You are currently browsing articles tagged anonymity.

Download pdf here: The Stealth Address System

1. Introduction

The previous nine parts introduced Monero’s privacy and confidentiality attributes in so far as senders’ identities and transaction amounts were concerned. This part focuses on privacy with respect to the recipients of funds. To that end, we introduce the stealth address system [8] to ensure that any two transactions remain unlinkable, i.e., can not be proven to be destined to the same entity.

We divide this part into two sections. The first is an overview of some of the anonymity limitations of Bitcoin. The second introduces Cryptonote’s stealth address system which when coupled with ringCT, ensures a highly anonymous and confidential environment.

Anonymity over the blockchain

2. On Bitcoin’s anonymity … or lack thereof

In what follows, we describe two avenues that can be used separately or jointly to conduct a deanonymization attack on Bitcoin users. The first has to do with the propagation mechanisms of Bitcoin transactions over the network, and the second with the structure of a transaction. In addition, we describe some common practices that help an attacker link a Bitcoin address to a real-world identity.

Read the rest of this entry »

Tags: , , , , , , , ,

Download pdf here: CT and Pedersen Commitment

1. Introduction

Pedersen Commitments are at the heart of how Monero conceals transaction amounts. The notion of a confidential transaction as enabled by Pedersen Commitments were outlined and defined by Gregory Maxwell in [1]. In what follows we first introduce the notion of a group homomorphism (of which the Pedersen Commitment map is a particular instance), we then define the Pedersen Commitment map, and finally present the mechanisms of a confidential transaction enabled by a such a map.

2. Group homomorphism

Let (M, \boxplus) and (N, \oplus) be 2 groups with respective group operations \boxplus and \oplus. A function f: M \rightarrow N is called a group homomorphism if and only if

f(u \boxplus v) = f(u) \oplus f(v),\ \forall u, v \in M

In other terms, operating on 2 elements in M and then applying f is equivalent to applying f on each element separately and then operating on the 2 outputs in N.

We now introduce a specific instance of a group homomorphism that we will invoke when concealing transaction amounts with Monero as part of the confidential transaction construct. In particular, we conduct arithmetic in the subgroup \{{G\}} of the elliptic curve group E. introduced in part 5 (refer to the post entitled Elliptic Curve Groups for an introduction to this topic)

Let (N, \oplus) \equiv (\{{G\}}, \oplus), and let (M, \boxplus) \equiv (\mathbb{F}_l \times \mathbb{F}_l, +) where + denotes element-wise addition in modulo l arithmetic over \mathbb{F}_l \times \mathbb{F}_l.

It is a known result in group theory that if a is a generator of a cyclic group \{{a\}} of order m, then there are \phi(m) elements of the group that have order m (\phi is the euler function introduced in part 1). In our case, the generator G of \{{G\}} has prime order l. Moreover \phi(l) = l-1 (since l is prime). Hence we can find l-1 other generators of \{{G\}}. Let H \neq G be another generator such that the DL (discrete logarithm) of H with respect to G is unknown. We define the Pedersen Commitment map (which we will later use to build a confidential transaction) as follows:

k: \mathbb{F}_l \times \mathbb{F}_l \rightarrow \{{G\}}

(x,a) \rightarrow k(x,a) \equiv (x \otimes G) \oplus (a \otimes H)

We claim that the map k is additively homomorphic. To see why, let (x_1,a_1),\ (x_2,a_2)\ \in \mathbb{F}_l \times \mathbb{F}_l. We then have:

k(x_1,a_1) \oplus k(x_2,a_2) = [(x_1 \otimes G) \oplus (a_1 \otimes H)] \oplus [(x_2 \otimes G) \oplus (a_2 \otimes H)]

= ((x_1 + x_2) \otimes G)) \oplus ((a_1 + a_2) \otimes H))
(where + denotes \pmod{l} over \mathbb{F}_l)

=k((x_1+x_2),(a_1+a_2))\ =\ k((x_1,a_1) + (x_2,a_2))

hence k is homomorphic.

Read the rest of this entry »

Tags: , , ,

Download pdf here: LSAG Signature Scheme

1. Introduction

For a given ring size n, Cryptonote’s original scheme (as introduced in part 5), generates signatures of the form (I, c_1,..,c_n,r_1,..,r_n) consisting of (2n+1) arguments. It turns out that a more efficient scheme initially introduce in [3] and later adapted by Adam Back in [1] can achieve the same security properties as Cryptonote’s with (n+2) arguments instead (a reduction factor that tends to 2 as n tends to \infty). The scheme introduced in [3] is known as Linkable Spontaneous Anonymous Group signature or LSAG signature scheme for short. In part 7 of this series, we will see how [4] generalizes the LSAG construct to build the foundation of Monero’s current ringCT signature scheme.

2. The LSAG scheme

The LSAG signature introduced in [3] is built on a group E of prime order q and generator G. Moreover, it uses 2 statistically independent ROs:

  • \mathcal{H}_1: \{{0,1\}^*} \longrightarrow \mathbb{F}_q
  • \mathcal{H}_2: \{{0,1\}^*} \longrightarrow E

In what follows we introduce a slightly modified LSAG scheme that will allow an easier comparison to Cryptonote’s original scheme. We carry forward all the notation used in the Cryptonote scheme to the current LSAG definition. In particular, we let E be a large finite group generated by the same elliptic curve introduced in part 5 (refer to the post entitled Elliptic Curve Groups for an introduction to this topic). We also consider the same base point G. Recall that the base point is chosen in such a way to ensure that it has a large prime order l < q. All arithmetic is done in the subgroup \{{G\}} of the elliptic curve group E. As a matter of convention, we write \{{G\}^{*}} \equiv \{{G\}} - e.

Read the rest of this entry »

Tags: , , , , , ,

1. Introduction

In this part, we introduce Monero’s original signature scheme as described in van Saberhagen’s seminal Cryptonote paper [2]. The scheme is an adaptation of the Traceable Ring Signature introduced by Fujisaki and Suzuki [1]. The most recent version of Monero implements a different signature known as RingCT. It modifies the original scheme to accomodate confidential transactions. We will discuss it in detail in parts 7, 8 and 9.

Security analysis of ring schemes consisted primarily in proving a) correctness, b) resilience against EFACM attacks in the RO model (unforgeability), and c) anonymity (i.e., signer ambiguity according to e.g., definition # 1 or # 2 as previously described in part 3). However, none of these security metrics tells if 2 signatures were generated by the same user or not. Doing so does not necessarily break the anonymity of the signer, but rather establishes a relationship between pairs of signatures. Identifying whether 2 signatures are linked or not is essential when dealing with electronic cash for example. In this case, the network must not tolerate the double spending of the same unit of electronic currency on 2 different transactions. In an electronic cash setting, the message typically consists of an unspent transaction output (also known as UTXO) and the objective is to make sure that the owner of a UTXO does not sign it twice (i.e., double spend it). Whenever this happens, the incident must be flagged and proper measures taken.

Monero in particular, and cryptocurrencies in general are prone to the double spending problem. This motivates the need to have an additional security requirement to tell if 2 signatures were issued by the same user. This must be done without releasing the identity of the user. We refer to the new requirement as linkability. It can commonly be achieved by adding to the ring signature a new signer-specific component known as a tag or a key-image.

Formally, we define a linkable ring signature scheme as a set of 4 algorithms:

  • The signer’s key generation algorithm \mathcal{G} (as described in part 1)
  • The ring signing algorithm \Sigma (as described in part 1).
  • The ring verification algorithm \mathcal{V} (as described in part 1)
  • The ring linkability algorithm \mathcal{L}. Its input consists of a set of tags (key-images) and a given signature \sigma. It checks if \sigma‘s tag is included in the tag set. If so, it outputs Linked. Otherwise, it outputs Independent and adds the new tag to the set.

Read the rest of this entry »

Tags: , , , ,

1. Introduction

In the next 4 parts of this series, we look at various ring signature schemes and prove their security in the RO model. This part is dedicated to the analysis of a generic class of ring signature schemes introduced in [1] and inspired by [2]. We also introduce a specific instance of the generic scheme which is itself a generalization of the non-interactive Schnorr signature.

2. Herranz & Saèz generic scheme

The scheme is built on a security parameter k, which by design corresponds to the length in bits of the output of the random oracle \mathcal{H}. Given a message m and a ring L \equiv \{{A_1,...,A_n \}} of n members, the signing algorithm \Sigma outputs a signature \sigma(m,L) \equiv (r_1,...,r_n,h_1,...,h_n,\delta) where:

  • The r_i‘s are pairwise-different random elements chosen from a pre-defined large set. The term pairwise-different means that \forall i,j \in \{{1,...,n\}}, (i \neq j) \Rightarrow (r_i \neq r_j).
  • \forall i \in \{{1,...,n\}}, h_i = \mathcal{H}(m,r_i). That means that h_i is the RO’s output on query (m,r_i).
  • \delta is fully determined by m, r_i, and h_i, for all i \in \{{1,...,n\}}.

By design, we require that the probability of selecting any particular r_i be upper-bounded by \frac{1}{2^{k-1}}. For example, consider the finite field \mathbb{Z}_{q} over a large prime q \geq 2^k. The probability of choosing a particular value for r_i in the mutiplicative cyclic group \mathbb{Z}^{*}_q is equal to \frac{1}{q-1} (assuming a uniform distribution over \mathbb{Z}^{*}_q). Clearly, this is less than or equal to \frac{1}{2^k-1} < \frac{1}{2^{k-1}}.

Read the rest of this entry »

Tags: , , , ,

Download pdf here: Ring Signature Schemes

1. Introduction

This is a brief article that introduces the concept of a ring signature. In parts 4, 5, 6, and 7 we will look at specific instances of ring signature schemes — including those used in earlier and more recent versions of the Monero project — and analyze their security properties.

In 1991, Chaum and Van Heyst introduced a new class of signature schemes known as group signatures[2]. The core of the model consisted of a trusted entity known as the group manager that clusters a subset of users together into a group. The group manager provides each member of the group with a separate private key. The ingenuity of this structure lies in the fact that any member can sign messages in an anonymous fashion. This means that anybody who can access the signature, can also verify that it was created by one of the group members without knowing who specifically. The only entity that can identify the real signer is the trusted group manager. In group signature schemes, the anonymity of signers comes at the expense of relinquishing power to the group manager. Indeed, the trusted group manager is the only entity that:

  • Decides who joins the group.
  • Decides which member(s) get(s) banned from the group.
  • Chooses the private key allocated to each member of the group.
  • Identifies the real signer whenever a message is signed.

This setting works best if the group members agreed to cooperate beforehand . The group manager can then serve as the enforcer of this cooperation, revoking the membership of anyone trying to game the system.

The anonymity of group signatures paved the way to another class of signer-ambiguous shemes known as ring signature schemes. The expression ring signature was first coined by Rivest, Shamir, and Tauman[3]. Note that schemes fitting the definition of a ring signature have been proposed way before the publication of this paper. In a ring signature, there does not exist a pre-defined group of users. As a consequence, there does not exist any omnipotent group manager. Instead, the actual signer defines a set of members of her choosing before she signs a message. This set is known as a ring. The only constraint is that the ring must include the actual signer. The signer creates a signature using her private key and all the other ring members’ public keys. The ring can be arbitrary without the need to inform selected members of their participation — (all that is needed is access to their public keys which is usually common knowledge). The reason behind adopting the ring terminology is that “rings are geometric regions with uniform periphery and no center”[3].

Read the rest of this entry »

Tags: , , , ,