MProve+

Privacy Enhancing Proof of Reserves for Monero

A. Dutta\(^{\dagger}\), Suyash Bagad\(^{\star}\), S. Vijayakumaran\(^{\dagger}\)

\(^{\dagger}\)Department of Electrical Engineering, IIT Bombay

Monero Konferenco 2023

June 23, 2023

\(^{\star}\)Aztec Protocol

Exchanges

  • Not your key, not your coins!
  • Cryptocurrency exchanges store your private keys
    • \(\color{lightgreen}{\text{Good:}}\) Seamless onboarding, trading
    • \(\color{red}{\text{Bad:}}\) Hacks, frauds, exit scams, fractional reserves! 

Solutions

  • Hardware wallets
    • Hard to use for general masses
    • Credit cards as HW wallets? Long way to go
  • Proof of solvency for exchanges:
  • Sensitive exchange data revealed
  • Still possible for public blockchains
  • What about Monero?
  • Hint: \(C^{\textcolor{lightgreen}{\text{Assets}} }\cdot C^{-\textcolor{red}{\text{Liabilities}}}>1\)
\textcolor{lightgreen}{\text{Assets}} - \textcolor{red}{\text{Liabilities}} \ge 0

BNB

USDC

BUSD

BTC

ETH

USDT

Challenges in

  • Proof of reserves with privacy is hard
  • A Monero tx hides the spending address using ring signatures 
  • For a public key \(P=xG,\) we define key-image: \(I = xH(P)\)
  • A ring signature \(\sigma\) over \(\{P_1, P_2, \dots, P_{11}\}\) proves:
    • The tx sender owns one of the public keys in the ring
    • The key image \(I\) helps detect double-spending
  • Idea: Prove that we own multiple UTXOs from a large set of keys
1
2
3
4
5
6
7
8
9
10
11

MProve

\mathcal{P}_{\text{own}}
  • Suppose the exchange owns five addresses on Monero
  • It chooses an anonymity set to hide its addresses

MProve

\mathcal{P}_{\text{anon}}
1
2
3
4
5
6
7
8
9
10
12
11
13
  • Suppose the exchange owns five addresses on Monero
  • It chooses an anonymity set to hide its addresses
C_i = g^{\textcolor{orange}{y_i}} \cdot h^{\textcolor{red}{a_i}}
C'_i = \begin{cases} g^{\textcolor{orange}{z_i}} & P_i\in\mathcal{P}_{\text{own}} \\ g^{\textcolor{orange}{z_i}} \cdot C_i & P_i\notin\mathcal{P}_{\text{own}} \end{cases}
  • For each address \(P_i\in\mathcal{P}_{\text{anon}},\) the commitment is:
  • For each address it owns \(P_i\in\mathcal{P}_{\text{own}},\) it knows \((\textcolor{orange}{y_i}, \textcolor{red}{a_i})\)
  • It computes modified commitment s.t. \(\textcolor{orange}{z_i}\leftarrow \mathbb{F}\)

MProve

\mathcal{P}_{\text{anon}}
1
2
3
4
5
6
7
8
9
10
12
11
13
C_i = g^{\textcolor{orange}{y_i}} \cdot h^{\textcolor{red}{a_i}}
C'_i = \begin{cases} g^{\textcolor{orange}{z_i}} & P_i\in\mathcal{P}_{\text{own}} \\ g^{\textcolor{orange}{z_i}} \cdot C_i & P_i\notin\mathcal{P}_{\text{own}} \end{cases}
C_i\cdot C_i^{'-1} = \begin{cases} g^{\textcolor{orange}{y_i - z_i}} \cdot h^{\textcolor{red}{a_i}} & P_i\in\mathcal{P}_{\text{own}} \\ g^{\textcolor{orange}{z_i}} & P_i\notin\mathcal{P}_{\text{own}} \end{cases}

// commitment to amount \(\color{red}{a_i}\)

// commitment to amount \(\color{red}{0}\)

\prod_{i\in [n]} C_i\cdot C_i^{'-1} = g^{\textcolor{orange}{\dots}} \cdot h^{\textcolor{red}{\sum_j a_j}}

// commitment to total reserves \(\color{red}{\sum_ja_j}\)

  • We still need to prove that \(C'_i\) was correctly computed

MProve

\mathcal{P}_{\text{anon}}
1
2
3
4
5
6
7
8
9
10
12
11
13
C'_i = \begin{cases} g^{\textcolor{orange}{z_i}} & P_i\in\mathcal{P}_{\text{own}} \\ g^{\textcolor{orange}{z_i}} \cdot C_i & P_i\notin\mathcal{P}_{\text{own}} \end{cases}
\implies \text{keypair:} \left(\textcolor{orange}{z_i}, \ C'_i\right)
\implies \text{keypair:} \left(\textcolor{orange}{z_i}, \ C'_iC^{-1}_i\right)
  • Thus, we can compute a ring signature such that: 
\gamma_i \leftarrow \left(\textcolor{lightgreen}{C'_i}, \ \ \textcolor{orange}{C'_i \cdot C_i^{-1}}\right)
  • Still need to prove that already-spent addresses were not used 
\sigma_i \leftarrow \left(\textcolor{lightgreen}{P_i}, \ \ \textcolor{orange}{C'_i\cdot C_i^{-1}}\right)

// regular ring signature

// linkable ring signature

Drawbacks of MProve

  • Scales linearly in the size \(n\) of the anonymity set
  • Adds limits on the size of the anonymity set
  • The linkable ring signatures reveal the key image \(I^{\star}\) of \(P_i\in\mathcal{P}_{\text{own}}\)
  • A future transaction from \(P_i\) will reveal the same key image \(I^{\star}\)
  • Harms privacy of the exchange in the future

MProve+

1
2
3
4
5
6
7
8
9
10
12
11
13
0
1
0
0
0
0
0
0
0
0
0
0
0
(
)
\textbf{e}_1 =
0
0
0
0
0
1
0
0
0
0
0
0
0
(
)
\textbf{e}_2 =
0
0
0
0
0
0
0
0
1
0
0
0
0
(
)
\textbf{e}_3 =
0
0
0
0
0
0
0
0
0
1
0
0
0
(
)
\textbf{e}_4 =
0
0
0
0
0
0
0
0
0
0
0
0
1
(
)
\textbf{e}_5 =
y_1
y_2
y_3
y_4
y_5
(
)
\textbf{y} =
a_1
a_2
a_3
a_4
a_5
(
)
\textbf{a} =
C_1
C_2
C_3
C_4
C_5
C_6
C_7
C_8
C_9
C_{10}
C_{11}
C_{12}
C_{13}
(
)
\textbf{C} =
P_1
P_2
P_3
P_4
P_5
P_6
P_7
P_8
P_9
P_{10}
P_{11}
P_{12}
P_{13}
(
)
\textbf{P} =

MProve+

1
2
3
4
5
6
7
8
9
10
12
11
13
0
1
0
0
0
0
0
0
0
0
0
0
0
\textbf{e}_1
C_1
C_2
C_3
C_4
C_5
C_6
C_7
C_8
C_9
C_{10}
C_{11}
C_{12}
C_{13}
(
)
\textbf{C} =
\implies \textbf{C}^{\textbf{e}_j} = g^{\textcolor{orange}{y_j}} \cdot h^{\textcolor{red}{a_j}}
\implies \textbf{P}^{\textbf{e}_j} = g^{\textcolor{orange}{x_j}}
\implies \textbf{H}_P^{\textbf{e}_j} = I_j^{\textcolor{orange}{x_j^{-1}}}
  • Pattern: vectorise all the relations and combine into one equation
\implies \left(\textbf{C} \circ \textbf{P}^u \circ \textbf{H}_P^{u^2}\right)^{\textbf{e}_j} = g^{\textcolor{orange}{\langle ., . \rangle}} h^{\textcolor{red}{\langle ., . \rangle}} \textbf{I}^{\textcolor{green}{\langle ., . \rangle}}

MProve+

1
2
3
4
5
6
7
8
9
10
12
11
13
  • Pattern: vectorise all the relations and combine into one equation
\implies \left(\textbf{C} \circ \textbf{P}^u \circ \textbf{H}_P^{u^2}\right)^{\textbf{e}_j} = g^{\textcolor{orange}{\langle ., . \rangle}} h^{\textcolor{red}{\langle ., . \rangle}} \textbf{I}^{\textcolor{green}{\langle ., . \rangle}}
  • We can then use inner product argument of the form:
PoK \left\{ (\textbf{a}, \textbf{b}) \in \mathbb{Z}_q^N \ | \ P = u^{c}\textbf{g}^{\textbf{a}} \textbf{h}^{\textbf{b}} \wedge c = \langle \textbf{a}, \textbf{b} \rangle \ \right\}
  • Proof size in an inner product argument is \(\mathcal{O}(\text{log}(N))\)
  • MProve+ proof size \(\approx (n + s + \text{log}(ns))\) vs MProve was \(\approx 12n\)

Performance

  • MProve+ proofs are \(\ge 8\text{x}\) shorter that that of MProve 
  • MProve+ proof generation is \(4-6\text{x}\) slower than MProve
  • MProve+ proof verification is \(8\text{x}\) faster than proof generation
n \ \longrightarrow
n \ \longrightarrow
\text{Proof size in KB} \longrightarrow

Note: All plots are in log-log scale.

\text{Time in min} \longrightarrow

Future work

  • MProve+ solves the key-image linkability of MProve
  • MProve+ proof sizes are much smaller than MProve
  • Thus, running MProve+ is possible for exchanges
  • But is it practical?
    • For \(n=50000\) the it takes \(\approx 2\) hours to generate a proof using an 2.6GHz i7 computer
    • Impractical to include all of UTXOs as anon set
    • Our group from IIT Bombay is working on Monero proof of reserves using Nova proof system

References

MProvePlus at Monerokon 2023

By Suyash Bagad

MProvePlus at Monerokon 2023

MProve+ presentation at Monerokon 2023.

  • 39