Paper 2025/188

BulletCT: Towards More Scalable Ring Confidential Transactions With Transparent Setup

Nan Wang, CSIRO's Data61
Qianhui Wang, University of Cambridge
Dongxi Liu, CSIRO's Data61
Muhammed F. Esgin, Monash University
Alsharif Abuadbba, CSIRO's Data61
Abstract

RingCT signatures are essential components of Ring Confidential Transaction (RingCT) schemes on blockchain platforms, enabling anonymous transaction spending and significantly impacting the scalability of these schemes. This paper makes two primary contributions: We provide the first thorough analysis of a recently developed Any-out-of-N proof in the discrete logarithm (DLOG) setting and the associated RingCT scheme, introduced by ZGSX23 (S&P '23). The proof conceals the number of secrets to offer greater anonymity than K-out-of-N proofs and uses an efficient "K-Weight" technique for its construction. However, we identify for the first time several limitations of using Any-out-of-N proofs, such as increased transaction sizes, heightened cryptographic complexities and potential security risks. These limitations prevent them from effectively mitigating the longstanding scalability bottleneck. We then continue to explore the potential of using K-out-of-N proofs to enhance the scalability of RingCT schemes. Our primary innovation is a new DLOG-based RingCT signature that integrates a refined "K-Weight"-based K-out-of-N proof and an entirely new tag proof. The latter is the first to efficiently enable the linkability of RingCT signatures derived from the former, effectively resisting double-spending attacks. Finally, we identify and patch a linkability flaw in ZGSX23's signature. We benchmark our scheme against this patched one to show that our scheme achieves a boost in scalability, marking a promising step forward.

Note: Compared to the camera-ready version of USENIX Security '25, the following improvements have been made: 1 - The typo in Equation (2) on page 9 has been corrected to $\prod_{i=1}^{|{\mathcal{R}}|} (P_i \cdot T_i^d)^{y^i b_i} = (\tau \cdot \eta^d)^{\sum_{k=1}^{|{\mathcal{S}}|} y^{\phi(k)} s_{\phi(k)}}$ to ensure consistency with our implementation. 2 - The security proofs of the pseudo-randomness of tags on page 19 have been improved for greater clarity.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Minor revision. USENIX Security 2025
Keywords
Ring Confidential Transaction, K-out-of-N, Zero-Knowledge Proof, Linkable Ring Signature, Transparent Setup, Blockchain
Contact author(s)
nan wang @ data61 csiro au
qw304 @ cam ac uk
dongxi liu @ data61 csiro au
muhammed esgin @ monash edu
sharif abuadbba @ data61 csiro au
History
2025-03-08: last of 4 revisions
2025-02-08: received
Short URL
https://ia.cr/2025/188
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/188,
      author = {Nan Wang and Qianhui Wang and Dongxi Liu and Muhammed F. Esgin and Alsharif Abuadbba},
      title = {{BulletCT}: Towards More Scalable Ring Confidential Transactions With Transparent Setup},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/188},
      year = {2025},
      url = {https://eprint.iacr.org/2025/188}
}