Suyash Bagad

Department of Electrical Engineering, IIT Bombay

As a Part of Dual Degree (B.Tech + M.Tech) Project

Prof. Saravanan Vijayakumaran

Guide

June 29, 2020

Shorter, Privacy-Enhancing

Proof of Reserves

Outline

Log-sized Privacy-Enhancing Proofs of Reserves Protocol

Motivation and main idea

Confidentiality of Amounts in Grin

Presented at Crypto Valley Conference on Blockchain Technology, 2020

Focus on performance trade-offs and implementation

Work accepted at IEEE Security & Privacy on Blockchain, 2020

Graph-based analysis of the Grin Blockchain

Main challenge in design

Adaptability to Edwards and Ristretto curves

MimbleWimble

Monero

Revelio

\mathcal{C}_{\text{own}}

\mathcal{C}_{\text{own}}

C = g^{k} \cdot h^{a}

C = g^{k} \cdot h^{a}

C \in \mathcal{C}_{\text{own}} \implies k \text{ is known}

C \in \mathcal{C}_{\text{own}} \implies k \text{ is known}

Each output in MimbleWimble is a Pedersen Commitment

For an amount $a \in \{0,1,\dots,2^{64}-1\}$ and blinding factor $k \in \mathbb{Z}_q$

where $g,h \in \mathbb{G}$ such that DL relation between them is unknown

Revelio

\mathcal{C}_{\text{anon}}

\mathcal{C}_{\text{anon}}

1

1

2

2

3

3

4

4

5

5

6

6

7

7

8

8

9

9

10

10

12

12

11

11

13

13

For each $C_i \in \mathcal{C}_{\text{anon}},$ publish the tags $(I_1, \dots, I_n) \in \mathbb{G}^n$ where $n = |\mathcal{C}_{\text{anon}}|$

Publish $C_{\text{assets}} = \prod_{i \in [n]} I_i,$ and NIZK proofs $\sigma_i \in \mathbb{Z}_q^5 \ \forall i \in [n]$

PoK\big\{\underbrace{(\alpha,\beta,\gamma)}_{\text{secret}} \ | \ \underbrace{(C_i = g^{\alpha} \cdot h^{\beta} \ \wedge \ I_i = g_t^{\alpha} \cdot h^{\beta}) \vee (I_i = g_t^{\gamma}) }_{\text{statement}} \big\}

PoK\big\{\underbrace{(\alpha,\beta,\gamma)}_{\text{secret}} \ | \ \underbrace{(C_i = g^{\alpha} \cdot h^{\beta} \ \wedge \ I_i = g_t^{\alpha} \cdot h^{\beta}) \vee (I_i = g_t^{\gamma}) }_{\text{statement}} \big\}

where $y_i = \mathcal{H}(k_{\text{exch}}, C_i) \in \Z_q$

I_i = \begin{cases} \ g_1^{k_i} \cdot h^{a_i} & \text{if } C_i \in \mathcal{C}_{\text{own}},\\ \ g_1^{y_i} & \text{if } C_i \notin \mathcal{C}_{\text{own}}, \end{cases}

I_i = \begin{cases} \ g_1^{k_i} \cdot h^{a_i} & \text{if } C_i \in \mathcal{C}_{\text{own}},\\ \ g_1^{y_i} & \text{if } C_i \notin \mathcal{C}_{\text{own}}, \end{cases}

Drawbacks of Revelio

Proof size linear in anonymity set size

(n+1) \text{ in } \mathbb{G}, \ 5n \text{ in } \mathbb{Z}_q

(n+1) \text{ in } \mathbb{G}, \ 5n \text{ in } \mathbb{Z}_q

Can we shrink proofs sizes to $\mathcal{O}( \text{log}_2(n))$ ?

Can we link the blockchain state to the proof of reserves?

Privacy of outputs depends on the anonymity set $n$

RevelioBP!

1

1

2

2

3

3

4

4

5

5

6

6

7

7

8

8

9

9

10

10

12

12

11

11

13

13

0

0

1

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

(

(

)

)

\textbf{e}_1 =

\textbf{e}_1 =

0

0

0

0

0

0

0

0

0

0

1

1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

(

(

)

)

\textbf{e}_2 =

\textbf{e}_2 =

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

0

0

0

0

0

0

0

(

(

)

)

\textbf{e}_3 =

\textbf{e}_3 =

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

0

0

0

0

0

0

(

(

)

)

\textbf{e}_4 =

\textbf{e}_4 =

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

1

(

(

)

)

\textbf{e}_5 =

\textbf{e}_5 =

k_1

k_1

k_2

k_2

k_3

k_3

k_4

k_4

k_5

k_5

(

(

)

)

\textbf{k} =

\textbf{k} =

PoK\left\{ \ (\textbf{k} \in \mathbb{Z}_q^s, \ \textbf{E} \in \mathbb{Z}_2^{s \times n}) \ | \ \textbf{C}^{\textbf{e}_j} = g^{k_j}h^{a_j} \ \wedge \ \ I_j = g_t^{k_j}h^{a_j} \ \forall j \in [s] \ \right\}

PoK\left\{ \ (\textbf{k} \in \mathbb{Z}_q^s, \ \textbf{E} \in \mathbb{Z}_2^{s \times n}) \ | \ \textbf{C}^{\textbf{e}_j} = g^{k_j}h^{a_j} \ \wedge \ \ I_j = g_t^{k_j}h^{a_j} \ \forall j \in [s] \ \right\}

Publish tag vector $(I_1, I_2, \dots, I_s),$ $C_{\text{assets}} = \prod_{i \in [n]} I_i$ and NIZK $\Pi_{\text{RevBP}}$

More on RevelioBP

PoK\left\{ \ (\textbf{k} \in \mathbb{Z}_q^s, \ \textbf{E} \in \mathbb{Z}_2^{s \times n}) \ | \ \textbf{C}^{\textbf{e}_j} = g^{k_j}h^{a_j} \ \wedge \ \ I_j = g_t^{k_j}h^{a_j} \ \forall j \in [s] \ \right\}

PoK\left\{ \ (\textbf{k} \in \mathbb{Z}_q^s, \ \textbf{E} \in \mathbb{Z}_2^{s \times n}) \ | \ \textbf{C}^{\textbf{e}_j} = g^{k_j}h^{a_j} \ \wedge \ \ I_j = g_t^{k_j}h^{a_j} \ \forall j \in [s] \ \right\}

To build $\Pi_{\text{RevBP}},$ we combine the constraints using a scalar $u \leftarrow \mathbb{Z}_q$

\prod_{j \in [s]} \left(g^{-k_j} \cdot g_t^{k_j} \cdot \textbf{C}^{\textbf{e}_{i_j}} \cdot I_j^{-1}\right)^{u^{j-1}} = 1,

\prod_{j \in [s]} \left(g^{-k_j} \cdot g_t^{k_j} \cdot \textbf{C}^{\textbf{e}_{i_j}} \cdot I_j^{-1}\right)^{u^{j-1}} = 1,

\implies g^{- \langle \textbf{u}^s, \textbf{k} \rangle} \cdot g_t^{\langle \textbf{u}^s, \textbf{k} \rangle} \cdot \textbf{C}^{ \textbf{u}^s \textbf{E}} \cdot \textbf{I}^{- \textbf{u}^s} = 1,

\implies g^{- \langle \textbf{u}^s, \textbf{k} \rangle} \cdot g_t^{\langle \textbf{u}^s, \textbf{k} \rangle} \cdot \textbf{C}^{ \textbf{u}^s \textbf{E}} \cdot \textbf{I}^{- \textbf{u}^s} = 1,

We then use Inner Product Argument of the form

PoK \left\{ (\textbf{a}, \textbf{b}) \in \mathbb{Z}_q^N \ | \ P = u^{c}\textbf{g}^{\textbf{a}} \textbf{h}^{\textbf{b}} \wedge c = \langle \textbf{a}, \textbf{b} \rangle \ \right\}

PoK \left\{ (\textbf{a}, \textbf{b}) \in \mathbb{Z}_q^N \ | \ P = u^{c}\textbf{g}^{\textbf{a}} \textbf{h}^{\textbf{b}} \wedge c = \langle \textbf{a}, \textbf{b} \rangle \ \right\}

s + 2 \text{log}_2(sn+n+s+3) \text{ in } \mathbb{G}, \ 5 \text{ in } \mathbb{Z}_q

s + 2 \text{log}_2(sn+n+s+3) \text{ in } \mathbb{G}, \ 5 \text{ in } \mathbb{Z}_q

RevelioBP proof size	Revelio proof size

(n+1) \text{ in } \mathbb{G}, \ 5n \text{ in } \mathbb{Z}_q

(n+1) \text{ in } \mathbb{G}, \ 5n \text{ in } \mathbb{Z}_q

Performance Trade-offs

	RevelioBP	Revelio
Proof size
Scalability
Blockchain state
Output privacy
Inflation resistance
Own set size
Running times

\mathcal{O}(n)

\mathcal{O}(n)

\mathcal{O}(s+\text{log}_2(sn))

\mathcal{O}(s+\text{log}_2(sn))

\mathcal{O}(sn)

\mathcal{O}(sn)

\mathcal{O}(n)

\mathcal{O}(n)

For UTXO set size $n=1.6\times 10^5$ and $s=10^2$

5\text{KB}

5\text{KB}

32\text{MB}

32\text{MB}

(164,68)\\[-3pt] \text{min}

(164,68)\\[-3pt] \text{min}

(34,34)\\[-3pt] \text{min}

(34,34)\\[-3pt] \text{min}

Proof Sizes

We implemented RevelioBP in Rust over $\mathbb{G} = \texttt{secp256k1}$ elliptic curve

n \ \longrightarrow

n \ \longrightarrow

s \ \longrightarrow

s \ \longrightarrow

s=20

s=20

n=1000

n=1000

\text{Proof size in KB} \longrightarrow

\text{Proof size in KB} \longrightarrow

Note: All plots are in log-log scale.

RevelioBP proofs are $\ge 10X$ shorter that that of Revelio

Running Times

RevelioBP proof generation is $\approx 2X$ slower that of Revelio

n \ \longrightarrow

n \ \longrightarrow

s \ \longrightarrow

s \ \longrightarrow

s=20

s=20

n=1000

n=1000

\text{Running time in mins} \longrightarrow

\text{Running time in mins} \longrightarrow

Note: All plots are in log-log scale.

RevelioBP ver. is $\approx 3X$ faster than its gen. due to multi-exponentiation

MProve+

Key challenge: Unlinking key-images & one-time addresses in MProve

\Pi_{t_1} = \left\{ (P_1, I_1,\alpha_1, \beta_1), \ (P_2, I_2,\alpha_2, \beta_2), \ \ldots \ , \ (P_n, I_n,\alpha_n, \beta_n), \right\}

\Pi_{t_1} = \left\{ (P_1, I_1,\alpha_1, \beta_1), \ (P_2, I_2,\alpha_2, \beta_2), \ \ldots \ , \ (P_n, I_n,\alpha_n, \beta_n), \right\}

\textsf{Tx}_{t_2} = \{\mathcal{R}, I_{2}\}

\textsf{Tx}_{t_2} = \{\mathcal{R}, I_{2}\}

Use an approach similar to RevelioBP

PoK\left\{ (\textbf{x}, \textbf{k} \in \mathbb{Z}_q^s, \ \textbf{E} \in \mathbb{Z}_2^{s \times n}) \ \bigg| \ \textbf{P}^{\textbf{e}_j} = g^{x_j}, \ \textbf{C}^{\textbf{e}_j} = g^{k_j}h^{a_j}, \ \ I_j = g_t^{k_j}h^{a_j} \ \forall j \in [s] \ \right\}

PoK\left\{ (\textbf{x}, \textbf{k} \in \mathbb{Z}_q^s, \ \textbf{E} \in \mathbb{Z}_2^{s \times n}) \ \bigg| \ \textbf{P}^{\textbf{e}_j} = g^{x_j}, \ \textbf{C}^{\textbf{e}_j} = g^{k_j}h^{a_j}, \ \ I_j = g_t^{k_j}h^{a_j} \ \forall j \in [s] \ \right\}

An MProve+ proof looks like

\Pi^{+}_{t_1} = \{ \textbf{P}, \textbf{C}\in \mathbb{G}^n, \ \textbf{I} \in \mathbb{G}^s, \ \Pi_{\textsf{\tiny NIZK}} \}

\Pi^{+}_{t_1} = \{ \textbf{P}, \textbf{C}\in \mathbb{G}^n, \ \textbf{I} \in \mathbb{G}^s, \ \Pi_{\textsf{\tiny NIZK}} \}

Implementation Challenges

Implemented MProve+ and MProve in Rust over $\texttt{ed25519, ristretto}$

Small subgroup attack possible in $\texttt{ed25519}$

Implementation Challenges

Implemented MProve+ and MProve in Rust over $\texttt{ed25519, ristretto}$

Small subgroup attack possible in $\texttt{ed25519}$ . For a prime $q$

Ristretto constructs a prime order group from an Edwards curve

MProve+ over $\texttt{ristretto}$ allows generalisation for other Edwards curves

|\mathbb{G}_{\textsf{ed}}| = 8q, \ |\mathbb{G}_{\textsf{ris}}| = q

|\mathbb{G}_{\textsf{ed}}| = 8q, \ |\mathbb{G}_{\textsf{ris}}| = q

We show conversion of Ristretto points to Edwards

Wrote an Elligator support over $\texttt{ed25519}$ to generate random curve points

Running Times for $\mathbb{G}_{\textsf{ris}}$

n \ \longrightarrow

n \ \longrightarrow

s \ \longrightarrow

s \ \longrightarrow

\text{Running time in mins} \longrightarrow

\text{Running time in mins} \longrightarrow

Note: All plots are in log-log scale.

s=100

s=100

n=5000

n=5000

n \approx 2000

n \approx 2000

Thank

Happy to answer any questions!

Shorter, Privacy-Enhancing

Proof of Reserves

Proof of Reserves

Outline

Revelio

Revelio

Drawbacks of Revelio

RevelioBP!

RevelioBP!

More on RevelioBP

Performance Trade-offs

Proof Sizes

Running Times

MProve+

Implementation Challenges

Implementation Challenges

Running Times for $\mathbb{G}_{\textsf{ris}}$

Thank

you!

Aztec-Suyash-Round#2

Aztec-Suyash-Round#2

Suyash Bagad

Shorter, Privacy-Enhancing

Proof of Reserves

Proof of Reserves

Aztec-Suyash-Round#2

More from Suyash Bagad