CTA: Confidential Transactions Protocol with State Accumulator

Abstract

Considering the increasingly large storage of post-quantum RingCT-like protocols, we construct a blockchain-based confidential transactions protocol with state accumulator (CTA), where each user only needs to store a concise state of the blockchain. More precisely, CTA can compress the historical data of all transactions into a short deterministic state, while preserving privacy and post-quantum security. The key component of our CTA is an efficient zero-knowledge lattice-based accumulator, which is based on Peikert et al.’s vector commitment scheme proposed in TCC 2021. We have modified their construction to ensure that the length of the underlying M-SIS parameters is kept short for the Merkle-tree structure. At a 128-bit security level, the membership proof size for our accumulator with \(2^{20}\) members is only 225 KB under the Module-SIS and Extended-MLWE assumptions. Compared with previous lattice-based works where the time and storage complexity of each user is linear with the number of coins, our CTA is capable of achieving logarithmic storage space and computational time. Specifically, the concrete transaction size of spending a coin in CTA is around 236 KB, when the size of anonymity set is \(2^{20}\).

Appendices

A More on Preliminaries

1.1 A.1 Challenge Space

Let \(q = q_1 q_2\) be a product of two odd primes where \(q_1 < q_2\). Suppose each \(q_i\) splits into g prime ideals of degree d/g in \(R_{q}\). That is, \(X^{d}+1\) can factor into g irreducible polynomials of degree d/g modulo q. Assuming \(Z_{q}\) contains a primitive 2g-th root of unity \(\zeta _i\in Z_{q}\) and \(q_i\equiv 2g+1\pmod {4g}\), we have \(X^{d}+1 \equiv \prod _{j\in Z_{g}}(X^{d/g} - \zeta _i^{2j+1})\bmod {q_i}\) where \(\zeta _i^{2j+1}\) (\(j\in Z_{g}\)) ranges over all the g primitive 2g-th roots of unity. The ring R has a group of automorphisms \(\textsf{Aut}(R_q)\) which is isomorphic to \(Z_{2d}^{\times }\). Let \(\sigma _i\in \textsf{Aut}(R_q)\) be defined by \(\sigma _i(X) = X^i\), which is applied to the challenge set [18]. The challenge space \(\mathcal {C}\) is defined as \(\mathcal {C} = \{c\in S_{\kappa }^{\sigma }: \sqrt{\Vert \sigma _{-1}(c)c\Vert _{1}}\le \eta \}\), where \( S_{\kappa }^{\sigma }= \{c\in R_q: \Vert c\Vert _{\infty }\le \kappa \wedge \sigma (c) = c\}\). We can compute \(\Vert c\boldsymbol{r}\Vert \le \eta \Vert \boldsymbol{r}\Vert \) when \(c\in \mathcal {C}\) and \(\boldsymbol{r}\in R_q^{n}\). [18] shows that the difference of any two distinct elements of \(\mathcal {C}\) is invertible over \(R_q\) if \(\kappa < \frac{1}{2\sqrt{g}}q_1^{1/g}\). The concrete parameters proposed in [18] satisfy that for \(d = 128, g = 4, \kappa = 2, \eta = 73, q_1 > 2^{20}\) and a automorphisms \(\sigma _{-1}\), \(|\mathcal {C}| = 2^{147}\) and the invertibility property of the challenge space holds.

1.2 A.2 Rejection Sampling

During the zero-knowledge proofs, the prover computes \(\boldsymbol{z} = \boldsymbol{y} + c\boldsymbol{r}\) where \(\boldsymbol{r}\) is the secret vector, \(c\leftarrow \mathcal {C}\) is a challenge polynomial, and \(\boldsymbol{y}\) is a masking vector. The distribution of the prover’s output \(\boldsymbol{z}\) should be independent of the secret randomness vector \(\boldsymbol{r}\), so that any information on the prover’s secret cannot be obtained from \(\boldsymbol{z}\). To remove the dependency of \(\boldsymbol{z}\) on \(\boldsymbol{r}\), we use the rejection sampling technique by Lyubashevsky [17]. In order to reduce the standard deviation \(\sigma \), recent work [21] modifies rejection sampling algorithm to force \(\langle \boldsymbol{z},\boldsymbol{v}\rangle \)⁵\( \ge 0\) in Algorithm 2, which leaks one bit of information about the secret. We need to rely on the Extended-MLWE problem as analysed in [22] to show the advantage of distinguishability with the revealed one bit information.

B Proof for Theorem 2

Proof

Completeness: Completeness follows directly from the discussion in Sect. 3.2. Following [4] [Lemma 1.5(i)], with overwhelming probability, we have \(\Vert \boldsymbol{f}\Vert \le 2\phi _{1}T_{1}\sqrt{(k+1)l\alpha d}\), \(\Vert \boldsymbol{f}_{b}\Vert \le \phi _{2}T_{2}\sqrt{2ld\log {h}}\ \text {and}\ \Vert \boldsymbol{z}\Vert \) \( \le \phi _{3}T_{3}\sqrt{2md}\).

Zero-Knowledge: Firstly, randomly choose the challenges \(x\in \mathcal {C}\). (Note that, in the random oracle model, the hash function \(\mathcal {H}\) is modeled as a random oracle, which can be programmed by the simulator.) Compute \((C_0\Vert C_1\Vert \cdots \Vert C_3) = (\boldsymbol{B}_1\Vert \boldsymbol{B}_2\Vert \cdots \Vert \boldsymbol{B}_4)\cdot \boldsymbol{r}'\) by \(\boldsymbol{r}'\leftarrow \{-\beta ,\cdots ,\beta \}^{md}\), i.e., the message committed in this commitment is \(\boldsymbol{0}\). This commitment is computationally indistinguishable from the real case due to the computationally hiding property of the underlying commitment schemes, which are based on the Extended-MLWE\(_{m-n-v,n,\sigma _{3}}\) assumption. Here v denotes the height of commitments \((C_1\Vert C_2\Vert C_3)\), i.e., it is the dimension of the committed messages of \((C_1\Vert C_2\Vert C_3)\). Then, generate \(\boldsymbol{f}\leftarrow D_{\phi _{1} T_{1}}^{2l\alpha (k+1)d}\), \(\boldsymbol{z} \leftarrow D_{\phi _{2} T_{2}}^{md}\) and also \(\boldsymbol{f}_{b}\leftarrow D_{\phi _{1} T_{1}}^{2ld\log {h}}\), which are computationally indistinguishable from that of the real execution due to the reject sampling technique. At last, compute \(D'\), \(\boldsymbol{g}''_0\), \(\boldsymbol{t}''_0\) and \(\{\boldsymbol{t}'_{i,1},\boldsymbol{t}'_{i,2}\}_{i=0}^{l-1}\) as Step 1 of \(\varPi _{\textsf{acc}}\).Verify. Therefore, \(D'\), \(\boldsymbol{g}''_0\), \(\boldsymbol{t}''_0\) and \(\{\boldsymbol{t}'_{i,1},\boldsymbol{t}'_{i,2}\}_{i=0}^{l-1}\) are computationally indistinguishable from D, \(\boldsymbol{g}'_0\), \(\boldsymbol{t}'_0\) and \(\{\boldsymbol{t}_{i,1},\boldsymbol{t}_{i,2}\}_{i=0}^{l-1}\) of the real case. Thus we can obtain non-interactive \(\varPi _{\textsf{acc}}\) which is zero-knowledge through Fiat-Shamir transform [13].

Soundness: The proof of soundess follows the idea of [2]. Define the matrix H, where the rows are indexed by all possible random tapes \(\xi \in \{0,1\}^{*}\) and columns of H are indexed by all possible values for different challenge x. Let \(H[\xi ][x] = 1\) be the entry corresponding to randomness \(\xi \) and challenge \(x\in \mathcal {C}\). Obviously, an extractor can check values of each entry in H in time at most T.

The extractor \(\mathcal {E}\) is constructed as follows: Run \(\mathcal {P}^{*}\) on random tape \(\xi \leftarrow \{0,1\}^{*}\) and challenge x until it succeeds, which means \(H[\xi ][x] = 1\). Then, run \(\mathcal {P}^{*}\) on \(\xi \) and new challenges \(x',x''\) until \(H[\xi ][x'] = H[\xi ][x''] = 1\). The expected time of \(\mathcal {E}\) is at most 3T and \(\mathcal {E}\) extracts three valid transcripts with probability at least \(\epsilon - 2/|\mathcal {C}|\), where the success probability of the protocol is \(\epsilon \).

Considering the following two accepting protocol transcripts with \(x\ne x'\), \(t =\big ((C_0\Vert C_1\Vert C_2\Vert C_3); x; \boldsymbol{f}; \boldsymbol{f}_{b}; \boldsymbol{z}\big ), t' = \big ((C_0\Vert C_1\Vert C_2\Vert C_3); x'; \boldsymbol{f}'; \boldsymbol{f}'_{b}; \boldsymbol{z}'\big )\). With the following verification equation

$$\begin{aligned} xC_0 + D' = \boldsymbol{B}_1\boldsymbol{z} + \boldsymbol{B}_0(\boldsymbol{f}\Vert \boldsymbol{f}_b) \end{aligned}$$

(10)

$$\begin{aligned} x'C_0 + D' = \boldsymbol{B}_1\boldsymbol{z}' + \boldsymbol{B}_0(\boldsymbol{f}'\Vert \boldsymbol{f}'_b) , \end{aligned}$$

(11)

we have \( (x - x')\cdot C_0 = \boldsymbol{B}_1\cdot (\boldsymbol{z} - \boldsymbol{z}') + \boldsymbol{B}_0\big ((\boldsymbol{f}\Vert \boldsymbol{f}_b) - (\boldsymbol{f}'\Vert \boldsymbol{f}'_b)\big ) \). So we extract the openings \((\boldsymbol{a}^{*}, \boldsymbol{b}^{*},\boldsymbol{r}_a^{*})\) of \(C_0\), where \(\boldsymbol{a}^{*} = \bar{x}^{-1}(\boldsymbol{f} - \boldsymbol{f}')\), \(\boldsymbol{b}^{*} = \bar{x}^{-1}(\boldsymbol{f}_b - \boldsymbol{f}_b')\), \(\boldsymbol{r}_a^{*} = \bar{x}^{-1}(\boldsymbol{z} - \boldsymbol{z}')\) and \(\bar{x} := x - x'\).

Subtracting \(x\cdot \)(11) from \(x'\cdot \)(10), we get \( (x - x')\cdot D' = \boldsymbol{B}_0\cdot (x'\boldsymbol{z} - x\boldsymbol{z}') + \boldsymbol{B}_1(x'\boldsymbol{f} - x\boldsymbol{f}'\Vert x'\boldsymbol{f}_b - x\boldsymbol{f}_b'). \) Thus, we can extract the openings \((\boldsymbol{m}_a^{*}, \boldsymbol{m}^{*},\boldsymbol{d}^{*})\) of \(D'\) such that \(\boldsymbol{f} = x\boldsymbol{a}^{*}+\boldsymbol{m}_a^{*}\) and \(\boldsymbol{f}_b = x\boldsymbol{b}^{*}+\boldsymbol{m}^{*}\) hold, where \(\boldsymbol{m}_a^{*} = \bar{x}^{-1}(x\boldsymbol{f}' - x'\boldsymbol{f})\), \(\boldsymbol{m}^{*} = \bar{x}^{-1}(x\boldsymbol{f}_b' - x'\boldsymbol{f}_b)\) and \(\boldsymbol{d}^{*} = \bar{x}^{-1}(x\boldsymbol{z}' - x'\boldsymbol{z})\).

Consider an arbitrary accepting transcript with different challenge \(x''\ne x' \ne x\) and response \(\boldsymbol{f}''\), \(\boldsymbol{f}_b''\) and \(\boldsymbol{z}''\). Define \(\hat{x} = x - x''\), \(\boldsymbol{a}^{+} = \hat{x}^{-1}(\boldsymbol{f} - \boldsymbol{f}'')\), \(\boldsymbol{b}^{+} = \hat{x}^{-1}(\boldsymbol{f}_b - \boldsymbol{f}_b'')\) and \(\boldsymbol{r}_a^{+} = \hat{x}^{-1}(\boldsymbol{z} - \boldsymbol{z}'')\). We claim that \(\boldsymbol{a}^{+} = \boldsymbol{a}^{*}\), \(\boldsymbol{b}^{+} = \boldsymbol{b}^{*}\) and \(\boldsymbol{r}_a^{+} = \boldsymbol{r}_a^{*}\). Indeed, due to the opening equations of \(C_0\), we have \(\boldsymbol{B}_0\bar{x}\hat{x}(\boldsymbol{a}^{*} - \boldsymbol{a}^{+}\Vert \boldsymbol{b}^{*} - \boldsymbol{b}^{+}) + \boldsymbol{B}_1\bar{x}\hat{x}(\boldsymbol{r}_a^{*} - \boldsymbol{r}_a^{+}) = \boldsymbol{0}\).

Since \(\Vert \bar{x} \hat{x}(\boldsymbol{a}^{*} - \boldsymbol{a}^{+}, \boldsymbol{b}^{*} - \boldsymbol{b}^{+},\boldsymbol{r}_a^{*} - \boldsymbol{r}_a^{+})\Vert \le 8\eta (B_{f}+B_{b}+B_{z})\) based on the challenge space in Appendix A.1, we have \(\boldsymbol{a}^{+} = \boldsymbol{a}^{*}\), \(\boldsymbol{b}^{+} = \boldsymbol{b}^{*}\) and \(\boldsymbol{r}_a^{+} = \boldsymbol{r}_a^{*}\) unless we find a M-SIS\(_{8\eta (B_{f}+B_{b}+B_{z})}\) solution for \([\boldsymbol{B}_{0}\Vert \boldsymbol{B}_{1}]\). Set \(\boldsymbol{b}^* = \{\boldsymbol{o}_{1}^ {*i}\Vert \boldsymbol{o}_{2}^{*i}\}_{i=l}^1\) and \(\boldsymbol{o}_{1}^ {*i}\otimes \boldsymbol{o}_{2}^{*i} = (b^*_{i,0},\cdots ,b^*_{i,h-1})\) for all \(i\in [1,l]\). The verification equation of \(\varPi _{\textsf{acc}}\).Verify can be rewritten with \(\boldsymbol{f} = x\boldsymbol{a}^{*}+\boldsymbol{m}_a^{*}\) and \(\boldsymbol{f}_b = x\boldsymbol{b}^{*}+\boldsymbol{m}^{*}\) as follows, \((\hat{\boldsymbol{H}} - x^2 q_1\hat{\boldsymbol{G}})\boldsymbol{f} = x^{3} q_1(\boldsymbol{H} - \hat{\boldsymbol{G}})\boldsymbol{a}^* - x^2\textsf{QuaT} - x\textsf{PrimT}-\textsf{ConsT}\), where the coefficient \(\textsf{QuaT}\), \(\textsf{PrimT}\) and \(\textsf{ConsT}\) are independent from x. Recall Step 1 in \(\varPi _{\textsf{acc}}\).Verify, the following equation holds \((\hat{\boldsymbol{H}} - x^2 q_1\hat{\boldsymbol{G}})\boldsymbol{f} = x^{3}q_1\boldsymbol{g} + x(xC_2 - \boldsymbol{B}_3\boldsymbol{z}) + (xC_1 - \boldsymbol{B}_2\boldsymbol{z}) - \boldsymbol{g}''_0\).

The coefficient of \(x^3\) in the above verification equation is \(q_1\boldsymbol{g}\) which is independent from x, so we have \( q_1(\boldsymbol{H} - \hat{\boldsymbol{G}})\boldsymbol{a}^* = q_1\boldsymbol{g}. \) Similarly, we compute that \(\boldsymbol{f}_b\circ (\boldsymbol{x}-\boldsymbol{f}_b) = (x\boldsymbol{b}^*+\boldsymbol{m}^*)\circ [x(\boldsymbol{1}-\boldsymbol{b}^*) - \boldsymbol{m}^*] = x^2\boldsymbol{b}^*\circ (\boldsymbol{1}-\boldsymbol{b}^*)+x\textsf{P} + \textsf{T}\). In verification, \(\boldsymbol{f}_b\circ (\boldsymbol{x} - \boldsymbol{f}_b) = (xC_3 - \boldsymbol{B}_4\boldsymbol{z}) - \boldsymbol{t}''_{0}\) holds, where the coefficient of \(x^2\) is \(\boldsymbol{0}\). Thus we get that \(\boldsymbol{b}^*\circ (\boldsymbol{1}-\boldsymbol{b}^*) = \boldsymbol{0}\). \(\text {For all} \ i\in [1,l] \ \text {and}\ j\in [1,2]\), \(\sum _{k=0}^{\log {h}}\boldsymbol{f}_{j}^{i}[k]\) can be computed as \(x\sum _{k=0}^{\log {h}}\boldsymbol{o}_j^{*i}[k]+\textsf{T}'\). Through the verification equation \(\boldsymbol{t}'_{i,j} = \sum _{k=0}^{h_{i}}\boldsymbol{f}_{j}^{i}[k] - x\) in Step 1 in \(\varPi _{\textsf{acc}}.{\textbf {Verify}}\), we obtain that the coefficient of x is equal to \(\sum _{k=0}^{\log {h}}\boldsymbol{o}_j^{*i}[k]\), i.e., \(\sum _{k=0}^{\log {h}}\boldsymbol{o}_j^{*i}[k] = 1\) holds.

C Proof of Theorem 3

Proof

Consider the following games. \(\varepsilon _{\mathcal {A}}^{\textsf{Game}_i}\) denotes the probability that \(\mathcal {A}\) wins \(\textsf{Game}_i\). \(\textsf{Game}_{0}\): This is identical to the game Exp-Anony.

\(\textsf{Game}_{1}\): same as \(\textsf{Game}_{0}\) except that the challenger simulates the responses where the reject sampling is applied. In Algorithm Spend-II, it replaces \(\boldsymbol{f}\) with random samples from \(D_{\phi _{1} T_{1}}^{2l\alpha (k+1)d}\), \(\boldsymbol{f}_b\) with random samples from \(D_{\phi _{2} T_{2}}^{2ld\log {h}}\), \(\boldsymbol{z}\) with random samples from \(D_{\phi _{3} T_{3}}^{md}\) and \(\boldsymbol{z}_{i=0}^{S-1},\boldsymbol{z}_{sk},\boldsymbol{z}_k\) with random samples from \(D_{\phi _{4} T_{4}}^{\hat{m}d}\). This game is statistically indistinguishable from the previous game \(\textsf{Game}_{0}\) due to rejection sampling. Thus \( \vert \varepsilon _{\mathcal {A}}^{\textsf{Game}_{0}} - \varepsilon _{\mathcal {A}}^{\textsf{Game}_{1}} \vert \le \sum _{i=1}^{4}\varepsilon (\phi _i). \)

\(\textsf{Game}_{2}\): same as \(\textsf{Game}_{1}\) except that the challenger replaces the serial number \(\textsf{sn}\) by uniformly random elements in \(R_q\). This game is computationally indistinguishable from \(\textsf{Game}_{1}\) by Extended M-LWE\(_{1,\hat{m}-1, \sigma _4}\) assumption. We get that \( \vert \varepsilon _{\mathcal {A}}^{\textsf{Game}_{2}} - \varepsilon _{\mathcal {A}}^{\textsf{Game}_{1}} \vert \le \textsf{Adv}_{\mathcal {A}}^{\textsf{LWE}}. \)

\(\textsf{Game}_{3}\): same as \(\textsf{Game}_{2}\) except that the challenger replaces the commitment \((C_0\Vert C_1\Vert \cdots \Vert C_3)\) by uniformly random elements in \(R_q^{n+5}\). Considering the instantiation of \(\varPi _{\textsf{acc}}\), the eventual dimension of the commitment is \(n+5\). This game is computationally indistinguishable from \(\textsf{Game}_{2}\) by Extended M-LWE\(_{n+5,m-n-5, \sigma _3}\) assumption. Thus \( \vert \varepsilon _{\mathcal {A}}^{\textsf{Game}_{3}} - \varepsilon _{\mathcal {A}}^{\textsf{Game}_{2}} \vert \le \textsf {Adv}_{\mathcal {A}}^{\textsf{LWE}_1}. \)

\(\textsf{Game}_{4}\): same as \(\textsf{Game}_{3}\) except that the challenger replaces each output coin \(\textsf{cn}_{\textsf{new},i}\) by uniformly random elements in \(R_q^{2\hat{n}+1}\), for all \(i\in [S]\). This game is computationally indistinguishable from \(\textsf{Game}_{3}\) by Extended M-LWE\(_{2\hat{n}+1,\hat{m} - 2\hat{n} - 1, \sigma _4}\) assumption. Thus \( \vert \varepsilon _{\mathcal {A}}^{\textsf{Game}_{3}} - \varepsilon _{\mathcal {A}}^{\textsf{Game}_{2}} \vert \le S\cdot \textsf {Adv}_{\mathcal {A}}^{\textsf{LWE}_4}. \) Thus, we can get \(\varepsilon _{\mathcal {A}}^{\textsf{Game}_0} - \varepsilon _{\mathcal {A}}^{\textsf{Game}_4}\le \textsf {Adv}_{\mathcal {A}}^{\textsf{LWE}}+ \textsf {Adv}_{\mathcal {A}}^{\textsf{LWE}_1} + S\cdot \textsf {Adv}_{\mathcal {A}}^{\textsf{LWE}_2} + \sum _{i=1}^{4}\varepsilon (\mu (\phi _i) )\).

Note that the output of Algorithm Spend in \(\textsf{Game}_4\) is independent of \(\mathsf {Act_{new}}\), \(\mathsf {Act_{old}}\) and \(\mathsf {Amt_{old}}\), and thus independent of b. Hence \(\mathcal {A}\) has probability 1/2 of outputting \(b = b'\) in \(\textsf{Game}_4\). Finally, the probability \(\varepsilon _{\mathcal {A}}^{\textsf{Game}_0}\) that \(\mathcal {A}\) wins \(\textsf{Game}_0\) is \(\varepsilon _{\mathcal {A}}^{\textsf{Game}_0} \le 1/2 + \textsf {Adv}_{\mathcal {A}}^{\textsf{LWE}}+ \textsf {Adv}_{\mathcal {A}}^{\textsf{LWE}_1} + S\cdot \textsf {Adv}_{\mathcal {A}}^{\textsf{LWE}_2} + \sum _{i=1}^{4}\varepsilon (\mu (\phi _i) )\).

D Proof for Lemma 2

Proof

With the same strategy as the soundness proof of Theorem 2, \(\mathcal {E}\) can get the following two accepting protocol transcripts with two distinct challenges \(x_{1}, x_{2}\), \(t =( \textsf{st}, x_1, \boldsymbol{z}_{\textsf{sk}}, \{\boldsymbol{z}_{i}\}_{i=0}^{S-1}, \boldsymbol{z}_{k};\textsf{cn}_{\textsf{new},0},\cdots ,\textsf{cn}_{\textsf{new},S-1}, \textsf{sn}), t' = ( \textsf{st}, x_2, \boldsymbol{z}'_{\textsf{sk}}, \{\boldsymbol{z}'_{i}\}_{i=0}^{S-1}, \boldsymbol{z}'_{k};\textsf{cn}_{\textsf{new},0},\cdots ,\textsf{cn}_{\textsf{new},S-1}, \textsf{sn})\).

For all \(i \in [S]\) and \(\textsf{cn}_{\textsf{new},i}=(C_{r,i}\Vert C_{a,i}\Vert C_{p,i})\), we get the following equations, \(E'_{i} = \boldsymbol{G}_{0}\cdot \boldsymbol{z}_{i} - x_{1} C_{r,i}, E'_{i} = \boldsymbol{G}_{0}\cdot \boldsymbol{z}'_{i} - x_{2} C_{r,i}.\) Subtracting one from the other, we get valid “unique” opening \(\boldsymbol{r}^{*}_{i} = \bar{x}^{-1}(\boldsymbol{z}'_{i} - \boldsymbol{z}_{i})\) of \(C_{r,i}\) where \(\bar{x}^{-1} = x_1 -x_2\), unless one can immediately compute a Module-SIS solution for \(\boldsymbol{G}_{0}\) of length at most \(8\eta B\). From the verification equation, the following holds \(\boldsymbol{f}_{i} = x_{1} C_{a,i} - \boldsymbol{G}_{1}\cdot \boldsymbol{z}_{i}, \boldsymbol{f}'_{i} = x_{2} C_{a,i} - \boldsymbol{G}_{1}\cdot \boldsymbol{z}'_{i}\). Subtracting one from the other, we get \(\boldsymbol{f}_{i} - \boldsymbol{f}'_{i} = \bar{x}C_{a,i} - \boldsymbol{G}_{1}(\boldsymbol{z}'_{i}-\boldsymbol{z}_{i}) \Rightarrow \bar{x}^{-1}(\boldsymbol{f}_{i} - \boldsymbol{f}'_{i}) = C_{a,i} - \boldsymbol{G}_{1}\boldsymbol{r}^{*}_{i}\).

Let \(\boldsymbol{a}_{i}^{*} = \bar{x}^{-1}(\boldsymbol{f}_{i} - \boldsymbol{f}'_{i})\). There can only be a “unique” opening \((\boldsymbol{a}_{i}^{*},\boldsymbol{r}^{*}_{i})\) for \(C_{a,i}\) such that \(C_{a,i} = \boldsymbol{G}_{1}\boldsymbol{r}^{*}_{i} + \boldsymbol{a}_{i}^{*}\). As the same way, there can only be a “unique” opening \((\boldsymbol{p}_{i}^{*},\boldsymbol{r}^{*}_{i})\) for \(C_{p,i}\) such that \(C_{p,i} = \boldsymbol{G}_{2}\boldsymbol{r}^{*}_{i} + \boldsymbol{p}_{i}^{*}\), where \(\boldsymbol{p}_{i}^{*} = C_{p,i} - \bar{x}^{-1}\boldsymbol{G}_{2}\cdot (\boldsymbol{z}'_{i}-\boldsymbol{z}_{i})\). Thus we get the “unique” opening \((\boldsymbol{a}_{i}^{*}, \boldsymbol{p}_{i}^{*}; \boldsymbol{r}^{*}_{i})\) of the output coin \(\textsf{cn}_{\textsf{out},i}\) such that \(\textsf{cn}_{\textsf{out},i} = (\boldsymbol{G}_{0}\cdot \boldsymbol{r}^{*}\Vert \boldsymbol{G}_{1}\cdot \boldsymbol{r}^{*} +\boldsymbol{a}^{*}\Vert \boldsymbol{G}_{2}\cdot \boldsymbol{r}^{*} + \boldsymbol{p}^{*})\).

We can also get the following verification equations \(C'_{m} = (\boldsymbol{G}_0\cdot \boldsymbol{z}_{k}\Vert \boldsymbol{G}_1\cdot \boldsymbol{z}_{k}+\sum _{i = 0}^{S - 1} \boldsymbol{f}_{i}\Vert \boldsymbol{G}_2\cdot \boldsymbol{z}_{k}+ \boldsymbol{H}_0\cdot \boldsymbol{z}_{\textsf{sk}}) - \boldsymbol{G}\boldsymbol{f}_{l}, C'_{m} = (\boldsymbol{G}_0\cdot \boldsymbol{z}'_{k}\Vert \boldsymbol{G}_1\cdot \boldsymbol{z}'_{k}+\sum _{i = 0}^{S - 1} \boldsymbol{f}'_{i}\Vert \boldsymbol{G}_2\cdot \boldsymbol{z}'_{k}+ \boldsymbol{H}_0\cdot \boldsymbol{z}'_{\textsf{sk}}) - \boldsymbol{G}\boldsymbol{f}'_{l}\). Due to the soundness proof of \(\varPi _{\textsf{acc}}\), \(\boldsymbol{f}_{l}\) and \(\boldsymbol{f}'_{l}\) can be denoted by \(\boldsymbol{f}_{l} = x_{1}\boldsymbol{v}^{*}_{l} + \boldsymbol{c}^{*}_{l}\), and \(\boldsymbol{f}'_{l} = x_{2}\boldsymbol{v}^{*}_{l} + \boldsymbol{c}^{*}_{l}\). Subtracting one from the other, let \(\boldsymbol{k}^{*} = \bar{x}^{-1}(\boldsymbol{z}'_{k} - \boldsymbol{z}_{k})\) and \(\boldsymbol{s}^{*} = \bar{x}^{-1}(\boldsymbol{z}'_{\textsf{sk}} - \boldsymbol{z}_{\textsf{sk}})\), thus we can get that \((\boldsymbol{G}_0\cdot \boldsymbol{k}^{*}\Vert \boldsymbol{G}_1\cdot \boldsymbol{k}^{*} +\sum _{i=0}^{S-1}\boldsymbol{a}^{*}_{i}\Vert \boldsymbol{G}_2\cdot \boldsymbol{k}^{*} +\boldsymbol{H}_0\cdot \boldsymbol{s}^{*}) = \boldsymbol{G}\cdot \boldsymbol{v}^{*}_{l}\).

That is, the “unique” leaf node \(\boldsymbol{v}^{*}_{l}\) in \(\varPi _{\textsf{acc}}\) are equal to the well-formed input coin with the opening \(\boldsymbol{k}^*\), \(\boldsymbol{s}^*\) and \(\sum _{i=0}^{S-1}\boldsymbol{a}^{*}_{i}\). The opening \(\boldsymbol{k}^*\) is “unique” unless one can immediately compute a Module-SIS solution for \(\boldsymbol{G}_{0}\) of length at most \(8\eta B\). Then we can infer the “uniqueness” of the opening \(\boldsymbol{s}^*\) can be guaranteed unless one can compute a Module-SIS solution for \(\boldsymbol{H}_0\) of length at most \(8\eta B\).

Subtracting the verification equation from the other, \(F' = \boldsymbol{H}_1\cdot \boldsymbol{z}_{\textsf{sk}} - x\cdot \textsf{sn}, F' = \boldsymbol{H}_1\cdot \boldsymbol{z}'_{\textsf{sk}} - x\cdot \textsf{sn}\). We get that \(\textsf{sn} = \boldsymbol{H}_1\cdot \bar{x}^{-1}(\boldsymbol{z}'_{\textsf{sk}} - \boldsymbol{z}_{\textsf{sk}})\). Thus the opening of serial number \(\textsf{sn}\) is also \(\boldsymbol{s}^*\).

E Proof of Theorem 4

Proof

• Unbalanced amounts: Let \(\mathsf {E_{unb}}\) denote the event that \(\mathcal {A}\) wins the game Exp-balance. Note that \(\mathsf {E_{unb}}\) occurs when \(\mathcal {A}\) outputs t transactions \(\{\textsf{Tx}^{j}\), \(\mathsf {Amt_{new}}^{j}, \mathsf {Ck_{new}}^{j}\}_{j=0}^{t-1}\) which satisfy:

  • there exists \(j^*\in [t]\), such that \(\sum _{i=0}^{S-1}\mathsf {Amt_{new}}^{j^*}[i] > \textsf{amt}^{j^*}_{\textsf{old}}\) where \(S = |\mathsf {Amt_{new}}^{j^{*}}|\) and \(\mathcal {T}[\textsf{sn}].\textsf{IsCrpt} = 1\).

  • \( {\textbf {Verify}}(\textsf{Tx}^{j})\ne 0\) for all \(j \in [t]\).

  • all input public keys and coins in \((\mathsf {cn_{old}}^{j}, \mathsf {pk_{old}}^{j})\) for all \(j \in [t]\) are generated by CreateAddr and Mint, respectively, and all accounts in \((\mathsf {cn_{old}}^{j}, \mathsf {pk_{old}}^{j})\) are generated by ActGen.

  If \(\mathsf {E_{unb}}\) happens with non-negligible probability, we can construct an efficient algorithm \(\mathcal {E}\) to break the MSIS problem. \(\mathcal {E}\) simulates Exp-balance for \(\mathcal {A}\) as follows.

  1. (1)

     \(\mathcal {E}\) runs \(pp\leftarrow {\textbf {Setup}}(1^\lambda )\), randomly picks index \(j^*\in [t]\) to guess that \(\mathsf {E_{unb}}\) occurs in the \(j^*\)-th transaction.

  2. (2)

     When \(\mathcal {A}\) makes queries for Orc, \(\mathcal {E}\) responds by maintaining a list \(\mathcal {T}\) which is initially empty.

     • \(*\) CreateAddr(i): on the i-th query, \(\mathcal {E}\) runs \((\textsf{pk}_{i}, \textsf{sk}_{i})\) \(\leftarrow \) CreateAddr(pp), \(\textsf{sn}_{i}\leftarrow \) SnGen\((\textsf{sk}_{i})\) and returns (\(\textsf{pk}_{i},\textsf{sn}_{i}\)) to \(\mathcal {A}\). Insert (\(\textsf{pk}_{i}, \textsf{sk}_{i}, \textsf{sn}_{i}\)) to the list \(\mathcal {T}\) where \(\textsf{IsCrpt}\) tag is set to zero and the remaining information is left empty.

     • \(*\) Mint\((\textsf{amt, pk})\): \(\mathcal {E}\) runs \((\textsf{cn, ck})\leftarrow {\textbf {Mint}}(\textsf{amt},\) \(\textsf{pk})\) and returns \(\textsf{cn}\).

     • ActGen\((\textsf{amt,pk,cn,ck,st})\): For \(\textsf{pk}\), add \((\textsf{cn},\) \( \textsf{ck, amt})\) to the list \(\mathcal {T}[\textsf{pk}]\) respectively and run \((\textsf{cn,st})\leftarrow {\textbf {UpdateSt}}(\textsf{cn,st})\). Return \((\textsf{pk},\) \(\textsf{cn})\) and updated \(\textsf{st}\).

     • \(*\) Corrupt\((\textsf{act})\): For a \(\mathsf {act = (pk, cn)}\), if \(\mathcal {T}[\textsf{pk}]\) or \(\mathcal {T}[\textsf{cn}]\) cannot be found, indicating failure, return 0; else, update \(\mathcal {T}[\textsf{pk}]\).IsCrpt to 1, and output \(\mathcal {T}[\textsf{pk}].\textsf{sk}\), \(\mathcal {T}[\textsf{pk}].\textsf{ck}\) and \(\mathcal {T}[\textsf{pk}].\textsf{amt}\).

     • \(*\) Spend\((\mathsf {st, Amt_{new}, Pk_{new}, Cn_{old}, Amt_{old}, Pk_{old}},\) \(\mathsf {Sk_{old},Ck_{old}})\): Retrieve from \(\mathcal {T}\) all account secret keys associated to \(\mathsf {Cn_{old}}\). Run \(\mathsf {(Tx, Ck_{new})}\) \( \leftarrow {\textbf {Spend}}\) \((\mathsf {st, Amt_{new}, Pk_{new}, Cn_{old}, Amt_{old}, Sk_{old}}, \) \(\mathsf {Ck_{old}})\) and \(B\leftarrow {\textbf {Verify}}\) \((\textsf{Tx})\). If the verification fails, i.e., \(B = 0\), return \(\perp \); otherwise, run \((\mathsf {Cn_{new},st})\) \(\leftarrow {\textbf {UpdateSt}}\) \((\mathsf {Cn_{new},st})\), then output \(\textsf{Tx}\) and insert the output accounts information in the list \(\mathcal {T}\), respectively.

  By the rewinding technique, \(\mathcal {E}\) runs \(\mathcal {A}\) until \(\mathsf {E_{unb}}\) occurs twice with the distinct challenges, the same instances and witnesses, and the index \(j^*\) is the same. Hence, \(\mathcal {E}\) gets two accepting transcripts of CTA protocol with distinct challenges. Based on the soundness proof of the underlying ZKP in CTA, \(\mathcal {E}\) can recover an opening \((\boldsymbol{a}_i,\boldsymbol{r}_i,\boldsymbol{p}_i)\) for the \(\mathsf {Cn_{new}}^{j^*}[i]\) such that \(\mathsf {Cn_{new}}^{j^*}[i] = (\boldsymbol{G}_{0}\Vert \boldsymbol{G}_{1}\Vert \boldsymbol{G}_{2}) \cdot \boldsymbol{r}_i+ (\boldsymbol{0}^{\hat{n}}\Vert \boldsymbol{a}_i\Vert \boldsymbol{p}_i)\) for all \(i\in [S]\) and \(\sum _{i=0}^{S-1}\boldsymbol{a}_i = \textsf{amt}_{\textsf{old}}^{j^*}\). Due to \( \sum _{i=0}^{S-1}\mathsf {Amt_{new}}^{j^*}[i]\ge \textsf{amt}_{\textsf{old}}^{j^*}\), there exists at least one of the corrupted output coins such that \(\mathsf {Amt_{new}}^{j^*}[i]\) \(\ne \boldsymbol{a}_{i}\). That implies that there exists \(\boldsymbol{r}' \ne \boldsymbol{r}_i\) and \(\boldsymbol{p}'\) such that \(\mathsf {Cn_{new}}^{j^*}[i] = (\boldsymbol{G}_{0}\Vert \boldsymbol{G}_{1}\Vert \boldsymbol{G}_{2}) \cdot \boldsymbol{r}' + (\boldsymbol{0}^{\hat{n}}\Vert \mathsf {Amt_{new}}^{j^*}[i]\Vert \boldsymbol{p}')\). This gives a solution \((\boldsymbol{r}' - \boldsymbol{r}_i)\) for M-SIS problem under the matrix \(\boldsymbol{G}_{0}\), which yields a contradiction with the M-SIS\(_{\hat{n},\hat{m},q,8\eta B}\) assumption.

• Double spending: Let \(\mathsf {E_{2sp}}\) denote the event that \(\mathcal {A}\) wins the game Exp-balance. \(\mathsf {E_{2sp}}\) means that when \(\mathcal {A}\) outputs t transactions \(\{\textsf{Tx}^{j}\}_{j=0}^{t-1}\), there exists \(j^*\in [t]\), such that \(\textsf{sn}^{j^*}\notin \mathcal {T}\), where

  • \( {\textbf {Verify}}(\textsf{Tx}^{j})\ne 0\) for all \(j \in [t]\).

  • all input public keys and coins in \((\mathsf {cn_{old}}^{j}, \mathsf {pk_{old}}^{j})\) for all \(j \in [t]\) are generated by CreateAddr and Mint, respectively, and all accounts in \((\mathsf {cn_{old}}^{j}, \mathsf {pk_{old}}^{j})\) are generated by ActGen.

  If \(\mathsf {E_{2sp}}\) happens with non-negligible probability, we can construct an efficient algorithm \(\mathcal {E}\) to break the M-SIS assumption. The way that \(\mathcal {E}\) simulates Exp-balance for \(\mathcal {A}\) is just like that of \(\mathsf {E_{unb}}\). By the rewinding technique, \(\mathcal {E}\) runs \(\mathcal {A}\) with distinct challenges, the same instances x and witnesses w, and the same index \(j^*\). For the \(j^*\)-th transaction output by \(\mathcal {A}\), \(\mathcal {E}\) recovers an opening \(\boldsymbol{s}\) of \(\textsf{sn}^{j^*}\) such that \(\textsf{sn}^{j^*} = \boldsymbol{H}_1\cdot \boldsymbol{s}\), \(\mathsf {pk_{old}} = \boldsymbol{H}_0\cdot \boldsymbol{s}\) and \( \mathcal {T}[\mathsf {pk_{old}}].\textsf{sn} \ne \textsf{sn}^{j^*}\). So, there exists some \(\boldsymbol{s}'\ne \boldsymbol{s}\) such that \(\mathcal {T}[\mathsf {pk_{old}}].\textsf{sn} = \boldsymbol{H}_1\cdot \boldsymbol{s}'\) and \(\mathsf {pk_{old}} = \boldsymbol{H}_0\cdot \boldsymbol{s}'\). This gives a solution \((\boldsymbol{s}' - \boldsymbol{s})\) for M-SIS problem under the matrix \(\boldsymbol{H}_0\), which yield a contradiction with the M-SIS\(_{\hat{n},\hat{m},q,8\eta B}\) assumption.

• Forgery: Let \(\mathsf {E_{forge}}\) denote the event that \(\mathcal {A}\) wins the game Exp-balance. \(\mathsf {E_{forge}}\) occurs when \(\mathcal {A}\) outputs t transactions \(\{\textsf{Tx}^{j}\}_{j=0}^{t-1}\), there exists \(j^* \in [t]\), such that \(\textsf{sn}^{j^*}\in \mathcal {T}\) and \(\mathcal {T}[\textsf{sn}^{j^*}].\textsf{IsCrpt} = 0\), where

  • \(0 \ne \) Verify(\(\textsf{Tx}^{j}\)) for all \(j\in [t]\).

  • all input public keys and coins in \((\mathsf {cn_{old}}^{j}, \mathsf {pk_{old}}^{j})\) for all \(j\in [t]\), are generated by CreateAddr and Mint, respectively, and all accounts in \((\mathsf {cn_{old}}^{j}, \mathsf {pk_{old}}^{j})\) are generated by ActGen.

  Let Q be the number of CreateAddr queries that \(\mathcal {A}\) makes. \(\mathcal {E}\) picks \(a\in [Q]\), then return \(\textsf{pk}_a = \boldsymbol{H}_0\boldsymbol{s} + (1\Vert 0\Vert \cdots \Vert 0)\) for the a-th query from \(\mathcal {A}\) to CreateAddr oracle, where \(\boldsymbol{s}\in \{-\beta ,\cdots ,\beta \}^{\hat{m}d}\). Note that the attacker’s view in this modified game is computationally indistinguishable from its view in the original attack by the hiding property of commitment \(\textsf{pk}_a\), i.e., the M-LWE\(_{\hat{n},\hat{m}-\hat{n},q,\beta }\) assumption. \(\mathcal {E}\) simulates the Exp-balance until \(\mathsf {E_{forge}}\) occurs twice by the rewinding technique with the distinct challenges, the same instances x and witnesses w, and the indices \(j^*\) and a are the same. By the soundness of the underlying ZKP, \(\mathcal {E}\) recovers an opening \(\textsf{sk}\) such that \(\textsf{pk}_a = \boldsymbol{H}_0\cdot \textsf{sk}\). This also gives a solution \(\big ( (\textsf{sk} - \boldsymbol{s})\Vert -(1\Vert 0\Vert \cdots \Vert 0)\big )\) for M-SIS problem under the matrix \([\boldsymbol{H}_0\Vert \boldsymbol{I}_{\hat{n}}]\), which yield a contradiction with the M-SIS\(_{\hat{n},\hat{m}+\hat{n},q,8\eta B}\) assumption.

• Fake accounts: Let \(\mathsf {E_{fake}}\) be the event that \(\mathcal {A}\) wins the game Exp-balance. \(\mathsf {E_{fake}}\) occurs when \(\mathcal {A}\) outputs t transactions \(\{\textsf{Tx}^{j}\}_{j=0}^{t-1}\), there exists \(j^*\in [t]\), such that \(\mathsf {sn^{j^*}\notin \mathcal {T}}\) where

  • \(0 \ne \) Verify(\(\textsf{Tx}^{j}\)) for all \(j \in [t]\).

  • all input public keys and coins in \((\mathsf {cn_{old}}^{j},\mathsf {pk_{old}}^{j})\) for all \(j\in [t]\), are generated by CreateAddr and Mint, respectively.

  • \(\mathsf {cn_{in}}^{j^*}\) is not the output by the ActGen oracle.

  \(\mathcal {E}\) simulates the Exp-balanced until \(\mathsf {E_{fake}}\) occurs twice by the rewinding technique with distinct challenges, the same instances x and witnesses w, and the same index \(j^*\). Retrieving all the \(\mathcal {T}[\textsf{cn}]\) to form the set V. Therefore, for the \(j^*\)-th transaction output by \(\mathcal {A}\), \(\mathcal {E}\) recovers an opening \(\textsf{cn}^{j^*}\) such that \(\textsf{cn}^{j^*}\notin V\) and \(\textsf{Acc}.{\textbf {Acc}}(V) = \boldsymbol{u}_0\in \textsf{st}\). This yields a contradiction with the security of the accumulator schemes \(\textsf{Acc}\) by returning \((\textsf{cn}^{j^*}, \boldsymbol{u}_{0},V)\).