
Verifiable Timed Linkable Ring Signatures for Scalable Payments for Monero

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13555))

Abstract

Decentralized cryptocurrencies still suffer from three interrelated weaknesses: low transaction rates, high transaction fees, and long confirmation times. Payment channels promise to be a solution to these issues, and many constructions for cryptocurrencies such as Bitcoin and Ethereum are known. Somewhat surprisingly, no solution is known for Monero, the largest privacy-preserving cryptocurrency, that does not require system-wide changes such as a hard fork of its blockchain, as prior solutions do.

In this work, we close this gap for Monero by presenting the first provably secure payment channel protocol that is fully compatible with Monero’s transaction scheme. Notably, the payment channel related transactions are identical to standard transactions in Monero, therefore not hampering the coins’ fungibility. With standard techniques, our payment channels can be extended to support atomic swap of tokens in Monero with tokens of several other major currencies like Bitcoin, Ethereum, Ripple, etc., in a fungible and privacy-preserving manner.

Our main technical contribution is a new cryptographic tool called verifiable timed linkable ring signatures (VTLRS), where linkable ring signatures can be hidden for a pre-determined amount of time in a verifiable way. We present a practically efficient construction of VTLRS which is fully compatible with the transaction scheme of Monero, and allows for users to make timed payments to the future which might be of independent interest to develop other applications on Monero.

Our implementation results show that even with high network latency and with a single CPU core, two regular users can perform up to 93500 payments over 2 min (the block production rate of Monero). This is approximately five orders of magnitude improvement over the current payment rate of Monero.


Notes

  1. Fungibility is a property of a currency whereby two units can be substituted in place of one another: no coins are special irrespective of the transactions acting on them.

  2. A Monero transaction is based on RingCT [20], which additionally consists of commitments to hide the amounts and range proofs to prove that they are well-formed.

  3. This assumption can be relaxed with the use of confidential transactions [25], where an account’s associated amount is hidden using commitments.

References

  1. https://www.blockchain.com/en/charts/transactions-per-second

  2. https://bitinfocharts.com/comparison/transactionfees-btc-xmr.html

  3. https://tinyurl.com/sujsu369

  4. https://moneroblocks.info/block/2047966

  5. Lightning Network. https://lightning.network/

  6. Payment Channels in Ripple. https://xrpl.org/use-payment-channels.html

  7. Raiden Network. https://raiden.network/

  8. curve25519-dalek (2019). https://tinyurl.com/rb3pnfvm

  9. Arcieri, T., de Valence, H., Lovecruft, I.: The Ristretto group (2019). https://ristretto.group/ristretto.html

  10. Aumayr, L., Thyagarajan, S.A., Malavolta, G., Moreno-Sanchez, P., Maffei, M.: Sleepy channels: Bitcoin-compatible bi-directional payment channels without watchtowers (2021). To appear at ACM CCS 2022

  11. Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from Bitcoin. In: 2014 IEEE S&P, pp. 459–474. IEEE (2014). https://doi.org/10.1109/SP.2014.36

  12. Camenisch, J., Stadler, M.: Proof systems for general statements about discrete logarithms. Technical report 260, Department of Computer Science, ETH Zürich (1997)

  13. De Santis, A., Micali, S., Persiano, G.: Non-interactive zero-knowledge proof systems. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 52–72. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_5

  14. Dziembowski, S., Eckey, L., Faust, S., Malinowski, D.: Perun: virtual payment hubs over cryptocurrencies. In: 2019 IEEE S&P, pp. 106–123. IEEE (2019). https://doi.org/10.1109/SP.2019.00020

  15. Egger, C., Moreno-Sanchez, P., Maffei, M.: Atomic multi-channel updates with constant collateral in Bitcoin-compatible payment-channel networks. In: ACM CCS 2019, pp. 801–815. ACM Press (2019). https://doi.org/10.1145/3319535.3345666

  16. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  17. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37

  18. Green, M., Miers, I.: Bolt: anonymous payment channels for decentralized currencies. In: ACM CCS 2017, pp. 473–489. ACM Press (2017). https://doi.org/10.1145/3133956.3134093

  19. Gugger, J.: Bitcoin-Monero cross-chain atomic swap. Cryptology ePrint Archive, Report 2020/1126 (2020). https://eprint.iacr.org/2020/1126

  20. Lai, R.W.F., Ronge, V., Ruffing, T., Schröder, D., Thyagarajan, S.A.K., Wang, J.: Omniring: scaling private payments without trusted setup. In: ACM CCS 2019, pp. 31–48. ACM Press (2019). https://doi.org/10.1145/3319535.3345655

  21. Liu, J.K., Wei, V.K., Wong, D.S.: Linkable spontaneous anonymous group signature for ad hoc groups. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 325–335. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_28

  22. Malavolta, G., Moreno-Sanchez, P., Kate, A., Maffei, M., Ravi, S.: Concurrency and privacy with payment-channel networks. In: ACM CCS 2017, pp. 455–471. ACM Press (2017). https://doi.org/10.1145/3133956.3134096

  23. Malavolta, G., Moreno-Sanchez, P., Schneidewind, C., Kate, A., Maffei, M.: Anonymous multi-hop locks for blockchain scalability and interoperability. In: NDSS 2019. ISOC (2019)

  24. Malavolta, G., Thyagarajan, S.A.K.: Homomorphic time-lock puzzles and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 620–649. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_22

  25. Maxwell, G.: Confidential transactions (2015). https://people.xiph.org/~greg/confidential_values.txt

  26. Moreno-Sanchez, P., Le, D.V., Noether, S., Goodell, B., Kate, A.: DLSAG: non-interactive refund transactions for interoperable payment channels in Monero. Cryptology ePrint Archive, Report 2019/595 (2019)

  27. Poon, J., Dryja, T.: The Bitcoin Lightning Network: scalable off-chain instant payments (2016)

  28. Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical report (1996)

  29. Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32

  30. van Saberhagen, N.: CryptoNote v2.0 (2013)

  31. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

  32. Thyagarajan, S.A.K., Bhat, A., Malavolta, G., Döttling, N., Kate, A., Schröder, D.: Verifiable timed signatures made practical. In: ACM CCS 2020. Association for Computing Machinery (2020)

  33. Thyagarajan, S.A.K., Castagnos, G., Laguillaumie, F., Malavolta, G.: Efficient CCA timed commitments in class groups. In: ACM CCS 2021. ACM (2021)

  34. Thyagarajan, S.A.K., Gong, T., Bhat, A., Kate, A., Schröder, D.: OpenSquare: decentralized repeated modular squaring service. In: ACM CCS 2021. ACM (2021)

  35. Thyagarajan, S.A.K., Malavolta, G., Schmidt, F., Schröder, D.: PayMo: payment channels for Monero. Cryptology ePrint Archive, Report 2020/1441 (2020)

  36. Yuen, T.H., et al.: RingCT 3.0 for blockchain confidential transaction: shorter size and stronger security. Cryptology ePrint Archive, Report 2019/508 (2019). https://eprint.iacr.org/2019/508


Acknowledgements

The work was in part supported by THE DAVID AND LUCILLE PACKARD FOUNDATION - Award #202071730, SRI INTERNATIONAL - Award #53978 / Prime: DEFENSE ADVANCED RESEARCH PROJECTS AGENCY - Award #HR00110C0086 and NATIONAL SCIENCE FOUNDATION - Award #2212746. This work is also partially supported by Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) as part of the Research and Training Group 2475 “Cybercrime and Forensic Computing” (grant number 393541319/GRK2475/1-2019), and by the grant 442893093, and by the state of Bavaria at the Nuremberg Campus of Technology (NCT). NCT is a research cooperation between the Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) and the Technische Hochschule Nürnberg Georg Simon Ohm (THN).


Corresponding author: Sri AravindaKrishnan Thyagarajan.


Appendices

A Preliminaries

Time-Lock Puzzles. Time-lock puzzles [28] allow one to conceal a secret for a certain amount of time \(\textbf{T}\). Homomorphic Time-Lock Puzzles (HTLPs) [24] allow one to perform homomorphic computation on honestly generated puzzles. An HTLP scheme consists of a setup algorithm (\(\textsf{PSetup}\)) that takes as input a time hardness parameter \(\textbf{T}\) and outputs the public parameters \( pp \) of the system, and a puzzle generation algorithm (\(\textsf{PGen}\)) that, on input a message, generates the corresponding puzzle. One can then homomorphically evaluate functions over the encrypted messages (\(\textsf{PEval}\)) and solve the resulting puzzle in time \(\textbf{T}\) (\(\textsf{PSolve}\)). The security requirement is that for every PRAM adversary \(\mathcal {A}\) of running time \(\le \textbf{T}^\varepsilon (\lambda )\) the encrypted messages remain computationally hidden. Malavolta and Thyagarajan [24] give an efficient construction that is linearly homomorphic over the ring \(\mathbb {Z}_{N^s}\), where N is an RSA modulus and s is any positive integer. The scheme is perfectly correct and is secure under the sequential squaring assumption [28].

Non-interactive Zero-Knowledge. Let \(R:\{ 0,1\}^{*}\times \{ 0,1\}^{*}\rightarrow \{ 0,1\}\) be an \(\textsf{NP}\) relation with corresponding \(\textsf{NP}\)-language \(\mathcal {L}:= \{ stmt :\exists w \ { s.t.}\ R( stmt , w ) = 1\}\). A non-interactive zero-knowledge proof (NIZK) [13] system for \(\mathcal {L} \) is initialized with a setup algorithm \(\textsf{Setup} (1^\lambda )\) that outputs a common reference string \( crs \). A prover can show the validity of a statement \( stmt \) with a witness \( w \) by invoking \(\mathcal {P} _{\textsf{NIZK},\mathcal {L}}( crs , stmt , w )\), which outputs a proof \(\pi \). The proof \(\pi \) can be efficiently checked by the verification algorithm \(\mathcal {V} _{\textsf{NIZK},\mathcal {L}}( crs , stmt ,\pi )\). A NIZK proof for language \(\mathcal {L} \) is simulation extractable if one can extract a valid \( w \) from adversarially generated proofs, even if the adversary sees arbitrarily many simulated proofs. A NIZK must also be zero knowledge in the sense that nothing beyond the validity of the statement is leaked to the verifier.

Threshold Secret Sharing. Secret sharing is a method of creating shares of a given secret such that the secret can later be reconstructed only from a threshold number of shares. Shamir [31] proposed a threshold secret sharing scheme in which the sharing algorithm takes a secret \(s\in \mathbb {Z}_q\) and generates shares \((s_1,\ldots ,s_n)\), each in \(\mathbb {Z}_q\). The reconstruction algorithm takes as input at least t shares and outputs the secret s. Security demands that knowing only a set of shares smaller than the threshold t reveals no information about s.

B Transaction Scheme of Monero

We review the basic definitions of Linkable Ring Signatures (LRS) following Lai et al. [20]. In contrast to their work, our definitions do not consider the “confidential transaction” part, and only focus on the signature of the transaction scheme, for conceptual simplicity.

B.1 Definition

A ring signature [29] scheme allows one to sign messages such that the signer is anonymous within a set of possible signers, called the ring. The members of the ring are chosen “on-the-fly” by the signer using their public keys. Linkability [21] means that anonymity is retained unless the same signing key is used to sign twice. This is achieved by associating a unique linkability tag with each signing key; the tag is revealed when a signature is generated.

In a transaction scheme, a block of data referred to as a transaction determines the amount of coins transferred from one user address (the source) to another user address (the target), and it is accompanied by an authentication token (signature) of the sending user. Since the sending user is represented by the source address in the transaction, the signature is checked for validity with respect to the source account. Combining linkable ring signatures with a transaction scheme gives a linkable ring signature based transaction scheme (LRS-TS), where the signed message is the transaction, which consists of a ring of addresses (LRS public keys) with their associated coins (one of these addresses being the source account) and one or more target addresses. The authentication token of the transaction is a linkable ring signature on the transaction (as the message), with the ring of addresses as the ring and the secret authentication key of the source address as the signing key. To prevent leakage of the source address, it is assumed that each address in the ring has the same amount of associated coins (see footnote 3).

Definition 4

A Linkable Ring Signature (LRS) transaction scheme \(\varSigma \) consists of the \(\textsf{PPT}\) algorithms \((\textsf{Setup}, \textsf{OTKGen}, \textsf{TgGen}, \textsf{Spend}, \textsf{Vf})\) which are defined as follows:

\(\underline{ pp \leftarrow \textsf{Setup} (1^\lambda )\textit{:}}\) outputs the public parameter \( pp \).

\(\underline{( pk , sk ) \leftarrow \textsf{OTKGen} ( pp )\textit{:}}\) The one-time key generation algorithm outputs a public-secret key-pair \(( pk , sk )\).

\(\underline{ tag \leftarrow \textsf{TgGen} ( sk )\textit{:}}\) The tag-generation algorithm takes as input a secret key \( sk \). It outputs a tag \( tag \).

\(\underline{( tx , \sigma ) \leftarrow \textsf{Spend}(\mathcal {R},\mathcal {I},\mathcal {O},\mu )\textit{:}}\) The spend algorithm takes as input a set \(\mathcal {R}\) of public keys, each key associated with c coins, a tuple \(\mathcal {I} = (j, sk , tag )\) consisting of an index j, a secret key \( sk \) and a tag \( tag \), a set \(\mathcal {O} \) of target public keys, and some metadata \(\mu \). It outputs a transaction \( tx := \left( \mathcal {R}, tag , \mathcal {O}, \mu \right) \) and a signature \(\sigma \).

\(\underline{b \leftarrow \textsf{Vf}( tx , \sigma )\textit{:}}\) The verify algorithm inputs a transaction \( tx \) and a signature \(\sigma \). It outputs a bit b denoting the validity of \(\sigma \).

Security. An LRS-TS has three properties: (1) Privacy: an adversarial observer of the blockchain should not learn any information about the source address of a transaction beyond the fact that it is a member of the ring of one-time addresses. (2) Non-Slanderability (Unforgeability): an adversarial user cannot steal the coins of an honest user (unforgeability) or spend coins on behalf of an honest user (non-slanderability). (3) Linkability: an adversary cannot double spend their coins, and any such attempt must be linkable. We refer the reader to [35] for the formal definitions.
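As an added example that is not from the paper, here is a toy instance of Definition 4 in Python: a one-layer MLSAG-style linkable ring signature (the structure of Monero's ring signatures, with the tag playing the role of the key image \(H_p(pk)^{sk}\)) over the order-q subgroup of \(\mathbb{Z}_p^*\) for a safe prime \(p = 2q+1\) generated at runtime. The 64-bit group, the generator g = 4, SHA-256 as the challenge and hash-to-group functions, and all function names are assumptions made for illustration, not the authors' implementation.

```python
import hashlib, secrets

def _is_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Deterministic Miller-Rabin, exact for n < 3.3e24."""
    if n < 2 or any(n % a == 0 for a in bases): return n in bases
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def Setup(bits=64):  # pp: safe prime p = 2q+1 and g = 4, a generator of the order-q subgroup
    q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)): q += 2
    return {"p": 2 * q + 1, "q": q, "g": 4}

def _Hq(pp, *parts):  # challenge hash into Z_q (assumed: SHA-256 of the repr)
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % pp["q"]
def _Hp(pp, x):  # hash to the subgroup: a square mod p, with discrete log unknown
    return pow(int.from_bytes(hashlib.sha256(repr(x).encode()).digest(), "big"), 2, pp["p"])

def OTKGen(pp):  # one-time key pair (pk, sk) with pk = g^sk
    sk = secrets.randbelow(pp["q"] - 1) + 1
    return pow(pp["g"], sk, pp["p"]), sk
def TgGen(pp, sk):  # linkability tag (Monero's key image) H_p(pk)^sk: fixed per key
    return pow(_Hp(pp, pow(pp["g"], sk, pp["p"])), sk, pp["p"])

def Spend(pp, R, I, O, mu):
    """R: ring of public keys; I = (j, sk, tag) with R[j] = g^sk; O: targets; mu: metadata."""
    p, q, g, (j, sk, tag), n = pp["p"], pp["q"], pp["g"], I, len(R)
    tx = (tuple(R), tag, tuple(O), mu)
    c, s = [0] * n, [secrets.randbelow(q) for _ in range(n)]
    alpha = secrets.randbelow(q - 1) + 1  # signer's fresh randomness
    c[(j + 1) % n] = _Hq(pp, tx, pow(g, alpha, p), pow(_Hp(pp, R[j]), alpha, p))
    for i in [(j + k) % n for k in range(1, n)]:  # walk the ring back to the signer
        L = pow(g, s[i], p) * pow(R[i], c[i], p) % p
        Rt = pow(_Hp(pp, R[i]), s[i], p) * pow(tag, c[i], p) % p
        c[(i + 1) % n] = _Hq(pp, tx, L, Rt)
    s[j] = (alpha - c[j] * sk) % q  # closes the ring; needs sk, so j stays hidden
    return tx, (c[0], s)

def Vf(pp, tx, sigma):
    R, tag, _, _ = tx
    p, g, (c, s) = pp["p"], pp["g"], sigma
    if len(s) != len(R) or tag == 1 or pow(tag, pp["q"], p) != 1:
        return False  # malformed tag (outside the prime-order subgroup)
    for i in range(len(R)):  # recompute the challenge chain; valid iff it closes on c0
        L = pow(g, s[i], p) * pow(R[i], c, p) % p
        Rt = pow(_Hp(pp, R[i]), s[i], p) * pow(tag, c, p) % p
        c = _Hq(pp, tx, L, Rt)
    return c == sigma[0]
```

Two transactions spent from the same one-time key carry the same tag in \( tx \), which is exactly what a verifier compares against the set of tags already on the chain to detect a double spend; a verifier cannot tell which ring member produced the tag.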

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Thyagarajan, S.A., Malavolta, G., Schmid, F., Schröder, D. (2022). Verifiable Timed Linkable Ring Signatures for Scalable Payments for Monero. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_23


  • Print ISBN: 978-3-031-17145-1

  • Online ISBN: 978-3-031-17146-8
