Ring Confidential Transaction (RingCT)

Ring Confidential Transaction (RingCT) is a privacy-preserving transaction protocol. Helicon has proposed a quantum-resistant variant, Quantum Resistant RingCT, which applies encryption in both directions of an asset transfer and is designed to meet strict transaction-privacy requirements. RingCT protects user privacy in two respects:

• Anonymity of the sender's identity

• Hiding of the transaction amount

The RingCT protocol consists of three technical components: a one-time linkable ring signature, a homomorphic commitment scheme, and a range proof.

The one-time linkable ring signature lets the payer sign a transaction with a one-time private key (corresponding to a one-time public key) and anonymize it by picking n-1 other public keys from the blockchain. Anyone inspecting the blockchain learns only that the transaction was produced by one of the n users whose public keys appear in it; nobody can determine which one (the probability of identifying the real sender is no better than a random guess). Helicon uses this technique to protect the sender's privacy.

Since the sender is hidden, another mechanism is needed to detect double spending. This is where the linkability of the ring signature helps: besides anonymity, it lets anyone detect that the same key has been used to sign two or more transactions, i.e. that the sender is a double spender. This property provides the security needed to reject double-spending transactions.

The second component is the homomorphic commitment scheme. Although a linkable ring signature hides the sender's identity, the transaction amount remains public. To hide it, a homomorphic commitment scheme is used. Like an encryption scheme, a commitment scheme lets one hide a message; unlike encryption, there is no decryption algorithm. Only the party that made the commitment can open it, by revealing the message together with the randomness used when committing, after which anyone can verify that the opening matches the commitment. A commitment scheme is homomorphic if a commitment to m1 ± m2 can be computed from the commitments to m1 and m2 alone, without knowing either value.

A transaction is consistent (balanced) if the sum of its input amounts equals the sum of its output amounts. To keep the amounts hidden while still letting miners verify consistency, a homomorphic commitment scheme is used: every transaction amount is stored as a commitment. We assume the randomness (blinding factor) used in the commitment is sent from the sender to the receiver over a secure channel. Miners then use the homomorphic property of the input and output commitments to verify that the transaction balances.

The remaining task is to combine linkable ring signatures with homomorphic commitments so that both the sender's address and the transaction amount are hidden. The Helicon team plans to achieve this in a novel way: if a commitment to 0 is a valid public key of the linkable ring signature scheme, and the corresponding private key can be derived from the randomness used in that commitment, the task can be accomplished; at the same time, it must be infeasible to derive a private key from any commitment to a non-zero value.

First, extend the linkable ring signature to support rings of the form {(pk11, pk12), (pk21, pk22), …, (pkn1, pkn2)} (for simplicity, we assume each user has only two wallets and therefore two public keys), where for some j ∈ {1, …, n} the signer uses skj1 and skj2 to sign.

Second, combine the homomorphic commitment scheme with the extended linkable ring signature scheme. For ease of discussion, assume each wallet has the form (pk, cn), where pk is the wallet's public key (address) and cn is the homomorphic commitment to the wallet amount v. Suppose the actual spender is (pkπ, cnπ), and that the spender chooses n-1 other addresses and arranges them as (pk1, cn1), (pk2, cn2), …, (pkπ-1, cnπ-1), (pkπ+1, cnπ+1), …, (pkn, cnn). Suppose the output is (pkout, cnout).

Third, compute the new "public key" pk'i = eval(cni, cnout, -) for each i, where eval is the evaluation function of the homomorphic commitment scheme, so that pk'i is a commitment to vi - vout. By the special properties of the underlying homomorphic commitment scheme and the extended linkable ring signature scheme discussed above, pk'i is a valid public key exactly when vi - vout = 0.

Finally, the payer computes the extended linkable ring signature over {(pk11, pk12, pk'1), (pk21, pk22, pk'2), …, (pkn1, pkn2, pk'n)}. The reasoning is that the payer knows the private keys for its own entry (pkπ1, pkπ2, pk'π), because if the transaction is consistent, pk'π is a commitment to 0. Otherwise the payer cannot compute the private key for pk'π and therefore cannot produce the required extended linkable ring signature.

When the scheme is extended to multiple inputs and outputs, the design above is vulnerable to integer overflow/underflow attacks. Specifically, the protocol so far only ensures that the sum of the committed input values equals the sum of the committed output values. For example, a malicious spender can create output commitments to 100 and -99; with an input value of 1, the transaction balances and is accepted. Moreover, the cryptography operates in a finite field (of prime order p), so -99 is really p - 99, a very large value. This is why the third component, the range proof, is required: it shows that each committed output lies within a valid range.
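As an added illustration of the four-step construction above and of the overflow problem (example code, not Helicon's own), the following toy models a Pedersen-style homomorphic commitment in a multiplicative group mod p, where a commitment to 0 is h^r and its private key is r. The parameters p, q, g, h, the ring and all amounts are constructed here and are far too small for real use.

```python
# Toy Pedersen commitments in the order-q subgroup of Z_p^*. The parameters are
# constructed for illustration and are far too small for real use; amounts and
# blinding factors are exponents, so they live mod q.
P, Q = 1019, 509   # p = 2q + 1 is a safe prime, so q is the subgroup order
G, H = 4, 9        # quadratic residues mod p, hence generators of that subgroup

def commit(v: int, r: int) -> int:
    """Pedersen commitment cn = g^v * h^r mod p to amount v with blinding r."""
    return pow(G, v % Q, P) * pow(H, r % Q, P) % P

def eval_sub(c1: int, c2: int) -> int:
    """eval(c1, c2, -): a commitment to v1 - v2 under blinding r1 - r2, computed
    from the two commitments alone (the homomorphic property)."""
    return c1 * pow(c2, -1, P) % P

def is_private_key(pk: int, sk: int) -> bool:
    """A commitment to 0 is h^r, i.e. a public key whose private key is r."""
    return pow(H, sk % Q, P) == pk

def ring_keys(ring_cns: list, cn_out: int) -> list:
    """pk'_i = eval(cn_i, cn_out, -) for every ring member; anyone can compute these."""
    return [eval_sub(cn, cn_out) for cn in ring_cns]

def spendable_indices(ring_cns: list, cn_out: int, r_spender: int, r_out: int) -> list:
    """Ring positions whose pk'_i the spender can actually sign for with
    sk = r_pi - r_out: only its own position, and only when v_pi - v_out == 0."""
    sk = r_spender - r_out
    return [i for i, pk in enumerate(ring_keys(ring_cns, cn_out))
            if is_private_key(pk, sk)]

def balances(inputs: list, outputs: list) -> bool:
    """Multi-input/multi-output consistency: the product of input commitments
    divided by the product of output commitments must be a commitment to 0,
    which holds iff sum(v_in) == sum(v_out) mod q."""
    cn_in = cn_out = 1
    for v, r in inputs:
        cn_in = cn_in * commit(v, r) % P
    for v, r in outputs:
        cn_out = cn_out * commit(v, r) % P
    sk = sum(r for _, r in inputs) - sum(r for _, r in outputs)
    return is_private_key(eval_sub(cn_in, cn_out), sk)

def overflow_attack_passes() -> bool:
    """The page's example: one input of 1, outputs of 100 and -99. The balance
    check accepts it, because -99 is really q - 99 = 410 in the exponent group;
    only a range proof on each output rules this out."""
    return balances([(1, 7)], [(100, 11), (-99, 13)])
```

`spendable_indices` returns only the spender's own position, and only when the committed amounts match, which is what lets the ring signature double as the balance check.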
