You are currently browsing articles tagged Monero.

Download pdf here: The Stealth Address System

1. Introduction

The previous nine parts introduced Monero’s privacy and confidentiality attributes in so far as senders’ identities and transaction amounts were concerned. This part focuses on privacy with respect to the recipients of funds. To that end, we introduce the stealth address system [8] to ensure that any two transactions remain unlinkable, i.e., can not be proven to be destined to the same entity.

We divide this part into two sections. The first is an overview of some of the anonymity limitations of Bitcoin. The second introduces Cryptonote’s stealth address system which when coupled with ringCT, ensures a highly anonymous and confidential environment.

Anonymity over the blockchain

2. On Bitcoin’s anonymity … or lack thereof

In what follows, we describe two avenues that can be used separately or jointly to conduct a deanonymization attack on Bitcoin users. The first has to do with the propagation mechanisms of Bitcoin transactions over the network, and the second with the structure of a transaction. In addition, we describe some common practices that help an attacker link a Bitcoin address to a real-world identity.

Read the rest of this entry »

Tags: , , , , , , , ,

1. Introduction

In part 7 we introduced the MLSAG ring signature scheme. Among other things, it safeguarded the anonymity of the signer. In part 8 we discussed the notions of Pedersen Commitments and Confidential Transactions. They were used to mask transaction amounts without compromising the proper bookkeeping of balances on the network. In this part, we combine the two in a new structure known as ring Confidential Transaction or ringCT.

It turns out that combining both concepts in a single mathematical construct requires additional work. In the first section, we explain why outright combination of the aforementioned concepts fails to preserve the anonymity of the sender.

In the second section we remedy the situation by introducing the notion of a non-zero commitment. This will form the basis of Monero’s ringCT scheme.

The last section goes over the mechanics of how a Monero transaction is created and includes references to relevant parts of the code base. We introduce two variants of ringCT, namely ringCT Type Full and ringCT Type Simple. We finally conclude with a breakdown of the components of a real-life Monero transaction.

Read the rest of this entry »

Tags: , , , , , ,

Download pdf here: CT and Pedersen Commitment

1. Introduction

Pedersen Commitments are at the heart of how Monero conceals transaction amounts. The notion of a confidential transaction as enabled by Pedersen Commitments were outlined and defined by Gregory Maxwell in [1]. In what follows we first introduce the notion of a group homomorphism (of which the Pedersen Commitment map is a particular instance), we then define the Pedersen Commitment map, and finally present the mechanisms of a confidential transaction enabled by a such a map.

2. Group homomorphism

Let (M, \boxplus) and (N, \oplus) be 2 groups with respective group operations \boxplus and \oplus. A function f: M \rightarrow N is called a group homomorphism if and only if

f(u \boxplus v) = f(u) \oplus f(v),\ \forall u, v \in M

In other terms, operating on 2 elements in M and then applying f is equivalent to applying f on each element separately and then operating on the 2 outputs in N.

We now introduce a specific instance of a group homomorphism that we will invoke when concealing transaction amounts with Monero as part of the confidential transaction construct. In particular, we conduct arithmetic in the subgroup \{{G\}} of the elliptic curve group E. introduced in part 5 (refer to the post entitled Elliptic Curve Groups for an introduction to this topic)

Let (N, \oplus) \equiv (\{{G\}}, \oplus), and let (M, \boxplus) \equiv (\mathbb{F}_l \times \mathbb{F}_l, +) where + denotes element-wise addition in modulo l arithmetic over \mathbb{F}_l \times \mathbb{F}_l.

It is a known result in group theory that if a is a generator of a cyclic group \{{a\}} of order m, then there are \phi(m) elements of the group that have order m (\phi is the euler function introduced in part 1). In our case, the generator G of \{{G\}} has prime order l. Moreover \phi(l) = l-1 (since l is prime). Hence we can find l-1 other generators of \{{G\}}. Let H \neq G be another generator such that the DL (discrete logarithm) of H with respect to G is unknown. We define the Pedersen Commitment map (which we will later use to build a confidential transaction) as follows:

k: \mathbb{F}_l \times \mathbb{F}_l \rightarrow \{{G\}}

(x,a) \rightarrow k(x,a) \equiv (x \otimes G) \oplus (a \otimes H)

We claim that the map k is additively homomorphic. To see why, let (x_1,a_1),\ (x_2,a_2)\ \in \mathbb{F}_l \times \mathbb{F}_l. We then have:

k(x_1,a_1) \oplus k(x_2,a_2) = [(x_1 \otimes G) \oplus (a_1 \otimes H)] \oplus [(x_2 \otimes G) \oplus (a_2 \otimes H)]

= ((x_1 + x_2) \otimes G)) \oplus ((a_1 + a_2) \otimes H))
(where + denotes \pmod{l} over \mathbb{F}_l)

=k((x_1+x_2),(a_1+a_2))\ =\ k((x_1,a_1) + (x_2,a_2))

hence k is homomorphic.

Read the rest of this entry »

Tags: , , ,

Download pdf here: MLSAG Signature Scheme

1. Introduction

Monero stands out from other cryptocurrencies in its ability to hide the signer, conceal the transaction amount, and protect the identity of the recepient. Parts 1, 2, 3, 4, 5, and 6 helped us build the foundation to better understand and appreciate the security properties of ring signatures (albeit in the RO model). This part (introduction to MLSAG), as well as part 8 and part 9 will focus on Monero’s privacy in so far as the signer’s identity and the transaction amount are concerned. Part 10 will introduce stealth addresses as a mechanism to protect the identity of the fund’s recipient.

In order to describe how a Monero transaction hides both the signer’s identity and the amount of the transaction, we introduce 2 additional concepts:

  1. A generalization of the LSAG signature (introduced in part 6) to allow each member of the ring to have a key-pair vector [(pk_1,sk_1),.,(pk_n,sk_n)] instead of only one pair (pk,sk).
  2. A particular map known as the Pedersen Commitment that will be used to hide transaction amounts while allowing the network to check that input and output amounts always balance out.

Recall that by proving that a digital signature scheme was unforgeable, one gets the assurance that only the signing algorithm {\Sigma} associated with a given ring member can produce a valid signature (i.e., verified by \mathcal{V}). Any other procedure that bypasses {\Sigma} will result in a failed attempt of forgery with overwhelming probability. We note the following about the verification process of \mathcal{V}:

  • In a “non-ring” setting, the verification is done using a particular public key pk_{\pi}. The validation of a given signature proves that the signer of the message (in this case user \pi) knows the secret key sk_{\pi} associated with pk_{\pi}. Assuming that secret keys are safe-guarded and non-compromised, this actually proves that the user with key-pair (pk_{\pi},sk_{\pi}) signed the message.
  • In a ring setting, the verification is conducted using a public key vector L \equiv [pk_1,...,pk_{\pi},...,pk_n] known as a ring. This vector is used to conceal the identity of the signer. The validation of a given signature proves that the the signer of the message (in this case user \pi) knows the secret key associated with one of the public keys in L. Assuming that secret keys are safe-guarded and non-compromised, this actually proves that the user with key-pair (pk_{\pi},sk_{\pi}) signed the message, for some index 1 \leq \pi \leq n that no one other then the actual signer knows.
  • The ring setting can be generalized further by allowing each ring member i, 1 \leq i \leq n to have a key-pair vector of length m, given by [(pk_{i}^1, sk_{i}^1),...,(pk_{i}^m, sk_{i}^m)], as opposed to a unique key pair (pk_i, sk_i). In this setting, the verification is conducted using a public key matrix

        \[PK= \begin{bmatrix} pk_1^1 & ... & pk_{\pi}^1 & ... & pk_n^1 \\ ... & ... & ... & ... & ...\\ pk_1^m & ... & pk_{\pi}^m & ... & pk_n^m \\ \end{bmatrix} \]

    The validation of the signature proves that the signer knows the secret key associated with each one of its public keys. In other terms, there exists a column in PK (say column 1 \leq \pi \leq n) such that the signer knows the secret key associated with each public key appearing in that column. Assuming that secret keys are safe-guarded and non-compromised, this actually proves that the user with key-pair vector [(pk_{\pi}^1,sk_{\pi}^1),...,(pk_{\pi}^m,sk_{\pi}^m)] signed the message, for some index 1 \leq \pi \leq n (that no one other then the actual signer knows).

Read the rest of this entry »

Tags: , , , , ,

Download pdf here: LSAG Signature Scheme

1. Introduction

For a given ring size n, Cryptonote’s original scheme (as introduced in part 5), generates signatures of the form (I, c_1,..,c_n,r_1,..,r_n) consisting of (2n+1) arguments. It turns out that a more efficient scheme initially introduce in [3] and later adapted by Adam Back in [1] can achieve the same security properties as Cryptonote’s with (n+2) arguments instead (a reduction factor that tends to 2 as n tends to \infty). The scheme introduced in [3] is known as Linkable Spontaneous Anonymous Group signature or LSAG signature scheme for short. In part 7 of this series, we will see how [4] generalizes the LSAG construct to build the foundation of Monero’s current ringCT signature scheme.

2. The LSAG scheme

The LSAG signature introduced in [3] is built on a group E of prime order q and generator G. Moreover, it uses 2 statistically independent ROs:

  • \mathcal{H}_1: \{{0,1\}^*} \longrightarrow \mathbb{F}_q
  • \mathcal{H}_2: \{{0,1\}^*} \longrightarrow E

In what follows we introduce a slightly modified LSAG scheme that will allow an easier comparison to Cryptonote’s original scheme. We carry forward all the notation used in the Cryptonote scheme to the current LSAG definition. In particular, we let E be a large finite group generated by the same elliptic curve introduced in part 5 (refer to the post entitled Elliptic Curve Groups for an introduction to this topic). We also consider the same base point G. Recall that the base point is chosen in such a way to ensure that it has a large prime order l < q. All arithmetic is done in the subgroup \{{G\}} of the elliptic curve group E. As a matter of convention, we write \{{G\}^{*}} \equiv \{{G\}} - e.

Read the rest of this entry »

Tags: , , , , , ,

1. Introduction

In this part, we introduce Monero’s original signature scheme as described in van Saberhagen’s seminal Cryptonote paper [2]. The scheme is an adaptation of the Traceable Ring Signature introduced by Fujisaki and Suzuki [1]. The most recent version of Monero implements a different signature known as RingCT. It modifies the original scheme to accomodate confidential transactions. We will discuss it in detail in parts 7, 8 and 9.

Security analysis of ring schemes consisted primarily in proving a) correctness, b) resilience against EFACM attacks in the RO model (unforgeability), and c) anonymity (i.e., signer ambiguity according to e.g., definition # 1 or # 2 as previously described in part 3). However, none of these security metrics tells if 2 signatures were generated by the same user or not. Doing so does not necessarily break the anonymity of the signer, but rather establishes a relationship between pairs of signatures. Identifying whether 2 signatures are linked or not is essential when dealing with electronic cash for example. In this case, the network must not tolerate the double spending of the same unit of electronic currency on 2 different transactions. In an electronic cash setting, the message typically consists of an unspent transaction output (also known as UTXO) and the objective is to make sure that the owner of a UTXO does not sign it twice (i.e., double spend it). Whenever this happens, the incident must be flagged and proper measures taken.

Monero in particular, and cryptocurrencies in general are prone to the double spending problem. This motivates the need to have an additional security requirement to tell if 2 signatures were issued by the same user. This must be done without releasing the identity of the user. We refer to the new requirement as linkability. It can commonly be achieved by adding to the ring signature a new signer-specific component known as a tag or a key-image.

Formally, we define a linkable ring signature scheme as a set of 4 algorithms:

  • The signer’s key generation algorithm \mathcal{G} (as described in part 1)
  • The ring signing algorithm \Sigma (as described in part 1).
  • The ring verification algorithm \mathcal{V} (as described in part 1)
  • The ring linkability algorithm \mathcal{L}. Its input consists of a set of tags (key-images) and a given signature \sigma. It checks if \sigma‘s tag is included in the tag set. If so, it outputs Linked. Otherwise, it outputs Independent and adds the new tag to the set.

Read the rest of this entry »

Tags: , , , ,

Download pdf here: Ring Signature Schemes

1. Introduction

This is a brief article that introduces the concept of a ring signature. In parts 4, 5, 6, and 7 we will look at specific instances of ring signature schemes — including those used in earlier and more recent versions of the Monero project — and analyze their security properties.

In 1991, Chaum and Van Heyst introduced a new class of signature schemes known as group signatures[2]. The core of the model consisted of a trusted entity known as the group manager that clusters a subset of users together into a group. The group manager provides each member of the group with a separate private key. The ingenuity of this structure lies in the fact that any member can sign messages in an anonymous fashion. This means that anybody who can access the signature, can also verify that it was created by one of the group members without knowing who specifically. The only entity that can identify the real signer is the trusted group manager. In group signature schemes, the anonymity of signers comes at the expense of relinquishing power to the group manager. Indeed, the trusted group manager is the only entity that:

  • Decides who joins the group.
  • Decides which member(s) get(s) banned from the group.
  • Chooses the private key allocated to each member of the group.
  • Identifies the real signer whenever a message is signed.

This setting works best if the group members agreed to cooperate beforehand . The group manager can then serve as the enforcer of this cooperation, revoking the membership of anyone trying to game the system.

The anonymity of group signatures paved the way to another class of signer-ambiguous shemes known as ring signature schemes. The expression ring signature was first coined by Rivest, Shamir, and Tauman[3]. Note that schemes fitting the definition of a ring signature have been proposed way before the publication of this paper. In a ring signature, there does not exist a pre-defined group of users. As a consequence, there does not exist any omnipotent group manager. Instead, the actual signer defines a set of members of her choosing before she signs a message. This set is known as a ring. The only constraint is that the ring must include the actual signer. The signer creates a signature using her private key and all the other ring members’ public keys. The ring can be arbitrary without the need to inform selected members of their participation — (all that is needed is access to their public keys which is usually common knowledge). The reason behind adopting the ring terminology is that “rings are geometric regions with uniform periphery and no center”[3].

Read the rest of this entry »

Tags: , , , ,

1. Introduction

We divide this post into 6 sections. Section 2 is a qualitative description of digital signature schemes. Section 3 motivates the introduction of hash functions along with some of their desired properties. Section 4 describes a hypothetical ideal random function known as a Random Oracle. Section 5 briefly introduces the notion of Probabilistic Turing Machines that will be needed when studying the security of digital signature schemes. Sections 6 and 7 describe 2 pillars introduced by Poitncheval & Stern to prove the resilience of some digital signature schemes against a forgery attack in the Random Oracle model. In particular, Setion 6 describes a reduction model to facilitate the security analysis of signature schemes. Section 7 states and proves an important lemma known as the splitting lemma.

There is one caveat: I assume that the reader is familiar with basic probability theory, modulo arithmetic, as well as some group theoretic concepts including the notions of cyclic groups and finite fields. A concise introduction to group and field theory can be found in this post. For a more detailed treatment, the reader can refer to e.g., [3].

Read the rest of this entry »

Tags: , , , , , , , , , ,