WO2021062468A1 - Confidential validation of summations - Google Patents

Confidential validation of summations Download PDF

Info

Publication number
WO2021062468A1
WO2021062468A1 PCT/AU2020/051039 AU2020051039W WO2021062468A1 WO 2021062468 A1 WO2021062468 A1 WO 2021062468A1 AU 2020051039 W AU2020051039 W AU 2020051039W WO 2021062468 A1 WO2021062468 A1 WO 2021062468A1
Authority
WO
WIPO (PCT)
Prior art keywords
result
summands
value
summation
digits
Prior art date
Application number
PCT/AU2020/051039
Other languages
French (fr)
Inventor
Muhammed ESGIN
Original Assignee
Commonwealth Scientific And Industrial Research Organisation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2019903694A external-priority patent/AU2019903694A0/en
Application filed by Commonwealth Scientific And Industrial Research Organisation filed Critical Commonwealth Scientific And Industrial Research Organisation
Publication of WO2021062468A1 publication Critical patent/WO2021062468A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/38Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation
    • G06F7/48Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation using non-contact-making devices, e.g. tube, solid state device; using unspecified devices
    • G06F7/50Adding; Subtracting
    • G06F7/505Adding; Subtracting in bit-parallel fashion, i.e. having a different digit-handling circuit for each denomination
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3823Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/405Establishing or using transaction specific rules
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3093Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/04Payment circuits
    • G06Q20/06Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
    • G06Q20/065Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme using e-cash
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q2220/00Business processing using cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

This disclosure provides an improved method for validating a summation on a blockchain, for example. Instead of adding summands directly and checking the result against the purported value, such as available amount, the improved method checks individual digits or sets of digits. As a result, the modulus can be chosen to be smaller than with existing methods leading to advantages in computation and communication. So for 64bit summands, the calculating and checking on the entire summands and result would require more that 64bit registers due to potential overflow. The claimed method, however, executes significantly faster on existing computer hardware because the register bit width is significantly reduced. That is, the summation at one position and the result at that position fit into a 64bit register, for example. Further, smaller modulus for the validation also gives smaller proof sizes.

Description

"Confidential validation of summations"
Cross-Reference to Related Applications
[0001] The present application claims priority from Australian Patent Application No 2020213375 filed on 7 August 2020 and Australian Provisional Patent Application No 2019903694 filed on 1 October 2019, the contents of which are incorporated herein by reference in their entirety.
Technical Field
[0002] This invention relates to computationally efficient validation of results of summations.
Background
[0003] Public, distributed databases are well suited to store numerical data and associations between different addresses, such as public keys. Numerical data may represent a variety of different physical items and the addresses may be related to individuals. The most successful public distributed databases may be blockchain databases, such as the Bitcoin distributed ledger, where the numerical values are interpreted to hold monetary value. However, this interpretation is not necessary from a technical point of view and almost irrelevant. The fundamental idea is the mathematical operations can be performed on the numerical data without monetary value being involved. In other words, the public database stores individual numbers and these numbers can be used to calculate results by performing mathematical operations.
[0004] The most important mathematical operation in this environment is the summation operation especially where the association of the number can be changed to different public keys but the overall sum is required to remain constant. In the Bitcoin environment this simply means that a user is only allowed to spend the same amount of ‘coins’ as the user owns. The ‘spending’ of ‘coins’ is referred to as a ‘transaction’ but this term can be misleading. The term ‘transaction’ creates an analogy with the financial world but ultimately, a ‘transaction’ in the database area of technology relates to computer science in the sense that a series of cryptographic steps need to be taken according to a well defined protocol. It is not even necessary for any monetary value to change ownership because the underlying functions are simply executed on the numbers and cryptographic keys. ‘Coins’ can be used for a variety of different purposes, including as a reference to monetary value (fiat currency), as a reference to physical items or simply as a record of arbitrary data. So throughout this disclosure, when reference is made to related terms, such as ‘transaction’, ‘commitment’, ‘proof, ‘coin’ and the like, these are not understood to represent corresponding abstract ideas but to relate to a collection of mathematical, algorithmic and/or cryptographic functions that create a result that may have an analogy in other areas.
[0005] When it comes to technical problems, especially with implementing some of these functions, there is one specific limitation of typical computer architectures, which is the width of computation registers. For example, many existing computers have a register width of 64 bits. This means that many operations using 64 bits can be performed relatively efficiently. This also means that operations that need less than 64 bits, for example calculating 1+1, require the same amount of time than operations that utilise the full 64 bit width. In other words, operations up to 64 bits execute at relatively constant time.
[0006] However, once a function requires more than the register bit width, the computation becomes inefficient and the computation time rises dramatically. Of course, this is a major problem if the same operation is performed many times.
[0007] In the context of public databases of transactions, such as blockchains, the size of each block containing the transactions is also a major concern. That is, the size of each block contributes to storage size and computational complexity and may be reflected by transaction costs. Therefore, larger numbers lead to larger block sizes making the overall operation of a blockchain less efficient from a computer technology point of view.
[0008] Another challenge arises with the advent of quantum technology because quantum algorithms exist for the factoring of prime numbers from a given product. Since many cryptographic methods, such as RSA, rely on prime factorisation being very hard, quantum computation will make RSA insecure. As an alternative, lattice- based cryptography has been suggested and appears secure against quantum attacks. However, lattice-based cryptography relies heavily on a modulus value and as a result, a larger modulus increases computational complexity. Again, using a modulus that is larger than the register bit-width of the computer, leads to excessive computational complexity. However, when adding two 64 bit numbers the result may be more than 64 bits long and therefore, the modulus should be more than 64 bits with the associated problems of computational complexity.
[0009] Y et another difficulty exists when the actual numbers are confidential in the sense that the public that receives the copy of the public ledger cannot discern or determine the numbers of the transaction. At the same time, however, any participant should be able to validate the mathematical operation on those numbers. It is possible to use a cryptographic commitment to these numbers but again, validating a sum of committed values in lattice-based cryptography leads to significant computational complexity.
[0010] A technique for design and analysis of efficient lattice-based zero-knowledge proofs (ZKP) is disclosed in Esgin, Muhammed F., et al. "Lattice-based Zero- Knowledge Proofs: New Techniques for Shorter and Faster Constructions and Applications." IACR Cryptology ePrint Archive 2019 (2019): 445, which is included herein by reference in full.
[0011] Throughout this specification the word "comprise", or variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated element, integer or step, or group of elements, integers or steps, but not the exclusion of any other element, integer or step, or group of elements, integers or steps.
[0012] Any discussion of documents, acts, materials, devices, articles or the like which has been included in the present specification is not to be taken as an admission that any or all of these matters form part of the prior art base or were common general knowledge in the field relevant to the present disclosure as it existed before the priority date of each of the appended claims.
Summary
[0013] This disclosure provides an improved method for validating a summation on a blockchain, for example. Instead of adding summands directly and checking the result against the purported value, such as available amount, the improved method checks individual digits or sets of digits. As a result, the modulus can be chosen to be smaller than with existing methods leading to advantages in computation and communication.
[0014] A computer-implemented method for validating a result (a_out) of a summation of summands comprises storing the summands and the result in a respective, limited-width processor register; and separately validating the result at each of multiple positions (j) within the summands and the result, by testing the summation at that position against the result at that position subject to an error value that represents a combination of carry values from adjacent positions.
[0015] It is an advantage that different locations of summands and the result are processed separately. Therefore, the steps of validating the result can be performed within a smaller number of computer registers. So for 64bit summands, the calculating and checking on the entire summands and result would require more that 64bit registers due to potential overflow. The claimed method, however, executes significantly faster on existing computer hardware because the register bit width is significantly reduced. That is, the summation at one position and the result at that position fit into a 64bit register, for example. [0016] As a further advantage, the ability to use a smaller modulus for the validation also gives smaller proof sizes. In a cryptocurrency environment, where all the proofs are stored by each verifier/miner, this results in a significant saving and it is often the case that the proof should be as short as possible.
[0017] The summands and the result may be confidential according to a cryptographic primitive (Com) that allows to commit to the summands and the result while keeping the summands and the result hidden from a receiver. The cryptographic primitive may be based on a modulus (q). The cryptographic primitive may use lattice -based cryptography. The result and the summands may be defined by sets (a_in,i[j]; a_out[j]) of one or more digits at the multiple positions, and the number of digits in each set is less than the modulus. A product of the number of digits multiplied with a base value may be less than by the modulus.
[0018] Validating the result at each of the multiple positions may comprise calculating multiple error values by calculating, for each position, an error value (e _j ) representing a difference between the result at that position (a_out[j]) and a sum (sum_i) of the summands (a_in,i[j]) at that position. Validating the result may comprise checking that the multiple error values together have zero value when combined into a single number using a base value (beta) according to their respective position (j).
[0019] Checking that the multiple error values together have zero value may comprise determining, for each position, that a corrector value (c_j) exists for that position that, in combination with a corrector value of an adjacent position (c_j+l), represents the error value (e_j) at that position.
[0020] The corrector value of the adjacent position may be multiplied by the base value. The corrector value cj at position j may be chosen to satisfy ej = cj -βc +1 for error value e j and base value β . [0021] Validating the result subject to the error value may comprise testing whether a commitment, based on the carry values, from a prover to a verifier, is a commitment to zero.
[0022] The method may further comprise determining that the summands are commitments to digits.
[0023] The result may be a result of multiple input summands.
[0024] The method may be used to validate a balance of a transaction to be zero.
[0025] A computer system for validating a result of a summation of summands comprises multiple, limited-width processor registers to store the summands and the result in respective registers. The computer system is configured to separately validate the result at each of multiple positions (j) within the summands and the result, by testing the summation at that position against the result at that position subject to an error value that represents a combination of carry values from adjacent positions.
[0026] A computer-implemented method of validating a result (a_out) of a summation comprises: receiving, by a receiver, summands (a_in,i) of the summation and the result of the summation, and storing the summands and the result in respective, limited-width processor registers, wherein the summands and the result are confidential according to a cryptographic primitive (Com) that allows to commit to the summands and the result while keeping the summands and the result hidden from the receiver, the cryptographic primitive is based on a modulus (q), each of the summands and the result is formed by respective multiple sets (a_in,i[j]; a_out[j]) of one or more digits, and the number of digits in each set is less than the modulus; calculating multiple error values (e_j) representing differences between sets of the result (a_out[j]) and a sum (sum_i) of corresponding sets of the summands (a_in,i[j]) while maintaining the summands and the result hidden, each error value being associated with a position (j) within the summands and the result; and checking that the multiple error values together have zero value when combined into a single number using a base value (beta) according to their respective position (j), by determining that corrector values (c_j) exist that represent each error value (e_j) as a function of one corrector value at the position (j) of that error value, another corrector value (c_j+l) at an adjacent position (j+l) and the base value (beta).
Brief Description of Drawings
[0027] Fig. 1 illustrates an example computer network where a summation is provided by a first computer and the summation is to be validated by a second computer.
[0028] Fig. 2 illustrates a blockchain including two blocks.
[0029] Fig. 3 illustrates a method for validating a result ( aout ) of a summation of summands in order to validate that the balance is zero.
[0030] Fig. 4 illustrates a number example of how to calculate corrector values.
[0031] Fig. 5 illustrates proof length growth (including the cost of serial numbers) with anonymity set (ring) size.
[0032] Fig. 6 illustrates proof length growth with the number of input accounts. Proof length also includes the cost of serial numbers.
Description of Embodiments
Computer network [0033] Fig. 1 illustrates an example computer network 100 comprising a first computer 101, second computer 102 and third computer 103. The first computer 101 has available a first public key PK1 and a first private key SKI associated with the first computer 101. First computer 101 also has access to second public key PK2 and third public key PK3 associated with second and third computer system 102, 103, respectively.
[0034] It is noted that the different entities are described as computer systems for sake of simplicity but other configurations are also possible. For example, the three key pairs could be associated with the same computer or are generally not associated other than by virtue of where they are stored. However, it is convenient to present the key holders as different computers to highlight the fact that secret keys are generally not provided to other computers but kept locally secret. It is also noted that the keys used herein may be understood in the sense of asymmetric key pairs of public and secret keys similar to the RSA encryption framework. However, some cryptographic primitives in this disclosure may be performed using lattice based cryptography as opposed to the prime number factorisation in RSA. More details on how to use lattice based cryptography can be found in Martin R. Albrecht, Rachel Player, and Sam Scott. “On the concrete hardness of learning with errors”. Journal of Mathematical Cryptology, 9(3): 169-203, 2015, which is included herein by reference.
[0035] In the example of Fig. 1, first computer 101 wishes to transfer an amount of ‘3’ to second computer 102 and an amount of ‘2’ to third computer 103. This transfer can be stored in a blockchain environment. For the sake of simplicity, computer 102 is herein described to verify a transaction or more generally a summation. It is noted, however, that anybody, not just computer 10, can verify this. In fact, if the computer 102 is the receiver in a transaction, computer 102 may itself not verify this transaction but a previous transaction to check that computer 101 has made a valid transaction. In any event, all transactions can be verified by the public or at least by any entity that has access to the transaction data but without knowing the actual transaction amounts.
Blockchain [0036] Fig. 2 illustrates a blockchain 200 comprising a first block 201 and a second block 202. Of course, this is only an illustrative representation and most blockchains would include many more blocks, such as over one thousand blocks. Computer 101 makes the transfer of the above amounts persistent by creating a transaction 203 comprising two outputs: the first output transfers a value of ‘3’ to PK2 and amount of ‘2’ to PK3. The public key placeholders PK2 and PK3 would be replaced by the actual values of the respective public keys. Computer 101 then signs the transaction 203 using the first private key SKI and the signature 204 is included into the transaction 203. This enables the public to verify that computer 101 has authorised the transfer, which makes it difficult for an attacker without the private key SKI to make a transfer.
[0037] In order to produce a complete ledger, computer 101 calculates a hash value 205 of the transaction 203 combined with a hash value 206 of the previous block 201. Second computer 102 can now check that the total amount of ‘5’ (3+2) is available to first computer 101 because it was transferred to PK1 in a previous transaction 207. If an attacker now wanted to forge the previous transaction 207, the attacker would need to re-generate both hashes 205 and 206, which means the transactions get secured further and further as the blockchain 200 grows in length.
[0038] It is noted that a public ledger and blockchain are provided here as an example but other ways of creating transactions and other uses of summations of quantitative data can be used with this disclosure. For example, control parameters of a machine may be based on summations of measurement parameters and the control and measurement parameters are confidential so that they are hidden from any party in the middle of the communication and from the receiver.
Commitment scheme
[0039] As mentioned above, the amounts may be confidential and it is possible to use a cryptographic primitive (commit) that allows to commit to the amounts (i.e. summands aout , i and result ain ) while keeping the actual summands and result hidden from the second computer 102 and in fact, hidden from everybody without access to the private key SKI. The commit primitive may also be realised by encryption and may be based on a modulus that defines operations in a lattice-based cryptographic method as further explained below.
[0040] Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Interactions in a commitment scheme may take place in two phases: the commit phase during which a value is chosen and specified and the reveal phase during which the value is revealed and checked. In some protocols, the commit phase consists of a single message from the sender to the receiver. This message is called the commitment. It is important that the specific value chosen cannot be known by the receiver at that time (this is called the hiding property). A reveal phase would consist of a single message, the opening, from the sender to the receiver, followed by a check performed by the receiver. The value chosen during the commit phase must be the only one that the sender can compute and that validates during the reveal phase (this is called the binding property).
[0041] This also relates to zero-knowledge proofs (ZKP). A zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x. The essence of zero- knowledge proofs is that it is trivial to prove that one possesses knowledge of certain information by simply revealing it; the challenge is to prove such possession without revealing the information itself or any additional information. In this case, the prover (computer 101) can prove that they know the value of the summands and the output to the verifier (computer 102).
[0042] One example commitment scheme has two ingredients: a message (i.e. summands, result), that computer 101 wants to commit to, and a randomness, used to hide the message. The commitment scheme that can be used here (and many other commitment schemes) allow committing to a vector of messages. So, for example, computer 101 can create C = Com(m0,m1,...,mk;*) . This notation means that C is a commitment to a vector m = (m0,...,mk) with some randomness, denoted by * (note the semicolon that separates the message part from the randomness part in C above).
[0043] For simplicity we simply write * for all the randomness parts and sometimes it may even be removed completely from the notation. Note that when the randomness changes, the commitment value C also changes even when the message m remains the same. Therefore, there are many ways to commit to the same message. In the present case, the message space is the set of vectors of bounded-degree polynomials with integer coefficients in Z . That is, m = (m0,...,mk) for some k>=0 where m ∈ Rq =Zq[X]/(Xd + 1) .
[0044] Due to the homomorphic properties of the commitment scheme, we have Com(m :*) +Com( m2;*) = Com(m1 + m2;*) . Therefore, addition here happens coordinate-wise.
[0045] More information about commitment schemes can be found in Esgin, Muhammed F., et al. "Lattice-based Zero-Knowledge Proofs: New Techniques for Shorter and Faster Constructions and Applications." IACR Cryptology ePrint Archive 2019 (2019): 445, which is incorporated herein by reference.. Put simply,
Com( m; r) = A * r + B * m where A, B are some public matrices (of appropriate dimensions) and everything is defined over R q = Zq[X] / (Xd +1) with modulus q.
[0046] However, for this disclosure, the exact definition of the commitment scheme is not essential and other definitions can be used. If it is an additively homomorphic commitment scheme, it can be used. So, there is used herein a commitment function that satisfies c*Com(m0;*) +Com{m1*) = Com{c*m0 +m1;*) for any scalar c, and that has a message space supporting integers. The inner workings of the commitment function is not critical, and it can be instantiated based on various different assumptions including lattice-based and discrete logarithm based ones. The proposed methods can equally be implemented using the Pedersen commitment scheme, which is a commitment scheme based on the Discrete Logarithm Problem (DLP).
Balance proof
[0047] Returning back to validating the summation, in a mathematical sense, second computer 102 would need to validate
Figure imgf000014_0001
for some input amounts ain ,0,..., ain,M-1 and output amounts aout,0, .. , aout, S-1 where
Figure imgf000014_0002
. In the example of Fig. 1, M would be 1 there is only one input ain ,0 or simply ain .
[0048] This disclosure refers to ‘summand’ and ‘result’ to indicate that the summation in equation (1) could be on one side (the input or the output) or on both sides. In other words, the ‘result’ is the result of the summation and not to be confused with the output of the transaction. This creates three possibilities:
1. The result ain of the summation appears at the input and the summands aout ,i are summed up at the output of the transaction as shown in Fig. 1;
2. The summands ain ,i are summed up at the input of the transaction and the result aout appears at the output.
3. The result itself represents a summation, so there is a summation over ain ,i at the input and a summation over aout ,i at the output (see equation (1)).
[0049] The general idea to prove (1) while hiding the amounts is to commit to each amount value using a homomorphic commitment scheme, and then show that 1) each committed value is in a valid positive range, and 2) the sum of output commitments minus the sum of the input commitments is a commitment to zero. For the lattice-based schemes, there does not exist a range proof that is significantly shorter than the generic approach: first, prove that some masked values encode bits, and then that these bits construct the committed integer. One important detail that especially has an effect for the lattice-based schemes is that (1) must hold over
Figure imgf000015_0001
, not just
Figure imgf000015_0002
, which makes the process computationally complex.
[0050] Therefore, there is now provided a more efficient balance proof. Fig. 3 illustrates a method 300 for validating a result ( aout ) of a summation of summands in order to validate that the balance is zero, which means that the summands added together are equal to the output. In the practical application of transactions, validation of the summation checks that the amount spent is equal to the amount received or in other words, the payee can validate that the payer legitimately had the funds that the payer claims to have paid. It is noted that mathematical symbols are provided in the claims and elsewhere for clarity in a similar fashion to reference numerals in relation to drawings. Of course, this is not meant in a limiting sense and any other implementation with different mathematical symbols or in a different mathematical arrangement is also intended to be within the scope of this invention.
[0051] Method 300 comprises separately validating 301 the result ( aout ) at each of multiple positions (j) within the summands (ain,i) and the result, so there is the output aout[j] at position j and /th summand ain ,i[j] at position j. The result is validated in step 301 by testing 302 the summation at that position j against the result at that position j subject to an error value e . The error value e represents 303 a combination of carry values from adjacent positions, which allows the validation at each position separately and without considering the other positions at the same time.
[0052] In most examples, there is provided a base value β ≥ 2 and the amounts are represented by r digits. The disclosed method provides a balance proof for digits individually, which significantly reduces computational complexity. While this disclosure uses the case of individual ‘digits’ as an example, it is noted that more generally, sets of multiple digits can also be used. In that case, reference is generally made to a ‘position’ j within the summands, which is essentially a counter across the sets from the beginning of the number ‘string’, such as a position counter from the least significant bit or the most significant bit as the case may be. When each set includes multiple digits, the number of digits in each set should be less than the modulus and more specifically, the number of digits multiplied with the base value is less than the modulus. As a result, the summation does not ‘overflow’ and gains in computational complexity are achieved.
[0053] When working with individual digits, the position j essentially indicates how far from the left or the right the current digit is located within the number. In the most common case, the position j is also the exponent of the base value to convert the number into the decimal system. So for example a binary ‘010’ is 0*22 +l*21 + 0*2° , so j is the exponent (and location within ‘010’) and ranges from 2 to 0.
Mathematical formulation of efficient balance proof
[0054] Mathematically, we can write a =
Figure imgf000016_0001
for any amount a with the digits a[ j] ’s at positions j and base β . Hence, re-arranging equation (1) provides:
Figure imgf000016_0002
[0055] It is noted that the outer sum in equation (2) is over the digit positions j, while the inner sums are over the summands i. The aim is now to re-formulate equation (2) so that each ‘j' can be checked individually. The difficulty with that approach however , is that there may be a carry over from one digit to the next. In other words, there is a trivial case where both sums are identical at each position j. However, there are other cases where equation (2) holds where the digit-wise addition results in different output digits but the carry from one digit results in the next digit being identical between the sum and the output since the carry from one digit affects the result of the next digit. Considering the digits at position j without regards to the other digits would result in an error at that digit. It is therefore possible to represent that error as error ‘digits’ (or simply error values) ej per position j and add that to the summation in equation (2):
Figure imgf000017_0001
[0056] This is valid as long as the error values together add up to exactly zero according to:
Figure imgf000017_0002
[0057] Since the error value ej can only depend on adjacent digits, the error values can be re-written using “corrector values” ∈ and
Figure imgf000017_0004
ej = Cj - βcj+1 , resulting in:
Figure imgf000017_0003
Therefore, instead of using the general idea of equation (1) that requires a very large modulus, computer 101 can proceed as follows. Setting b = 2 as an example, for each amount, computer 101 commits to the bits (i.e. digits) as cin,i Com(ain ,i[0], ... , ain ,i[r - 1];*), Cout,i = Com( aout,i [0], ... , aout,i[r - 1] ;*).
Then, computer 101 also create a “corrector” commitment
C = Com(c0 -2c1,...,cr-1 -2cr;*) with c0 = cr = 0.
[0058] Computer 101 proves to computer 102 that 1) Cin ; ’s and Cout ; ’s are commitments to bits, 2)
Figure imgf000018_0001
C is a commitment to zero, and 3) C is well-formed as above.
[0059] These proofs guarantee that
1) the opening message for any commitment to an amount represents a unique value in a positive range [0, 2r - 1] ,
2) for any j ∈ {0, ... , r - 1 } , the following equality holds
Figure imgf000018_0002
and
3) C does not add any value in this representation.
[0060] By verifying all the proofs, computer 102 will be convinced of Equation (4), but without knowing the actual values in the equation. This is due to the fact that the proof is done over commitments, which hide the actual committed values. Equation (4) essentially means that computer 102 validates the result separately at each of the multiple positions j within the summands aout ,i and the result ∑ain, i . This way, computer 102 tests the summation at that position j against the result at that position j subject to an error value ( c j -2 cj+1 ) that represents the combination of carry values c j and 2 cj+1 from adjacent positions j and j + 1. In this sense, equation (4) is a mathematical expression of method 300 in Fig. 3. +0061] Therefore, computer 101 proves (3) and equivalently (1) to computer 102. Since a range proof already decomposes a value to its bits, from a practical perspective, computer 101 replaces the reconstruction part of the range proof by the proof that shows C is well-formed. Importantly, though, computer 101 does not need to use a very large modulus since the modulus just needs to be large enough to guarantee that (4) holds over
Figure imgf000019_0001
, which is a very weak condition in a practical proof system.
[0062] The reason why it is difficult to simply use (2) is that, when amounts are represented by commitments to their bits, the addition of the commitments adds the corresponding bits over
Figure imgf000019_0002
where q » 2 . Therefore, for Bits(a) denoting the bits of a positive integer a ,
Com(Bits(al); *) + Com(Bits(a2); * ) Com(Bits(al + a2);*),
Figure imgf000019_0003
and hence the proof does not work without the corrector C . More implementation details on an efficient commitment can be found in: Carsten Baum, Ivan Damgard, Vadim Lyubashevsky, Sabine Oechsner, and Chris Peikert. “More efficient commitments from structured lattice assumptions”. In SCN, pages 368-385. Springer, 2018, which is incorporated herein by reference.
Commitments of corrector values
[0063] It is noted that the above Cin ,i 's can be referred to as input coins (i.e., commitment to /-th input amount), Cout ,i 's are the output coins (i.e., commitment to i-th output amount) and C is a commitment to the corrector values, or more specifically C is a commitment to the error values ej . Here, when reference is made to a commitment to an amount, this is to be understood as a commitment to the bits (digits or sets of digits, in general) of the amount. For example, for a,b∈ Z +, computer 101 generates Ca = Com(a[0],...,a[r-1];*) and Cb = Com(b[0],...,b[r-1];*) . When computer 102 computes Ca +Cb, the result is Com(a[0] + b[0],...,a[r-1] + b[r-1] ;*) . That is, sum of the commitments gives exactly the digit- wise addition in parallel. If we then focus on the message inside , it will be a vector, say, v = (v0 , ... , vr-
Figure imgf000020_0004
1 )
Figure imgf000020_0005
Figure imgf000020_0003
where This is exactly the right hand side of
Figure imgf000020_0006
Eqn (4).
[0064] Now when the prover (computer 101) proves to computer 102 that is a commitment to zero, this means that v = (0, ... , 0) , i .e . ,
Figure imgf000020_0007
Vj = Q for all j = 0,...,r-1. That is, for all
Figure imgf000020_0008
j = 0,...,r-1. This proves that Eqn (4) holds for all j = 0, ... , r - 1 , which proves that Eqn 3 and equivalently Eqn 1 are satisfied.
[0065] As a result, verifying that
1) the input and output coins are well-formed (i.e., they are commitment to the digits in base β), commitment to zero, and
Figure imgf000020_0001
3) C is a commitment to
Figure imgf000020_0002
is sufficient to convince computer 102 that the balance is preserved.
[0066] Even though the message space of our commitment covers a much larger set of elements, all the messages used here in the balance proof (for example, digits and corrector values) are simply integers and zero is indeed the integer zero. It is understood that "... is a commitment to zero" means "... is a commitment to the all zero vector" .
[0067] Examples [0068] Below are a number of examples, where the example numbers are very short for illustrative purposes. In most practical applications, the numbers would be significantly larger, such as 64 bits.
[0069] Again, let β be the base value in which the integers will be represented (often β = 2) and r be the total number of digits used at any time. In this example, for ease of notation, denote the input amounts by a. ’s and output amounts by bi ’s, and let a[j] be the j -th digit of an integer a in base β for 0 ≤ j ≤ r- 1 . Also, let
Figure imgf000021_0001
(\boxplus) denote the digit-wise addition of base representations without any modular reduction, i.e., ( 1 1 )2
Figure imgf000021_0003
( 1 1 )2 = (22) . The important observation here is that the reconstruction of a sum of integers from the sum of digit-wise additions is equal to the sum of integers. That is, (11)2 + (11)2 = 3 + 3 = 6 and the reconstruction from (22) is
2· 2° + 2· 21 = 2 + 4 = 6.
[0070] Example 1: As an easy example, let’s first take β = 2 and r = 2 . Further, let’s choose the integer input/output amounts so that there is no carry value. Suppose that we have two input amounts a0 = 1 , a1 = 2 and one output amount b0 = 3 . It is easy to see that a0 + ax = h0 = 3 , so it is balanced. Writing the amounts in base 2 , we have a0 = (01)2 b0 = (11)2. (5) a1 = (10)2
[0071] In this case, (01)2
Figure imgf000021_0002
(10)2 = (11) = (11)2 . So, in this case, clearly proving that b0[0] = a0[0] + a1[0] and b0[ 1 ] = a0[ 1 ] + a1 [ 1 ] is sufficient to prove balance. However, this gets more complicated when there are carry values involved.
[0072] Example 2: This example is shown graphically in Fig. 4. Take again β = 2 and r = 3 . Suppose that we have a0 = (001)2
¾ = (100 (6) flj = (011)2 )2-
[0073] This means a0 401 and at 402 are two summands and Z¾ 403 is the result.
[0074] In this case, (001)2 EB(011)2 = (012) ¹ (100)2 . (see 404) and comparing the bit-wise sum 404 to the result 403 shows that the bit-wise error is (1,-1, -2) as shown at 405. Therefore, it is not possible to prove that b0[j] = a0[j ] + a2[j] for j = 0,1,2. However, we still have
0 · 22 + 1 · 21 + 2 · 2° = 4 = 1 · 22 + 0 · 21 + 0 · 2°.
[0075] It is can be seen that
(001)2 ffl(011)2 ffl(l,-l,-2) = (100) = (100)2, and the reconstruction from (1,-1, -2) is 1 · 22 - 1 · 21 - 2 · 2° = 0 . In fact, balance is preserved if and only if the digit-wise additions on both the input and the output match with some additional “error values” 405, whose reconstruction is equal to zero. For this example, (1,-1, -2) are the error values (e2 ,e1,e0) . The error values represent a difference between the sum of input summands at that position and the sum of output summands at that position and the multiple error values together have zero value when combined into a single number using the base value according to their respective position as in 1 · 22 - 1 · 21 - 2 · 2° = 0 above. It is noted that all the digits of all the input/output amounts are integers between 0 and b - 1 , and therefore, the digit-wise representations of input/output amounts in base b are well-formed. However, there is no such requirement for the error values. In particular, an error value may be negative as above [0076] Observe that for chosen “corrector values” c0 = 0,c4 = l,c2 = 1 at 406 and c3 = 0 at 406 , each error value is of the form c] - 2 cj+1 , which is indicated by the bold lines between the error values 405 and the corrector values 406. That is, a corrector value exists for each position j that, in combination with a corrector value of an adjacent positon cj+1 represents the error value ej at that position, For this example,
-2 = c0 - 2 = 0-2-1 and -1 = - 2c2 = 1 - 2 · 1 .
[0077] More generally, when the error values are of the form c] - b(' i+ί and c0 = cr = 0 , then the reconstruction as
Figure imgf000023_0001
= c0 -cr, (3) always gives zero.
[0078] Example3: The idea clearly works for any base value b ³ 2 as we do not exploit the fact that b = 2 . In fact, even in the previous examples, the error values are not always binary. Let’s take b = 4 and r = 4 .
Figure imgf000023_0002
[0079] We have (1202)4 ffl(0133)4 ffl (0201)4 = (1536) and
(2000)4 ffl (0202)4 = (2202) . Then, we also have (1536) ffl (1,-3, -3, -4) = (2202) .
[0080] Computer 101 first fixes c0 = c4 = 0 . The condition above means -4 = c0 -4 cx , which gives cY = 1. Then, -3 = r, -4c2 gives c2 = 1 . Then, -3 = c2 -4c3 again gives c3 = 1. Finally, 1 = c3 - 4 c4 is also satisfied for c3 = 1 and c4 = 0 . This way, computer 101 calculates the corrector values for position j that, in combination with a corrector value of an adjacent position ( cj+l), represents the error value ( ) at that position
[0081] Such Cj values can always be found provided that sum of input amounts equals the sum of output amounts. Then, using the equivalence of Eqn. (1) and Eqn. (3) above, it is sufficient to prove that each digit of the sum of inputs and sum of outputs differ by values of the form c - b('i-] as shown in Eqn. (7).
Mathematical proof of corrector values
[0082] The following section shows mathematically that the above corrector values indeed exist and can be computed by the prover (e.g. computer 101).
[0083] Lemma: Let A,B be two sets of non-negative integers and a = («[0], ... , a[r - 1]) be the representation of a non-negative integer a in base b ³ 2 . If V a = b, then for any b > 2, there exists c0,...,c e [-(| B | — 1),| A | -1] with c0 = 0 such that
Figure imgf000024_0001
[0084] Further, cr = 0 if the result of the sum is of at most r digits in base b .
[0085] Proof: Let b ³ 2 . For any set A of non-negative integers and any 0 £ i < r where r is the maximum number of digits needed to represent elements in A , we can write
Figure imgf000024_0002
for the carries C1, . . ., Cr and C0 since there is no carry for the least significant bit. Now, fix A, B as two sets of non-negative integers where the sum over A equals the sum over B . Clearly, we have
Figure imgf000025_0001
for any 0 £ i < r . Using (8) and (9), for any 0 < i < r , we get
Figure imgf000025_0002
r r r for some carries C0,C0,. . ^Cr,Cr where C0 — C0 — U . Defining
Figure imgf000025_0003
concludes the first part. Note that due to
Figure imgf000025_0004
being carry values, C e [0, | A —1] and c, [0,| B \ —1] , and thus ct G [-(| B\ — 1),| A\ —1] . When neither of the sums exceed r digits, Cr =Cr =0. and thus Cr =0.
Implementation and Parameters
[0086] In one example implementation, system 100 targets any anonymity level 1 IN for N £ 1 ()()() . 64 -bit precision for amounts (i.e., r = 64 ) and the most common transaction settings where there are at most two input/output accounts (i.e., M , S < 2 ). For all these settings, the following example parameters may be sufficient: B = 1 , (d, w, p) = (64,56,8) , q=231 -218 +23 +1, q=(227 -211 +l)-(226 -212 +1), k = 1 , ns = 1, (n,m) = (18,38) and (n, m) = (32, 65) . With these parameters, a single public costs 4.36 KB and a single serial number costs 248 bytes. The rationale behind the parameter setting is as follows.
[0087] First, experimental analysis shows that d = 64 is the best choice to optimize the proof length. Having set d = 64 , we get (w, p) = (56,8) to have about 256-bit Ή output. To measure the practical security of our scheme we aim for a “root Hermite factor” of d ~ 1.0045 for both M-LWE and M-SIS. For M-LWE security, we use a “LWE estimator”, which tells us that d ~ 1.0045 provides 128-bit post-quantum security. We chose B = 1 .
[0088] We can simply set >f = 1 q is chosen to allow Rq to split into 4 factors while having y = x- x’ (challenge differences) invertible in Rq for any x,x'e C' p . In order to be able to use the number theoretic transform (NTT), the other modulus q is chosen to have two “NTT-friendly” prime factors
Figure imgf000026_0001
and /¾ so that both R and R fully splits, allowing efficient polynomial multiplication using NTT. All these primes
Figure imgf000026_0002
and q are chosen to have a form similar to 2>' - 2 2 + l . which enables the fast modulo reduction technique for the input smaller than 2>' ‘2 times the modulus. By using this technique, we only apply one modulo reduction at the end when computing
Figure imgf000026_0003
Xj e Rq or x, e Rq. such as in the commitments.
[0089] To reduce the number of NTT transformations, system 100 samples uniformly at random directly from the NTT domain, which, in the case of Rq is the four factors the NTT domain for Rq splits into. Also, all commitment outputs (including pk and CH
) are in the NTT domain (i.e., without any inverse NTT during commitment computations). However, since the secrets (notably Cl, r , and p) are involved in the norm checks of Spend , and norm checks are also used for the output / and z of Spend during Verify , we keep these elements in their normal domain and perform NTT when computing the commitments. Therefore, only forward NTT is needed and we eliminate all the inverse NTT from the implementation.
[0090] To accelerate the norm checks and avoid unnecessary overhead during the rejection of Spend , we adapt an early-evaluation rejection technique. In particular, we check the infinity or Euclidean norm and restart immediately during each ring element computation of / , g , and all z ’s. However, for / , we need to hide what index may give a rejection due to the application of our rejection sampling technique for fixed Hamming weight binary secrets. Therefore, a restart happens only after / is completely iterated over. In addition, since Tg is larger than 64 bits, we use the GMP library [11] to compute || g || and make the comparison.
[0091] To implement the NTT efficiently, we adapt for both factors
Figure imgf000027_0001
and R of during the NTT butterfly computations, the lazy Montgomery reduction. However, for multiplication in Rq, since the input would be reduced to [0, 2q - 1] in the lazy reduction, the intermediate value during multiplication reduction may exceed 64 bits for the input less than 4c/2. Thus, we use the full Montgomery reduction for Rq instead. In addition, we also adapt the constant-time comparison techniques in our NTT implementation and uniform samplers (e.g., {-B .6 } or [—/¾„, ..
Figure imgf000027_0002
for the secrets.
[0092] In our implementation, we use the AES-NI hardware instructions on Intel CPUs to implement the pseudorandom generator and use the SHAKE-256 to implement the hash function L . We compile our implementation by using GCC 8.3.0 with the compiler switch -03 -march=native during the benchmarks.
[0093] The computational evaluation of our construction is given in Table below, where the running times are the average number of cycles in 1000 runs divided by 3 · 10s . Asymptotically, the proof generation and verification times are 0(M N) as M ring signatures are run, each with O(N) computation. Further, Fig. 4 shows that the proof length scales very slowly with anonymity set size N . The proof length scale linearly with the number of input accounts as shown in Fig. 5. Asymptotically, the proof length grows poly-logarithmically in N and linear in M , i.e.,
I P |= 0(M log N) for a small constant c . [0094] The following table provides proof length comparison (in KB) of “postquantum” RingCT proposals, supporting multiple inputs/outputs, where MatRiCT is the method proposed herein.
Figure imgf000028_0001
[0095] The following table provides running times (in ms) of the proposed (MatRiCT) method at 3 GHz.
Figure imgf000028_0002
Mathematical details
[0096] The following part of the description provides further mathematical details on the security proofs. An algorithm to verify a transaction may be as follows:
Figure imgf000029_0001
Figure imgf000029_0002
Figure imgf000029_0003
[0097] To calculate the binding requirements of the commitment scheme, the norms of some proof components are bounded in the following sequences of lemmas,. The following holds for the vector g in the above algorithm
||gf £ d3 [ *kfiifi + l) + *r(S + l)).
[0098] The extracted opening (a,fa) of A for A defined in the algorithm satisfies the following
Figure imgf000030_0001
[0099] The extracted opening (c. r ) of C for C defined in the algorithms satisfies the following
Figure imgf000030_0002
[0100] Further, the same bound as above also holds for the Euclidean norm of an extracted opening of mout ; for any 0 < i £ S - 1.
[0101] We then summarize the relations proved by our binary zero knowledge proof (ZKP) and one-out-of-many ZKP. Assume that the following holds
Figure imgf000030_0003
[0102] For an input commitment Be R- , a commitment key ck and proof output (A,c,ΐ^ΐ , zb), our binary proof proves knowledge of (y. b.c. f) such that
Figure imgf000030_0004
• yB = Comck(yb,c;r) ,
• All coordinates I of b is in {0,1} ,
• c is uniquely determined by nT,.G ..r and b, •Forthe first k[3 coordinates
Figure imgf000031_0001
= 0. i.e., there is only a single
Figure imgf000031_0002
forall 0</<&-l,
• ||(yb,c,f)|| < Ybin .
[0103] Assume that q > (2r[Έ)k and º2A + lmod4A for some 1 <K£d where A is a power of 2. On input a commitment key ck and a set of commitments (P0 , ... , Pv_, ) , the underlying one-out-of-many proof of our ring signature proves knowledge of (y,£, f) such that
• e{0,...,A-l},
• yPe = Comck( 0;f),
• y is a product of k elements i
Figure imgf000031_0003
\y\£ d -(2pfw l ,
Figure imgf000031_0004
[0104] Further, the proof is L:' -special sound where k' = max{k + 1,3} .
[0105] (Balance) Assume that q >
Figure imgf000031_0005
and q º 2K + lmod4A for some 1 < K £ d where A is a power of 2. Let k = k(k + 1) / 2 and Q be a positive real number such that the Euclidean norm of any product of K-\ elements in C p is at are hard where
Figure imgf000031_0006
then no PPT adversary can win without shuffling with non-negligible probability. [0106] Proof:. First, due to the M-SIS assumptions, HMC is y -binding when instantiated with parameters n. m, q, B and ybin -binding when instantiated with parameters n, m,q,B . We separate the proof into three cases.
[0107] Case 1 (forgery): Let Sf be the event that A wins the game in a way that there exists s e SN with 0 £ i* £ M -l and 1 < f £ t such that s , º C and i j i
£[s „ ] .IsCrpt = 0 .
[0108] creates an invalid public key pk for PkGen(l) query such that
Figure imgf000032_0001
pk is computationally indistinguishable from a valid public key by M-LWE m-n m q B hardness assumption. A runs A until Sf occurs k' = maxjL + 1.3 } times in total with respect to distinct Ή. outputs and the same Ή. inputs where
• the indices / and i are the same for all k' £forge events,
• pk£ e Ai J n and it is not corrupted.
[0109] k' -special soundness of the underlying one-out-of-many proof holds when
HMC is g- and ybin -binding, which is satisfied if M-SIS „,m+r, ,,2 and M-SIS A vA^bn are hard. Therefore, there exists a PPT extractor that recovers an opening (0, s) of a public key pk y in the i row of Ajn such that y · pk y = Comck ( 0;s) where ye ACw p is some relaxation factor with
Figure imgf000032_0002
g and ||s|| < g by Lemma 0.2. With probability 1 / (M - N) , pk = pk y . Hence,
Figure imgf000032_0003
. Since (y, 0, ... , 0, yr) ¹ (0, s) , this violates the y -binding property of the commitment scheme and also gives a solution to M-SIS n m q lr, which gives a contradiction. [0110] Case 2 (double-spend): Let £lxspend be the event that L wins the game in a way that there exists s , e SN , with 0 < i < M - 1 and 1 < / < t such that s , g C . i j *
Assume that the assumptions in the statement of the lemma hold and £lxspend happens.
We show that this gives a contradiction. Since the transactions output by L are valid, we have from the algorithm above
Figure imgf000033_0001
where pk . is an honestly generated public key for all i e [0, N - 1] . Again using the i extractor of the underlying ZKP as in Case 1, A , who runs L multiple times, obtains a witness s such that y -pkf < = G -s, (13) y · s., = H s, (14) for some 0 < l < A -1 where y is a product of k elements i
Figure imgf000033_0002
and ||s|| < g by Lemma 0.2. Since pk . ^ is an honestly generated public key, we also have ypk = G - yrt (15)
Figure imgf000033_0003
for some . Using (13), right side of (15)
Figure imgf000033_0004
and y -binding of HMC with respect to G, we get s = yr . Then, from (14), we get y-s.. 11 .M s . H r (16) since y is invertible because all its factors are invertible by the assumption on q . From right side of (16) and left side of (15), we conclude that s , = s e £ . which gives a contradiction. [0111] Case 3 (unbalanced amounts): Let £unbalanced be the event that A wins the game in a way that for all s; e SN « where 0 < i £ M -1 , s, e C and £[s,].IsCrpt = 1.
Assume that the assumptions in the statement of the lemma hold and there exists a PPT who runs A .
[0112] As in Case 1, A runs A until £unbalanced occurs k’ = max]/: + 1.3} times with respect to distinct Ή outputs and the same Ή inputs where the index / is the same for all k' events. Then, it uses the extractor of the underlying ZKP of the / -th transaction to obtain the following, for all / e [0, S - 1] , x-C = Comck (xc0 - x 2cx , ... , xcr-x - x 2c. ;rc ), (17) · ¥«,,, = Comck (¾ o , · · · , xboir- iL»,, )· (18)
Figure imgf000034_0001
where
co =cr = 0 and cl,...,cr-iº [-( -1),(5-1)],
Figure imgf000034_0002
• y is a product of k elements in AC' where one of its factors is x ,
• ||r|| < g by Lemma 0.2,
Figure imgf000034_0003
II ¾0,---,¾ iAIi., ||£ 7l(S + l)0y[d) ,
• b ol, e {°,! } for all i {0,...,5-l} and all j {0,...,r-l}.
[0113] Multiplying (7) and (8) by y' = y /x , we get y -C = Comck ( yc0 - y2cx,... , ycr-x - y2cr;y'rc ), (20) y^u,., =ComAybl^---Ablr-,y'ru,,\ (2|) where 11 (yc0 - y2c1 , ... , ycr-x - y2cr , yrc ) 11< g! (S + 1) , and
Figure imgf000034_0004
[0114] Since the input coins are generated honestly, we also have
Cn /, = C°mck (b 0 hr- 1 ·' ) (22)
Figure imgf000035_0001
r all iº {0 ,. .,M -1} and all jº {0,...,r-l} . Substituting (10), (11) and (12) into (9), we get
Figure imgf000035_0002
[0115] Observe that the input of the commitment on the left hand side has Euclidean norm at most g . Similarly, after using the homomorphic properties of the commitment scheme, the input of the commitment on the right hand side has norm at most g (here we neglect the norm of (yli yli
Figure imgf000035_0003
. yr ) as that is much smaller in comparison). Then, using y -binding property of HMC, we get
Figure imgf000035_0004
for all / e {()..... /· - 1 [ with r1 = c = 0 . By the assumption on q and the above Lemma, y is invertible in Rq , and we have
Figure imgf000035_0005
where with c0 = cr = 0 . Since HMC is /-binding we have q > ¾> max{4M.4.S’} .
Hence, (24) holds over R . Since all the values are just integers, (24) in fact holds over Z .
By the definition of Exp : Balance , the sum of the amounts in AmC (i.e., the amounts corresponding to uncorrupted output public keys) can be at most the sum of the amounts in all output coins. Using this fact, we look at the following sum where amt„, , = £|s, [amt for s; = SN . | / 1 [0116] The above implies
Figure imgf000036_0001
, giving a contradiction with the winning assumption of L in Exp : Balance .
[0117] Remark 1 Note that the factor q^[ά can be taken to be 1, when k = 1. This is due to fact that in this case, K= 1, and thus y = x . Hence, there is no need to do cross multiplication to have (17), (18) and (19) multiplied by the same relaxation factor y .
[0118] It will be appreciated by persons skilled in the art that numerous variations and/or modifications may be made to the above-described embodiments, without departing from the broad general scope of the present disclosure. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive.

Claims

CLAIMS:
1. A computer-implemented method for validating a result (a out) of a summation of summands, the method comprising: storing the summands and the result in a respective, limited-width processor register; and separately validating the result at each of multiple positions (j) within the summands and the result, by testing the summation at that position against the result at that position subject to an error value that represents a combination of carry values from adjacent positions.
2. The method of claim 1, wherein the summands and the result are confidential according to a cryptographic primitive (Com) that allows to commit to the summands and the result while keeping the summands and the result hidden from a receiver.
3. The method of claim 2, wherein the cryptographic primitive is based on a modulus (q).
4. The method of claim 3, wherein the cryptographic primitive uses lattice-based cryptography.
5. The method of claim 3 or 4, wherein the result and the summands are defined by sets (a_in,i[j]; a_out[j]) of one or more digits at the multiple positions, and the number of digits in each set is less than the modulus.
6. The method of claim 5, wherein a product of the number of digits multiplied with a base value is less than by the modulus.
7. The method of any one of the preceding claims, wherein validating the result at each of the multiple positions comprises calculating multiple error values by calculating, for each position, an error value (ej) representing a difference between the result at that position (a_out[j]) and a sum (sum i) of the summands (a_in,i[j]) at that position.
8. The method of claim 7, wherein validating the result comprises checking that the multiple error values together have zero value when combined into a single number using a base value (beta) according to their respective position (j).
9. The method of claim 8, wherein checking that the multiple error values together have zero value comprises determining, for each position, that a corrector value (c_j) exists for that position that, in combination with a corrector value of an adjacent position (c_j+l), represents the error value (ej) at that position.
10. The method of claim 9, wherein the corrector value of the adjacent position is multiplied by the base value.
11. The method of claim 10, wherein the corrector value cj at position j is chosen to satisfy e; = r; - bn i for error value ej and base value b .
12. The method of any one of the preceding claims, wherein validating the result subject to the error value, comprises testing whether a commitment, based on the carry values, from a prover to a verifier, is a commitment to zero.
13. The method of any one of the preceding claims, wherein the method further comprises determining that the summands are commitments to digits.
14. The method of any one of the preceding claims, wherein the result is a result of multiple input summands.
15. The method of any one of the preceding claims, wherein the method is used to validate a balance of a transaction to be zero.
16. A computer system for validating a result of a summation of summands, the computer system comprising multiple, limited-width processor registers to store the summands and the result in respective registers, the computer system being configured to separately validating the result at each of multiple positions (j) within the summands and the result, by testing the summation at that position against the result at that position subject to an error value that represents a combination of carry values from adjacent positions.
17. A computer-implemented method of validating a result (a out) of a summation, the method comprising: receiving, by a receiver, summands (a_in,i) of the summation and the result of the summation, and storing the summands and the result in respective, limited-width processor registers, wherein the summands and the result are confidential according to a cryptographic primitive (Com) that allows to commit to the summands and the result while keeping the summands and the result hidden from the receiver, the cryptographic primitive is based on a modulus (q), each of the summands and the result is formed by respective multiple sets (a_in,i [j ] ; a_out[j]) of one or more digits, and the number of digits in each set is less than the modulus; calculating multiple error values (e J) representing differences between sets of the result (a_out[j]) and a sum (sum i) of corresponding sets of the summands (a_in,i[j]) while maintaining the summands and the result hidden, each error value being associated with a position (j) within the summands and the result; and checking that the multiple error values together have zero value when combined into a single number using a base value (beta) according to their respective position (j), by determining that corrector values (c_j) exist that represent each error value (ej) as a function of one corrector value at the position (j) of that error value, another corrector value (c_j+l) at an adjacent position (j+1) and the base value (beta).
PCT/AU2020/051039 2019-10-01 2020-09-30 Confidential validation of summations WO2021062468A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
AU2019903694 2019-10-01
AU2019903694A AU2019903694A0 (en) 2019-10-01 Confidential validation of summations
AU2020213375A AU2020213375B1 (en) 2019-10-01 2020-08-07 Confidential validation of summations
AU2020213375 2020-08-07

Publications (1)

Publication Number Publication Date
WO2021062468A1 true WO2021062468A1 (en) 2021-04-08

Family

ID=73690586

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2020/051039 WO2021062468A1 (en) 2019-10-01 2020-09-30 Confidential validation of summations

Country Status (2)

Country Link
AU (1) AU2020213375B1 (en)
WO (1) WO2021062468A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023236899A1 (en) * 2022-06-10 2023-12-14 华为技术有限公司 Data processing method, apparatus, device and storage medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022221926A1 (en) * 2021-04-23 2022-10-27 Commonwealth Scientific And Industrial Research Organisation Summation validation method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4679236A (en) * 1984-12-21 1987-07-07 Davies Richard E Identification verification method and system
US8160242B2 (en) * 2008-10-07 2012-04-17 Lsi Corporation Efficient implementation of arithmetical secure hash techniques
US9395952B2 (en) * 2012-05-19 2016-07-19 Olsen Ip Reserve, Llc Product summation apparatus for a residue number arithmetic logic unit
US9569771B2 (en) * 2011-04-29 2017-02-14 Stephen Lesavich Method and system for storage and retrieval of blockchain blocks using galois fields

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4679236A (en) * 1984-12-21 1987-07-07 Davies Richard E Identification verification method and system
US8160242B2 (en) * 2008-10-07 2012-04-17 Lsi Corporation Efficient implementation of arithmetical secure hash techniques
US9569771B2 (en) * 2011-04-29 2017-02-14 Stephen Lesavich Method and system for storage and retrieval of blockchain blocks using galois fields
US9395952B2 (en) * 2012-05-19 2016-07-19 Olsen Ip Reserve, Llc Product summation apparatus for a residue number arithmetic logic unit

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023236899A1 (en) * 2022-06-10 2023-12-14 华为技术有限公司 Data processing method, apparatus, device and storage medium

Also Published As

Publication number Publication date
AU2020213375B1 (en) 2020-12-10

Similar Documents

Publication Publication Date Title
Esgin et al. MatRiCT: efficient, scalable and post-quantum blockchain confidential transactions protocol
Bos et al. Selecting elliptic curves for cryptography: an efficiency and security analysis
Narula et al. {zkLedger}:{Privacy-Preserving} auditing for distributed ledgers
Boneh et al. Batching techniques for accumulators with applications to IOPs and stateless blockchains
PUB Digital signature standard (DSS)
Koziel et al. A high-performance and scalable hardware architecture for isogeny-based cryptography
CN109074562B (en) Combined data transmission control method and system based on block chain
Dagher et al. Provisions: Privacy-preserving proofs of solvency for bitcoin exchanges
US4949380A (en) Returned-value blind signature systems
CN110730963B (en) System and method for information protection
Dixon Factorization and primality tests
CN107040362A (en) Modular multiplication apparatus and method
De Mulder et al. Using Bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA: extended version
Courtois et al. Speed optimizations in Bitcoin key recovery attacks
WO2021062468A1 (en) Confidential validation of summations
Eisenbarth et al. Faster hash-based signatures with bounded leakage
Devillez et al. How to verifiably encrypt many bits for an election?
Wang Secure implementation of ECDSA signatures in bitcoin
Sutherland Computing Galois groups of polynomials (especially over function fields of prime characteristic)
Hong et al. A new appraoch to server-aided secret computation.
RU2392736C1 (en) Method for generation and authentication of electronic digital signature that verifies electronic document
Dugardin et al. Using modular extension to provably protect Edwards curves against fault attacks
Schmid ECDSA-application and implementation failures
WO2022221926A1 (en) Summation validation method and system
Lochter Blockchain as cryptanalytic tool

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20871636

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20871636

Country of ref document: EP

Kind code of ref document: A1