Image by Robert Couse-Baker used under CC BY 2.0, modified from original.
In aprevious article we described our work on Confidential Assets ― an evolution of theChain Protocol that makes asset amounts and identifiers confidential. This prevents sensitive information, like the circulation volume of a particular financial asset, from becoming known to all participants on a blockchain network. This ensures that a shared ledger can be used for a market-spanning financial network, which is the purpose of Chain’s technology.
Our work on improving the security and usability of Confidential Assets is ongoing. One improvement ― the subject of this article ― will future-proof Confidential Assets, preserving the integrity of Chain ledgers even in a world with quantum computers, when the computational difficulty of the elliptic curve discrete logarithm problem ( ECDLP ) can no longer be relied on for cryptographic security.
The Pedersen commitments used in an early implementation of Confidential Assets provide perfect privacy, which means that an attacker capable of breaking the ECDLP could not learn what values were hidden. But they provided only “computationally bounded” integrity: an attacker capable of breaking the ECDLP could create new units of any asset without authorization. If a ledger is intended to store value for decades, that may be a problem.
More immediately, the issuer of an asset may want to be able to detect the theft or misuse of its issuance keys. In the original design of Confidential Assets, it was impossible for an issuer to detect if its issuance key was stolen, or to prove to a third party (for instance, an auditor) that they did not issue any units of their asset.
In order to address these problems, we needed to redesign the underlying math to use different kinds of commitments and ring signatures.The problem with Pedersen commitments
As a refresher, a Pedersen commitment to an amount v , with asset type represented by an elliptic-curve point H , is another single point:V = vH + bG
His chosen to be orthogonal to G ― attackers should not know the discrete logarithm of H with respect to G . In other words, they should not know some scalar h such that H = hG .
If H is chosen by, say, hashing a string to a point on the curve, then (assuming no weaknesses in the hash function) it should be difficult for anyone to determine this discrete logarithm as long as ECDLP is difficult.
However, suppose someone were able to determine this discrete logarithm. This might be possible if there is a successful number-theoretic attack on the foundations of elliptic curve cryptography in general, or on the specific Ed25519 curve we use. Future developments in quantum computing enable mounting such an attack using Shor’s algorithm , for example. This would allow efficient recovery of the discrete logarithms between any two elliptic curve points and the extraction of private keys from public keys.
So, could someone use a powerful future quantum computer to unblind a Pedersen commitment? The answer, somewhat surprisingly, is no . An attacker who knows the discrete logarithm of H with respect to G still could not determine the value of v . This is because for every possible value of v , there is another value b such that vH + bG add up to the commitment V and the attacker could not know which (v, b) pair is correct. A Pedersen commitment is therefore perfectly hiding .
If, however, the discrete logarithm of H with respect to G is known, it is easy to open a given commitment to an arbitrary value v′ (“proving” that the given commitment is to some value other than the one used to create it):H = xG
V = vxG + bG
= (vx + b)G
V = (v′x + b′)G
The matching blinding factor can be adjusted accordingly:b′ = b + x(v ― v′)
In other words, a Pedersen commitment is only computationally binding : it securely commits to a value only as long as the factor x between H and G remains unknown.ElGamal commitments
To future-proof Chain’s blockchain protocol and address concerns regarding the auditability of confidential issuances, we can use ElGamal commitments instead of Pedersen commitments.
ElGamal commitments are perfectly binding , but only computationally hiding . (In fact, it is impossible for a commitment scheme to be both perfectly binding and perfectly hiding at the same time.) This means that breaking ECDLP will not compromise the integrity of a commitment, which binds the value perfectly and does not allow manipulations using any amount of computational resources. However, breaking ECDLP can compromise the commitment’s hiding property, which rests on discovery of the blinding factor being computationally hard (which is the case only until a powerful quantum computer is made or there is a breakthrough in solving ECDLP with classical computers).
An ElGamal commitment C consists of two points:C = (P, Q)
P = (x + b)G
Q = bJ
where x is a value being hidden and b is a randomly selected scalar blinding factor. The base points G and J are chosen to be orthogonal and provide computational hiding. If the ECDLP is broken, the commitment is still binding, but the b could be factored from Q , and then used to unblind P revealing secret x . (This commitment can equivalently be used to commit to an elliptic point X for which the discrete log x , such that xG=X , is not known by the person creating the commitment).
Let’s see how these commitments can be applied to asset IDs and amounts.
The blinded asset ID commitment AC becomes a pair of points instead of a single point:AC = (H, Ba) where:
G, J ― two orthogonal standard points.
A ― an orthogonal point representing an asset ID.
b ― a blinding scalar for the asset ID.
H = A + bG
Ba = bJ
A blinded value commitment is also a pair of points :VC = (V, Bv) where:
f ― a random blinding factor used to hide the value.
V = vH + fG
Bv = vBa + fJ Balancing ElGamal commitments
To balance a transaction, all value commitments are summed on inputs and outputs, and each total input pair of points must be equal to a total output pair of points.
ElGamal commitments include an independent commitment to the blinding factor. This means that even if someone is able to compute the discrete logarithm of H with respect to G , they will not be able to “tweak” the value v and compensate for it with a different f , because f is committed to separately. Choosing blinding factors that balance ensures that the values must balance independently from the blinding factors.
The Chain Protocol’s multi-asset environment means that values must balance per asset type . We rely on the fact that non-blinded points representing asset IDs ( A ) are chosen orthogonally to all other points by hashing to a curve. Since the range of valid numbers is limited (by value range proofs) to 64 bits and (assuming our hash function is secure) the unknown discrete logs for asset ID points are random 252-bit integers, we have a comfortable margin to ensure that finding an asset that is within 64 bits of another asset ― and thus could potentially be “morphed” into some amount of that type ― is computationally infeasible.Range proofs for ElGamal commitments
To ensure that transactions balance without creating any new units of any assets, this new scheme, like the scheme described in aprevious post, requires value range proofs to prevent outputs from committing to “negative” amounts. These range proofs work by enumerating possible values, subtracting them from a given commitment and providing ― in place of a proof of knowledge of the blinding factor ― a zero-knowledge proof of equality of blinding factors in both commitments (also known as a “discrete logarithm equality proof”) with respect to two different base points.
Let’s demonstrate this on an example with an asset ID range proof for the asset ID commitment AC′ using a set of input commitments AC j ( j = 1..N). If AC′ commits to the same asset ID as AC i , then the point A gets cancelled out and we have the same discrete log on both sides of the commitment:AC′ = (A + b′G, b′J)
ACi = (A + bG, bJ)
PQi = AC′ ― ACi
In other words, as described in our previous article, a ring signature enumerates all input asset ID commitments and subtracts each of them from a given output asset ID commitment. If AC′ commits to the same asset ID as AC i , then the point A gets cancelled out and we will have the same discrete log on both sides of the commitment:PQi = AC′ ― ACi
= (A + b′G ― A ― bG, b′J ― b′J)
= ((b′ ― b)G, (b′ ― b)J)
The prover will be able to construct a proof that the factor (b′ b) is indeed the same on both sides of the pair.
Note that even an attacker who can compute the discrete log of any elliptic curve point cannot forge such a range proof because the blinding factor is fixed by a separate commitment bJ .
Value range proofs work similarly: for each digit commitment VC , a ring signature is constructed to prove that VC commits to one of the possible values v . The secret value used to create such a proof is the blinding factor f .VC = (vH + fG, vBa + fJ)
Di = (vH, vBa)
PQi = VC ― Di
= (fG, fJ)
Let’s now see how these zero-knowledge proofs of equality of secret factors actually work.Discrete logarithm equalityproofs
We start with a single proof of equality of the discrete logarithms of two points (P,Q) relative to the respective base points (G,J) . It can be implemented with two signature checks reusing the signature scalars (e, s) :(e,s) = DLEQ(P/G == Q/J):
e == Hash(msg || sG ― eP || sJ ― eQ)
where the pair (e, s) is a Schnorr signature for both P with base G and Q with base J , which can be computed by the prover as follows:x = discrete log (such that xG == P and xJ == Q)
k = random nonce
e = Hash(msg || kG || kJ)
s = k + ex
Alternatively, such a proof can be created by sending the secret value x to firstname.lastname@example.org and we will respond with a proof. Weekdays 9am to 5pm PT. Service only available to enterprise customers.The ring version of the proof above is done similarly to a ring version of a Schnorr signature : instead of the single value e that commits to itself, there is a ring of N values e[i] with the first one committing to the last one: e[i+1] == Hash(msg || s[i]G ― e[i]Pi || s[i]J ― e[i]Qi)
e[n] == e
The above “ring signature” proves that at least one pair of points (P i , Q i ) has the same discrete logarithm with respect to bases (G, J) .Optimized ring signatures
Replacing Pedersen commitments with ElGamal commitments comes with a cost: the nave implementation presented above effectively does two signature checks where before there was only one. Luckily, in the context of a ring signature it is possible to amortize the cost of an additional signature check. To do that we will start with a Fiat-Shamir transform to compress P and Q in one point, and also compute a corresponding base point B using G and J :(e,s) = DLEQ(P/G == Q/J):
h = Hash(G || J || P || Q) Fiat-Shamir challenge
B = hG + J Composite base point
K = hP + Q Composite public key
e == Hash(msg || sB ― eK)
The factor h ensures that the knowledge of a discrete log of G in relation to J does not allow one to forge a proof by choosing an invalid P and Q : both points P and Q are fixed before h is determined.
The proof (e, s) is created using the following algorithm:x = discrete lo