (2017)
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2009). http://bitcoin.org/bitcoin.pdf
Narula, N., Vasquez, W., Virza, M.: zkLedger: privacy-preserving auditing for distributed ledgers. In: 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 18), pp. 65–80 (2018)
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
Poon, J., Buterin, V.: Plasma: scalable autonomous smart contracts. White paper (2017)
Sasson, E.B., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE (2014)
Steffen, S., Bichsel, B., Gersbach, M., Melchior, N., Tsankov, P., Vechev, M.: zkay: specifying and enforcing data privacy in smart contracts. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1759–1776 (2019)
The Monero Project: Monero (2014). https://web.getmonero.org
Wood, G.: Ethereum: a secure decentralised generalised transaction ledger. Yellow Paper (2014)
Zyskind, G., Nathan, O., et al.: Decentralizing privacy: using blockchain to protect personal data. In: 2015 IEEE Security and Privacy Workshops, pp. 180–184. IEEE (2015)
Appendices
A Commit-Prove Zero-Knowledge Proof Construction
Circuit: The arithmetic circuit C of the zero-knowledge proof is in Fig. 11
B Proof of Protocol 3.1
Proof
Soundness. By rewinding the prover, the extractor \(\mathcal {X}\) obtains two valid transcripts that share the same first-message commitments:
\((d_1,d_2,c_0,c_1,x,\theta _a,\theta _b,\theta _1,\theta _2,\theta _{ab})\) and \((d_1,d_2,c_0,c_1,x',\theta _a',\theta _b',\theta _1',\theta _2',\theta _{ab}')\). From the verification equations we get
By the binding property of the Pedersen commitment, this implies \(a=\frac{\theta _a'-\theta _a}{x-x'}\); by the same technique, \(\mathcal {X}\) can compute \(b=\frac{\theta _b'-\theta _b}{x-x'}\) as well as \(\alpha \) and \(\beta \).
Next, let c be a commitment to z; we prove \(z=ab\). Write \(c_0=g^uh^{r_{c_0}}\) and \(c_1=g^vh^{r_{c_1}}\), and observe that the verification equation \(g^{\theta _a\theta _b}h^{\theta _{ab}}c_0^x=c^{x^2}c_1\) implies
Since \(a,b,\alpha ,\beta ,u,v\) are all fixed before the challenge is chosen, either \(\mathcal {X}\) can extract a non-trivial discrete logarithm relation between g and h, or \(u=\alpha b+\beta a\) and the extractor computes \(z=ab=\frac{\theta _a\theta _b-\theta '_a\theta '_b+(\alpha b+\beta a)(x-x')}{x^2-{x'}^2}\).
Perfect special honest-verifier zero-knowledge. The simulator randomly chooses \(\theta _1,\theta _2,\theta _a,\theta _b,\theta _{ab},u,r\leftarrow \mathbb {Z}_p\) and a challenge \(x\leftarrow \mathbb {Z}_p\), and computes \(d_1=c_a^xg^{\theta _a}h^{\theta _1}\), \(d_2=c_b^xg^{\theta _b}h^{\theta _2}\), \(c_0=g^uh^r\) and \(c_1=g^{\theta _a\theta _b}h^{\theta _{ab}}c_0^x/c^{x^2}\). Thus the simulator produces a valid transcript \((d_1,d_2,c_0,c_1,x,\theta _a,\theta _b,\theta _1,\theta _2,\theta _{ab})\) whose distribution is identical to that of a real proof. \(\square \)
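The following is an added worked example, not code from the PriBank paper or its implementation. It reconstructs the Protocol 3.1 product argument from the three verification equations quoted in this appendix (\(d_1=c_a^xg^{\theta _a}h^{\theta _1}\), \(d_2=c_b^xg^{\theta _b}h^{\theta _2}\), \(g^{\theta _a\theta _b}h^{\theta _{ab}}c_0^x=c^{x^2}c_1\)) and instantiates it, by assumption, over secp256k1 with Pedersen commitments \(vG+rH\); the prover's response formulas (\(\theta _a=\alpha -ax\), \(c_0\) committing to \(\alpha b+\beta a\), \(c_1\) to \(\alpha \beta \)) are derived here so that the quoted checks pass, since the protocol itself is not on this page. It then runs the two-transcript extractor and the simulator exactly as described above, and shows that a prover whose c commits to anything other than ab is rejected.

```python
# Added worked example, not code from the PriBank paper: the Protocol 3.1
# product argument reconstructed from the verification equations quoted in
# Appendix B, instantiated (our assumption) over secp256k1 with Pedersen
# commitments vG + rH. Scalars live in Z_N; g, h of the paper are G, H here.
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def add(p1, p2):
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return INF
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    acc, k = INF, k % N
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

neg = lambda pt: INF if pt is INF else (pt[0], (-pt[1]) % P)

def second_generator(label=b"pribank-demo-H"):
    """Try-and-increment hash-to-curve so that log_G(H) is unknown (binding)."""
    for ctr in range(2**16):
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(2, "big")).digest(), "big") % P
        rhs = (x ** 3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # square-root candidate, valid since P = 3 mod 4
        if y * y % P == rhs: return (x, y)

H = second_generator()
commit = lambda v, r: add(mul(v, G), mul(r, H))
rand = lambda: secrets.randbelow(N - 1) + 1

def prove_round1(a, r_a, b, r_b, r_z):
    """First message (d1, d2, c0, c1): d1, d2 mask a and b; c0 commits to
    alpha*b + beta*a and c1 to alpha*beta, the cross terms of theta_a*theta_b."""
    st = dict(a=a, r_a=r_a, b=b, r_b=r_b, r_z=r_z, alpha=rand(), beta=rand(),
              r1=rand(), r2=rand(), r_c0=rand(), r_c1=rand())
    msg = (commit(st["alpha"], st["r1"]), commit(st["beta"], st["r2"]),
           commit((st["alpha"] * b + st["beta"] * a) % N, st["r_c0"]),
           commit(st["alpha"] * st["beta"] % N, st["r_c1"]))
    return msg, st

def prove_round2(st, x):
    """Response to challenge x; rewinding = calling this twice with the same st."""
    th_a, th_b = (st["alpha"] - st["a"] * x) % N, (st["beta"] - st["b"] * x) % N
    th_1, th_2 = (st["r1"] - st["r_a"] * x) % N, (st["r2"] - st["r_b"] * x) % N
    th_ab = (x * x * st["r_z"] + st["r_c1"] - x * st["r_c0"]) % N
    return (th_a, th_b, th_1, th_2, th_ab)

def verify(c_a, c_b, c, msg, x, resp):
    """The three checks quoted in Appendix B."""
    d1, d2, c0, c1 = msg
    th_a, th_b, th_1, th_2, th_ab = resp
    return (d1 == add(mul(x, c_a), commit(th_a, th_1))
            and d2 == add(mul(x, c_b), commit(th_b, th_2))
            and add(commit(th_a * th_b % N, th_ab), mul(x, c0)) == add(mul(x * x, c), c1))

def extract(x, resp, x2, resp2):
    """Appendix B extractor from two accepting transcripts with the same first
    message: a = (th_a' - th_a)/(x - x'), then z via the quoted formula."""
    inv = pow((x - x2) % N, -1, N)
    a, b = (resp2[0] - resp[0]) * inv % N, (resp2[1] - resp[1]) * inv % N
    alpha, beta = (resp[0] + a * x) % N, (resp[1] + b * x) % N  # th_a = alpha - a x
    u = (alpha * b + beta * a) % N
    num = (resp[0] * resp[1] - resp2[0] * resp2[1] + u * (x - x2)) % N
    return a, b, num * pow((x * x - x2 * x2) % N, -1, N) % N

def simulate(c_a, c_b, c, x):
    """Appendix B simulator: accepting transcript for challenge x, no witness."""
    th_a, th_b, th_1, th_2, th_ab, u, r = (rand() for _ in range(7))
    d1 = add(mul(x, c_a), commit(th_a, th_1))
    d2 = add(mul(x, c_b), commit(th_b, th_2))
    c0 = commit(u, r)
    c1 = add(add(commit(th_a * th_b % N, th_ab), mul(x, c0)), neg(mul(x * x, c)))
    return (d1, d2, c0, c1), (th_a, th_b, th_1, th_2, th_ab)

def demo(a=7, b=11):
    """Honest run, two-transcript extraction, a cheating c, and a simulated run."""
    r_a, r_b, r_z = rand(), rand(), rand()
    c_a, c_b, c = commit(a, r_a), commit(b, r_b), commit(a * b % N, r_z)
    msg, st = prove_round1(a, r_a, b, r_b, r_z)
    x, x2 = rand(), rand()
    resp, resp2 = prove_round2(st, x), prove_round2(st, x2)
    honest = verify(c_a, c_b, c, msg, x, resp) and verify(c_a, c_b, c, msg, x2, resp2)
    cheat = verify(c_a, c_b, commit((a * b + 1) % N, r_z), msg, x, resp)
    sim_msg, sim_resp = simulate(c_a, c_b, c, x)
    return honest, extract(x, resp, x2, resp2), cheat, verify(c_a, c_b, c, sim_msg, x, sim_resp)
```

`demo()` returns the honest verdict, the extracted \((a,b,ab)\), the verdict on the cheating prover, and the verdict on the simulated transcript. The extractor never sees \(\alpha ,\beta \): it recovers them from \(\theta _a+ax\) and \(\theta _b+bx\), which is why the soundness argument can treat \(u=\alpha b+\beta a\) as fixed by the prover's first message. The second generator is derived by hashing rather than as a known multiple of G; if \(\log _G H\) were known, the binding property the extractor relies on would not hold.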
C Proof of Protocol 3.2
Proof
Soundness. For an accepting transcript \((c_0,\varOmega ,d_1,d_2,x,\theta _1,\theta _2)\), assume that
Since \(d_1=c_0^xh^{\theta _1}\) and \( d_2=\varOmega ^x\tau ^{\theta _1}h^{\theta _2}\), we have
If \(u\ne \gamma \), then either \(\theta _1=\frac{\delta \gamma -u\alpha }{\gamma -u}\) and \(x=\frac{\alpha -\delta }{\gamma -u}\), or the cheating prover is able to compute the Pedersen commitment key \(\log _gh\). Since \(\alpha ,\delta ,\gamma \) are fixed before the challenge is chosen, \(\Pr [x=\frac{\alpha -\delta }{\gamma -u}]=\frac{1}{p}\).
Since the verification requires \(c=\prod \limits _{i=1}^{n}c_i^{b_i}/\varOmega \), writing \(c=g^wh^t\) implies
Hence, either \(w=\sum \limits _{i=1}^n a_i b_i\) or the prover is able to compute the discrete logarithm.
Perfect special honest-verifier zero-knowledge. The simulator randomly chooses \(\gamma ,\theta _1,\theta _2\leftarrow \mathbb {Z}_p\) and computes \(c_0=h^{\gamma }\) and \(\varOmega =\prod \limits _{i=1}^nc_i^{b_i}/c\). It then chooses a challenge \(x\leftarrow \mathbb {Z}_p\) at random and computes \(d_1=c_0^xh^{\theta _1}\) and \(d_2=\varOmega ^x\tau ^{\theta _1}h^{\theta _2}\). The transcript \(trs=(c_0,\varOmega ,d_1,d_2,x,\theta _1,\theta _2)\) is a valid transcript whose distribution is identical to that of a real proof. \(\square \)
D Proof of Protocol 3.3
Proof
We follow the soundness proof of [9] and give our own proof of the zero-knowledge property.
Soundness. We first construct an extractor \(\mathcal {X}_1\) for the sub-protocol \(\mathsf {Prove}\), then an extractor \(\mathcal {X}_2\) for Protocol 3.3. For \(\mathcal {X}_1\) we use an inductive argument showing that in each step we either extract a witness or a non-trivial discrete logarithm relation. If \(n=|g|=1\), we rewind \(\mathcal {P}\) to obtain two transcripts with the same prover randomness but different challenges from \(\mathcal {V}\). Let the witness of \(\mathcal {P}\) be \((a_1,c,r)\) and \(d=g_1^{t_1}u^{t_2}h^{t_3}\); the transcripts are
Then we get \(g_1^{a_1x+\theta _1}u^{cx+b_1\theta _1}h^{\theta _2+xr}=g_1^{a_1x'+\theta _1'}u^{cx'+b_1\theta '_1}h^{\theta '_2+x'r}=d\).
Since \(a_1,c,d\) are fixed before the challenge is chosen, either the extractor can compute
or \(a_1=\frac{\theta _1-\theta '_1}{x'-x}\) and \(c=a_1b_1\).
Next, consider the k-th recursive step on input \((\boldsymbol{g},u,h,c,\boldsymbol{b})\), and assume that the \((k+1)\)th recursive step has input \((\boldsymbol{g}',u,h,c',\boldsymbol{b}')\) and that the witness extracted from that step is \(r',\boldsymbol{a}',\langle \boldsymbol{a}',\boldsymbol{b}'\rangle \). We show that, given the witness of the \((k+1)\)th recursive step, an extractor can efficiently compute a witness for the k-th recursive step or a non-trivial discrete logarithm relation between the generators.
On k-th recursive step, the extractor runs the prover to get L and R. Then, by rewinding the prover four times and giving it four different challenges \(x_1, x_2, x_3, x_4\), the extractor obtains four \(\boldsymbol{a}'_i \in \mathbb {Z}_p^{n'}\) such that
We compute \(v_1,v_2,v_3 \in \mathbb {Z}_p\) such that
Then taking a linear combination of the first three equations with \(v_1,v_2,v_3\) as the coefficients,
we can compute
Repeating this process with different combinations (compute \(v_1,v_2,v_3\) of Eq. 2 with different summations), we can also compute R, c such that
Now, we can rewrite Eq. 1, for each \(x\in \{x_1,x_2,x_3,x_4\}\) as
This implies that
Either the extractor can obtain a non-trivial discrete logarithm relation between the generators (\(\boldsymbol{g},h,u\)) if these equations do not hold, or we can deduce that for each challenge \(x\in \{x_1,x_2,x_3,x_4\}\)
The only way the above equation holds for all challenges is if
Thus \(\boldsymbol{a}'=x{\boldsymbol{a}_{c}}_{[:n']}+x^{-1}{\boldsymbol{a}_c}_{[n':]}\). Using these values we can see that
Since the relation holds for all \(x\in \{x_1,x_2,x_3,x_4\}\), it must be that
The extractor, thus, either extracts a discrete logarithm relation between the generators, or the witness \(\boldsymbol{a}_c\).
We now turn to the beginning of Protocol 3.3. On input \((c_{\boldsymbol{a}},c_{\boldsymbol{ab}},\boldsymbol{g},\boldsymbol{b})\), the extractor \(\mathcal {X}_2\) runs \(\mathcal {P}\) with challenge x and uses \(\mathcal {X}_1\) to obtain a witness \(\boldsymbol{a},r\) such that \(c_{\boldsymbol{a}}c_{\boldsymbol{ab}}^x=\boldsymbol{g}^{\boldsymbol{a}}g^{x\langle \boldsymbol{a},\boldsymbol{b}\rangle }h^{r}\). Rewinding \(\mathcal {P}\) with a different challenge \(x'\), \(\mathcal {X}_1\) extracts a new witness \(\boldsymbol{a}',r'\) such that \(c_{\boldsymbol{a}}c_{\boldsymbol{ab}}^{x'}=\boldsymbol{g}^{\boldsymbol{a}'}g^{x'\langle \boldsymbol{a}',\boldsymbol{b}\rangle }h^{r'}\). Then we get
Unless \(\boldsymbol{a}=\boldsymbol{a}'\), we obtain a non-trivial discrete logarithm relation between \(\boldsymbol{g}\), h and g. Otherwise we get \(s=\langle \boldsymbol{a},\boldsymbol{b}\rangle \), \(r_{ab}=\frac{r-r'}{x-x'}\) and \(r_a=r-\frac{x(r-r')}{x-x'}\). \(\square \)
Perfect Zero-Knowledge. The simulator chooses a random vector \(\boldsymbol{a}\in \mathbb {Z}_p^n\) as its witness; we show that it can generate a valid transcript for this vector.
For each recursive step when a prover asks for L, R, the simulator chooses randomly \(r_1,r_2\in \mathbb {Z}_p^* \), and computes
Assume that at the last recursive step the input commitment is \(c'\) and the challenge is x. The simulator randomly chooses \(\theta _1,\theta _2\in \mathbb {Z}_p^*\) and computes \(d=c'^x g_1^{\theta _1}u^{b_1\theta _1}h^{\theta _2}\).
The transcript \(trs=(c,L_1,R_1,x_1,L_2,R_2,x_2,...,d,x,\theta _1,\theta _2)\) is a valid transcript whose distribution is identical to that of a real proof.
E Proof of Protocol 3.4
Proof
Soundness. A valid transcript of protocol 3.4 consists of 8 sub-transcripts: three transcripts of Protocol 3.1 on statements
respectively; four transcripts of Protocol 3.2 on statements \((\boldsymbol{g},\boldsymbol{b}:=\{u_{k+1}(x_1),...,u_{l}(x_1)\},c_{l},c_{\boldsymbol{u}})\), \((\boldsymbol{g},\boldsymbol{b}:=\{v_{k+1}(x_1),...,v_{l}(x_1)\},c_{l},c_{\boldsymbol{v}})\), \((\boldsymbol{g},\boldsymbol{b}:=\{w_{k+1}(x_1),...,w_{l}(x_1)\},c_{l},c_{\boldsymbol{w}})\) and \((\boldsymbol{g},\boldsymbol{b}:=\{xz(x_1),...,x^{n-2}z(x_1)\},c_{h},c_{hz})\) respectively; and one transcript of Protocol 3.3 on statement \((c_a,c_b,c_c)\).
The soundness of protocol 3.1 implies
The soundness of protocol 3.3 implies
The knowledge extractor described in the proof of Protocol 3.1 can extract \(a,r_a\) and \(b,r_b\) such that
which means
Apart from the challenge \(x_1\), all variables in the above equation are fixed before the challenge is chosen; therefore either the prover can compute a non-trivial discrete logarithm relation between the generators, or \(\sum \limits _{i=1}^na_iu_i(X) \cdot \sum \limits _{i=1}^na_iv_i(X)=\sum \limits _{i=1}^na_iw_i(X)+h(X)z(X).\)
Perfect special honest-verifier zero-knowledge. The zero-knowledge property follows from the zero-knowledge properties of the sub-protocols: the simulator runs the sub-protocols' simulators to produce a valid transcript without knowing the witnesses. \(\square \)
F Definitions for Commit-and-Prove Zero-Knowledge Proof
Definition 7
(Perfect Completeness). The triple \((\mathcal {G},\mathcal {V},\mathcal {P})\) has perfect completeness if for all non-uniform PPT adversaries \(\mathcal {A}\)
Definition 8
(Computational Soundness). \((\mathcal {G},\mathcal {V},\mathcal {P})\) has computational soundness if it is not possible to prove a false statement for which no witness exists, i.e. for all non-uniform polynomial time interactive adversaries \(\mathcal {A}_1,\mathcal {A}_2\), the function \(\mathsf {negl}(\lambda )\) below is negligible.
Definition 9
(Computational Knowledge Soundness). \((\mathcal {G},\mathcal {V},\mathcal {P})\) has computational knowledge soundness if for every deterministic polynomial time \(\mathcal {P}^*\) there exists a polynomial time knowledge extractor \(\mathcal {E}\) such that for all non-uniform polynomial time interactive adversaries \(\mathcal {A}_1,\mathcal {A}_2\), the function \(\mathsf {negl}(\lambda )\) below is negligible,
where the oracle is given by \(\mathcal {O}=\langle \mathcal {P}^*(\sigma ,c,x,s),\mathcal {V}(\sigma ,c,x)\rangle \).
The oracle \(\mathcal {O}\) permits the extractor to rewind the interaction between prover and verifier to any move and resume from there with fresh randomness for the verifier. The value s is the internal state of \(\mathcal {P}^*\), including its randomness. Informally, if an adversary can produce an argument that satisfies the verifier with some probability, then the extractor can extract the witness with essentially the same probability.
Definition 10
(Perfect Special Honest-Verifier Zero-Knowledge). A triple \((\mathcal {G},\mathcal {P},\mathcal {V})\) is a perfect special honest-verifier zero-knowledge argument of knowledge for \(\mathcal {R}_\lambda ^{\mathsf {Com}}\) if there exists a probabilistic polynomial time simulator \(\mathcal {S}\) such that for all pairs of interactive adversaries \(\mathcal {A}_1,\mathcal {A}_2\)
where \(\rho \) is the randomness used by the verifier.
Definition 11
(Commit-and-Prove Zero-knowledge Argument of Knowledge). The triple \((\mathcal {G},\mathcal {P},\mathcal {V})\) is a commit-and-prove zero-knowledge argument of knowledge for a family of relations \(\mathcal {R}^{\mathsf {Com}}\) if it satisfies perfect completeness, perfect special honest-verifier zero-knowledge, and computational soundness (or computational knowledge soundness).
G Notations
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Gjøsteen, K., Raikwar, M., Wu, S. (2022). PriBank: Confidential Blockchain Scaling Using Short Commit-and-Proof NIZK Argument. In: Galbraith, S.D. (ed.) Topics in Cryptology – CT-RSA 2022. Lecture Notes in Computer Science, vol 13161. Springer, Cham. https://doi.org/10.1007/978-3-030-95312-6_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-95311-9
Online ISBN: 978-3-030-95312-6