Simple Schnorr Signature with Pedersen Commitment as Key
In a transaction-output-based blockchain system, where each transaction spends UTXOs (the previously unspent transaction outputs), a user must provide a signature, or more precisely a for Bitcoin, to spend a UTXO, which proves ownership of the output being spent. When a Pedersen commitment or ElGamal commitment is introduced into the blockchain as a transaction output, to support the confidential transaction feature, where the input and output amounts in a transaction are hidden, prior signature schemes such as the Schnorr signature scheme and its variants do not directly work if the commitment is used as the public key, since nobody, including the committer, knows the private key of a when is not zero, meaning no one knows the such that . This is a signature scheme which is able to use the as the signature public key for any value of . The signer, proceeding from a random Pedersen commitment , generates a random bit sequence , by multiplication of a stored private key with the bit sequence and by addition of the random number to get the , by multiplication of the committed value with the bit sequence and by addition of the random number to get the , and finally constructs as the signature, with the corresponding public key . In turn, the verifier calculates a Pedersen commitment , and accepts the signature if . For an electronic signature, a hash value is calculated from a random Pedersen commitment , the Pedersen commitment , and from the message to be signed. This signature scheme will be very helpful in the design of a non-interactive transaction in Mimblewimble.
A formal analysis of the mimblewimble cryptocurrency protocol with a security approach
A cryptocurrency is a digital currency that can be exchanged online for goods and services. Cryptocurrencies are deployed over public blockchains, which have the transactions duplicated and distributed across the nodes of a computer network. This decentralized mechanism is devised in order to achieve reliability in a network consisting of unreliable nodes. Privacy, anonymity and security have become crucial in this context. For that reason, formal and mathematical approaches are gaining popularity in order to guarantee the correctness of cryptocurrency implementations. Mimblewimble is a privacy-oriented cryptocurrency technology which provides security and scalability properties that distinguish it from other protocols of its kind. It was proposed by an anonymous developer, who posted a link to a text file on the IRC channel under the name Tom Elvis Jedusor (the French name for Voldemort) in mid-2016. Mimblewimble's cryptographic approach is based on Elliptic Curve Cryptography, which allows one to verify a transaction without revealing any information about the transacted amount or the parties involved. Mimblewimble combines Confidential Transactions, CoinJoin and cut-through to achieve a higher level of privacy and security, as well as scalability. In this thesis, we present and discuss these security properties and outline the basis of a model-driven verification approach to address the certification of the correctness of the protocol implementations. In particular, we propose an idealized model that is key in the described verification process.
The main components of our idealized model are transactions, blocks and chain. Then, we identify and precisely state the conditions for our model to ensure the verification of relevant security properties of Mimblewimble. In addition, we analyze the Grin and Beam implementations of Mimblewimble in their current state of development. We present detailed connections between our model and their implementations regarding the Mimblewimble structure and its security properties
Variance: Secure Two-Party Protocol for Solving Yao's Millionaires' Problem in Bitcoin
Secure multiparty protocols are useful tools for parties wishing to jointly compute a function while keeping their input data secret. The millionaires' problem is the first secure two-party computation problem, where the goal is to securely compare two private numbers without a trusted third party. There have been several solutions to the problem, including Yao's protocol [Yao, 1982] and Mix and Match [Jakobsson and Juels, 2000]. However, Yao's protocol is not secure in the malicious model, and Mix and Match unnecessarily releases theoretically breakable encryptions of information about the data that is not needed for the comparison. In addition, neither protocol has any verification of the validity of the inputs before they are used. In this thesis, we introduce Variance, a privacy-preserving two-party protocol for solving Yao's millionaires' problem in a Bitcoin setting, in which each party controls several Bitcoin accounts (public Bitcoin addresses) and they want to find out who owns more bitcoins without revealing (1) how many accounts they own and the balance of each account, (2) the addresses associated with their accounts, and (3) their total wealth in bitcoins, while assuring the other party that they are not claiming more bitcoin than they possess. We utilize commitments, encryptions, zero-knowledge proofs, and homomorphisms as the major computational tools to provide a solution to the problem, and subsequently prove that the solution is secure against active adversaries in the malicious model.
A Privacy-preserving Central Bank Ledger for Central Bank Digital Currency
Central banks around the world are actively exploring the issuance of retail central bank digital currency (rCBDC), which is widely seen as a key upgrade of the monetary system in the 21st century. However, privacy concerns are the main impediment to rCBDC's development and roll-out. A central bank as the issuer of rCBDC would typically need to keep a digital ledger to record all the balances and transactions of citizens. These data, when combined with other data, could possibly disclose the spending habits of all citizens. On the one hand, the eligible rights of people to keep their transactions private should be protected, including against central bank surveillance. On the other hand, the central bank needs to ensure that no over-issuance of money or other frauds occur, necessarily demanding a certain form of knowledge of rCBDC transactions to safeguard against malicious users who create counterfeit money or spend duplicated money. This work investigates cryptographic tools and privacy-enhancing technology with the aim to craft a scalable solution to strike a balance between user privacy and transaction verifiability. Different from the current mainstream thought among central banks, it assumes that the central bank maintains a ledger to record all balances and transactions of citizens, but in a concealed form. Specifically, this work focuses on rCBDC architectures based on the unspent transaction output (UTXO) data model and tackles the research problem of preserving a sufficient degree of privacy for UTXO transaction records while allowing the central bank to verify their correctness. While UTXO-based rCBDC architectures were widely tested among major central banks, user privacy is not adequately addressed. The adoption of evolving public keys as pseudonyms to hide the real identities of users is the most advanced privacy design for UTXO-based rCBDC, but it only solves the privacy issue partially. Some information could still be leaked out.
This work investigates techniques to address the shortcomings of the pseudonym approach. First, a Pedersen commitment scheme is applied to hide the transaction values of a UTXO transaction while allowing the central bank to verify that no over-issuance of rCBDC has occurred in the transaction. Contrary to the conventional approach, which applies a zero knowledge proof to prove no over-issuance, this work uses a Schnorr signature. This not only reduces the overheads but also enables a non-interactive proof. Then, Coinjoin is applied to aggregate UTXO transactions from different users into one larger UTXO transaction to obfuscate the payer-payee relationship while preserving the correctness of the amount of money flow. This work applies a well-developed notion in database research, namely, k-anonymity, to analyse the privacy guarantee of Coinjoin. Through modelling the transaction traffic by a Poisson process, the trade-off between anonymity and transaction confirmation time of Coinjoin is analysed
Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma
Multisignatures allow n signers to produce a short joint signature on a single message. Multisignatures were achieved in the plain model with a non-interactive protocol in groups with bilinear maps, by Boneh et al. [4], and by a three-round protocol under the Discrete Logarithm (DL) assumption, by Bellare and Neven [3], with multisignature verification cost of, respectively, O(n) pairings or exponentiations. In addition, multisignatures with O(1) verification were shown in the so-called Key Verification (KV) model, where each public key is accompanied by a short proof of well-formedness, again either with a non-interactive protocol using bilinear maps, by Ristenpart and Yilek [15], or with a three-round protocol under the Diffie-Hellman assumption, by Bagherzandi and Jarecki [1]. We improve on these results in two ways: First, we show a two-round O(n)-verification multisignature secure under the DL as
MPC for Group Reconstruction Circuits
In this work, we generalize threshold Schnorr signatures, ElGamal encryption, and a wide variety of other functionalities, using a novel formalism of group reconstruction circuits (GRCs). We construct a UC secure MPC protocol for computing these circuits on secret shared inputs, even in the presence of malicious parties. Applied to concrete circuits, our protocol yields threshold signature and encryption schemes with similar round complexity and concrete efficiency to functionality-specific protocols. Our formalism also generalizes to other functionalities, such as polynomial commitments and openings.
Stamp & Extend -- Instant but Undeniable Timestamping based on Lazy Trees
We present a Stamp&Extend time-stamping scheme based on linking via modified creation of Schnorr signatures.
The scheme is based on lazy construction of a tree of signatures.
Stamp&Extend returns a timestamp immediately after the request, unlike the schemes based on the concept of timestamping rounds.
Despite the fact that all timestamps are linearly linked, verification of a timestamp requires a logarithmic number of steps with respect to the chain length.
An extra feature of the scheme is that any attempt to forge a timestamp by the Time Stamping Authority (TSA) results in revealing its secret key, providing an undeniable cryptographic evidence of misbehavior of TSA.
Breaking Stamp&Extend requires not only breaking Schnorr signatures,
but to some extent also breaking Pedersen commitments.