RingCT in Zecrey
Blockchain is a distributed ledger of transaction records shared among nodes without relying on a trusted authority. Transaction records are synchronized to all nodes by a consensus algorithm, in order to provide a globally agreed, immutable history. However, all transaction data, including the sender's public key, the recipient's public key and the transaction amount, are publicly visible. That is undesirable for sensitive transactions in FinTech. As a result, privacy-preserving blockchains have received a lot of attention in both industry and academia.
In the previous article we gave a detailed introduction to the Pedersen commitment, which is a basic building block for transaction privacy. However, as discussed there, a commitment scheme cannot be used as-is: the committed inputs must be valid, i.e., constrained to the legal range. This is a real problem precisely because the scheme is private: a receiver (or any other verifier) learns nothing about the committed amount, so a dishonest sender could commit to an out-of-range value (for example a negative amount, which is just a very large number modulo the group order) while the homomorphic balance check still passes. Therefore a range proof is needed to assure verifiers that the committed inputs are legal. In Zecrey we designed a range proof scheme in the spirit of RingCT; this article gives a high-level explanation of RingCT.
The first blockchain Confidential Transaction (CT) scheme [1] is a proposed enhancement to the Bitcoin protocol for hiding payment values on the blockchain. To also achieve sender anonymity, a number of coin-mixing protocols have been combined with CT. The cryptocurrency Monero [2] combines a linkable ring signature with CT to obtain the Ring Confidential Transaction (RingCT) protocol [3]. For M transaction inputs, RingCT uses M ring signatures of size O(n) each, where n is the number of possible signers, plus one more ring signature of size O(n) for the net transaction amount, so Monero's RingCT1.0 carries (M + 1) signatures of size O(n) each. Because the large signature size limits the number n of possible signers, n in Monero's official wallet software ranged from 5 to 20 only, so the sender anonymity of RingCT1.0 is at most 1-out-of-20. This small ring size enables various attacks on the anonymity of Monero users: analyses of Monero blockchain data show that the real signer can be identified with non-negligible probability. Moreover, the RingCT1.0 paper gives no formal definition or security model for RingCT. RingCT2.0 later addressed this with (M + 1) signatures of size O(1) each, but at the price of trusted public parameters, which are undesirable in the setting of a public blockchain. Hence we give a brief overview of RingCT3.0 [4] here.
RingCT3.0 is the most efficient ring confidential transaction protocol known to us for protecting the sender's identity, the recipient's identity and the confidentiality of the transaction amount. For a typical 2-input transaction with a ring size of 1024, the ring signature of RingCT3.0 is 98% smaller than that of the original RingCT1.0 protocol used in Monero. Note that the transaction fee depends on the length of the transaction data, which is dominated by the senders' signatures. For Bitcoin, a typical 2-input-2-output transaction contains 2 ECDSA signatures and is about 1 kB long. As of April 2018, the average Bitcoin transaction fee was USD 1 and the daily transaction fees of the whole Bitcoin system amounted to USD 160,000. For Monero, the total signature size of a typical confidential transaction is 13.2 kB. Any reduction in signature size therefore has a significant impact on the crypto-economy, and for public blockchains an improvement in signature size matters more than one in computation efficiency. By taking advantage of the compact RingCT3.0 transcript, privacy-preserving cryptocurrencies can enjoy much lower transaction fees.
In addition to the efficiency gain, RingCT3.0 is proven secure in a stronger security model. The trusted setup assumed by RingCT2.0 is removed by using a zero-knowledge range proof for a value committed in a Pedersen commitment [5] that needs no trusted setup. RingCT3.0 is also anonymous against ring insiders (non-signing users who are included in the ring). The protocol relies on a newly designed ring signature scheme as its underlying primitive, believed to be the most efficient ring signature scheme to date (in terms of signature size) without trusted setup. The scheme is derived from an efficient set membership proof for n public keys with proof size O(log n); it is the first set membership proof without trusted setup for public keys in the base group rather than in the exponent.
After this brief introduction to the RingCT protocol, we give a concrete introduction to its core supporting technology, the ring signature, which is already widely used in the security field. A ring signature is a type of digital signature that can be produced by any member of a set of users who each hold a key pair, so a message with a valid ring signature is endorsed by someone in that set. A key security property is that it must be computationally infeasible to determine which member's key produced the signature, which is what provides signer anonymity. Understanding ring signatures will deepen our understanding of the core privacy protocols used by the mainstream blockchain privacy projects.
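As an added example (not code from this article, from Zecrey, or from Monero), the following pure-Python script works through the two points made above: the Pedersen balance check from the range-proof discussion, including an out-of-range "negative" amount that passes it, and a minimal Schnorr-style (AOS) ring signature of the kind just described. secp256k1 is used only for concreteness (Monero builds on ed25519 with a linkable variant); the label used to derive the second generator H, the function and variable names, the sample message and the sample amounts are all assumptions made for the demo. It needs Python 3.8+ for `pow(x, -1, p)`.

```python
# Added demo, not Zecrey's or Monero's code: Pedersen commitments and an AOS
# (Schnorr-style) ring signature over secp256k1, pure Python 3.8+, not constant-time.
import functools
import hashlib
import secrets

# secp256k1 domain parameters.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def encode(pt):
    return bytes(64) if pt is None else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def hash_to_point(label):
    """Second generator whose discrete log w.r.t. G nobody knows (try-and-increment)."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)   # sqrt candidate; valid as P % 4 == 3
        if y * y % P == (x ** 3 + 7) % P:
            return (x, y)
    raise RuntimeError("no curve point found")

H = hash_to_point(b"demo Pedersen generator H")  # assumed label, not any standard

# --- Pedersen commitments and the balance check that motivates range proofs ---
def commit(value, blinding):
    """C = value*G + blinding*H: hides value, binds the committer to it."""
    return ec_add(ec_mul(value, G), ec_mul(blinding, H))

def balance_holds(input_commitments, output_commitments):
    """sum(inputs) == sum(outputs). Arithmetic is mod N, so an output of N-1
    ('minus one') passes too; only a range proof per output rules that out."""
    total = lambda cs: functools.reduce(ec_add, cs, None)
    return total(input_commitments) == total(output_commitments)

def inflation_demo():
    """Spend one 10-coin input into outputs of 11 and N-1: balances, creates value."""
    r1, r2 = secrets.randbelow(N), secrets.randbelow(N)
    return balance_holds([commit(10, (r1 + r2) % N)], [commit(11, r1), commit(N - 1, r2)])

# --- AOS ring signature: one of n keys signed, verifier cannot tell which ---
def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def _challenge(msg, ring, commitment):
    h = hashlib.sha256(msg)
    for pk in ring:
        h.update(encode(pk))
    h.update(encode(commitment))
    return int.from_bytes(h.digest(), "big") % N

def ring_sign(msg, ring, s, x_s):
    """Sign msg with secret key x_s of ring[s]; output is (e_0, [r_0..r_{n-1}])."""
    n = len(ring)
    e, r = [None] * n, [None] * n
    alpha = secrets.randbelow(N - 1) + 1
    e[(s + 1) % n] = _challenge(msg, ring, ec_mul(alpha, G))
    for step in range(1, n):           # simulate every non-signer with a random r_i
        i = (s + step) % n
        r[i] = secrets.randbelow(N - 1) + 1
        e[(i + 1) % n] = _challenge(msg, ring, ec_add(ec_mul(r[i], G), ec_mul(e[i], ring[i])))
    r[s] = (alpha - e[s] * x_s) % N     # close the ring with the real secret key
    return e[0], r

def ring_verify(msg, ring, sig):
    e0, r = sig
    if len(r) != len(ring):
        return False
    e = e0
    for pk, r_i in zip(ring, r):
        e = _challenge(msg, ring, ec_add(ec_mul(r_i, G), ec_mul(e, pk)))
    return e == e0
```

`inflation_demo()` returns `True`: a 10-coin input is split into outputs of 11 and N-1, and the commitment sums still match, which is exactly the "chance to do evil" that a range proof on every output closes. In `ring_sign`, the verifier's hash chain is started from a random point at the signer's position and closed with the signer's secret key, so every non-signer's response is an ordinary random scalar and the transcript carries no information about the index s. Note that the signature here is n + 1 scalars, i.e. size O(n) like RingCT1.0; shrinking that to O(log n) without a trusted setup is the contribution of RingCT3.0.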
Zecrey official website: Zecrey
Welcome to join our communities and follow us on twitter:
Medium: https://medium.com/@zecrey
Twitter: https://twitter.com/zecreyprotocol
Telegram: https://t.me/zecrey
Discord: https://discord.com/invite/U98ghQsJE5
References
[1] Maxwell, G.: Confidential Transactions (2015). https://people.xiph.org/~greg/confidential_values.txt
[2] Investopedia: Introduction to Monero (XMR). https://www.investopedia.com/tech/introduction-monero-xmr/
[3] Noether, S.: Ring Signature Confidential Transactions for Monero. Cryptology ePrint Archive, Report 2015/1098 (2015). https://eprint.iacr.org/2015/1098
[4] Yuen, T.H., Sun, S., Liu, J.K., et al.: RingCT 3.0 for Blockchain Confidential Transaction: Shorter Size and Stronger Security. In: Financial Cryptography and Data Security (FC 2020), Springer, Cham, pp. 464–483 (2020)
[5] What is a Pedersen commitment? Cryptography Stack Exchange. https://crypto.stackexchange.com/questions/64437/what-is-a-pedersen-commitment