Practical Range Proof for Cryptocurrency Monero with Provable Security
With a market cap of about 1.5 billion US dollar, Monero is one of the most popular crypto-currencies at present. Much of its growing popularity can be attributed to its unique privacy feature. Observing that no formal security analysis is presented, we initiate a formal study on Monero’s core protocol. In this study, we revisit the design rationale of an important component of Monero, namely, range proof. Our analysis shows that the range proof may not be a proof-of-knowledge even if the underlying building block, ring signature, is secure. Specifically, we show that if a certain secure ring signature scheme is used, it is impossible to construct a witness extractor unless the Computational Diffie-Hellman problem is equivalent to the Discrete Logarithm problem. This shows that the design rationale is to possibly flawed. Then, we present a new range proof protocol that enjoys a few advantages. Firstly, it is a zero-knowledge proof-of-knowledge protocol. Secondly, it is compatible with the Monero’s wallet and algebraic structure and thus does not require extensive modification in the codebase. Finally, the efficiency is comparable to Monero’s version which does not admit a formal security proof.
This work was supported by the National Natural Science Foundation of China (Grant No. 61602396, U1636205, 61572294, 61632020).
- 2.Bender, A., Katz, J., Morselli, R.: Ring signatures: stronger definitions, and constructions without random oracles. Cryptology ePrint Archive, Report 2005/304 (2005). http://eprint.iacr.org/2005/304
- 8.Maxwell, G.: Confidential transactions. Web, June 2015Google Scholar
- 9.Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. White paper (2009). https://bitcoin.org/bitcoin.pdf
- 10.Noether, S., Mackenzie, A., Monero Core Team: Ring confidential transactions. Monero research lab report MRL-0005, February 2016Google Scholar