Once again, it's report time.
This month has been a lot of miscellaneous work on proofs and papers. My DLSAG collaborators and I have submitted versions of the DLSAG signature paper to conference proceedings and to the IACR preprint archive, now that we've made some edits to account for key images in the protocols. The common basepoint used in key images would presently necessitate a self-spend to avoid identification by a sender. This introduces subtleties in avoiding metadata leakage and would slow down peer-to-peer direct transactions, but it may be less important for payment channels. We will be eager to receive comments and reviews on the preprint.
The new CLSAG signature scheme has undergone significant additional analysis and updates. Sample code and timing code are currently available, and they show excellent efficiency improvements. The final version of a paper with full details and security proofs has a pending merge request to the internal archive. Comments on the paper are welcome.
There is sample code demonstrating a version of the Bulletproofs inner product proving system that allows arbitrary input vector size. Verification uses the same number of rounds as the prover, making it inefficient. While it may be possible to reduce the verifier's complexity to a single multiexponentiation (as we do for the current version in production), it is not clear how to do so.
I have a draft writeup for a merged-input system called MoJoin that allows multiple parties to generate a single transaction. The goal is to complete the transaction merging with no trust in any party, but this introduces significant complexity and may not be possible with the known Bulletproofs multiparty computation scheme. My current version of MoJoin assumes partial trust in a dealer, who learns the mappings between input rings and outputs (but not true spends or Pedersen commitment data).
Additionally, I am performing a comparative analysis of three different sublinear transaction protocols. Each of Lelantus, RingCT3.0, and Omniring has a preprint available. The different approaches to transaction privacy come with tradeoffs that deserve careful investigation to determine their applicability and feasibility for Monero.
And now on to Sarang's Reading Corner, a short listing of some interesting papers that I have come across this month. The appearance of a paper in this list does not mean that I necessarily agree with its contents or correctness, or that I endorse it. Papers are in no particular order.
- Another Look at ALGORAND
- New Number-Theoretic Cryptographic Primitives
- UC-Secure CRS Generation for SNARKs
- FloodXMR: Low-cost transaction flooding attack with Monero’s bulletproof protocol
- Further Disclosure on Zerocoin vulnerability
- Two-Party ECDSA from Hash Proof Systems and Efficient Instantiations
- A Deep Dive into Bitcoin Mining Pools: An Empirical Analysis of Mining Shares
- Spartan: Efficient and general-purpose zkSNARKs without trusted setup
- RingCT 3.0 for Blockchain Confidential Transaction: Shorter Size and Stronger Security
- (Linkable) Ring Signature from Hash-Then-One-Way Signature
- Lattice RingCT v2.0 with Multiple Input and Output Wallets
- Bandwidth-Efficient Transaction Relay for Bitcoin
- Omniring: Scaling Up Private Payments Without Trusted Setup - Formal Foundations and Constructions of Ring Confidential Transactions with Log-size Proofs
SarangNoether