Suyash Bagad
Department of Electrical Engineering, IIT Bombay
As a Part of Dual Degree (B.Tech + M.Tech) Project
Prof. Saravanan Vijayakumaran
Guide
June 29, 2020
Shorter, Privacy-Enhancing
Proof of Reserves
Proof of Reserves
Outline
Log-sized Privacy-Enhancing Proofs of Reserves Protocol
Motivation and main idea
Confidentiality of Amounts in Grin
Presented at Crypto Valley Conference on Blockchain Technology, 2020
Focus on performance trade-offs and implementation
Work accepted at IEEE Security & Privacy on Blockchain, 2020
Graph-based analysis of the Grin Blockchain
Main challenge in design
Adaptability to Edwards and Ristretto curves
MimbleWimble
Monero
Revelio
Each output in MimbleWimble is a Pedersen Commitment
For an amount \(a \in \{0,1,\dots,2^{64}-1\}\) and blinding factor \(k \in \mathbb{Z}_q\)
where \(g,h \in \mathbb{G}\) such that DL relation between them is unknown
Revelio
For each \(C_i \in \mathcal{C}_{\text{anon}},\) publish the tags \((I_1, \dots, I_n) \in \mathbb{G}^n\) where \( n = |\mathcal{C}_{\text{anon}}|\)
Publish \(C_{\text{assets}} = \prod_{i \in [n]} I_i,\) and NIZK proofs \(\sigma_i \in \mathbb{Z}_q^5 \ \forall i \in [n]\)
where \(y_i = \mathcal{H}(k_{\text{exch}}, C_i) \in \Z_q\)
Drawbacks of Revelio
Proof size linear in anonymity set size
Can we shrink proofs sizes to \(\mathcal{O}( \text{log}_2(n))\)?
Can we link the blockchain state to the proof of reserves?
Privacy of outputs depends on the anonymity set \(n\)
RevelioBP!
RevelioBP!
Publish tag vector \((I_1, I_2, \dots, I_s),\) \(C_{\text{assets}} = \prod_{i \in [n]} I_i\) and NIZK \(\Pi_{\text{RevBP}}\)
More on RevelioBP
To build \(\Pi_{\text{RevBP}},\) we combine the constraints using a scalar \(u \leftarrow \mathbb{Z}_q\)
We then use Inner Product Argument of the form
RevelioBP proof size | Revelio proof size |
Performance Trade-offs
RevelioBP | Revelio | |
---|---|---|
Proof size | ||
Scalability | ||
Blockchain state | ||
Output privacy | ||
Inflation resistance | ||
Own set size | ||
Running times |
For UTXO set size \(n=1.6\times 10^5\) and \(s=10^2\)
Proof Sizes
We implemented RevelioBP in Rust over \( \mathbb{G} = \texttt{secp256k1}\) elliptic curve
Note: All plots are in log-log scale.
RevelioBP proofs are \(\ge 10X\) shorter that that of Revelio
Running Times
RevelioBP proof generation is \(\approx 2X\) slower that of Revelio
Note: All plots are in log-log scale.
RevelioBP ver. is \(\approx 3X\) faster than its gen. due to multi-exponentiation
MProve+
Key challenge: Unlinking key-images & one-time addresses in MProve
Use an approach similar to RevelioBP
An MProve+ proof looks like
Implementation Challenges
Implemented MProve+ and MProve in Rust over \(\texttt{ed25519, ristretto}\)
Small subgroup attack possible in \(\texttt{ed25519}\)
Implementation Challenges
Implemented MProve+ and MProve in Rust over \(\texttt{ed25519, ristretto}\)
Small subgroup attack possible in \(\texttt{ed25519}\). For a prime \(q\)
Ristretto constructs a prime order group from an Edwards curve
MProve+ over \(\texttt{ristretto}\) allows generalisation for other Edwards curves
We show conversion of Ristretto points to Edwards
Wrote an Elligator support over \(\texttt{ed25519}\) to generate random curve points
Running Times for \(\mathbb{G}_{\textsf{ris}}\)
Note: All plots are in log-log scale.
Thank
Happy to answer any questions!
you!
Aztec-Suyash-Round#2
By Suyash Bagad
Aztec-Suyash-Round#2
Short Presentation of thesis project for Aztec Protocol.
- 72