Zero-Knowledge Protocol for Knowledge of Known Discrete Logarithms: Applications to Ring Confidential Transactions and Anonymous Zether

Li Lin; Tian Qiu; Xin Wang; Hailong Wang; Changzheng Wei; Ying Yan; Wei Wang; Wenbiao Zhao

Paper 2025/690

Zero-Knowledge Protocol for Knowledge of Known Discrete Logarithms: Applications to Ring Confidential Transactions and Anonymous Zether

Li Lin, Digital Technologies, Ant Group

Tian Qiu, The University of Sydney

Xin Wang, Digital Technologies, Ant Group

Hailong Wang, Digital Technologies, Ant Group

Changzheng Wei, Digital Technologies, Ant Group

Ying Yan, Digital Technologies, Ant Group

Wei Wang, Digital Technologies, Ant Group

Wenbiao Zhao, Digital Technologies, Ant Group

Abstract

The securities of a large fraction of zero-knowledge arguments of knowledge schemes rely on the discrete logarithm (DL) assumption or the discrete logarithm relation assumption, such as Bulletproofs (S&P 18) and compressed $\Sigma$-protocol (CRYPTO 20). At the heart of these protocols is an interactive proof of knowledge between a prover and a verifier showing that a Pedersen vector commitment $P=h^{\rho}\cdot\textbf{g}^{\textbf{x}}$ to a vector $\textbf{x}$ satisfies multi-variate equations, where the DL relations among the vector of generators $\textbf{g}$ are unknown. However, in some circumstances, the prover may know the DL relations among the generators, and the DL relation assumption no longer holds, such as ring signatures, ring confidential transactions (RingCT) and K-out-of-N proofs, which will make the soundness proof of these protocols infeasible. This paper is concerned with a problem called knowledge of known discrete logarithms (KKDL) that appears but has not been clearly delineated in the literature. Namely, it asks to prove a set of multi-exponent equalities, starting with the fact that the prover may know the DL relations among the generators of these equalities. Our contributions are three-fold: (1) We propose a special honest-verifier zero-knowledge protocol for the problem. Using the Fiat-Shamir heuristic and the improved inner-product argument of Bulletproofs, the proof size of our protocol is logarithmic to the dimension of the vector. (2) As applications, our protocol can be utilized to construct logarithmic-size RingCT securely which fixes the issues of Omniring (CCS 19), ring signatures (with signature size $2\cdot \lceil \log_2(N) \rceil+10$ for ring size $N$) and $K$-out-of-$N$ proof of knowledge (with proof size $2\cdot \lceil \log_2(N) \rceil+14$) which achieves the most succinct proof size improving on previous results. Meanwhile, we propose the first account-based multi-receiver privacy scheme considering the sender's privacy with logarithmic proof size (to the best of our knowledge). (3) We describe an attack on RingCT-3.0 (FC 20) where an attacker can spend a coin of an arbitrary amount that never existed on the blockchain.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Preprint.
Keywords: Zero-Knowledge Proof Bulletproofs RingCT Omniring Anonymous Zether Cryptanalysis on RingCT-3.0
Contact author(s): felix ll @ antgroup com
tqiu4893 @ uni sydney edu au
wx352699 @ antgroup com
whl383799 @ antgroup com
changzheng wcz @ antgroup com
fuying yy @ antgroup com
wei wangwwei @ antgroup com
wenbiao zwb @ antgroup com
History: 2025-04-16: approved; 2025-04-16: received; See all versions
Short URL: https://ia.cr/2025/690
License: CC BY

BibTeX

@misc{cryptoeprint:2025/690,
      author = {Li Lin and Tian Qiu and Xin Wang and Hailong Wang and Changzheng Wei and Ying Yan and Wei Wang and Wenbiao Zhao},
      title = {Zero-Knowledge Protocol for Knowledge of Known Discrete Logarithms: Applications to Ring Confidential Transactions and Anonymous Zether},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/690},
      year = {2025},
      url = {https://eprint.iacr.org/2025/690}
}