How does the Zecrey Protocol protect account privacy?

There are two main methods to save transaction records in the current blockchain world — — the UTXO model (Unspent Transaction Output) and the Account model. Due to the outstanding merits such as programmability and flexibility, the Account model is adopted by a larger number of projects than the UTXO model, such as Ethereum and EOS. The Account model is similar to the pattern in the real world since the address or account name can be depicted as a blockchain account. After each specific transaction (such as deduction, collection, handling fee, etc.), the balance of the account will be refreshed and recorded in the distributed ledger. Note that the account is stateful. The transaction that occurs on the blockchain is an event that triggers the migration of the state machine.

For example, there is a user Alice with 10 tokens in her account and a user Bob with 20 tokens in his account. Alice issues a transaction that transfers 5 tokens to Bob. As long as this transaction is verified and permitted, the token balance in Alice’s account will decrease by 5 tokens accordingly. Thus, the alteration of the account balance is dependent on the transaction that happened on the blockchain. However, this dependency raises a concern on the risk that adversaries are able to derive account balance information through eavesdropping and tracking transactions. As the awareness for personal privacy is growing rapidly, it urgently requires an account privacy protection scheme.

Normally, encryption is a crucial mechanism to preserve the privacy of sensitive account information. Nevertheless, the conventional encryption schemes cannot work on the encrypted data without decrypting it first. Thus, to alter the account balance while keeping the account encrypted, we adopt the advanced homomorphic encryption scheme [1]. Homomorphism is a mapping from an algebraic structure (such as a group, ring, or vector space) to a similar algebraic structure, which keeps all related structures unchanged. To put it bluntly, homomorphic encryption allows users to perform specific algebraic operations on the ciphertext directly, and the result obtained is the same as performing the same operation on the plaintext and then encrypting the result. Actually, the well-known public-key encryption schemes have homomorphic properties. However, they only support partial homomorphism, i.e., they only support addition or multiplication operations on the ciphertext and cannot enable addition and multiplication. For example, the well-known RSA [2] and ElGamal encryption [3] only support homomorphic multiplication, while the Paillier encryption scheme supports homomorphic addition.

Homomorphic encryption can be classified into three main categories according to the type of mathematical operations performed on its ciphertext.

• Partially homomorphic encryption (PHE) [4]: PHE means that users can perform a specific operation (such as addition or multiplication) on the ciphertext indefinitely. Standard algorithms that use partially homomorphic encryption schemes include RSA, ElGamal encryption algorithm (with multiplicative homomorphism), and Paillier encryption algorithm [5] (with additive homomorphism).

• Somewhat homomorphic encryption (SHE) [6]: SHE supports limited operations (for example, addition or multiplication) up to a certain complexity, but these operations can only be performed a certain number of times. This is the pioneer of fully homomorphic encryption.
• Fully homomorphic encryption (FHE) [7]: This encryption scheme satisfies the properties of additive homomorphism and multiplication homomorphism at the same time. Users can use any effective computable function (such as addition and multiplication) in FHE. Unlike other forms of homomorphic encryption, it can handle arbitrary calculations of ciphertext.

For a better understanding, we take the simplified version of the ElGamal encryption scheme as an example to describe the procedures of homomorphic encryption:

Assume that the ciphertext of the ElGamal encryption scheme is calculated as:

where r is an arbitrary random, g is a generator, h is the public key, and m is the corresponding plaintext.

Now, if we have two ciphertexts denoted as CT₁ and CT₂ as follows:

Then, through multiplying the first part and second part of CT₁ and CT₂, respectively, we can get:

It is obvious that the ciphertext obtained after multiplication is exactly the ciphertext corresponding to m₁ ⋅ m₂. In this way, users can get the result of m₁⋅ m₂ just by decrypting CT.

Limited to its functionality, PHE is too simple to be adopted in real-life applications. To achieve account-based privacy in blockchain systems, Zecrey uses twisted ElGamal [8] to design fully homomorphic encryption schemes. Twisted ElGamal encryption is a public key encryption scheme improved based on the simplified version of the ElGamal. There are four primary algorithms in twisted ElGamal, as presented below.

Twisted ElGamal retains additive homomorphism and is as efficient and secure as the standard exponential ElGamal. More importantly, it is zero-knowledge friendly. Note that the second part of twisted ElGamal ciphertext can be viewed as Pedersen commitment [9] under the same commitment key, whose DL (discrete logarithm) relation is unknown to all users. Such structure of twisted ElGamal makes it compatible with all zero-knowledge proofs whose statement is of the form Pedersen commitment. In particular, one can directly employ Bulletproofs[10] to generate range proofs for values encrypted by twisted ElGamal in a black-box manner, and these proofs can be easily aggregated. Therefore, Twisted ElGamal enables us to easily devise zero-knowledge proofs for essential correctness of transactions and various application-dependent policies in a modular fashion.

Moreover, twisted ElGamal is very efficient. Compared with the most efficient reported implementation of Paillier PKE, twisted ElGamal is an order of magnitude better in key and ciphertext size and decryption speed (for small message space), two orders of magnitude better in encryption speed. Consequently, we achieve an efficient and effective protection approach for account privacy by designing a twist EIGamal-based homomorphic encryption scheme.

Zecrey Protocol was started in Feb, 2021 by a few PhDs with backgrounds. As part of its first milestone, Zecrey Protocol will launch the test network in July.

Zecrey official website is live now: Zecrey

Welcome to join our communities and follow us on twitter:

Medium：https://medium.com/@zecrey
Twitter: https://twitter.com/zecreyprotocol
Telegram: https://t.me/zecrey
Discord: https://discord.com/invite/U98ghQsJE5

References

[1] Ogburn M, Turner C, Dahal P. Homomorphic encryption[J]. Procedia Computer Science, 2013, 20: 502–509.
[2] Milanov E. The RSA algorithm[J]. RSA Laboratories, 2009: 1–11.
[3] Meier A V. The elgamal cryptosystem[C]//Joint Advanced Students Seminar. 2005.
[4] Morris L. Analysis of partially and fully homomorphic encryption[J]. Rochester Institute of Technology, 2013: 1–5.
[5] Paillier P. Paillier Encryption and Signature Schemes[J]. 2005.
[6] Fan J, Vercauteren F. Somewhat practical fully homomorphic encryption[J]. IACR Cryptol. ePrint Arch., 2012, 2012: 144.
[7] Gentry C. A fully homomorphic encryption scheme[M]. Stanford: Stanford university, 2009.
[8] Chen Y, Ma X, Tang C, et al. PGC: Decentralized confidential payment system with auditability[C]//European Symposium on Research in Computer Security. Springer, Cham, 2020: 591–610.
[9] Metere R, Dong C. Automated cryptographic analysis of the pedersen commitment scheme[C]//International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security. Springer, Cham, 2017: 275–287.
[10] Bunz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., & Maxwell, G. (2018). Bulletproofs: Short Proofs for Confidential Transactions and More. Proceedings — IEEE Symposium on Security and Privacy, 2018-May, 315–334. https://doi.org/10.1109/SP.2018.00020