Lelantus: Towards Confidentiality and Anonymity of Blockchain Transactions From Standard Assumptions

[nopara73]

Found another interesting paper: https://eprint.iacr.org/2019/373.pdf

We achieve transaction anonymity with a Zerocoin setup which is implemented through 1-out-of-many proofs over generalized Pedersen commitments as is discussed in [4]. Each coin is associated with a unique serial number and a monetary value. The serial number is explicitly revealed during the spend operation in order to prevent the double-spending of the coin. The users will be able to merge, split and redeem multiple
coins while also providing a balance proof to ensure that the transaction’s input and output values add up and no value is generated out of thin air. This proof generation method leverages the unique design properties of 1-out-of-many protocol, which is used to prove the validness of spent coins without revealing their origins and also encode coin value information necessary for generating a zero-knowledge balance proof.

[nothingmuch]

Since this scheme relies on decoy inputs, it would require the blindedcommitments to be published by the coordinator before output registration can proceed.

The coordinator may lie about the set of commitments, showing individual users disjoint sets. Mitigating this his requires an additional synchronous phase similar to the transaction signing phase, where all users sign the set of commitments, and only proceed to output registration if all other users have signed, otherwise their output registrations may be linked to their inputs.

[nopara73]

#30