Confidential and Auditable Payments

Conference paper
Financial Cryptography and Data Security (FC 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12063)

Abstract

In this paper, we construct the Confidential and Auditable Payments (CAP) scheme. Transactions are kept confidential by writing only ciphertexts of them to the ledger, and the soundness of the CAP scheme rests on the soundness of a zero-knowledge proof. A court or other authority holds the unique secret key for the ciphertexts written in the ledger, so it can force confidential transactions open with that key according to legal procedure. Many prior works protect transaction privacy strictly, but to the best of our knowledge none of them provides a forcibly auditable function. The proposed scheme is both confidential and auditable. It removes the money-laundering concern raised by excessively confidential transactions and contributes to the sound use of blockchains.

Supported by Mitsubishi Chemical Corporation.

References

  1. Benhamouda, F., Camenisch, J., Krenn, S., Lyubashevsky, V., Neven, G.: Better zero-knowledge proofs for lattice encryption and their application to group signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 551–572. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_29

  2. Boyle, E., Kohl, L., Scholl, P.: Homomorphic secret sharing from lattices without FHE. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 3–33. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_1

  3. Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_29

  4. Bünz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world. IACR Cryptology ePrint Archive 2019/191 (2019)

  5. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 315–334. IEEE (2018)

  6. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37

  7. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing. STOC 2009, pp. 169–178. Association for Computing Machinery, New York (2009). https://doi.org/10.1145/1536414.1536440

  8. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)

  9. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM (JACM) 60(6), 43 (2013)

  10. Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: anonymous distributed e-cash from bitcoin. In: 2013 IEEE Symposium on Security and Privacy, pp. 397–411. IEEE (2013)

  11. Mitani, T., Otsuka, A.: Traceability in permissioned blockchain. In: 2019 IEEE International Conference on Blockchain (Blockchain), pp. 286–293, July 2019. https://doi.org/10.1109/Blockchain.2019.00045

  12. Mitani, T., Otsuka, A.: Traceability in permissioned blockchain. IEEE Access 8, 21573–21588 (2020). https://doi.org/10.1109/ACCESS.2020.2969454

  13. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)

  14. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9

  15. Sasson, E.B., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE (2014)

Correspondence to Tatsuo Mitani.

A Non-interactive Zero-Knowledge Proof

Following Benhamouda et al. [1] and Mitani and Otsuka [11, 12], we describe the non-interactive zero-knowledge proof of knowledge that a ciphertext encrypts the plaintext \(m=0\). We first give the formal definition of a \(\varSigma ^\prime \)-protocol, then the protocol itself and the lemmas that establish its properties.

Definition 7

(Definition 2.5. in [1]). Let (P, V) be a two-party protocol, where V is a PPT, and let \(L, L^\prime \subseteq \{ 0, 1 \}^*\) be languages with witness relations \(R,R^\prime \) such that \(R \subseteq R^\prime \). Then (P, V) is called a \(\varSigma ^\prime \)-protocol for \(L, L^\prime \) with completeness error \(\alpha \), a challenge set \(\mathbb {C}\), a public input x and a private input w, if and only if it satisfies the following conditions:

  • Three-move form: The prover P, on input (x, w), computes a commitment t and sends it to V. The verifier V, on input x, then draws a challenge \(c \leftarrow \mathbb {C}\) and sends it to P. The prover sends a response s to the verifier. Depending on the protocol transcript (t, c, s), the verifier finally accepts or rejects the proof. The protocol transcript (t, c, s) is called accepting, if the verifier accepts the protocol run.

  • Completeness: Whenever \((x,w) \in R\), the verifier V accepts with probability at least \(1-\alpha \).

  • Special soundness: There exists a PPT algorithm E (the knowledge extractor) which takes two accepting transcripts \((t, c^\prime , s^\prime ), (t, c^{\prime \prime }, s^{\prime \prime })\) satisfying \(c^\prime \ne c^{\prime \prime }\) as inputs, and outputs \(w^\prime \) such that \((x,w^\prime ) \in R^\prime \).

  • Special honest verifier zero knowledge (HVZK): There exists a PPT algorithm S (the simulator) taking \(x \in L\) and \(c \in \mathbb {C}\) as inputs, that outputs (t, s) so that the triple (t, c, s) is indistinguishable from an accepting protocol transcript generated by a real protocol run.

  • High-entropy commitments: For all \((x,w) \in R\) and for all t, the probability that an honestly generated commitment by P takes on the value t is negligible.

We use Pedersen commitments [14] as the auxiliary commitment scheme of the zero-knowledge proof, and denote the scheme by \((\mathsf {aCSetup}, \mathsf {aCCommit}, \mathsf {aCOpen})\).

Pedersen Commitments. Given a family of prime order groups \(\{ \mathbb {G} ( \lambda ) \}_{\lambda \in \mathbb {N}}\) such that the discrete logarithm problem is hard in \( \mathbb {G} ( \lambda )\) with security parameter \(\lambda \), let \(\tilde{q} = \tilde{q} ( \lambda )\) be the order of \(\mathbb {G} = \mathbb {G} ( \lambda )\). To avoid confusion, we denote all elements with order \(\tilde{q}\) with a tilde in the following. We will write the group \(\mathbb {G} ( \lambda )\) additively.

  • \(\mathsf {aCSetup}\): This algorithm chooses \(\tilde{g}, \tilde{h} \xleftarrow {\$} \mathbb {G}\) and outputs \( cpars = (\tilde{g}, \tilde{h})\).

  • \(\mathsf {aCCommit}\): To commit to a message \(m \in \mathbb {Z}_{\tilde{q}}\), it first chooses \(r \xleftarrow {\$} \mathbb {Z}_{\tilde{q}}\). It then outputs a pair \((\widetilde{cmt}, o) = ( m \tilde{g} + r \tilde{h}, r )\).

  • \(\mathsf {aCOpen}\): Given a commitment \(\widetilde{cmt}\), an opening o, the public parameters \( cpars \) and a message m, it outputs \(\mathsf {accept}\) if and only if \(\widetilde{cmt} {\mathop {=}\limits ^{?}} m \tilde{g} + o \tilde{h}\), i.e. the pair \((\widetilde{cmt}, o)\) is what \(\mathsf {aCCommit}\) outputs for m with randomness \(r = o\).

Lemma 4

(Theorem 2.1. in [1]). Under the discrete logarithm assumption for \(\mathbb {G}\), the Pedersen commitment scheme is perfectly hiding and is computationally binding.
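As an added illustration of Definition 7 and of the auxiliary commitment scheme above (example code written for this page, not code from the paper or from [1], [12] or [14]): a Pedersen commitment in the prime-order subgroup of \(\mathbb {Z}_p^*\) with \(p = 2q + 1\), together with the standard three-move proof of knowledge of an opening, its knowledge extractor (special soundness), its simulator (special HVZK), and the trapdoor that breaks binding when \(\tilde{h}\) is not chosen independently of \(\tilde{g}\). The 62-bit group size, the use of SHA-256 as the hash that turns the challenge non-interactive, and all function names are assumptions; the proof shown is for a Pedersen opening, not the page's Fig. 6 proof that an RLWE ciphertext encrypts zero.

```python
"""Pedersen commitments (aCSetup, aCCommit, aCOpen) and the three-move proof of
knowledge of an opening. Added example; NOT the paper's Fig. 6 protocol.
Group: the order-Q subgroup of Z_P^*, P = 2Q + 1, written multiplicatively,
so the page's m*g~ + r*h~ reads g^m * h^r. 62-bit Q is a toy size (assumed)."""
import hashlib
import secrets


def is_prime(n):
    """Deterministic Miller-Rabin; exact for every n < 2**64."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start):
    """Smallest prime q >= start with p = 2q + 1 prime; returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime_group(1 << 62)


def random_group_element():
    """Uniform element of the order-Q subgroup: a random non-trivial square."""
    while True:
        g = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if g != 1:
            return g


class Pedersen:
    def __init__(self, g=None, h=None):
        # aCSetup: g~ and h~ must be sampled independently. If whoever ran
        # setup knows log_g(h), binding is gone (see trapdoor_equivocate).
        self.g = g if g is not None else random_group_element()
        self.h = h if h is not None else random_group_element()

    def commit(self, m):
        """aCCommit: (cmt, o) = (g^m h^r, r) for fresh r."""
        r = secrets.randbelow(Q)
        return pow(self.g, m % Q, P) * pow(self.h, r, P) % P, r

    def open(self, cmt, o, m):
        """aCOpen: accept iff cmt = g^m h^o."""
        return cmt == pow(self.g, m % Q, P) * pow(self.h, o % Q, P) % P

    # Sigma-protocol for R = {(cmt, (m, r)) : cmt = g^m h^r}, challenges in Z_Q.
    def prove_commit(self):
        """Move 1: t = g^a h^b for fresh (a, b); (a, b) is the prover's state."""
        a, b = secrets.randbelow(Q), secrets.randbelow(Q)
        return pow(self.g, a, P) * pow(self.h, b, P) % P, (a, b)

    def challenge(self, cmt, t):
        """Move 2 made non-interactive: c = SHA-256(params, cmt, t) mod Q."""
        data = b"|".join(str(v).encode() for v in (P, self.g, self.h, cmt, t))
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

    @staticmethod
    def prove_respond(state, c, m, r):
        """Move 3: s = (a + c*m, b + c*r) mod Q."""
        a, b = state
        return (a + c * m) % Q, (b + c * r) % Q

    def verify(self, cmt, t, c, s):
        """Accept (t, c, s) iff g^z1 h^z2 = t * cmt^c."""
        z1, z2 = s
        return pow(self.g, z1, P) * pow(self.h, z2, P) % P == t * pow(cmt, c, P) % P

    def prove_nizk(self, cmt, m, r):
        t, state = self.prove_commit()
        c = self.challenge(cmt, t)
        return t, c, self.prove_respond(state, c, m, r)

    def verify_nizk(self, cmt, proof):
        t, c, s = proof
        return c == self.challenge(cmt, t) and self.verify(cmt, t, c, s)

    @staticmethod
    def extract(c1, s1, c2, s2):
        """Special soundness: same t and c1 != c2 give m = (z1 - z1')/(c1 - c2), etc."""
        inv = pow((c1 - c2) % Q, -1, Q)
        return (s1[0] - s2[0]) * inv % Q, (s1[1] - s2[1]) * inv % Q

    def simulate(self, cmt, c):
        """Special HVZK: pick the response first, then solve for t."""
        z1, z2 = secrets.randbelow(Q), secrets.randbelow(Q)
        t = pow(self.g, z1, P) * pow(self.h, z2, P) * pow(cmt, -c % Q, P) % P
        return t, (z1, z2)


def trapdoor_equivocate(x, m, r, m2):
    """With h = g^x known, reopen g^m h^r as m2 via r2 = r + (m - m2)/x mod Q.
    This is the attack the discrete-log assumption of Lemma 4 rules out."""
    return (r + (m - m2) * pow(x, -1, Q)) % Q
```

The group is written multiplicatively, so the page's \(m \tilde{g} + r \tilde{h}\) appears as `g^m * h^r`. `extract` is the knowledge extractor E of Definition 7 and `simulate` the simulator S; `trapdoor_equivocate` is the failure Lemma 4 excludes: whoever knows \(x = \log_{\tilde{g}} \tilde{h}\) can open any commitment to any message, which is why \(\mathsf {aCSetup}\) must sample \(\tilde{h}\) independently (for instance by hashing to the group) rather than as a known power of \(\tilde{g}\).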

We show a non-interactive zero-knowledge proof of a ciphertext of zero in Fig. 6, where h is a cryptographic hash function. This protocol satisfies Lemma 5, and its parallel repetition satisfies Lemma 6.

Fig. 6. Non-interactive zero-knowledge proof of a ciphertext of zero regarding RLWE encryption (Figure 3 in [12]).

Lemma 5

(Lemma 5 in [12]). The protocol in Fig. 6 is an HVZK \(\varSigma ^\prime \)-protocol for the following relations:

$$\begin{aligned} R_0&= \{ ( (c_1, c_2) , (v, e, f) ) : (c_1, c_2) = (bv+pe, av+pf) \wedge |v|, |e|, |f| \le \tilde{\mathcal {O}} (\sqrt{n_d} \alpha ) \} \\ R_0^\prime&= \{ ( (c_1, c_2) , (v, e, f) ) : (2 c_1, 2 c_2) = (2 b v + 2 p e, 2 a v + 2 p f) \\&\qquad \wedge |2v|, |2e|, |2f| \le \tilde{\mathcal {O}} (n_d^2 \alpha ) \} \end{aligned}$$

where 2v, 2e and 2f are reduced modulo q. The protocol has a knowledge error of \(1/(2n_d)\), a completeness error of \(1-1/M\), and high-entropy commitments.

Lemma 6

(Theorem 6 in [12]). Run the protocol in Fig. 6 \(\lambda \) times in parallel (the parallel protocol), and let the parallel protocol accept if and only if at least \(\lambda / 2M\) of the \(\lambda \) proofs are valid, under the condition that an honest verifier rejects no proofs. Then the parallel protocol has both a completeness error and a knowledge error of \(\mathrm {negl}(\lambda )\) under the condition \(n_d \ge 2 M\).
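The threshold rule of Lemma 6 can be checked numerically. The following is an added worked example, not taken from the paper or from [12]: it assumes that the \(\lambda \) runs are independent, that an honest run is valid with probability exactly \(1/M\) (completeness error \(1 - 1/M\)) and a run by a prover without a witness with probability at most \(1/(2 n_d)\) (the knowledge error of Lemma 5), and uses \(M = 3\), \(n_d = 8\) and \(\lambda = 240\) as illustrative values. It computes the exact binomial tails on each side of the threshold \(\lambda / 2M\), the Chernoff bounds that make both errors negligible in \(\lambda \), and what happens to the knowledge error when the condition \(n_d \ge 2M\) is dropped.

```python
"""Threshold parallel repetition of Lemma 6, worked numerically. Added example.
Assumed model (not taken from the paper): runs are independent; an honest run
is valid w.p. 1/M (completeness error 1 - 1/M); a run by a prover without a
witness is valid w.p. at most 1/(2 n_d) (Lemma 5's knowledge error). The
parallel protocol accepts iff at least lambda/(2M) of the lambda runs are valid."""
from math import ceil, comb, exp


def binom_cdf_below(n, p, k):
    """Pr[Bin(n, p) < k], summed exactly from the binomial mass function."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k))


def threshold(lam, M):
    """Number of valid runs needed to accept: at least lambda/(2M)."""
    return ceil(lam / (2 * M))


def parallel_errors(lam, M, n_d):
    """(completeness error, knowledge error) of the lambda-fold protocol."""
    k = threshold(lam, M)
    completeness_err = binom_cdf_below(lam, 1 / M, k)           # honest prover rejected
    knowledge_err = 1 - binom_cdf_below(lam, 1 / (2 * n_d), k)  # witness-less prover accepted
    return completeness_err, knowledge_err


def chernoff_bounds(lam, M, n_d):
    """Closed-form tail bounds showing both errors are negl(lambda) when n_d >= 2M.

    Honest side: mean mu1 = lam/M and threshold mu1/2, so
        Pr[X < mu1/2] <= exp(-(1/2)^2 mu1 / 2) = exp(-lam/(8M)).
    Cheating side: mean mu0 = lam/(2 n_d) <= lam/(4M), so the threshold
    lam/(2M) = (1 + delta) mu0 with delta = n_d/M - 1 >= 1, and
        Pr[X >= (1+delta) mu0] <= exp(-delta^2 mu0/(2+delta))
                                <= exp(-(lam/(2M) - mu0)/3) <= exp(-lam/(12M)).
    The gap between 1/(2 n_d) and 1/M around the threshold 1/(2M) is what the
    condition n_d >= 2M buys; without it the two tails overlap.
    """
    if n_d < 2 * M:
        raise ValueError("bounds need the lemma's condition n_d >= 2M")
    return exp(-lam / (8 * M)), exp(-lam / (12 * M))


def demo(lam=240, M=3, n_d=8):
    """Illustrative values (assumed): returns exact errors and their bounds."""
    return parallel_errors(lam, M, n_d), chernoff_bounds(lam, M, n_d)
```

With the illustrative values both exact errors are below \(10^{-5}\) and sit under their Chernoff bounds, while at \(\lambda = 12\) the knowledge error is still above 0.1, so the amplification only pays off for large \(\lambda \). Setting \(n_d = M\) puts the cheating prover's expected number of valid runs exactly at the threshold, and the knowledge error stays around one half no matter how large \(\lambda \) is; that is the role of the condition \(n_d \ge 2M\).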

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Mitani, T., Otsuka, A. (2020). Confidential and Auditable Payments. In: Bernhard, M., et al. Financial Cryptography and Data Security. FC 2020. Lecture Notes in Computer Science, vol. 12063. Springer, Cham. https://doi.org/10.1007/978-3-030-54455-3_33

  • DOI: https://doi.org/10.1007/978-3-030-54455-3_33

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-54454-6

  • Online ISBN: 978-3-030-54455-3
