Ring Signature Confidential Transactions

Monero Research Lab Papers

This article introduces a method of hiding transaction amounts in the strongly decentralized anonymous cryptocurrency Monero. Similar to Bitcoin, Monero is a cryptocurrency which is distributed through a proof-of-work “mining” process. The original Monero protocol was based on CryptoNote, which uses ring signatures and one-time keys to hide the destination and origin of transactions. Recently the technique of using a commitment scheme to hide the amount of a transaction has been discussed and implemented by Bitcoin Core developer Gregory Maxwell. In this article, a new type of ring signature, a Multilayered Linkable Spontaneous Anonymous Group (MLSAG) signature, is described which allows for hidden amounts, origins and destinations of transactions with reasonable efficiency and verifiable, trustless coin generation. Some extensions of the protocol are provided, such as aggregate Schnorr range proofs and ring multisignatures. The author would like to note that early drafts of this were publicized in the Monero community and on the Bitcoin research IRC channel. Blockchain-hashed drafts are available in showing that this work was started in summer 2015 and completed in early October 2015.

Spontaneous (Ad Hoc) Ring Signatures in CryptoCurrencies
Recall that in Bitcoin each transaction is signed by the owner of the coins being sent and these signatures verify that the owner is allowed to send the coins. This is entirely analogous to the signing of a check from your bank.

CryptoNote [16] and Ring Coin [2] advanced this idea by using “ring signatures” which were originally described in [15] as a “digital signature that specifies a group of possible signers such that the verifier can’t tell which member actually produced the signature.” The idea therefore is to have the origin pubkey of a transaction hidden in a group of pubkeys all of which contain the same amount of coins, so that no one can tell which user actually sent the coins.

The original CryptoNote protocol as described in [16] implements a slight modification of this to prevent double spends. Namely, in [16] a “traceable ring signature,” a slight modification of those described in [6], is employed. This type of ring signature has the benefit of not allowing the owner of a coin to sign two different ring signatures with the same pubkey without being noticed on the blockchain. The obvious reason for this is to prevent “double-spending,” which, in Bitcoin, refers to spending a coin twice. Ring Coin [2,3] uses a more efficient linkable ring signature which is a slight modification of the Linkable Spontaneous Anonymous Group signatures described in [8].

One benefit of using the above types of ring signatures over other anonymizing techniques, such as CoinJoin [10] or using coin mixing services, is that they allow for “spontaneous” mixing. With CoinJoin or coin mixers, it is similarly possible to hide the originator of a given transaction, however these techniques in practice need some sort of centralized group manager, such as a centralized CoinJoin server, where transactions are combined by a trusted party. In the case that the trusted party is compromised, the anonymity of the transaction is also compromised.

Some coins such as Dash (originally called Darkcoin) [5] attempt to negate this by using a larger number of trusted mixers (in this case masternodes), but this number is still much smaller than the number of users of the coin. In contrast, with a spontaneous ring signature, transactions can be created by the owner of a given pubkey (this is the spontaneous, or “ad-hoc,” property) without relying on any trusted server, thus providing safer anonymity.

One possible attack against the original CryptoNote or Ring Coin protocol [2,16] is blockchain analysis based on the amounts sent in a given transaction. For example, if an adversary knows that 0.9 coins have been sent at a certain time, then they may be able to narrow down the possible senders by looking for transactions containing 0.9 coins. This is somewhat mitigated by the one-time keys of [16], since the sender can include a number of change addresses in a transaction, obfuscating the amount sent with a type of “knapsack mixing.” However, this technique has the downside that it can create a large amount of “dust” on the blockchain, i.e. transactions of small amounts that take up proportionately more space than their importance warrants. Additionally, the receiver of the coins may have to “sweep” all this dust when they want to send it, possibly allowing a smart adversary to keep track of which keys go together. Furthermore, it is easy to establish upper and lower bounds on the amounts sent.

Another downside to the original CryptoNote set-up is that it requires a given pair (P, A) of pubkey P and amount A to be used in a ring signature only with other pubkeys having the same amount. For less common amounts, this means there may be a smaller number of potential pairs (P′, A′) available on the blockchain with A′ = A to form a ring signature with. Thus, in the original CryptoNote protocol, the potential anonymity set is perhaps smaller than may be desired. Analysis of the above weaknesses is covered in [9].

Ring CT for Monero
An obvious way to negate the downsides of the CryptoNote protocol, as described in the previous section, would be to implement hidden amounts for any transaction. In this paper, I describe a modification to the Monero protocol, a proof-of-work cryptocurrency extending the original CryptoNote protocol, which allows the amounts sent in a transaction to be hidden. This modification is based on the Confidential Transactions [11] used on the Elements sidechain for Bitcoin, except that it allows for their use in ring signatures. Therefore, the modification is given the obvious name of Ring Confidential Transactions for Monero.

In order to preserve the property that coins cannot be double spent, a generalization of the LSAGs of [8] is described, a Multilayered Linkable Spontaneous Anonymous Group Signature (MLSAG), which allows for combining Confidential Transactions with a ring signature in such a way that using multiple inputs and outputs is possible, anonymity is preserved, and double-spending is prevented. The author notes that an essentially similar protocol was proposed by Connor Frenkenecht about a month after the second drafts of this were originally publicized.
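The following is an added example, not code from the paper or from Monero, that puts the pieces of the preceding sections together in working form: a linkable ring signature with key images (the double-spend check of the previous section), Pedersen commitments that hide amounts, and a two-row MLSAG whose second row is each ring member's input commitment divided by the product of the output commitments, so that the ring closes only if the hidden amounts balance. To stay self-contained it runs over a toy prime-order subgroup of Z_p^* chosen at import time rather than over ed25519, uses multiplicative notation (the paper's xG is pow(G, x, P) and xG + aH is a product), and its generator, hashing and encoding choices are assumptions of the demo. It contains no range proof, so an output amount of Q - 1 acts as -1 and still balances; that gap is what the paper's range proofs close.

```python
# Added example, not code from the paper or from Monero: a Ring CT style MLSAG over a toy
# prime-order subgroup of Z_p^* (not ed25519), in multiplicative notation. Parameters, generator
# choices and hashing/encoding details are assumptions of this demo; no range proof is included.
import hashlib
import secrets

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    # Miller-Rabin with fixed bases; enough for choosing demo parameters.
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_safe_prime(bits):
    # Deterministically find p = 2q + 1 with p and q prime (toy group parameters, assumption).
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = make_safe_prime(128)  # modulus and the prime order of its quadratic-residue subgroup
G = 4                        # a quadratic residue, hence of order Q: plays the paper's base point G

def hash_to_scalar(*parts):
    # Fiat-Shamir hash reduced into Z_Q; parts are bytes or group elements.
    h = hashlib.sha256()
    for x in parts:
        h.update(x if isinstance(x, bytes) else x.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % Q

def hash_to_group(x):
    # H_p: hash a group element to another element of order Q (squaring removes the cofactor 2).
    d = hashlib.sha256(b"H_p" + x.to_bytes(32, "big")).digest()
    return pow(int.from_bytes(d, "big") % P, 2, P)
H = hash_to_group(G)  # amount generator whose log_G is unknown, obtained by hashing G (assumption)

def commit(mask, amount):
    # Pedersen commitment G^mask * H^amount (the paper's xG + aH): hides amount, homomorphic.
    return pow(G, mask, P) * pow(H, amount, P) % P

def ring_step(msg, pub_row, c, s_row, images):
    # One ring position: L_j = G^s_j * P_j^c and R_j = H_p(P_j)^s_j * I_j^c feed the next challenge.
    parts = []
    for pk, s, img in zip(pub_row, s_row, images):
        parts += [pow(G, s, P) * pow(pk, c, P) % P, pow(hash_to_group(pk), s, P) * pow(img, c, P) % P]
    return hash_to_scalar(msg, *parts)

def mlsag_sign(msg, pub, sec, pi):
    # pub[i][j] = ring member i, row j; sec[j] opens pub[pi][j]. Returns (c_1, s matrix, key images).
    n, m = len(pub), len(sec)
    if any(pow(G, sec[j], P) != pub[pi][j] for j in range(m)):
        raise ValueError("secrets do not open column pi (for Ring CT: the amounts do not balance)")
    images = [pow(hash_to_group(pub[pi][j]), sec[j], P) for j in range(m)]  # I_j = x_j H_p(P_j)
    alpha = [secrets.randbelow(Q) for _ in range(m)]
    s = [[secrets.randbelow(Q) for _ in range(m)] for _ in range(n)]
    c = [0] * n
    # Start at the signer with L_j = G^alpha_j and R_j = H_p(P_j)^alpha_j, ...
    start = [v for j in range(m) for v in (pow(G, alpha[j], P), pow(hash_to_group(pub[pi][j]), alpha[j], P))]
    c[(pi + 1) % n] = hash_to_scalar(msg, *start)
    i = (pi + 1) % n
    while i != pi:  # ... walk through the decoys with random s_i,j, ...
        c[(i + 1) % n] = ring_step(msg, pub[i], c[i], s[i], images)
        i = (i + 1) % n
    s[pi] = [(alpha[j] - c[pi] * sec[j]) % Q for j in range(m)]  # ... and close the ring at the signer.
    return c[0], s, images

def mlsag_verify(msg, pub, sig):
    # Recompute the challenge chain from c_1; it closes only for a signature by some column.
    c0, s, images = sig
    c = c0
    for i in range(len(pub)):
        c = ring_step(msg, pub[i], c, s[i], images)
    return c == c0

def ringct_matrix(ring_keys, ring_commits, out_commits):
    # Row 1: one-time keys. Row 2: C_in,i / prod(C_out), which at the real input is a pure power
    # of G exactly when the hidden amounts balance, so only then can the signer know its log.
    out_prod = 1
    for c in out_commits:
        out_prod = out_prod * c % P
    inv = pow(out_prod, P - 2, P)
    return [[pk, ci * inv % P] for pk, ci in zip(ring_keys, ring_commits)]

def demo():
    # Constructed scenario: four one-time keys on chain; we own index 2 (amount 7) and pay 2 + 5.
    secs = [secrets.randbelow(Q) for _ in range(4)]
    masks, amounts = [secrets.randbelow(Q) for _ in range(4)], [3, 11, 7, 5]
    commits = [commit(r, a) for r, a in zip(masks, amounts)]
    out_masks = [secrets.randbelow(Q) for _ in range(2)]
    outs = [commit(r, a) for r, a in zip(out_masks, [2, 5])]
    pi, z = 2, (masks[2] - sum(out_masks)) % Q  # z = log_G of the row-2 key at pi
    pub = ringct_matrix([pow(G, x, P) for x in secs], commits, outs)
    sig = mlsag_sign(b"tx bytes", pub, [secs[pi], z], pi)
    return mlsag_verify(b"tx bytes", pub, sig), sig[2][0]  # (True, key image that links a second spend)
```

Calling demo() signs a four-member ring spending the key at index 2 and returns True together with the first-row key image. Spending the same key again, even in a differently ordered ring and under a different message, reproduces that key image, which is what lets a node reject a double spend; with m = 1 the same routine is a plain linkable ring signature. Changing an output so the amounts no longer sum to the input makes the second-row secret fail to open the signer's column, so no valid signature can be produced, whereas an output of Q - 1 slips through the balance check, which is why range proofs are needed on top.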

Strongly Decentralized Anonymous Payment Schemes
The Ring CT protocol allows hidden amounts, origins, and destinations for transactions, which is somewhat similar to Zerocash [4]. One possible differentiator is that the use of proof of work for coin generation is possible with Ring CT, as opposed to Zerocash, where it seems all coins must be pregenerated by a trusted group.

Note that one of the biggest innovations in Bitcoin [13] was the decentralized distribution model allowing anyone willing to put their computing power to work to participate in the generation of the currency. Some of the benefits of this type of proof-of-work include trustless incentives for securing the network and stronger decentralization (for example, to protect against poison-pill type attacks).

One final obvious benefit of proof-of-work coin generation is that it makes Ring CT immune to a powerful actor somehow acquiring all the pieces of the master key used in coin generation. Since there is an obvious large incentive (the ability to generate free money [1]) to acquire all pieces of the trusted generation key, this is fairly important.

The Ring Confidential Transactions protocol provides a strongly decentralized cryptocurrency (i.e. there is no privileged party) which has provable security estimates regarding the hiding of amounts, origins and destinations. In addition, coin generation in the Ring Confidential Transactions protocol is trustless and verifiably secure. These five properties (strong decentralization, hidden amounts, hidden origins, hidden destinations, and trustless coin generation) are necessities for a cash-like cryptocurrency such as Monero.