Abstract
In this paper, we construct the Confidential and Auditable Payments (CAP) scheme. Transactions are kept confidential by writing only their ciphertexts to the ledger, and the soundness of the scheme is derived from the soundness of the accompanying zero-knowledge proof. A court or another authority holds the unique secret key for the ciphertexts written to the ledger and can, following the legal procedure, force a confidential transaction open with that key. Many works protect transaction privacy strictly; to the best of our knowledge, however, none of them provides a forcible auditing function. The proposed scheme is both confidential and auditable. It eliminates concerns about money laundering caused by excessively confidential transactions and contributes to the sound use of blockchain.
Supported by Mitsubishi Chemical Corporation.
References
Benhamouda, F., Camenisch, J., Krenn, S., Lyubashevsky, V., Neven, G.: Better zero-knowledge proofs for lattice encryption and their application to group signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 551–572. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_29
Boyle, E., Kohl, L., Scholl, P.: Homomorphic secret sharing from lattices without FHE. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 3–33. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_1
Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_29
Bünz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world. IACR Cryptology ePrint Archive 2019/191 (2019)
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 315–334. IEEE (2018)
Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. Association for Computing Machinery, New York (2009). https://doi.org/10.1145/1536414.1536440
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM (JACM) 60(6), 43 (2013)
Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: anonymous distributed e-cash from bitcoin. In: 2013 IEEE Symposium on Security and Privacy, pp. 397–411. IEEE (2013)
Mitani, T., Otsuka, A.: Traceability in permissioned blockchain. In: 2019 IEEE International Conference on Blockchain (Blockchain), pp. 286–293, July 2019. https://doi.org/10.1109/Blockchain.2019.00045
Mitani, T., Otsuka, A.: Traceability in permissioned blockchain. IEEE. Access 8, 21573–21588 (2020). https://doi.org/10.1109/ACCESS.2020.2969454
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
Sasson, E.B., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE (2014)
A Non-interactive Zero-Knowledge Proof
Following Benhamouda et al. [1] and Mitani and Otsuka [11, 12], we describe a non-interactive zero-knowledge proof of knowledge that a ciphertext encrypts the plaintext \(m=0\). We first give the formal definition of a \(\varSigma ^\prime \)-protocol, then the protocol itself and the theorem stating that it proves this relation.
Definition 7
(Definition 2.5 in [1]). Let (P, V) be a two-party protocol, where V is a PPT algorithm, and let \(L, L^\prime \subseteq \{ 0, 1 \}^*\) be languages with witness relations \(R,R^\prime \) such that \(R \subseteq R^\prime \). Then (P, V) is called a \(\varSigma ^\prime \)-protocol for \(L, L^\prime \) with completeness error \(\alpha \), a challenge set \(\mathbb {C}\), a public input x and a private input w, if and only if it satisfies the following conditions:
-
Three-move form: The prover P, on input (x, w), computes a commitment t and sends it to V. The verifier V, on input x, then draws a challenge \(c \leftarrow \mathbb {C}\) and sends it to P. The prover sends a response s to the verifier. Depending on the protocol transcript (t, c, s), the verifier finally accepts or rejects the proof. The protocol transcript (t, c, s) is called accepting, if the verifier accepts the protocol run.
-
Completeness: Whenever \((x,w) \in R\), the verifier V accepts with probability at least \(1-\alpha \).
-
Special soundness: There exists a PPT algorithm E (the knowledge extractor) which takes two accepting transcripts \((t, c^\prime , s^\prime ), (t, c^{\prime \prime }, s^{\prime \prime })\) satisfying \(c^\prime \ne c^{\prime \prime }\) as inputs, and outputs \(w^\prime \) such that \((x,w^\prime ) \in R^\prime \).
-
Special honest verifier zero knowledge (HVZK): There exists a PPT algorithm S (the simulator) taking \(x \in L\) and \(c \in \mathbb {C}\) as inputs, that outputs (t, s) so that the triple (t, c, s) is indistinguishable from an accepting protocol transcript generated by a real protocol run.
-
High-entropy commitments: For all \((x,w) \in R\) and for all t, the probability that an honestly generated commitment by P takes on the value t is negligible.
We use Pedersen commitments [14] as the auxiliary commitment scheme of the zero-knowledge proof and denote the scheme by \((\mathsf {aCSetup}, \mathsf {aCCommit}, \mathsf {aCOpen})\).
Pedersen Commitments. Given a family of prime order groups \(\{ \mathbb {G} ( \lambda ) \}_{\lambda \in \mathbb {N}}\) such that the discrete logarithm problem is hard in \( \mathbb {G} ( \lambda )\) with security parameter \(\lambda \), let \(\tilde{q} = \tilde{q} ( \lambda )\) be the order of \(\mathbb {G} = \mathbb {G} ( \lambda )\). To avoid confusion, we denote all elements with order \(\tilde{q}\) with a tilde in the following. We will write the group \(\mathbb {G} ( \lambda )\) additively.
-
\(\mathsf {aCSetup}\): This algorithm chooses \(\tilde{g}, \tilde{h} \xleftarrow {\$} \mathbb {G}\) and outputs \( cpars = (\tilde{g}, \tilde{h})\).
-
\(\mathsf {aCCommit}\): To commit to a message \(m \in \mathbb {Z}_{\tilde{q}}\), it first chooses \(r \xleftarrow {\$} \mathbb {Z}_{\tilde{q}}\). It then outputs a pair \((\widetilde{cmt}, o) = ( m \tilde{g} + r \tilde{h}, r )\).
-
\(\mathsf {aCOpen}\): Given a commitment \(\widetilde{cmt}\), an opening o, the parameters \( cpars \) and a message m, it outputs \(\mathsf {accept}\) if and only if \(\widetilde{cmt} {\mathop {=}\limits ^{?}} m \tilde{g} + o \tilde{h}\).
Lemma 4
(Theorem 2.1 in [1]). Under the discrete logarithm assumption for \(\mathbb {G}\), the Pedersen commitment scheme is perfectly hiding and computationally binding.
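As an added worked example (not code from the paper or from any implementation of CAP), the following Python puts Definition 7 and the Pedersen scheme above side by side: it implements \(\mathsf {aCSetup}\), \(\mathsf {aCCommit}\) and \(\mathsf {aCOpen}\), shows the additive homomorphism that confidential-transaction schemes rely on, and then gives the standard three-move \(\varSigma \)-protocol for knowledge of an opening (m, o) together with the knowledge extractor behind special soundness, the simulator behind special HVZK, and the Fiat-Shamir hash that makes it non-interactive, in the role the hash h plays for Fig. 6. The assumptions are the editor's, not the paper's: the abstract group \(\mathbb {G} ( \lambda )\) is instantiated as the prime-order subgroup of \(\mathbb {Z}_p^*\) for a safe prime \(p = 2q+1\) found at run time (toy size), so the paper's additive notation becomes multiplicative; the generators are derived by hashing fixed labels; and the protocol proves knowledge of a Pedersen opening, not the ciphertext-of-zero relation of Fig. 6, which this page does not reproduce. The `equivocate` function shows why the binding half of Lemma 4 needs \(\log _{\tilde{g}} \tilde{h}\) to be unknown: a setup that knows it can reopen any commitment to any message.

```python
"""Pedersen commitments and a Sigma-protocol for their opening (toy, stdlib only).
Added example, not code from the paper: the group is the order-q subgroup of Z_p^*
for a safe prime p = 2q + 1, written multiplicatively, so the paper's additive
m*g~ + r*h~ reads g^m * h^r mod p here. Parameter sizes are toy sizes."""
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; with these fixed bases it is exact for every n < 3.3e24."""
    if n < 2 or any(n % b == 0 for b in _MR_BASES):
        return n in _MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start):
    """Smallest q >= start with q and p = 2q + 1 both prime; returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

def hash_to_group(p, label):
    """Element of the order-q subgroup (the squares mod p) with no known discrete log."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % p
    return pow(x, 2, p) if x > 1 else 4

def acsetup(p, q, alpha=None):
    """aCSetup. Honest setup hashes both g~ and h~, so log_g(h) is unknown to everyone;
    alpha models a trapdoored setup h~ = alpha*g~ (see equivocate)."""
    g = hash_to_group(p, b"CAP-example-g")
    h = hash_to_group(p, b"CAP-example-h") if alpha is None else pow(g, alpha, p)
    return {"p": p, "q": q, "g": g, "h": h}

def accommit(cp, m, r=None):
    """aCCommit: (cmt~, o) = (m*g~ + r*h~, r) with r <-$ Z_q unless supplied."""
    r = secrets.randbelow(cp["q"]) if r is None else r % cp["q"]
    return pow(cp["g"], m, cp["p"]) * pow(cp["h"], r, cp["p"]) % cp["p"], r

def acopen(cp, cmt, m, o):
    """aCOpen: accept iff cmt~ == m*g~ + o*h~, where o is the opening."""
    return cmt == pow(cp["g"], m, cp["p"]) * pow(cp["h"], o, cp["p"]) % cp["p"]

def equivocate(cp, alpha, m, o, m_new):
    """With alpha = log_g(h), reopen (m, o) as (m_new, o'): binding rests only on alpha."""
    return (o + (m - m_new) * pow(alpha, -1, cp["q"])) % cp["q"]

def sigma_commit(cp):
    """Sigma-protocol (Definition 7) for knowledge of (m, o) with cmt~ = m*g~ + o*h~.
    Move 1: prover draws a, b <-$ Z_q and sends t = a*g~ + b*h~."""
    a, b = secrets.randbelow(cp["q"]), secrets.randbelow(cp["q"])
    return accommit(cp, a, b)[0], (a, b)

def sigma_respond(cp, state, m, o, c):
    """Move 3: s = (a + c*m, b + c*o) mod q for the verifier's challenge c <- Z_q."""
    a, b = state
    return (a + c * m) % cp["q"], (b + c * o) % cp["q"]

def sigma_verify(cp, cmt, t, c, s):
    """Accept the transcript (t, c, s) iff s_m*g~ + s_o*h~ == t + c*cmt~."""
    lhs = pow(cp["g"], s[0], cp["p"]) * pow(cp["h"], s[1], cp["p"]) % cp["p"]
    return lhs == t * pow(cmt, c, cp["p"]) % cp["p"]

def sigma_extract(cp, c1, s1, c2, s2):
    """Special soundness: two accepting transcripts sharing t with c1 != c2 give the
    witness (m, o) = (s1 - s2) / (c1 - c2), componentwise mod q."""
    inv = pow((c1 - c2) % cp["q"], -1, cp["q"])
    return (s1[0] - s2[0]) * inv % cp["q"], (s1[1] - s2[1]) * inv % cp["q"]

def sigma_simulate(cp, cmt, c):
    """Special HVZK: choose s first, then solve for the t that makes (t, c, s) verify."""
    s = (secrets.randbelow(cp["q"]), secrets.randbelow(cp["q"]))
    t = pow(cp["g"], s[0], cp["p"]) * pow(cp["h"], s[1], cp["p"]) * pow(cmt, -c, cp["p"])
    return t % cp["p"], s

def fs_challenge(cp, cmt, t):
    """Fiat-Shamir: c = h(cpars, cmt~, t) mod q stands in for the verifier's random c."""
    data = b"|".join(str(v).encode() for v in (cp["p"], cp["g"], cp["h"], cmt, t))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % cp["q"]

def nizk_prove(cp, cmt, m, o):
    t, state = sigma_commit(cp)
    return t, sigma_respond(cp, state, m, o, fs_challenge(cp, cmt, t))

def nizk_verify(cp, cmt, proof):
    t, s = proof
    return sigma_verify(cp, cmt, t, fs_challenge(cp, cmt, t), s)
```

Run through once, the example shows the points the appendix relies on: a commitment opens only to its own (m, o) pair; the product of two commitments opens to the sum of the messages under the sum of the openings; with the trapdoored setup, `equivocate` reopens a commitment to 5 as a commitment to 500, so the honest setup must not let anyone know \(\log _{\tilde{g}} \tilde{h}\); two responses to the same t under different challenges hand the extractor the witness, which is the mechanism behind the knowledge error in Lemma 5; and a simulated transcript verifies without any witness. The Fiat-Shamir challenge binds the public parameters and the commitment into the hash; omitting them would let a proof be replayed against a different statement, which `nizk_verify` on a different commitment rejects.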
Fig. 6 shows the non-interactive zero-knowledge proof that a ciphertext encrypts zero; h denotes a cryptographic hash function. The protocol satisfies Lemma 5, and its parallel repetition satisfies Lemma 6.
Lemma 5
(Lemma 5 in [12]). The protocol in Fig. 6 is an HVZK \(\varSigma ^\prime \)-protocol for the following relations:
where 2v, 2e and 2f are reduced modulo q. The protocol has a knowledge error of \(1/(2n_d)\), a completeness error of \(1-1/M\), and high-entropy commitments.
Lemma 6
(Theorem 6 in [12]). Let us run the protocol in Fig. 6 \(\lambda \) times in parallel (the parallel protocol), and let the parallel protocol accept if and only if at least \(\lambda / (2M)\) of the \(\lambda \) proofs are valid, under the condition that an honest verifier rejects no proofs. Then the parallel protocol has both completeness error and knowledge error \(\mathrm {negl}(\lambda )\), provided that \(n_d \ge 2 M\).
© 2020 Springer Nature Switzerland AG
Mitani, T., Otsuka, A. (2020). Confidential and Auditable Payments. In: Bernhard, M., et al. (eds.) Financial Cryptography and Data Security. FC 2020. Lecture Notes in Computer Science, vol. 12063. Springer, Cham. https://doi.org/10.1007/978-3-030-54455-3_33
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-54454-6
Online ISBN: 978-3-030-54455-3