Informatica

We present a solution for a confidential and verifiable realization of transactions based on the Unspent Transaction Output (UTxO) paradigm. This means that the total sum of transaction inputs (incomes) $In$ must be equal to the total sum of transaction outputs (expenses) $Ex$, satisfying the balance equation $In=Ex$. Privacy in a private blockchain must be achieved through the encryption of actual transaction values. However, it is crucial that all participants in the network be able to verify the validity of the transaction balance equation. This poses a challenge with probabilistically encrypted data. Moreover, the inputs and outputs are encrypted with different public keys. With the introduction of the AA, the number of different public keys for encryption can be reduced to two. Incomes are encrypted with the Receiver’s public key and expenses with the AA’s public key.

The novelty of our realization lies in taking additively-multiplicative, homomorphic ElGamal encryption and integrating it with a proposed paradigm of modified Schnorr identification providing a non-interactive zero-knowledge proof (NIZKP) using a cryptographically secure h-function. Introducing the AA as a structural element in a blockchain system based on the UTxO enables effective verification of encrypted transaction data for the Net. This is possible because the proposed NIZKP is able to prove the equivalency of two ciphertexts encrypted with two different public keys and different actors.

This integration allows all users on the Net to check the UTxO-based transaction balance equation on encrypted data. The security considerations of the proposed solution are presented.

The transaction model allows Net to verify the validity of a transaction, having access only to encrypted transaction data. Each money receiver is able to decrypt and verify the actual sum that is transferred by the sender. AA is provided with actual transaction values and is able to supervise the tax payments for business actors. Such information allows to verify the honesty of transaction data for each user role.

The security analysis of the scheme is presented, referencing to ElGamal security assumptions. The coalition attack is formulated and prevention of this attack is proposed. It is shown that transaction creation is effective and requires almost the same resources as multiple ElGamal encryption. In addition to ElGamal encryption of all income and expenses, an additional exponentiation operation with small exponents, representing transferred sums, is needed. AA computation resources are slightly larger, since they have to be adequate for search procedures in the small range from 1 to ${2^{32}}-1=4294967295$ for individual money transfers.