Sending Cryptocurrencies Confidentially: Ring Signature, Homomorphic Commitment, and Zero-Knowledge Range Proofs

Sending Cryptocurrencies Confidentially

Once public coins are shielded, they will be confidentially sent, received, stored, and traded as privacy coins. Custodians may retain records of the total number of privacy coins minted but will have no visibility into how these privacy coins are utilized afterward. Every privacy coin transaction will remain confidential and untraceable, even to custodians and validators. Chameleon will employ advanced cryptographic primitives, including linkable ring signature schemes, homomorphic commitment schemes, and zero-knowledge range proofs, to obscure sending addresses, receiving addresses, and transacted amounts.

Fungibility: The Basis of Monetary Privacy

All privacy coins issued on the Chameleon network will be fungible, which satisfies one of the fundamental requirements of money: any unit of the currency must be identical to, and interchangeable with, any other unit. Because the history of every privacy coin is hidden, no unit can be singled out or blacklisted on the basis of where it came from.

Ring Signatures: Shielding Sending Addresses

A ring signature scheme will enable a member of a group to sign a message on behalf of the group without revealing which member signed [Chaum and Van Heyst, 1991; Fujisaki and Suzuki, 2007; Van Saberhagen, 2013]. From a verifier’s point of view, every group member is equally likely to be the actual signer, and this is what provides signer anonymity.

Group formation in a ring signature scheme will be spontaneous, with no centralized manager to uncover the identity of the true signer. Due to these characteristics, such groups are referred to as ad hoc groups or rings. A signer will form a group by collecting public keys from other group members. These additional group members, known as decoys or mixins, will be drawn from historical transactions. The unified signature generated by the ring provides anonymity for the true signer.

In Chameleon, ring signatures will be utilized to authorize the spending of an Unspent Transaction Output (UTXO) [Nakamoto, 2008], without exposing the identity of the spender. Each ring will comprise the actual UTXO being spent along with its decoys, which will consist of random outputs from historical transactions. Together, the actual UTXO and its decoys will form the transaction inputs.

From a public perspective, any of these inputs could plausibly be the actual output being spent. This uncertainty ensures that the true spender remains indistinguishable within the group, thereby safeguarding the privacy of the transaction.

Since it is impossible to tell which UTXO a ring signature spends, a dishonest spender could present the same UTXO in two different rings, which is the double-spending problem [Finney, 1993]. To mitigate this, Chameleon will implement a variant of the ring signature called a Linkable Ring Signature [Liu et al., 2004]. This approach adds a crucial property: linkability.

With linkability, every signature produced under the same private key, whether over the same or different messages, carries the same identifier, called a serial number (the key image of CryptoNote). Comparing serial numbers therefore reveals whether two signatures come from the same group member, without disclosing which member that is.

In Chameleon’s implementation, the serial number is derived from the UTXO being spent and included in every ring signature. To prevent double-spending, serial numbers are recorded permanently as part of the transaction data, and validators keep the set of serial numbers already used. A new ring signature that reuses an existing serial number is rejected, which protects against double-spending even though nobody can tell which ring member the serial number belongs to.

This combination of anonymity and accountability ensures that privacy is preserved while maintaining the integrity of the Chameleon network.
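The following Python is an added example, not code from Chameleon or from the original post, of the linkable ring signature just described. It follows the CryptoNote variant in which the serial number is the signer’s secret key applied to a hash of the signer’s own public key, so the serial number is the same no matter which decoys are chosen for a given spend. It runs over a deliberately tiny Schnorr group (a safe prime of about 32 bits) so that the arithmetic stays readable; the group, the hash encoding and all function names are assumptions made for this example, and a deployment would use an elliptic curve such as Ed25519. accept_spend is the validator rule: the signature must verify and its serial number must be unseen.

```python
import hashlib
import secrets

# Toy Schnorr group for illustration only (assumption of this example): p = 2q + 1 is a
# ~32-bit safe prime, so the quadratic residues mod p form a subgroup of prime order q,
# generated by G = 2**2. A real system would use a curve such as Ed25519.
def _is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

Q = next(q for q in range(2**31 + 1, 2**32, 2) if _is_prime(q) and _is_prime(2 * q + 1))
P = 2 * Q + 1
G = 4

def hash_int(*parts) -> int:
    """SHA-256 of the '|'-joined string forms of the parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"|".join(str(p).encode() for p in parts)).digest(), "big")

def hash_to_group(*parts) -> int:
    """Squaring mod P maps a hash into the order-Q subgroup (the role of H_p in CryptoNote)."""
    return pow(hash_int("grp", *parts) % P, 2, P)

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def lsag_sign(ring, pi, x, msg):
    """Linkable ring signature over `ring` (list of public keys) by the member at index
    `pi` holding secret `x`. serial = H_p(ring[pi])^x depends only on the spent key, not
    on the decoys, so any later spend of the same key repeats it."""
    n = len(ring)
    assert pow(G, x, P) == ring[pi]
    serial = pow(hash_to_group(ring[pi]), x, P)
    c, s = [0] * n, [0] * n
    u = secrets.randbelow(Q - 1) + 1
    c[(pi + 1) % n] = hash_int(ring, serial, msg, pow(G, u, P), pow(hash_to_group(ring[pi]), u, P)) % Q
    for k in range(1, n):                       # walk from pi+1 around the ring back to pi
        i = (pi + k) % n
        s[i] = secrets.randbelow(Q)             # decoy responses are random
        z1 = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        z2 = pow(hash_to_group(ring[i]), s[i], P) * pow(serial, c[i], P) % P
        c[(i + 1) % n] = hash_int(ring, serial, msg, z1, z2) % Q
    s[pi] = (u - x * c[pi]) % Q                 # only the holder of x can close the ring
    return c[0], s, serial

def lsag_verify(ring, msg, sig) -> bool:
    """Recompute the challenge chain from c_0; it must wrap around to c_0 again."""
    c0, s, serial = sig
    if len(s) != len(ring):
        return False
    c = c0
    for i, y in enumerate(ring):
        z1 = pow(G, s[i], P) * pow(y, c, P) % P
        z2 = pow(hash_to_group(y), s[i], P) * pow(serial, c, P) % P
        c = hash_int(ring, serial, msg, z1, z2) % Q
    return c == c0

def accept_spend(used_serials: set, ring, msg, sig) -> bool:
    """Validator rule: valid signature AND a serial number never seen before."""
    if not lsag_verify(ring, msg, sig):
        return False
    serial = sig[2]
    if serial in used_serials:
        return False                            # double spend: same UTXO, second signature
    used_serials.add(serial)
    return True
```

Note the difference from the original Liu et al. scheme, where the key image is computed from a hash of the whole ring: there, two spends of one key with different decoy sets would carry different serial numbers and the ledger check would miss the double spend. Tying the hash to the spent key itself (as the example does) is what makes the serial number a property of the UTXO rather than of the ring.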

Stealth Addresses: Shielding Receiving Addresses

In traditional cryptonetworks like Bitcoin or Ethereum, a public address is all that is required to view the complete history of incoming and outgoing transactions associated with that address [Reid and Harrigan, 2013]. This level of transparency can reveal total balances, spending patterns, and other details, making it easy to link transactions.

To prevent such linking and ensure privacy, Chameleon introduces stealth addresses, a type of one-time public key. For every incoming output, the sender’s wallet derives a fresh one-time public key from the recipient’s address, so the address itself never appears on the ledger. These stealth addresses act as one-time deposit boxes, ensuring that:

  1. Only the intended receiver can access the contents of the deposit box.
  2. Each incoming transaction appears independent, making it impossible to correlate transactions or infer the receiver’s total balance.

Stealth addresses keep the receiver confidential; together with ring signatures, which hide the sender, and confidential transactions, which hide the amount, they ensure that the sender, receiver, and transacted amount all remain confidential. This cryptographic mechanism significantly enhances user privacy while maintaining the flexibility and functionality of a decentralized network.

Stealth addresses in Chameleon are built on the Diffie-Hellman key exchange protocol [Diffie and Hellman, 1976], a cryptographic method enabling two users to create a shared secret, even in the presence of an eavesdropper monitoring all communications.

A Chameleon address is composed of:

  • A public view key, which a sender uses to derive the shared secret for a payment; the matching private view key lets the receiver scan the ledger for outputs addressed to it.
  • A public spend key, which is paired with a private spend key that is needed to authorize outgoing transactions.

How Stealth Addresses Work

  1. Transaction Setup
    When Alice wants to send privacy coins to Bob, she uses:

    • Bob’s public view key and public spend key.
    • A piece of fresh randomness, whose public counterpart (the transaction public key) she attaches to the transaction so that Bob can later reconstruct the shared secret.
  2. Deriving the One-Time Key
    Using these inputs, Alice performs the Diffie-Hellman step with Bob’s public view key and derives a one-time public key for Bob’s new UTXO. The derivation is arranged so that only Bob can compute the corresponding one-time private key.

  3. Receiving the UTXO

    • Bob scans the outputs on the ledger using his private view key and each transaction public key, repeating the Diffie-Hellman step to identify the UTXO intended for him.
    • Once identified, Bob computes the one-time private key corresponding to the one-time public key; this step additionally requires his private spend key.
  4. Spending the UTXO

    • Bob spends the UTXO with that one-time private key. Because it depends on his private spend key, a party holding only the view key can detect the funds but cannot move them.
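The four steps above as an added example in Python, not code from Chameleon or from the original post. It uses a tiny Schnorr group (an assumption; a deployment uses an elliptic curve) and separates the three roles: send_to is Alice’s side and publishes the transaction public key R together with the one-time output key; belongs_to_me is Bob’s scan and needs only his private view key and public spend key, which is what a watch-only wallet would hold; one_time_secret is the spend step and additionally needs the private spend key. The function names, the hash encoding and the output index in the derivation are assumptions of this example.

```python
import hashlib
import secrets

# Toy Schnorr group for illustration only (assumption of this example): p = 2q + 1 is a
# ~32-bit safe prime and G = 2**2 generates the order-q subgroup of quadratic residues.
def _is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

Q = next(q for q in range(2**31 + 1, 2**32, 2) if _is_prime(q) and _is_prime(2 * q + 1))
P = 2 * Q + 1
G = 4

def hash_int(*parts) -> int:
    """SHA-256 of the '|'-joined string forms of the parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"|".join(str(p).encode() for p in parts)).digest(), "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def make_address():
    """Returns ((a, b), (A, B)): private view/spend keys and the public address (A, B)."""
    a, A = keygen()
    b, B = keygen()
    return (a, b), (A, B)

def send_to(address, index=0):
    """Alice's side. Fresh r gives the transaction public key R = r*G (published with the
    transaction) and the one-time output key H(r*A || index)*G + B, written here
    multiplicatively. Only Bob's public keys A and B are needed."""
    A, B = address
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    shared = hash_int("dh", pow(A, r, P), index) % Q
    one_time_pub = pow(G, shared, P) * B % P
    return R, one_time_pub

def belongs_to_me(a, B, R, one_time_pub, index=0) -> bool:
    """Bob's scan. a*R == r*A by Diffie-Hellman, so the private view key a plus the public
    spend key B recognise the output. This is all a watch-only wallet can do."""
    shared = hash_int("dh", pow(R, a, P), index) % Q
    return pow(G, shared, P) * B % P == one_time_pub

def one_time_secret(a, b, R, index=0) -> int:
    """Bob's one-time private key for this output: H(a*R || index) + b. Needs b as well."""
    return (hash_int("dh", pow(R, a, P), index) % Q + b) % Q
```

Two payments to the same address yield unrelated one-time keys because Alice draws fresh randomness each time, and another user’s view key fails the scan, which is the unlinkability the text describes.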

Privacy Benefits

  • The transaction data is recorded on the Chameleon public ledger, allowing anyone to see that a transaction occurred.
  • However, the one-time public key in the transaction cannot be linked to Bob or his Chameleon address.

For example, if Bob is a merchant, observers cannot determine that he and Alice are conducting business, preserving their privacy.

Stealth addresses ensure that Chameleon transactions remain unlinkable and confidential, even in a fully transparent public ledger environment.


Confidential Transactions: Shielding Transacted Amounts

Confidential transactions are employed to shield the transacted amounts on the Chameleon public ledger [Maxwell, 2015]. While the occurrence of privacy coin transactions remains visible, the exact amounts involved are concealed.

The fundamental approach is to commit to both the input and output amounts of a transaction using Pedersen commitments [Pedersen, 1991]. A commitment binds the amount together with a blinding factor, a random value that prevents anyone else from determining the amount (the hiding property). The committer can later open the commitment to the receiver by revealing the amount and blinding factor, and cannot open it to any other amount (the binding property); the amount itself never appears on the ledger.

Addressing Validation Challenges

The first challenge is that validators can no longer check that the sum of the inputs equals the sum of the outputs, because the amounts are hidden. To resolve this, each transaction carries a zero-knowledge proof [Goldreich et al., 1991], which lets the prover demonstrate that a statement is true without revealing anything beyond its validity.

Pedersen commitments are additively homomorphic [Gentry and Boneh, 2009]: combining two commitments yields a commitment to the sum of their amounts whose blinding factor is the sum of their blinding factors. All input commitments can therefore be aggregated into a single commitment to the total input amount, and all output commitments into a single commitment to the total output amount.

If the totals match, the difference between the aggregated input and output commitments is a commitment to zero: its amount component vanishes, and what remains is the difference of the blinding factors applied to the second generator. That is exactly the form of a public key whose private key is the blinding-factor difference. The sender proves that the balance holds by signing with this key, something nobody can do if the totals differ. Chameleon folds this into the ring signature: the commitment to zero is included as a ring member, and the blinding-factor difference serves as one of the private signing keys.
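The following Python, an added example and not Chameleon’s code, shows the balance check over Pedersen commitments in a tiny Schnorr group (an assumption; a real system uses an elliptic curve). Inputs and outputs are committed, the validator divides the aggregated commitments, and the sender’s Schnorr signature under the second generator H proves that the quotient is a commitment to zero. For brevity it uses a plain Schnorr signature rather than folding the key into a ring signature; the prover’s and the validator’s sides are separate functions so that it is visible what each one needs to know. inflation_attempt shows why the balance check alone is not enough: an output committing to -1 balances an input of 10 against an output of 11, which is the problem the next section closes with range proofs. Function names, the generator H and the hash encoding are assumptions of this example.

```python
import hashlib
import secrets

# Toy Schnorr group for illustration only (assumption of this example): p = 2q + 1 is a
# ~32-bit safe prime and G = 2**2 generates the order-q subgroup of quadratic residues.
def _is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

Q = next(q for q in range(2**31 + 1, 2**32, 2) if _is_prime(q) and _is_prime(2 * q + 1))
P = 2 * Q + 1
G = 4

def hash_int(*parts) -> int:
    """SHA-256 of the '|'-joined string forms of the parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"|".join(str(p).encode() for p in parts)).digest(), "big")

# Second generator H: a nothing-up-my-sleeve hash squared into the subgroup, so nobody
# knows log_G(H). (In this toy group it could be brute-forced; at curve sizes it cannot.)
H = pow(hash_int("chameleon-example-H") % P, 2, P)

def commit(v: int, r: int) -> int:
    """Pedersen commitment to amount v under blinding r: v*G + r*H, i.e. G^v * H^r mod P."""
    return pow(G, v % Q, P) * pow(H, r % Q, P) % P

def aggregate(commits) -> int:
    """Product of commitments = commitment to the sum of amounts under the sum of blindings."""
    c = 1
    for x in commits:
        c = c * x % P
    return c

def prove_balance(inputs, outputs, tx_id):
    """Sender side; inputs/outputs are (amount, blinding) pairs. D = C_in / C_out equals
    H^z with z = sum(r_in) - sum(r_out) exactly when the amounts balance, and a Schnorr
    signature under base H with secret z proves that without revealing any amount."""
    D = aggregate(commit(v, r) for v, r in inputs) * pow(aggregate(commit(v, r) for v, r in outputs), -1, P) % P
    z = (sum(r for _, r in inputs) - sum(r for _, r in outputs)) % Q
    k = secrets.randbelow(Q - 1) + 1
    c = hash_int("balance", tx_id, D, pow(H, k, P)) % Q
    return c, (k + c * z) % Q

def verify_balance(in_commits, out_commits, tx_id, proof) -> bool:
    """Validator side: sees only the commitments, never the amounts or blindings."""
    c, s = proof
    D = aggregate(in_commits) * pow(aggregate(out_commits), -1, P) % P
    T = pow(H, s, P) * pow(D, (-c) % Q, P) % P      # equals H^k only if D carries no G component
    return hash_int("balance", tx_id, D, T) % Q == c

def inflation_attempt() -> bool:
    """Outputs 11 and -1 (which is Q - 1 mod Q) 'balance' against an input of 10: the
    balance check passes although a coin has been minted out of nothing."""
    inputs = [(10, secrets.randbelow(Q))]
    outputs = [(11, secrets.randbelow(Q)), (-1, secrets.randbelow(Q))]
    proof = prove_balance(inputs, outputs, "inflate")
    in_c = [commit(v, r) for v, r in inputs]
    out_c = [commit(v, r) for v, r in outputs]
    return verify_balance(in_c, out_c, "inflate", proof)
```

The validator never learns the amounts 7, 5, 9 and 3 in the honest case; it only checks that the quotient of the aggregated commitments is a pure multiple of H, which is what a signature under H demonstrates.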

Preventing Inflation through Range Proofs

The second issue is that committed amounts live in a finite field, so an attacker could commit to a "negative" amount (a huge value that wraps around) and inflate the supply of privacy coins: an input of 10 would balance against outputs of 11 and -1. To mitigate this, each output commitment is paired with a range proof [Boudot, 2000; Morais et al., 2019], which demonstrates that the committed amount lies in the non-negative interval [0, 2⁶⁴) without disclosing the amount.

Validators can now confirm the legitimacy of a transaction without knowing the exact amounts being transferred. To implement range proofs efficiently, Bulletproofs [Bünz et al., 2018] are used. Bulletproofs are short, non-interactive zero-knowledge proofs that enable confidential transactions without requiring a trusted setup. The size of a range proof shrinks from approximately 5 KB to roughly 700 bytes, a significant efficiency gain. Furthermore, Bulletproofs support aggregation: proving the ranges of several outputs in one proof grows its size only logarithmically in the number of outputs.
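Bulletproofs are too involved to reproduce here, but the following added Python (not Chameleon’s code) implements the simpler bit-decomposition range proof that Bulletproofs replaced, in the same kind of tiny Schnorr group assumed above: the prover commits to each bit of the amount, proves with a sigma-protocol OR-proof that every bit commitment hides 0 or 1, and the validator checks that the output commitment is the weighted product of the bit commitments. Because the proof carries one commitment and two (challenge, response) pairs per bit, a 64-bit amount needs 64 of them, which is why such proofs ran to kilobytes and why a logarithmic-size proof matters. Function names, the 16-bit toy range, the generator H and the hash encoding are assumptions of this example.

```python
import hashlib
import secrets

# Toy Schnorr group and Pedersen commitment, assumptions of this example (a deployment
# would use an elliptic curve): p = 2q + 1 is a ~32-bit safe prime, G = 2**2 generates
# the order-q subgroup, and H is a hash squared into that subgroup (log_G(H) unknown).
def _is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

Q = next(q for q in range(2**31 + 1, 2**32, 2) if _is_prime(q) and _is_prime(2 * q + 1))
P = 2 * Q + 1
G = 4

def hash_int(*parts) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(str(p).encode() for p in parts)).digest(), "big")

H = pow(hash_int("chameleon-example-H") % P, 2, P)

def commit(v: int, r: int) -> int:
    """Pedersen commitment G^v * H^r mod P."""
    return pow(G, v % Q, P) * pow(H, r % Q, P) % P

def _bit_proof(B, bit, r):
    """OR-proof that B = H^r (bit 0) or B = G * H^r (bit 1) without revealing which: the
    true branch is proved honestly, the other is simulated by fixing its challenge and
    response first, and the two challenges must sum to the hash. Returns [(c0, s0), (c1, s1)]."""
    Y = [B, B * pow(G, -1, P) % P]              # Y[bit] = H^r for the true bit
    other = 1 - bit
    c_o, s_o = secrets.randbelow(Q), secrets.randbelow(Q)
    T = [0, 0]
    T[other] = pow(H, s_o, P) * pow(Y[other], (-c_o) % Q, P) % P
    k = secrets.randbelow(Q - 1) + 1
    T[bit] = pow(H, k, P)
    c = hash_int("bit", B, T[0], T[1]) % Q
    c_b = (c - c_o) % Q
    proof = [None, None]
    proof[bit], proof[other] = (c_b, (k + c_b * r) % Q), (c_o, s_o)
    return proof

def _bit_verify(B, proof) -> bool:
    Y = [B, B * pow(G, -1, P) % P]
    T = [pow(H, s, P) * pow(Y[i], (-c) % Q, P) % P for i, (c, s) in enumerate(proof)]
    return (proof[0][0] + proof[1][0]) % Q == hash_int("bit", B, T[0], T[1]) % Q

def range_prove(v: int, bits: int = 16):
    """Prove 0 <= v < 2**bits. Each bit gets its own commitment and blinding; the output
    commitment C = prod B_j^(2^j) = G^v * H^r. Returns (C, r, proof); the prover keeps r."""
    assert 0 <= v < 2 ** bits, "amount outside the provable range"
    bit_commits, bit_proofs, r = [], [], 0
    for j in range(bits):
        b, r_j = (v >> j) & 1, secrets.randbelow(Q)
        B = commit(b, r_j)
        bit_commits.append(B)
        bit_proofs.append(_bit_proof(B, b, r_j))
        r = (r + r_j * (1 << j)) % Q
    return commit(v, r), r, (bit_commits, bit_proofs)

def range_verify(C: int, proof, bits: int = 16) -> bool:
    """Validator side: C must equal prod B_j^(2^j) and every bit proof must verify."""
    bit_commits, bit_proofs = proof
    if len(bit_commits) != bits or len(bit_proofs) != bits:
        return False
    recomposed = 1
    for j, B in enumerate(bit_commits):
        recomposed = recomposed * pow(B, 1 << j, P) % P
    return recomposed == C and all(_bit_verify(B, pr) for B, pr in zip(bit_commits, bit_proofs))
```

A commitment to a wrapped-around amount such as Q - 1 cannot be decomposed into 16 bits that are each 0 or 1, so no valid proof exists for it, which is exactly the inflation route the range proof closes.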
