cryptography in blockchain part i: crypto basics and monero · galois fields(gf) •finite fields...

Cryptography in Blockchain Part I:

Crypto Basics and

Monero

Zhiguo Wan

Shandong University

Outline

Crypto Basics

Monero and RingCT

Zero Knowledge

Proof

ZeroCashand ZK-SNARK

Group G<·>, Ring R<+,*> and Field F<+,*>

• Group: a set of “numbers”

• closure:

• associative law: (a·b) ·c = a· (b·c)

• identity e: e·a = a·e = a

• inverses a-1: a·a-1 = e

• Abelian group: commutative a·b=b·a

• e.g <integer,+> <real, *>

• Ring: a set of “numbers” with two operations• an abelian group with addition operation • multiplication:

• has closure

• is associative

• distributive over addition: a(b+c) = ab + ac

• Field: a set of numbers with two operations:

• abelian group for addition

• abelian group for multiplication (ignoring 0)

• Such as:rational number / real

number/complex number

Galois Fields(GF)• finite fields play a key role in cryptography

• number of elements in a finite field must be a power of a

prime: pn

• Galois fields(伽罗瓦域) GF(pn), in particular often use the

fields:• GF(p) ( for n=1)

• GF(2n) (for p=2 )

• GF(p) is the set of integers {0,1, … , p-1} with arithmetic

operations modulo prime p

• these form a finite field• since have multiplicative inverses

• hence arithmetic is “well-behaved”: addition, subtraction,

multiplication, and division without leaving the field GF(p)

Example GF(7)

Assumptions in Cryptography

• From hard problems: NP problems

• DLP: Discrete Logarithm Problem• Given X (= 𝑔𝑥 𝑚𝑜𝑑 𝑝), 𝑔 and 𝑝, compute 𝑥.

• 𝑥 is an integer and 𝑔 is generator of a group, 𝑝 is big prime.

• CDH: Computational Diffie-Hellman • Given 𝑔𝑎𝑎𝑛𝑑𝑔𝑏, compute 𝑔𝑎𝑏.

• ECDLP: Elliptic Curve DLP• Elliptic curve version of DLP

• ECDH: Elliptic Curve DH• Elliptic curve version of CDH

• (Key generation) 𝑛 = 𝑝𝑞

• Choose e and d, s.t. 𝑒𝑑 = 1 𝑚𝑜𝑑 𝜑(𝑛)

• public key : {𝑒, 𝑛}, private key : {𝑑, 𝑛}

• (Signing) 𝑠𝑖𝑔𝐾(𝑥) = 𝑥𝑑 𝑚𝑜𝑑 𝑛

• (Verification)𝑣𝑒𝑟𝐾(𝑥, 𝑦) = true𝑥 = 𝑦𝑒 𝑚𝑜𝑑 𝑛, 𝑥, 𝑦 𝑛

• (Problem) If an adversary know signature of 𝑥1 and 𝑥2 to be

𝑠1 and 𝑠2, he can create signature of 𝑥3 = 𝑥1𝑥2, i.e., 𝑠3{=𝑠1𝑠2 = 𝑥1

𝑑 𝑥2𝑑 = (𝑥1𝑥2)

𝑑} without knowing private key,𝑑. To

prevent this, hashing before signing or other means must be

used.

• Note that 𝐸(𝑚1)𝐸(𝑚2) = 𝐸(𝑚1𝑚2) in RSA

7

RSA Signature

𝑝 : prime, 𝑍𝑝∗ : primitive element,

𝐶ℎ𝑜𝑜𝑠𝑒 𝑎: = 𝑎𝑚𝑜𝑑 𝑝

public: (p,,), private: a

(signing) Secret random 𝑘 𝑍𝑝−1∗

𝑠𝑖𝑔𝐾(𝑚, 𝑘) = (, ) where = 𝑘 𝑚𝑜𝑑 𝑝,

= (𝑚 − 𝑎)𝑘−1 mod (𝑝 − 1)

(verification) 𝑚, 𝑍𝑝∗ and 𝑍𝑝−1

∗

𝑣𝑒𝑟𝐾 𝑚, , = true = 𝑚mod 𝑝

* = 𝑎 𝑘=𝑚mod 𝑝

8

ElGamal Signature(I)

(Preparation) 𝑝 = 467, = 2, 𝑎 = 127 = 𝑎𝑚𝑜𝑑 𝑝 = 2127 𝑚𝑜𝑑 467 = 132

message 𝑚 = 100random 𝑘 = 213 s.t., gcd(213,466) = 1.

213−1mod 466 = 431 signing

= 𝑘 = 2213mod 467 = 29 = (𝑚 − 𝑎)𝑘−1 mod (𝑝 − 1)= (100 − 127 × 29) 431 mod 466 = 51

Verification on m, and

= 𝑚 𝑚𝑜𝑑 𝑝 ? = 132292951 = 189 𝑚𝑜𝑑 467𝑚 = 2100 = 189 𝑚𝑜𝑑 467

9

ElGamal Signature(II)

• Security : without knowing a, forgery of x’s signature is reducible to DLP of finding () chosen ().

• Note• Keep k to be secret

• Not to use k two times.

• Generalization from p* to any finite Abelian

group is possible

10

ElGamal Signature(III)

• After 1991 August for 3-year public debate, NIST announced DSS (Digital Signature Standard) documented FIPS-186 in 1994 December.

• RSA was not selected since its patent

• Introduce efficient operation under subgroup in ElGamal signature scheme

• Used with DHA (Digital Hash Algorithm)

11

DSA (I)

p:512-bit prime, q:160-bit prime, q|p-1, gp*

=g(p-1)/qmod p (q-th root of 1 mod p),

M =p*, K={(p,q,,a,):=a mod p}

public: (p,q,,), private: a.

(signing) secret random k (1k q-1,gcd(k,q)=1),

sigK(m,k) = (,) where = (k mod p) mod q,

=(m+a)k-1 mod q.

(verification) m p* and , q

verK(m,, )=true (e1e2 mod p)mod q = .

e1= m-1 mod q, e2= -1 mod q.

12

DSA(II)

(Ex.) q=101, p=78q+1=7879, g=3, = 378 mod 7879 =170, a=75,

= a mod 7879 = 4567

(signing) message m=1234, random k=50, k-1 mod 101=99.

= (k mod p) mod q=(17050mod 7879) mod101=2518 mod101=94.

=(m+a)k-1 mod q=(1234 +75x94) 99 mod101 = 97.

(verification) sigK(m,k) = (,) =(94,97), m=1234

-1=97-1 mod 101=25, e1= m-1 mod q =1234 x 25 mod 101 =45,

e2= -1 mod q = 94 x 25 mod 101 = 27

(e1e2 mod p)mod q= (17045 4567 27 mod 7879 ) mod 101 = 2518 mod 101=94 ? =94 (valid)

13

DSA(III)

Elliptic Curve Cryptography

Research on EC has a history of more than 150 years

1985

Neal Koblitz of Washington University

Victor Miller of IBM

Applied EC in Cryptography

ECC and RSA are two widely used PKC systems

Elliptic curves over R

• DefinitionLet

• Example:

),( 32 baxxyyxE RR

0274 ,, 23 baba R

xxyE 4: 32

Group operation +

• The point of infinity, , will be the identity elementGiven

• 𝑃 + 𝑄 ! = (𝑥1 + 𝑥2, 𝑦1 + 𝑦2)

),(),,(,, 2211 yxQyxPEQP

)),(),( (i.e.

then , and , If

1111

2121

yxyxP

QPyyxx

PP P=(x,y)

-P=(x,-y)

Group operation +

• GivenCompute

• Addition

• Doubling

),(),,(,, 2211 yxQyxPEQP

),( 33 yxQPR )( QP

)( QP

1313

21

2

3

12

12

)(

yxxy

xxx

xx

yy

1313

1

2

3

1

2

1

)(

2

2

3

yxxy

xx

y

ax

P

Q

R

-R=R’

P=Q

R=2P

-R

Example (addition):

• Given

•

xxyE 25: 32

),( ),0,5(),( ),0,0(),( 332211 yxQPyxQyxP

00050)(

5500

005

00

1313

2

21

2

3

12

12

yxxy

xxx

xx

yy

Example (doubling):

• Given

•

xxyE 25: 32

),(2 ),6,4(),( 2211 yxPyxP

1728

622796

12

23

144

16814)(

144

168142

12

232

12

23

62

2543

2

3

1212

2

1

2

2

2

1

2

1

yxxy

xx

y

ax

Elliptic Curves over GF(p)

• DefinitionLet

• Example:

) (mod ),( 32 pbaxxyyxE pp

) (mod 0274 ,, ,3 23 pbabap p

23

32 over : ZxxyE

Example

•

Find all (x, y) and :

• Fix x and determine y

• is an artificial point

12 (x, y) pairs plus ,

and have #E=13

11

32 over 6: ZxxyE

9,2410

79

8,398

9,247

86

9,245

84

6,533

7,452

81

60

res? quad63

yes

no

yes

yes

no

yes

no

yes

yes

no

no

yxxx

Example (continue):

• There are 13 points on the group E(Z11) and so any non-identity point (i.e. not the point at infinity, noted as ) is a generator of E(Z11).

Choose generatorCompute

)7,2(),(2 22 yx

11 mod 27852)(

11 mod 52282

11 mod 8423214

13

72

123

2

3

1212

2

1

2

2

1

2

1

2

1

yxxy

xx

y

ax

Example (continue):

• Compute

•So, we can compute

)4,2(12)9,5(11)8,8(10

)9,10(9)5,3(8)2,7(7

)9,7(6)6,3(5)2,10(4

)3,8(3)2,5(2)7,2(

),(3 33 yx

11 mod 37282)(

11 mod 8522

11 mod 225

72

1313

2

21

2

3

12

12

yxxy

xxx

xx

yy

Example (continue):

• Let’s modify ElGamal encryption by using the elliptic curve E(Z11).Suppose that and Bob’s private key is 7, so

Thus the encryption operation is

where and , and the decryption operation is

)7,2(

)2,7(7

,)2,7(),7,2(),( kxkkxeK

Ex 120 k

.7),( 1221 yyyydK

Example (continue):

• Suppose that Alice wishes to encrypt the plaintext x = (10,9) (which is a point on E).If she chooses the random value k = 3, then

•Hence . Now, if Bob receives the ciphertext y, he decrypts it as follows:

)2,10()5,3()9,10()2,7(3)9,10(

and )3,8()7,2(3

2

1

y

y

)2,10(),3,8(y

)9,10()6,3()2,10(

)5,3()2,10()3,8(7)2,10(

x

Elliptic Curve Discrete Logarithm Problem

• Basic computation of ECC• Q = kP = P + P+…+P

where P is a curve point, k is an integer

• Strength of ECC• Given curve, the point P, and kP

It is hard to recover k

- Elliptic Curve Discrete Logarithm Problem (ECDLP)

Solve 2x = 8192

x = 13

Solve 2x = 927 (mod 1453)

x = 13

The Elliptic Curve Discrete Log Problem

Given points P and Q on an elliptic curve with

Q = k P

for some integer k.

Find k

Example: On the elliptic curve

y2 = x3 - 5x + 12 (mod 13),

find k such that

k (2,6) = (4,11).

7 (2,6) = (4,11)

The elliptic curve discrete log problem is very hard.

Security of ECC versus RSA/ElGamal

• Elliptic curve cryptosystems give the most security per bit of any

known public-key scheme.

• The ECDLP problem appears to be much more difficult than the

integer factorisation problem and the discrete logarithm problem

of Zp. (no index calculus algo!)

• The strength of elliptic curve cryptosystems grows much faster

with the key size increases than does the strength of RSA.

Elliptic Curve Security

Symmetric Key Size(bits)

RSA and Diffie-HellmanKey Size (bits)

Elliptic Curve Key Size(bits)

80 1024 160

112 2048 224

128 3072 256

192 7680 384

256 15360 521

NIST Recommended Key Sizes

ECC BenefitsECC is particularly beneficial for application where:

• computational power is limited (wireless devices, PC

cards)

• integrated circuit space is limited (wireless devices, PC

cards)

• high speed is required.

• intensive use of signing, verifying or authenticating is

required.

• signed messages are required to be stored or

transmitted (especially for short messages).

• bandwidth is limited (wireless communications and

some computer networks).

Elliptic Curve Diffie-Hellman Key Establishment

Alice and Bob want to establish a secret encryption key .

1. Alice and Bob choose an elliptic curve mod a large prime.

2. They choose a random point P on the curve.

3. Alice chooses a secret integer a and computes aP.

4. Bob chooses a secret integer b and computes bP.

5. Alice sends aP to Bob and Bob sends bP to Alice.

6. Alice computes a(bP) and Bob computes b(aP) .

7. They use some agreed-upon method to produce a key from abP.

The eavesdropper sees only P, aP, bP.

It is hard to deduce abP from this information

without computing discrete logs.

Alice and Bob agree on y2 = x3 – 5x +12 (mod 13)

and take P = (2,6).

Alice Bob

a = 7

7 (2,6) = (4, 11)

b = 5

5 (2,6) = (12, 4)

(4, 11) (12, 4)

7(12, 4) = (8,9) 5(4,11) = (8,9)

Exercises1. Does the elliptic curve equation

y2 = x3 + 10x + 5 define a group over F17? 2. Do the points P(2,0) and Q(6,3)

lie on the elliptic curve y2 = x3 + x + 7 over F17?3. What are the negatives of the following elliptic

curve points over F17?P(5,8) Q(3,0) R(0,6)

4. In the elliptic curve group defined by y2 = x3 + x + 7

over F17, what is P + Q if P = (2,0) and Q = (1,3)? 5. In the elliptic curve group defined by y2 = x3 + x + 7

over F17, what is 2P if P = (1, 3)?

Elliptic Curve Digital Signature Algorithm (ECDSA)Public: G, Q=dG

Private: d

Signature Generation1. A random number 𝑘, 1 ≤ 𝑘 ≤ 𝑛 − 1 is chosen

2. 𝑘𝐺 = (𝑥1, 𝑦1) is computed. 𝑥1 is converted to its corresponding integer 𝑥1'

3. Next, 𝑟 = 𝑥1mod 𝑛 is computed

4. We then compute 𝑘−1 mod 𝑛5. 𝑒 = 𝐻𝐴𝑆𝐻(𝑚) where 𝑚 is the message to be signed

6. 𝑠 = 𝑘−1 (𝑒 + 𝑑𝑟) mod 𝑛where 𝑑 is the private key of the sender.

We have the signature as (𝑟, 𝑠)

ECDSASignature Verification

At the receiver’s end the signature is verified as follows:

1. Verify whether 𝑟 and 𝑠 belong to the interval [1, 𝑛 − 1] for the signature to be valid.

2. Compute 𝑒 = 𝐻𝐴𝑆𝐻(𝑚). The hash function should be the same as the one used for signature generation.

3. Compute 𝑤 = 𝑠−1 mod 𝑛.

4. Compute 𝑢1 = 𝑒𝑤 mod 𝑛 and 𝑢2 = 𝑟𝑤 mod 𝑛.

5. Compute (𝑥1, 𝑦1) = 𝑢1𝐺 + 𝑢2𝑄. (𝑄 = 𝑑𝐺)

6. The signature is valid if 𝑟 = 𝑥1mod 𝑛, invalid otherwise.

The verification works because:

We have 𝑢1𝐺 + 𝑢2𝑄 = 𝑢1 + 𝑢2𝑑 𝐺 = e𝑤 + 𝑟𝑤𝑑 𝐺

= 𝑒𝑠−1 + 𝑟𝑑𝑠−1 𝐺 = 𝑒 + 𝑟𝑑 𝑠−1𝐺

Note that 𝑠 = 𝑘−1 (𝑒 + 𝑑𝑟) mod 𝑛

So 𝑢1𝐺 + 𝑢2𝑄 = 𝑒 + 𝑟𝑑 𝑠−1𝐺 = 𝑘𝐺

• Blind signature

• One-time signature• Lamport scheme or Bos-Chaum scheme

• Undeniable signature• Chaum-van Antwerpen scheme

• Fail-stop signature• van Heyst-Peterson scheme

• Proxy signature

• Group (Ring) signature: group member can generate

signature if dispute occurs, identify member. etc.

36

Advanced Digital Signature

37

Chaum’s Blind Signature(I)

Without B seeing the content of message M, A can get

a signature of M from B.

RSA scheme, B’s public key :{n,e}, private key:{d}

(1) select random k

s.t. gcd(n,k)=1,

1<k<n-1

A(customer) B(Bank)

(2) m*=mke

mod n

m*

(3) s*=

(m*)d mod ns*

(4) s=k-1 s*mod n

(signature of M by B : k-1(mke)d= k-1 md ked = md)

(1)random

number(2)blinding

(3)signing

(4)unblinding

A B

g(SBf(m))=SB(m)

f:blinding ft

g:unblinding ft only A knows

f(m) : blinded message

• (Preparation) p=11, q=3, n=33,(n)= 10 x 2=20

• gcd(d, (n))=1 => d=3, ed =1 mod (n) => 3 d = 1 mod 20 => e=7

• B: public key :{n,e}={33,7}, private key ={d}={3}

(1) A’s blinding of m=5

select k s.t. gcd(k,n)=1. gcd(k,33)=1 => k=2

m* = m ke mod n= 5 27 mod 33 = 640 mod 33 = 13 mod 33

(2) B’s signing without knowing the original m

s*= (m*)d mod n = 133 mod 33 =2197 mod 33 =19 mod 33

(3) A’s unblinding

s=k-1 s* mod n (2 k-1=1 mod 33 => k=17)

= 17 19 mod 33 =323=26 mod 33

* Original Signature : md mod n = 53 mod 33 =125 =26 mod 33

38

Chaum’s Blind Signature(II)

Group Signature

• Only members of the group can sign messages.

• The receiver of the signature can verify that it is a valid signature from the group.

• The receiver of the signature cannot determine which member of the group is the signer.

• In the case of a dispute, the signature can be “opened” to reveal the identity of the signer.

Group Signature with a Trusted Arbitrator

• Receiver can verifies signatures

• Cannot identify which member is signer

• Problems:• Too many keys

• Master list

Trent:

pk1,1/sk1,1

pk1,2/sk1,2

………….

pk1,n/sk1,n

pk2,1/sk2,1

pk2,2/sk2,2

………….

pk2,n/sk2,n

pkm,1/skm,1

pkm,2/skm,2

………….

pkm,n/skm,n

Public Master list:

pk2,1 pk1,3 pk7,1 pk4,5 ..…. pk3,9

Member 1 Member 2 Member m

Ring Signature

• Introduced by Ron Rivest, Adi Shamir, and Yael Tauman at ASIACRYPT 2001

• A message signed by someone in a particular group of people.

• Computationally infeasible to determine which of the group members' keys was used to produce the signature.

• Similar to group signatures but differ in two key ways:

• There is no way to revoke the anonymity of an individual signature,

• Any group of users can be used as a group without additional setup.

https://en.wikipedia.org/wiki/Ron_Rivest

https://en.wikipedia.org/wiki/Adi_Shamir

https://en.wikipedia.org/w/index.php?title=Yael_Tauman&action=edit&redlink=1

https://en.wikipedia.org/wiki/ASIACRYPT

Hands-on Exercises

• Install charm-crypto

• Install pbc (pairing-based crypto)

• sudo apt install charm-crypto

• Using charm-crypto (/root/charm) (run with python3)

1. RSA encryption and signature: rsa_alg_test.py

2. DSA signature algorithm: pksig_dsa.py

3. El Gamal encryption: pkenc_test.py

4. ECDSA signature algorithm: pksig_test.py

5. Group signature: grpsig_test.py

Outline

Crypto Basics

Monero and RingCT

Zero Knowledge

Proof

ZeroCashand ZK-SNARK

Monero Ring ConfidientialTransaction• Based on CryptoNote, which only hides

destination and origin using ring signature

• Multi-layered Linkable Spontaneous Anonymous Group Signature (MLSAG)

• 4 key components• MLSAG signature: hide address

• Commitment scheme: hide amount

• Range proof: ensure amount range

• Tag-linkability: prevent double spending

Monero Overview• Suppose, you pick up 4 random people from the streets.

And merge your signatures with theirs to create a unique signature. Nobody can find out which one is your signature.

• In Monero, Alice has to send 1000 XMR (XMR = Monero) to Bob,

• Firstly, she will determine her “ring size”. The ring size are random outputs taken from the blockchain. She then signs these outputs with her private spend key and sends it to the blockchain.

• Note that Alice doesn’t need to ask the permission of the owners of these previous transactions to use the outputs.

• Suppose Alice chooses a ring size of 5 i.e. 4 decoy outputs and her own transaction, for an outsider, this is what it will look like:

A real monero tx

Monero keys

Private view

key (a)

Private spend

key (b)

Public view

key (A = aG)

Public spend

key (B=bG)

One-time public key

(Stealth address):

P = H(rA)G + B = (H(rA)+b)G

Random r

Key Image:

xHp(P)

Where x=H(rA)+b

For viewing incoming

transactions, cannot

spend

For spending fund

For viewing funds

(R=rG is in TX).

Checking P = H(aR)G + B

Spend with

H(rA)+b=H(aR)+b

Each Tx with a unique

key image

Monero Overview• How to prevent double spending in Monero?

• Every transaction in Monero comes with its own unique key image.

• The miners can simply check it out and know whether a Monero coin is being double spent or not.

• Linkable when double spending!

• Multiple keys

• Public view key and a private view key.

• The public view key is used to generate the one-time stealth public address where the funds will be sent to the receiver.

• The private view key is used by the receiver to scan the blockchain to find the funds sent to them.

• Spend Keys: the spend key is all about the sender.

• The public spend key will help the sender take part in ring transactions and also verify the signature of the key image.

• The private spend key helps in creating that key image which enables them to send transactions.

Monero Overview

• Stealth Addresses: P = H(rA)G + B

• r = Random scalar chosen by Alice. (Alice sends fund to Bob)

• A = Bob’s public view key.

• G = Cryptographic constant.

• B = Bob’s public spend key.

• H() = The Keccak hashing algorithm used by Monero.

• Key image: I = xH(P).

• It is infeasible to derive the one time public address P from the key image “I” and hence Alice’s identity will never be exposed.

• P will always give the same value when it’s hashed, meaning H(P) will always be the same.

• What this means is, since the value of “x” is constant for Alice, she will never be able to generate multiple values of “I”, which makes the key image unique for every transaction.

Stealth address generation

• Alice does ECDH with her randomly-chosen r and Bob's public view key, A. Let's call this point D. No one other than Alice or Bob can compute D (see the discussion above on ECDH).

• Alice uses D to generate a new scalar; we'll call it f. f = H(D). This is the step that actually causes unlinkability between Bob's outputs

• Alice computes F = fG.

• Alice computes P = F + B (Bob's public spend key).

• P is the stealth destination!

Input/Output commitments• Why input commitments? To hide input amounts

• An Example:

• Input: 𝐶𝑖𝑛 = 𝑥𝑐𝐺 + 𝑎𝐻, where a is the input amount， 𝐻 =𝛾𝐺 for an unknown 𝛾.

• Output 1: 𝐶𝑜𝑢𝑡−1 = 𝑦1𝐺 + 𝑏1𝐻, b1 is the output amount

• Output 2: 𝐶𝑜𝑢𝑡−2 = 𝑦2𝐺 + 𝑏2𝐻, b2 is the output amount

• Benefits: amounts are masked!

• Need to ensure: 𝑎 = 𝑏1 + 𝑏2• 𝐶𝑖𝑛 − 𝐶𝑜𝑢𝑡−1 − 𝐶𝑜𝑢𝑡−2 = 𝑥𝑐 − 𝑦1 − 𝑦2 𝐺 iff 𝑎 = 𝑏1 + 𝑏2• Generate a ring signature using 𝑥𝑐 − 𝑦1 − 𝑦2• Cannot produce a signature if 𝑎 ≠ 𝑏1 + 𝑏2

Recall Monero keys

Private view

key (a)

Private spend

key (b)

Public view

key (A = aG)

Public spend

key (B=bG)

One-time public key

(Stealth address):

P = H(rA)G + B = (H(rA)+b)G

Random r

Key Image:

xH(P)

Where x=H(rA)+b

(𝑥𝑐 − 𝑦1 − 𝑦2)

𝐶𝑖𝑛 = 𝑥𝑐𝐺 + 𝑎𝐻

𝐶𝑜𝑢𝑡−1 = 𝑦1𝐺 + 𝑏1𝐻

𝐶𝑜𝑢𝑡−2 = 𝑦2𝐺 + 𝑏2𝐻

(𝑥𝑐−𝑦1 − 𝑦2)G

𝐶𝑖𝑛 − 𝐶𝑜𝑢𝑡−1 − 𝐶𝑜𝑢𝑡−2

Linkable Spontaneous Anonymous Group Signature (LSAG)

• Each of n members has a key pair {𝑥𝑗 , 𝑃𝑗}𝑗=1…𝑛, where 𝑃𝑗 = 𝑥𝑗𝐺.

• For the j-th member, the key image is 𝐼𝑗 = 𝑥𝑗𝐻𝑝(𝑃𝑗)

• M: Message to be signed;α, 𝑠𝑖 : Random numbers for 𝑖 ≠ 𝑗

1n

j

j+1j-1

𝑐𝑗+1 = 𝐻 𝑀, 𝐿𝑗 , 𝑅𝑗

𝐿𝑗 = 𝛼𝐺, 𝑅𝑗 = 𝛼𝐻𝑝(𝑃𝑗),

𝐿𝑗+1 = 𝑠𝑗+1𝐺 + 𝑐𝑗+1𝑃𝑗+1

𝑅𝑗+1 = 𝑠𝑗+1𝐻𝑝(𝑃𝑗+1) + 𝑐𝑗+1𝐼𝑗

𝑐𝑛 = 𝐻 𝑀, 𝐿𝑛−1, 𝑅𝑛−1

𝐿𝑛 = 𝑠𝑛 𝐺 + 𝑐𝑛 𝑃𝑛

𝑅𝑛 = 𝑠𝑛 𝐻𝑝(𝑃𝑛 ) + 𝑐𝑛 𝐼𝑗

𝑐𝑗−1 = 𝐻 𝑀, 𝐿𝑗−2, 𝑅𝑗−2

𝐿𝑗−1 = 𝑠𝑗−1𝐺 + 𝑐𝑗−1𝑃𝑗−1

𝑅𝑗−1 = 𝑠𝑗−1𝐻𝑝(𝑃𝑗−1) + 𝑐𝑗−1𝐼𝑗

Set 𝑠𝑗 = 𝛼 − 𝑐𝑗 𝑥𝑗

Final Sig:

(𝐼𝑗 , 𝑐1, 𝑠1, 𝑠2, … 𝑠𝑛)

𝐿𝑗 = (𝑠𝑗 + 𝑐𝑗𝑥𝑗)𝐺, 𝑅𝑗 = (𝑠𝑗 + 𝑐𝑗𝑥𝑗)𝐻𝑝(𝑃𝑗),

Linkable Spontaneous Anonymous Group Signature (LSAG)

• Verify (𝐼𝑗 , 𝑐1, 𝑠1 , 𝑠2 … , 𝑠𝑛 )

• Calculate all 𝐿𝑖 and 𝑅𝑖 , then compute 𝑐𝑛+1

• Finally, verify 𝑐𝑛+1 = 𝑐1• Signature size O(n)

• Linkable w.r.t. Ij

𝑐𝑘+1 = 𝐻 𝑀, 𝐿𝑘 , 𝑅𝑘

𝐿𝑘+1 = 𝑠𝑘+1𝐺 + 𝑐𝑘+1𝑃𝑘+1

𝑅𝑘+1 = 𝑠𝑘+1𝐻(𝑃𝑘+1) + 𝑐𝑘+1𝐼𝑗

Multi-layered Linkable Spontaneous Anonymous Group Signature (MLSAG)

• Each of n members has m keys for {𝑃𝑖𝑗}𝑖=1…𝑛𝑗=1…𝑚

• For the k-th member, its secret key associated with {𝑃𝑘𝑗} is {𝑥𝑗}, the key image is 𝐼𝑗 = 𝑥𝑗𝐻(𝑃𝑘

𝑗)

• M: Message to be signed; 𝛼𝑗 , 𝑠𝑖𝑗: Random numbers for 𝑗 = {1…𝑚}, 𝑖 = {1…𝑛}/{𝑘}

1n

k

k+1k-1

𝑐𝑘+1 = 𝐻 𝑀, 𝐿𝑘1 , 𝑅𝑘

1, … , 𝐿𝑘𝑚, 𝑅𝑘

𝑚

𝐿𝑘𝑗= 𝛼𝑗𝐺, 𝑅𝑘

𝑗= 𝛼𝑗𝐻(𝑃𝑘

𝑗) ,

(𝑗 = 1,… ,𝑚)

𝐿𝑘+1𝑗

= 𝑠𝑘+1𝑗

𝐺 + 𝑐𝑘+1𝑃𝑘+1𝑗

𝑅𝑘+1𝑗

= 𝑠𝑘+1𝑗

𝐻(𝑃𝑘+1𝑗

) + 𝑐𝑘+1𝐼𝑗

𝑐𝑛 = 𝐻𝑀, 𝐿𝑛−1

1 , 𝑅𝑛−11 ,

… , 𝐿𝑛−1𝑚 , 𝑅𝑛−1

𝑚

𝐿𝑛𝑗= 𝑠𝑛

𝑗𝐺 + 𝑐𝑛 𝑃𝑛

𝑗

𝑅𝑛𝑗= 𝑠𝑛

𝑗𝐻(𝑃𝑛

𝑗) + 𝑐𝑛 𝐼𝑗

𝑐𝑘−1 = 𝐻𝑀, 𝐿𝑘−2

1 , 𝑅𝑘−21 ,

… , 𝐿𝑘−2𝑚 , 𝑅𝑘−2

𝑚

𝐿𝑘−1𝑗

= 𝑠𝑘−1𝑗

𝐺 + 𝑐𝑘−1𝑃𝑘−1𝑗

𝑅𝑘−1𝑗

= 𝑠𝑘−1𝑗

𝐻(𝑃𝑘−1𝑗

) + 𝑐𝑘−1𝐼𝑗

Set 𝑠𝑘𝑗= 𝛼𝑗 − 𝑐𝑘 𝑥𝑗

Final Sig:

(𝐼1, … , 𝐼𝑚, 𝑐1, 𝑠11, … , 𝑠1

𝑚 ,𝑠21… , 𝑠2

𝑚… ,𝑠𝑛1… , 𝑠𝑛

𝑚)

Multi-layered Linkable Spontaneous Anonymous Group Signature (MLSAG)

• Verify (𝐼1, … , 𝐼𝑚, 𝑐1, 𝑠11, … , 𝑠1

𝑚 , 𝑠21… , 𝑠2

𝑚… , 𝑠𝑛1… , 𝑠𝑛

𝑚)

• Calculate all 𝐿𝑖𝑗

and 𝑅𝑖𝑗, then compute 𝑐𝑛+1

• Finally, verify 𝑐𝑛+1 = 𝑐1• Signature size O(mn)

• Linkable if one of the keys are reused in MLSAG signature

𝑐𝑘+1 = 𝐻 𝑀, 𝐿𝑘1 , 𝑅𝑘

1, … , 𝐿𝑘𝑚, 𝑅𝑘

𝑚

𝐿𝑘+1𝑗

= 𝑠𝑘+1𝑗

𝐺 + 𝑐𝑘+1𝑃𝑘+1𝑗

𝑅𝑘+1𝑗

= 𝑠𝑘+1𝑗

𝐻(𝑃𝑘+1𝑗

) + 𝑐𝑘+1𝐼𝑗

The general case of MLSAG in Monero

• 𝑃𝑖𝑗

the stealth address

• 𝐶𝑖𝑗

the payment commitment (masked payment)

• (𝑃𝑖𝑗, 𝐶𝑖

𝑗) can be viewed as Monero address

• m inputs and q decoys

• Normally q = 4 and m = 1 or 2 in Monero

Range Proof: Aggregate SchnorrNon-linkable Ring Signature

• Why range proof?

• -1 is a very large number modulo the curve group order free money has been created

• Binary decomposition:

• 𝑏 = 𝑏020 + 𝑏12

1 +⋯+ 𝑏𝑛2𝑛

• 𝐶𝑜𝑢𝑡 = 𝐶𝑜𝑢𝑡0 + 𝐶𝑜𝑢𝑡

1 + 𝐶𝑜𝑢𝑡2 +⋯+ 𝐶𝑜𝑢𝑡

𝑛

• 𝐶𝑜𝑢𝑡𝑗

= 𝑦𝑗𝐺 + 𝑏𝑗 ∗ 2𝑗𝐻

• Private key (yj) for either of (𝐶𝑜𝑢𝑡𝑗

, 𝐶𝑜𝑢𝑡𝑗

− 2𝑗𝐻) is known.

• A ring signature for two members is generated for n+1 commitments.

• n=40 in Monero, proof size: 6176 bytes/output

𝐶𝑖𝑛 = 𝑥𝑐𝐺 + 10𝐻 𝐶𝑜𝑢𝑡−1 = 𝑦1𝐺 − 1𝐻 𝐶𝑜𝑢𝑡−2 = 𝑦2𝐺 + 11𝐻

A Monero Tx Example

Hands-on Exercises

• MiniNero (run with python)

1. Test.py RingCT/RingCTSimple

2. Test.py MLSAG/MLSAG2

3. Test.py ASNL

• Study monero source code

Questions

• How the range proofs are generated in MiniNero?

• How the MLSAG signatures are generated in MiniNero?

• What is the purpose of ecdhinfo in monero tx?

• Why range proof can prevent payments like -1?

• What private key is used in Monero to generate a MLSAG ring signature?

cryptography in blockchain part i: crypto basics and monero · galois fields(gf) •finite fields...

Documents