update composition proof structure to use powers-of-mu like in Triptych
UkoeHB committed Oct 2, 2021
1 parent fe4b692 commit 2ebb9e7
Showing 5 changed files with 17 additions and 57 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -2,7 +2,7 @@

Seraphis is a privacy-focused transaction protocol for p2p electronic cash systems (e.g. cryptocurrencies).

Browsers with built-in PDF readers (e.g. recent versions of Firefox) can display the most recent PDF [with this link](https://raw.githubusercontent.com/UkoeHB/Seraphis/master/Seraphis-0-0-11.pdf). Note that non-supporting browsers may automatically download the PDF if you click the link.
Browsers with built-in PDF readers (e.g. recent versions of Firefox) can display the most recent PDF [with this link](https://raw.githubusercontent.com/UkoeHB/Seraphis/master/Seraphis-0-0-13.pdf). Note that non-supporting browsers may automatically download the PDF if you click the link.


*License*
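Review bot: the PDF link jumps from Seraphis-0-0-11.pdf to Seraphis-0-0-13.pdf (and main.tex in this same commit bumps the draft from v0.0.11 to v0.0.13), so version 0.0.12 never appears; if 0.0.12 was not published anywhere, consider keeping the numbering contiguous so readers can match a PDF to the appendix revision it contains.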
Binary file renamed Seraphis-0-0-11.pdf → Seraphis-0-0-13.pdf
64 changes: 12 additions & 52 deletions appendix.tex
@@ -108,7 +108,7 @@ \subsection{Practical considerations}
\section{Composition proofs with Schnorr}
\label{appendix:composition-with-schnorr}

In this Appendix is one approach to satisfying the Seraphis ownership/unspentness proof requirements (Section \ref{subsec:seraphis-ownership-unspentness-proofs}), assuming $J == G_2$. First we lay out the proof system that satisfies those requirements, next we will describe a proof structure in that system, and finally we will apply the Fiat-Shamir transform \cite{fiat-shamir-transform} to that structure.
In this Appendix is one approach to satisfying the Seraphis ownership/unspentness proof requirements (Section \ref{subsec:seraphis-ownership-unspentness-proofs}), assuming $J == G_2$. First we lay out the proof system that satisfies those requirements, then we describe a proof structure in that system.\footnote{We leave applying the Fiat-Shamir transform \cite{fiat-shamir-transform} to the composition proof structure as an exercise for the reader.}


\subsection{Composition proof system}
@@ -119,7 +119,7 @@ \subsection{Composition proof system}
\begin{enumerate}
\item Assume there is a group point $K = x G_0 + y G_1 + z G_2$.

\item Let\vspace{.115cm}
\item Let
\begin{align*}
K_{t1} &= (1/y)*K \\
\tilde{K} &= (z/y)*G_2 \\
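Review bot: the new footnote on the rewritten intro sentence turns the Fiat-Shamir transform into "an exercise for the reader" at the same time as this commit changes the verifier's contribution from one scalar to three ($c, \mu_a, \mu_b$), so the exercise is no longer routine: $\mu_a$ and $\mu_b$ must be derived from a hash that binds the reference string and every $K_i, K_{t1,i}, \tilde{K}_i$ before the prover can learn them, and $c$ must additionally bind the $\alpha_a G_0, \alpha_b G_2, \alpha_i K_i$ commitments. Suggest the footnote state that requirement in one sentence (the verifier's scalars are replaced by hashes of the transcript up to the point at which they would be sent) rather than leaving the binding order unspecified.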
@@ -137,12 +137,15 @@ \subsubsection{Seraphis requirements satisfaction}

[[[explain how it satisfies the requirements?]]]


\subsection{Composition proof structure}
\label{appendix:composition-proof-structure}

[[[better terminology than `proof structure'?]

Our proof structure is a Schnorr-like $\Sigma$-protocol between prover and verifier. Notably, for the discrete logs of $\tilde{K}$ and $K_{t2}$ from the proof system, we use the concise approach from \cite{clsag-eprint} to reduce proof sizes when constructing multiple proofs in parallel (i.e.\ reduce the number of responses required).
Our proof structure is a Schnorr-like $\Sigma$-protocol between prover and verifier. Notably, for the discrete logs of $\tilde{K}$ and $K_{t2}$ from the proof system, we use the concise approach from \cite{clsag-eprint} to reduce proof sizes when constructing multiple proofs in parallel (i.e.\ reduce the number of responses required). Furthermore, we use the powers-of-$\mu$ approach from \cite{triptych-preprint} (i.e.\ `aggregation coefficients'), instead of distinct per-element hashes, for simplicity.

Note that if a composition proof is made for one input keyset, then the proof structure degenerates into a plain tuple of Schnorr proofs (i.e.\ the aggregation coefficients become irrelevant, since $\mu^0 = 1$).

\begin{enumerate}
\item Suppose the prover has keys $[x_i, y_i, z_i, K_i]$ for $i \in 1,...,n$, where $K_i = x_i G_0 + y_i G_1 + z_i G_2$.
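Review bot: the added sentence justifies the powers-of-$\mu$ coefficients with "for simplicity", but the reason replacing the per-element $\mathcal{H}_7$ hashes is sound is that $\mu_a, \mu_b$ are chosen by the verifier only after the prover has fixed $K_{t2,i}$ and $\tilde{K}_i$ (which the rewritten step 4 does, since the scalars are sent after the step 3 commitments); stating that ordering requirement here would make clear what a non-interactive instantiation must preserve. The degenerate-case sentence is correct: for $n = 1$ each sum has the single term with $\mu^0 = 1$.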
@@ -151,64 +154,21 @@ \subsection{Composition proof structure}

\item The prover computes $\alpha_a G_0$, $\alpha_b G_2$, $\alpha_i K_i$, $K_{t1,i} = (1/y_i)*K_i$, and $\tilde{K}_i = (z_i/y_i)*G_2$ for $i \in 1,...n$. He sends all of those to the verifier along with the keys $K_i$.

\item The verifier generates a random challenge $c \in_R \mathbb{Z}_l$ and sends it to the verifier.
\item The verifier generates random scalars $c, \mu_a, \mu_b \in_R \mathbb{Z}_l$ and sends them to the prover.

\item The prover computes responses $r_a, r_b, r_1, ..., r_n$ and sends them to the verifier.\vspace{.115cm}
\begin{align*}
r_a &\equiv \alpha_a - c*(\sum^n_{i=1} \mathcal{H}_7(\textrm{``a"}, i, K_{t2,1},...,K_{t2,n})*(x_i/y_i)) \\
r_b &\equiv \alpha_b - c*(\sum^n_{i=1} \mathcal{H}_7(\textrm{``b"}, i, \tilde{K}_1,...,\tilde{K}_n)*(z_i/y_i)) \\
r_a &\equiv \alpha_a - c*(\sum^n_{i=1} \mu_a^{i-1}*(x_i/y_i)) \\
r_b &\equiv \alpha_b - c*(\sum^n_{i=1} \mu_b^{i-1}*(z_i/y_i)) \\
r_i &\equiv \alpha_i - c*(1/y_i)
\end{align*}

\item The verifier computes $K_{t2,i} = K_{t1,i} - G_1 - \tilde{K}_i$, then checks the following equalities. If any of them fail, then the prover has failed to satisfy the composition proof system.\vspace{.115cm}
\item The verifier computes $K_{t2,i} = K_{t1,i} - G_1 - \tilde{K}_i$, then checks the following equalities. If any of them fail (or any of $K_i, K_{t1,i}, \tilde{K}_i$ equal the identity element $I$), then the prover has failed to satisfy the composition proof system.\vspace{.115cm}
\begin{align*}
\alpha_a G_0 &== r_a G_0 + c*(\sum^n_{i=1} \mathcal{H}_7(\textrm{``a"}, i, K_{t2,1},...,K_{t2,n})*K_{t2,i}) \\
\alpha_b G_2 &== r_b G_2 + c*(\sum^n_{i=1} \mathcal{H}_7(\textrm{``b"}, i, \tilde{K}_1,...,\tilde{K}_n)*\tilde{K}_i) \\
\alpha_a G_0 &== r_a G_0 + c*(\sum^n_{i=1} \mu_a^{i-1}*K_{t2,i}) \\
\alpha_b G_2 &== r_b G_2 + c*(\sum^n_{i=1} \mu_b^{i-1}*\tilde{K}_i) \\
\alpha_i K_i &== r_i K_i + c*K_{t1,i}
\end{align*}
\end{enumerate}


\subsection{Non-interactive composition proofs}
\label{appendix:noninteractive-composition-proofs}

Here we apply the Fiat-Shamir transform \cite{fiat-shamir-transform} to the proof structure just described.

\subsubsection{Non-interactive proof}

\begin{enumerate}
\item Suppose the prover has keys $x_i, y_i, z_i$, and $K_i$ for $i \in 1,...,n$, where $K_i = x_i G_0 + y_i G_1 + z_i G_2$.

\item The prover generates random scalars $\alpha_a, \alpha_b, \alpha_1, ..., \alpha_n \in_R \mathbb{Z}_l$.

\item The prover computes $\alpha_a G_0$, $\alpha_b G_2$, $\alpha_i K_i$, $K_{t1,i} = (1/y_i)*K_i$, and $\tilde{K}_i = (z_i/y_i)*G_2$ for $i \in 1,...n$. Let the values $G_0, G_1, G_2, K_i, K_{t1,i}$, and $\tilde{K}_i$ be recorded in a global reference string $R$.

\item The prover computes the challenge:
\[c = \mathcal{H}_8(R, [\alpha_a G_0], [\alpha_b G_2], [\alpha_1 K_1],...,[\alpha_n K_n])\]

\item The prover computes responses $r_a, r_b, r_1, ..., r_n$.\vspace{.115cm}
\begin{align*}
r_a &\equiv \alpha_a - c*(\sum^n_{i=1} \mathcal{H}_7(\textrm{``a"}, i, K_{t2,1},...,K_{t2,n})*(x_i/y_i)) \\
r_b &\equiv \alpha_b - c*(\sum^n_{i=1} \mathcal{H}_7(\textrm{``b"}, i, \tilde{K}_1,...,\tilde{K}_n)*(z_i/y_i)) \\
r_i &\equiv \alpha_i - c*(1/y_i)
\end{align*}
\end{enumerate}

The composition proof is the tuple $\sigma_{cp} = [c, r_a, r_b, r_1, ..., r_n, G_0, G_1, G_2, K_1, K_{t1,1}, \tilde{K}_1, ..., K_n, K_{t1,n}, \tilde{K}_n]$.

\subsubsection{Verification}

The verifier does the following given a proof $\sigma_{cp}$.

\begin{enumerate}
\item Compute the challenge:
\begin{align*}
c' = \mathcal{H}_8(R, &[r_a G_0 + c*(\sum^n_{i=1} \mathcal{H}_7(\textrm{``a"}, i, K_{t2,1},...,K_{t2,n})*K_{t2,i})],\\
&[r_b G_2 + c*(\sum^n_{i=1} \mathcal{H}_7(\textrm{``b"}, i, \tilde{K}_1,...,\tilde{K}_n)*\tilde{K}_i)],\\
&[r_1 K_1 + c*K_{t1,1}],...,[r_n K_n + c*K_{t1,n}])
\end{align*}

\item If $c == c'$ then the proof is valid.
\end{enumerate}

\end{appendices}
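Review bot: the rewritten step 4 fixes the old line's typo (the challenge was being "sent to the verifier"), and the new equations check out: with $K_{t1,i} = (1/y_i)*K_i$ and $\tilde{K}_i = (z_i/y_i)*G_2$, the verifier's $K_{t2,i} = K_{t1,i} - G_1 - \tilde{K}_i$ equals $(x_i/y_i)*G_0$, so $r_a G_0 + c*(\sum \mu_a^{i-1}*K_{t2,i}) = \alpha_a G_0$, and likewise $r_i K_i + c*K_{t1,i} = \alpha_i K_i$. Two points on this hunk: (1) the new identity check in the verifier step lists $K_i, K_{t1,i}, \tilde{K}_i$ without saying what each rejection is for; $\tilde{K}_i \neq I$ is what enforces $z_i/y_i \neq 0$ (the condition content.tex now states), while $K_{t1,i} \neq I$ already follows from $K_i \neq I$ and the third equation, so a clause naming the purpose would help. (2) Deleting the whole "Non-interactive composition proofs" subsection also deletes the definition of the proof tuple $\sigma_{cp}$ and of the reference string $R$ that the challenge hash binds; make sure the label \texttt{appendix:noninteractive-composition-proofs} is not referenced elsewhere in the document, and consider keeping a one-line definition of what the non-interactive transcript must contain, since that is the part an implementer is most likely to get wrong.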
6 changes: 3 additions & 3 deletions content.tex
@@ -289,7 +289,7 @@ \subsection{Ownership and unspentness proofs}
\begin{enumerate}
\item Assume there is a group point $K = x G_0 + y G_1 + z G_2$.

\item Demonstrate knowledge of values $x, y, z$ such that $K = x G_0 + y G_1 + z G_2$ and $y/z \neq 0$.
\item Demonstrate knowledge of values $x, y, z$ such that $K = x G_0 + y G_1 + z G_2$ and $y, z/y \neq 0$.

\item Demonstrate that a key $\tilde{K}$ satisfies $\tilde{K} == (z/y)*J$.

@@ -389,7 +389,7 @@ \subsection{Transaction teleology}

We do not require transaction fees to be committed to by e-note authors (they only need to be committed to it in balance proofs). This facilitates dynamic collaborative funding (see Section \ref{subsec:implementers-modular-tx-building}), where the fee can be undetermined when contributing an input to a transaction.

From a teleological perspective, we do not consider this problematic. If an e-note owner does not construct a transaction's balance proof, then they must delegate that ability to another party. We consider that delegation to count as delegation of the authority to decide transaction fees.
From a teleological perspective, we do not consider this problematic. If an e-note owner does not construct a transaction's balance proof, then they must delegate that ability to another party. We consider balance proof delegation to count as delegation of the authority to decide transaction fees.


\subsection{E-note address model}
@@ -533,7 +533,7 @@ \subsubsection{Sender-receiver anonymity}

Even if the amount isn't unusual, if the anonymity set size of membership proofs is relatively small, then there is a very low probability that the observer's e-note was randomly selected as a decoy and just happened to have the same amount as the real e-note being spent.

\item If $v_{c,1}$ is used as a secret input to a proof (e.g.\ a discrete log proof of the commitment to zero $C' - C$ with respect to $G$), then the observer may be able to guess and check the proof structure to see if $v_{c,1} = [\sum^{p}_{t=1} y_t]$ is in fact that secret input (depending on the proof structure used).
\item If $v_{c,1}$ is used as a secret input to a proof (e.g.\ a discrete log proof of the commitment to zero $C' - C$ with respect to $G$), then the observer may be able to guess and check the proof structure to see if $v_{c,1} = [\sum^{p}_{t=1} y_t]$ is in fact that secret input (depending on the proof structure used).\footnote{For examples of where this can be a problem, CLSAG \cite{clsag-eprint} and Triptych \cite{triptych-preprint} both require keys (`extra' key images) computed like $t_c P$ (where $P$ is public information). This means if the observer knows the input commitment blinding factor (and all output commitment blinding factors), then they can identify the true spend of a 1-input transaction via guess-and-check.}
\end{enumerate}

Both problems are mitigated or solved by including a `change e-note' in each transaction, even if its amount must be zero.\footnote{There are niche cases where the first problem is unsolvable. For example, the sender could allow a `low bit' fingerprint to propagate from an input to an output. The observer may also be able to infer, by the mere fact an e-note he created was referenced by a membership proof, that his e-note is being spent.} A change e-note is an e-note the transaction author sends to himself if the total output amount of their transaction exceeds the amount they intend to send to other people (unavoidable if no combination of owned e-notes' amounts equals the intended total output amount of their transaction).
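Review bot: the new footnote uses $t_c$ and $P$ without saying what they denote in this passage; if $t_c$ is the blinding-factor term the observer is assumed to know, name it, and lead with the precondition (the observer knows the input commitment's blinding factor and all output blinding factors) before the CLSAG/Triptych comparison, so the first sentence is not read as a general weakness of those schemes rather than of the change-e-note-less case being discussed.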
2 changes: 1 addition & 1 deletion main.tex
@@ -152,7 +152,7 @@


\title{Seraphis: A Privacy-Preserving Transaction Protocol Abstraction (WIP)\footnote{\textbf{License}: Seraphis is released into the public domain.}\\\vspace{.3cm}
\large Draft v0.0.11\footnote{This is just a draft, so it may not always be available wherever it is currently hosted.}\vspace{-.715cm}}
\large Draft v0.0.13\footnote{This is just a draft, so it may not always be available wherever it is currently hosted.}\vspace{-.715cm}}
\author{koe\footnote{Author `koe' worked on this document partly as an employee of MobileCoin, Inc.} \texttt{ ukoe@protonmail.com}}
\date{\vspace{-.5cm}\today\vspace{-1cm}}

