Bitcoin Forum
May 07, 2024, 10:10:11 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
  Home Help Search Login Register More  
  Show Posts
Pages: [1]
1  Alternate cryptocurrencies / Altcoin Discussion / Cryptonote auditability and efficient scheme for anonymous key vector proof. on: January 09, 2020, 07:33:48 PM
Hello all,

Some time ago I read the Cryptonote original whitepaper and became interested in the possibility
of adding an optional wallet balance audit to it.

The balance audit seems a quite desirable option for an anonymous cryptocurrency, together with other
types of audits like total coins amount (that is trivial for a currency without hidden amounts).

As I wasn't able to find any publication describing any ready cryptographic scheme for the wallet
balance audit, I tried to think out mine.

This resulted in a series of posts that I put to the medium:
https://medium.com/@coffeemas1/cryptonote-auditability-how-to-append-the-wallet-balance-audit-b2e5b47b69a6
Maybe, it could be of interest to someone.


As of today, I have obtained the following optimized scheme, that takes only
sizeof(ec_point)*2+sizeof(int)*(n+1) for the auditable wallets signature size:
https://medium.com/@coffeemas1/multi-signature-within-lsag-one-more-memory-efficient-approach-to-unlinkable-auditable-wallets-b70cc86d7c30

Also, I provide a generalized scheme for arbitrary key vectors, that takes
sizeof(ec_point)*m+sizeof(int)*(n+1) for NIZK proof of m key images.

The idea is that it's possible to combine a BN-style multi-signature formula with a method used in the
LSAG to significantly reduce the number of integers in the signature.

Namely, suppose we want to prove the following statement:
I know a private key vector (x1, x2, ..., xm), such that
the corresponding public key vector is one of:
(X11, X12, ..., X1m)
(X21, X22, ..., X2m)
           ...
(Xn1, Xn2, ..., Xnm),
and the corresponding key image vector is:
(I1, I2, ..., Im),
    where the key images are defined as:
    (I1=x1*Hp(Xs1), I2=x2*Hp(Xs1), ..., Im=xm*Hp(Xs1)),
        where s is an index of true public key vector
        between the decoys above.


Then we can build a Schnorr-type ring signature as:
L1=r1*G+c11*X11+c12*X12+...+c1m*X1m
R1=r1*Hp(X11)+c11*I1+c12*I2+...+c1m*Im

L2=r2*G+c21*X21+c22*X22+...+c2m*X2m
R2=r2*Hp(X21)+c21*I1+c22*I2+...+c2m*Im
                                              ...
                                              ...
Ln=rn*G+cn1*Xn1+cn2*Xn2+...+cnm*Xnm
Rn=rn*Hp(Xn1)+cn1*I1+cn2*I2+...+cnm*Im
Where for each i the row (ci1, ci2, ..., cim) is generated as for the BN using some random seed ci,
and all n ci's are reduced to single c1 the same way as in the LSAG.

This gives the following signature:
signature=(I1, I2, ..., Im, c1, r1, r2, ..., rn)

Any comments are welcome)
Pages: [1]
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!