Ring Signatures Monero Oct. 14, 2019 Overview Privacy Hierarchy - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Ring Signatures Monero

  • Oct. 14, 2019
slide-2
SLIDE 2

Overview

  • Privacy Hierarchy
  • Monero
  • Secretly signing a transaction
  • Secretly receiving a transaction
slide-3
SLIDE 3

Privacy Hierarchy

  • Everything open
  • Pseudonymous, amount open: Bitcoin

slide-4
SLIDE 4

Privacy Hierarchy

  • Everything open
  • Pseudonymous, amount open: Bitcoin
  • Pseudonymous, amount secret: MimbleWimble

slide-5
SLIDE 5

Privacy Hierarchy

  • Everything open
  • Pseudonymous, amount open: Bitcoin
  • Pseudonymous, amount secret: MimbleWimble
  • Pseudonymous, amount open, miner/coordinator does not know input/output: CoinJoin

slide-6
SLIDE 6

Privacy Hierarchy

  • Everything open
  • Pseudonymous, amount open: Bitcoin
  • Pseudonymous, amount secret: MimbleWimble
  • Pseudonymous, amount open, miner/coordinator does not know input/output: CoinJoin
  • Amount open, transaction un-linkable (secret receive/secret sending): Monero

slide-7
SLIDE 7

Privacy Hierarchy

  • Everything open
  • Pseudonymous, amount open: Bitcoin
  • Pseudonymous, amount secret: MimbleWimble
  • Pseudonymous, amount open, miner/coordinator does not know input/output: CoinJoin
  • Amount open, transaction un-linkable (secret receive/secret sending): Monero
  • Amount secret, transaction un-linkable: ZCash, ZeroCash, ZeroCoin

slide-8
SLIDE 8

Monero

  • Anonymously receiving
  • Address is created from public key
  • Not possible to link target address to public key
  • Anonymous sending
  • Owner selects an anonymity set $\mathcal{T} = \{T_1, T_2, \ldots, T_n\}$
  • Shows that one in $\mathcal{T}$ signed the transaction

slide-9
SLIDE 9

Anonymous Sending

  • Sending a transaction is done with a one-time ring-signature
  • one-time: signing a transaction more than once with the same key can be detected: Prevents double spend
  • ring-signature: Given a set of public keys, show that one of the corresponding private keys signed it
slide-10
SLIDE 10

Ring signature

tx 1: (__, pk) tx 2: (__, pk) tx 3: (__, pk) tx 4: (__, pk) tx 5: (__, pk) tx 6: (__, pk) tx 7: (sk, pk) tx 10: (__, pk) tx 12: (__, pk) tx 11: (__, pk) tx 9: (__, pk) tx 13: (__, pk) tx 8: (__, pk)

slide-11
SLIDE 11

Ring signature

tx 1: (__, pk) tx 2: (__, pk) tx 3: (__, pk) tx 4: (__, pk) tx 5: (__, pk) tx 6: (__, pk) tx 7: (sk, pk) tx 10: (__, pk) tx 12: (__, pk) tx 11: (__, pk) tx 9: (__, pk) tx 13: (__, pk) tx 8: (__, pk)

slide-12
SLIDE 12

Ring signature

tx 3: (__, pk) tx 4: (__, pk) tx 5: (__, pk) tx 7: (sk, pk) tx 10: (__, pk) tx 12: (__, pk) tx 13: (__, pk) tx 8: (__, pk)

sign(document, sk, {pk3, pk4, …, pk13}) → Signature

slide-13
SLIDE 13

Ring signature

pk 3 pk 4 pk 5 pk 7 pk 10 pk 12 pk 13 pk 8

verify(document, s, {pk3, pk4, …, pk13}) → {True, False}, with s the Signature

slide-14
SLIDE 14

Ring Signature

  • A signature that uses an anonymity set of public keys
  • The signer hides his/her identity in this set
  • Verifier can check whether someone of that set signed it
  • Verifier cannot identify who exactly signed it
  • Possible application: whistleblowing
slide-15
SLIDE 15

Single ECC signature

  • common group element $G$
  • public/private key $P = pG$
  • Signature is 2 numbers: $s = (c, d)$, $c, d \in \mathbb{Z}$
  • verify via $c = \mathcal{H}(\text{document} \mid G \mid cP + dG)$

slide-16
SLIDE 16

Single ECC signature

  • common group element $G$, public/private key $P = pG$
  • $s = (c, d)$, $c, d \in \mathbb{Z}$
  • verify via $c = \mathcal{H}(\text{document} \mid G \mid cP + dG)$

same value

slide-17
SLIDE 17

Single ECC signature

  • common group element $G$
  • public/private key $P = pG$
  • sign:
  • random $r$
  • $c = \mathcal{H}(\text{document} \mid G \mid rG)$
  • $rG = (cp + d)G \Rightarrow d = r - cp$
  • $c = \mathcal{H}(\text{document} \mid G \mid cpG + dG)$
  • $c = \mathcal{H}(\text{document} \mid G \mid cP + dG)$

slide-18
SLIDE 18

2 element ECC ring signature

  • common group element $G$
  • public keys $\{P_1, P_2\}$
  • signature $s_{ring2} = (c_1, c_2, d_1, d_2)$
  • $c_1 + c_2 = \mathcal{H}(\text{document} \mid G \mid c_1P_1 + d_1G \mid c_2P_2 + d_2G)$
  • Signer knows one of the private keys of $\{P_1, P_2\}$

slide-19
SLIDE 19

2 element ECC ring signature

  • common group element $G$
  • own public/private key $P_1 = p_1G$, other person's key $P_2$
  • sign:
  • random $r, c_2, d_2$
  • $c = \mathcal{H}(\text{document} \mid G \mid rG \mid c_2P_2 + d_2G)$
  • $c_1 = c - c_2 \Rightarrow c_1 + c_2 = \mathcal{H}(\ldots)$
  • $rG = (c_1p_1 + d_1)G \Rightarrow d_1 = r - c_1p_1$
  • $c_1 + c_2 = \mathcal{H}(\text{document} \mid G \mid c_1p_1G + d_1G \mid c_2P_2 + d_2G)$

slide-20
SLIDE 20

General ECC ring signature

  • common group element $G$
  • public keys $\{P_1, P_2, \ldots, P_n\}$
  • signature $s_{ring2} = (c_1, c_2, \ldots, c_n, d_1, d_2, \ldots, d_n)$
  • $\sum_i c_i = \mathcal{H}(\text{document} \mid G \mid c_1P_1 + d_1G \mid \ldots \mid c_nP_n + d_nG)$
  • Signer knows one of the private keys of $\{P_1, P_2, \ldots, P_n\}$

slide-21
SLIDE 21

General ECC ring signature

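  • common group element $G$
  • own public/private key $P_i = p_iG$, other keys $P_j$
  • sign:
  • random $r, c_1, c_2, \ldots, c_n, d_1, d_2, \ldots, d_n$ (except $c_i, d_i$)
  • $c = \mathcal{H}(\text{document} \mid G \mid c_1P_1 + d_1G \mid \ldots \mid rG \mid \ldots \mid c_nP_n + d_nG)$
  • $c_i = c - \sum_{k: k \neq i} c_k \Rightarrow \sum_k c_k = \mathcal{H}(\ldots)$
  • $rG = (c_ip_i + d_i)G \Rightarrow d_i = r - c_ip_i$
  • $\sum_i c_i = \mathcal{H}(\text{document} \mid G \mid \ldots \mid \ldots \mid (c_ip_i + d_i)G \mid \ldots \mid \ldots)$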

slide-22
SLIDE 22

ECC Ring Signature

  • We now have a method to sign a message anonymously
  • We pick a set of public keys
  • The verifier cannot determine who exactly signed it
  • It only knows "one of this group", but not more
slide-23
SLIDE 23

One-Time ECC Ring Sign.

  • Assuming we have one key for each transaction
  • We can send a transaction
  • No one knows which one was sent
  • We can show that it was valid
  • What keeps us from double spending?
  • If no one knows which transaction was sent, why not send it twice?

slide-24
SLIDE 24

Unique Element: Key Image

  • We add values to the signature to detect double spending
  • Public/private key $p$, $pG = P$
  • Compute the "key image" $I = p\mathcal{H}(P) \in \mathbb{Z}$
  • This value is unique to each key
  • Given $I$, neither the private key, nor the public key can be inferred

slide-25
SLIDE 25

Unique Element: Key Image

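  • Public/private key $p$, $pG = P$, "key image" $I = p\mathcal{H}(P) \in \mathbb{Z}$
  • Signature: $s = (I, c_1, c_2, \ldots, c_n, d_1, d_2, \ldots, d_n)$
  • For each public key: $L_i = c_iP_i + d_iG$, $R_i = c_iI + d_i\mathcal{H}(P_i)$
  • $\sum_i c_i = \mathcal{H}(\text{document} \mid G \mid I \mid L_1 \mid L_2 \mid \ldots \mid L_n \mid R_1 \mid R_2 \mid \ldots \mid R_n)$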

slide-26
SLIDE 26

One-Time ECC Ring Sign.

  • Create the signature (similar to before):
  • Random value $r$ for own public key: $L_{own} = rG$, $R_{own} = rI$
  • Random $c_i, d_i$ for all other public keys $P_i$: $L_i = c_iP_i + d_iG$, $R_i = c_iI + d_i\mathcal{H}(P_i)$

slide-27
SLIDE 27

One-Time ECC Ring Sign.

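  • Given: $L_i = c_iP_i + d_iG$, $R_i = c_iI + d_i\mathcal{H}(P_i)$, $L_{own} = rG$, $R_{own} = rI$
  • $c = \mathcal{H}(\text{document} \mid G \mid I \mid L_1 \mid \ldots \mid L_n \mid R_1 \mid \ldots \mid R_n)$
  • $c_{own} = c - \sum_i c_i$
  • $d_{own} = r - c_{own}p$
  • $L_{own} = c_{own}P + d_{own}G$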

slide-28
SLIDE 28

One-Time ECC Ring Sign.

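  • Signature: $s = (I, c_1, c_2, \ldots, c_n, d_1, d_2, \ldots, d_n)$
  • Verify via $L_i = c_iP_i + d_iG$, $R_i = c_iI + d_i\mathcal{H}(P_i)$
  • $\sum_i c_i \stackrel{?}{=} \mathcal{H}(\text{document} \mid G \mid I \mid L_1 \mid \ldots \mid L_n \mid R_1 \mid \ldots \mid R_n)$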

slide-29
SLIDE 29

One-Time ECC Ring Sign.

  • Properties:
  • Given a valid signature, we cannot infer which private key was known
  • The key image $I$ is tied to the private key
  • Two separate signatures using the same private key need to use the same key image $I$
  • $s = (I, c_1, c_2, \ldots, c_n, d_1, d_2, \ldots, d_n)$
  • $\sum_i c_i \stackrel{?}{=} \mathcal{H}(\text{document} \mid G \mid I \mid L_1 \mid \ldots \mid L_n \mid R_1 \mid \ldots \mid R_n)$

slide-30
SLIDE 30

One-Time ECC Ring Sign. Summary

  • A user chooses an anonymity set of public keys
  • Signs a transaction, so that
  • It is impossible to identify who signed it
  • Signing more than once with same private key can be detected
  • If each transaction has its own public/private key, we can detect double-spending

slide-31
SLIDE 31

Monero

  • Anonymously receiving
  • Address is created from public key
  • Not possible to link target address to public key
  • Anonymous sending
  • Owner selects an anonymity set $\mathcal{T} = \{T_1, T_2, \ldots, T_n\}$
  • Shows that one in $\mathcal{T}$ signed the transaction

slide-32
SLIDE 32

Anonymous receiving

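  • Create a unique address from a user's public key
  • No outside observer can link the address with the key
  • User can identify which payments are sent to him/her

[Diagram: the recipient holds (sk, pk) and gives out pk; the sender picks (r) and sends "money for f(pk,r)"; the recipient recognises "that is me!", an outside observer sees only "?"]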

slide-33
SLIDE 33

Keys in Monero

  • Each user has an address template, consisting of 2 keys
  • $a, b \in \mathbb{Z}$, $a \neq b$ (private key)
  • $(aG, bG) = (A, B)$ (public key)
  • $(a, B)$ (tracking key)

slide-34
SLIDE 34

Receiving Money

  • Alice wants to send money to Bob
  • random value $r$, one-time public key $R = rG$
  • one-time public key as address $P = \mathcal{H}(rA)G + B$
  • Alice sends transaction

Amount: 1234 XMR, Public key: $R$, Address: $P$

slide-35
SLIDE 35

Receiving Money

  • Alice wants to send money to Bob
  • Alice creates $P = \mathcal{H}(rA)G + B$
  • Bob sees
  • and can check if $P = \mathcal{H}(aR)G + B$
  • His key $(a, b)$, $(aG, bG) = (A, B)$

Amount: 1234 XMR, Public key: $R$, Address: $P$

slide-36
SLIDE 36

Receiving Money

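  • Alice creates $P = \mathcal{H}(rA)G + B$
  • Bob's key: $(a, b)$, $(aG, bG) = (A, B)$
  • $P = \mathcal{H}(rA)G + B = \mathcal{H}(raG)G + B = \mathcal{H}(arG)G + B = \mathcal{H}(aR)G + B$
  • Alice can create this (first form, $\mathcal{H}(rA)G + B$); Bob can create this (last form, $\mathcal{H}(aR)G + B$)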

slide-37
SLIDE 37

Receiving Money

  • Alice creates $P = \mathcal{H}(rA)G + B = \mathcal{H}(aR)G + B$
  • Bob can detect payments directed to him
  • No one else can see that this is a payment for Bob

slide-38
SLIDE 38

Monero

  • Anonymously receiving
  • Address is created from public key
  • Not possible to link target address to public key
  • Anonymous sending
  • Owner selects an anonymity set $\mathcal{T} = \{T_1, T_2, \ldots, T_n\}$
  • Shows that one in $\mathcal{T}$ signed the transaction

slide-39
SLIDE 39

Taking ownership of a transaction

  • The transaction's address can be seen as a key
  • Everybody knows $P$
  • Alice knows how to construct $P$: $P = \mathcal{H}(rA)G + B$
  • Only Bob knows secret $p = \mathcal{H}(rA) + b$, so that $pG = P$

Amount: 1234 XMR, Public key: $R$, Address: $P$

slide-40
SLIDE 40

Lifetime of a Monero Tx

  • Bob has secret $(a, b)$ and publishes $(aG, bG) = (A, B)$
  • Alice has secret $r$

Amount: 1234 XMR, Public key: $R$, Address: $P$

Bob: "This is for me!" $P = \mathcal{H}(aR)G + B$

slide-41
SLIDE 41

Lifetime of a Monero Tx

$p = \mathcal{H}(aR) + b$, $I = p\mathcal{H}(P)$

slide-42
SLIDE 42

Lifetime of a Monero Tx

$p = \mathcal{H}(aR) + b$, $I = p\mathcal{H}(P)$

  • other tx found on the Blockchain (six shown, each as: Amount: .. XMR, Public key: $R_2$, Address: $P_2$)

$\mathcal{T} = \{P, P_2, P_3, P_4, \ldots, P_n\}$, $s = (I, c_1, c_2, \ldots, c_n, d_1, d_2, \ldots, d_n)$

slide-43
SLIDE 43

Lifetime of a Monero Tx

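$\mathcal{T} = \{P, P_2, P_3, P_4, \ldots, P_n\}$, $s = (I, c_1, c_2, \ldots, c_n, d_1, d_2, \ldots, d_n)$

tx is valid: $\sum_i c_i = \mathcal{H}(\text{tx} \mid G \mid I \mid L_1 \mid \ldots \mid L_n \mid R_1 \mid \ldots \mid R_n)$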
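
The "Lifetime of a Monero Tx" flow written out as an added Python example (not code from the slides or from Monero): one-time address, one-time key, key image, ring signature and verification. Assumptions: secp256k1 and SHA-256 as group and hash, a try-and-increment hash-to-point `Hp` standing in for ℋ(P) in the key image and in R_i, and all function names. The signer's slot uses R_own = r·Hp(P_own), the value that c_own·I + d_own·Hp(P_own) evaluates to when the verifier recomputes it.

```python
import hashlib, secrets
# Added example; curve (secp256k1), SHA-256 and all function names are assumptions.
p = 2**256 - 2**32 - 977  # field prime
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(P, Q):  # affine point addition; None is the identity
    if P is None or Q is None: return P or Q
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None
    m = (3 * P[0] * P[0] * pow(2 * P[1], -1, p) if P == Q
         else (Q[1] - P[1]) * pow((Q[0] - P[0]) % p, -1, p)) % p
    x = (m * m - P[0] - Q[0]) % p
    return (x, (m * (P[0] - x) - P[1]) % p)

def mul(k, P):  # double-and-add: kP (not constant-time)
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def H(*parts):  # hash to a scalar mod n
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % n

def Hp(P):  # hash to a curve point (try-and-increment)
    x = H("point", P)
    while pow(x**3 + 7, (p - 1) // 2, p) != 1: x += 1
    return (x, pow(x**3 + 7, (p + 1) // 4, p))

def one_time_address(r, A, B):  # P = H(rA)G + B; Bob calls it as (a, R, B)
    return add(mul(H(mul(r, A)), G), B)
def one_time_key(a, b, R):  # p = H(aR) + b, so that pG = P
    return (H(mul(a, R)) + b) % n

def LR(I, c, d, ring):  # L_i = c_i P_i + d_i G,  R_i = c_i I + d_i Hp(P_i)
    return ([add(mul(ci, P), mul(di, G)) for ci, di, P in zip(c, d, ring)],
            [add(mul(ci, I), mul(di, Hp(P))) for ci, di, P in zip(c, d, ring)])

def sign(doc, sk, ring, j):  # signer owns ring[j] == sk*G
    I, r = mul(sk, Hp(ring[j])), secrets.randbelow(n - 1) + 1
    c, d = ([secrets.randbelow(n) for _ in ring] for _ in range(2))
    L, R = LR(I, c, d, ring)
    L[j], R[j] = mul(r, G), mul(r, Hp(ring[j]))  # own slot uses r
    c[j] = (H(doc, G, I, L, R) - sum(c) + c[j]) % n  # c_own = c - sum of others
    d[j] = (r - c[j] * sk) % n
    return I, c, d
def verify(doc, sig, ring):
    return sum(sig[1]) % n == H(doc, G, sig[0], *LR(*sig, ring))
```

Two signatures made with the same one-time key carry the same `I`, which is the value a verifier compares against earlier transactions to detect a double spend.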

slide-44
SLIDE 44

A complete transaction

slide-45
SLIDE 45

Problems with Monero

  • Amounts are open
  • User chooses anonymity set
  • Dust attack