This draft presents post-quantum mitigations for Monero's next transaction protocol Seraphis. These mitigations are "zero-cost" in the sense that they only involve changes to the way private keys and blinding factors are calculated, which is transparent to blockchain verifiers. Mitigated keys will be compatible with a future hard-fork that can be put in place to ensure monetary soundness and security of the protocol even against a quantum computer.
While these mitigations do not prevent a quantum adversary from breaking the privacy of past transactions, they protect Monero from a total collapse that would result from an undetectable money supply inflation or the theft of users' funds.
In 2020, Monero performed a post-quantum security audit that confirmed severe vulnerabilities of the transaction protocol against quantum algorithms [1]. In descending order of severity, a quantum adversary (QA) would be able to:
- undetectably inflate the money supply,
- steal users' funds,
- deanonymize the transaction graph.
While the audit mostly focused on Monero's current transaction protocol RingCT, the above issues also apply to the next transaction protocol Seraphis [2]. In addition, Seraphis is also vulnerable to a double-spending attack because its key images are not perfectly bound to the output keys. Double-spending would also enable a QA to undetectably inflate the money supply.
The following mitigations are proposed for Seraphis:
- Embedding ElGamal commitments into Pedersen commitments. ElGamal commitments are pefectly binding and prevent a QA from opening the commitment to arbitrary values.
- Using hash-based commitments to prove the correctness of key images, preventing a QA from double-spending.
- Embedding a quantum-resistant public key into the private spend key to prevent a QA from stealing outputs they don't own.
We use the additive notation for elliptic curve operations. Lowercase letters usually refer to the elements of Zq, where q is the prime order of the main subgroup of the ed25519 elliptic curve. Uppercase letters usually refer to group elements (elliptic curve points). G is the generator of the elliptic curve and H, J, X, U are four additional generators with a (presently) unknown discrete logarithm relationship to G.
The function Hq() refers to a hash function {0,1}* -> Zq. The function H32() refers to a hash function {0,1}* -> {0,1}256. The concatenation operator is denoted by ||.
Domain-separation tags are denoted with a capital letter T.
Similarly to RingCT, transaction amounts in Seraphis are hidden with Pedersen commitments. Pedersen commitment C to a value v using a blinding factor r is derived as:
C = r G + v H (2.1.1)
Rewritten in terms of logG, the commitment becomes:
c = r + v*h (2.1.2)
where H = h G. This is an equation with 2 variables, so anyone who learns h can open the commitment to an arbitrary value of v by calculating the corresponding blinding factor as r = c - v*h.
In Seraphis, the public spend key has the form of:
Ks = kvb X + ks U (2.2.1)
where kvb is the private view key and ks is the private spend key.
Public address keys have the form of:
Kaddr = Ks + kaddr_x X + kaddr_u U (2.2.2)
where kaddr_x and kaddr_u are private key extensions derived from a secret key sga and the address index j:
kaddr_x = Hq(sga || Taddr_x || j) (2.2.3)
kaddr_u = Hq(sga || Taddr_u || j) (2.2.4)
One-time output keys have the form of:
Ko = Kaddr + ksender_x X + ksender_u U (2.2.5)
where Kaddr is the public key of the address the output was sent to and ksender_x and ksender_u are address extensions generated by the sender from the shared secret sshared and the amount commitment C:
ksender_x = Hq(Tsender_x || sshared || C) (2.2.6)
ksender_u = Hq(Tsender_u || sshared || C) (2.2.7)
A Seraphis one-time output key has the form of:
Ko = kx X + ku U (2.3.1)
where
kx = kvb + kaddr_x + ksender_x (2.3.2)
ku = ks + kaddr_u + ksender_u (2.3.3)
The corresponding key image is:
Ki = (ku / kx) U (2.3.4)
We can rewrite Eq. 2.3.1 in terms of logU as:
ko = kx*x + ku (2.3.5)
where X = x U. An adversary who knows x can produce an arbitrary number of different valid key images for every Ko, allowing unlimited double spending.
While Pedersen commitments do not bind a QA to the original amount, ElGamal commitments are a different form of homomorphic commitments that are pefectly binding.
An ElGamal commitment to a value v with a blinding factor r consists of two group elements C, D calculated as:
C = r G + v H
D = r J
There are three problems with ElGamal commitments:
- The range proofs are less efficient than for Pedersen commitments.
- They do not hide the value
vfrom a QA, who can learnrby calculating the discrete log ofD. - They require twice the blockchain space of Pedersen commitments.
The first problem can be solved by treating an ElGamal commitment as if it was a Pedersen commitment, ignoring the value of D. This is the main idea behind "switch commitments" [3]. Keeping D allows past amounts to be validated in the future if the danger of quantum computers arises.
The second problem can be solved by defining a switch commitment as the pair (C, d), where d = H32(D).
Finally, an even more efficient solution was proposed in the Mimblewimble mailing list [4]. A switch commitment can be constructed by simply tweaking the blinding factor r. It works as follows:
- Generate a random blinding factor
r'. - Construct an ElGamal commitment with
C' = r' G + v HandD' = r' J(3.1.2.1) - Calculate a new blinding factor
r = r' + Hq(Telgamal || C' || D'). - Output a Pedersen commitment
C = r G + v H.
This construction removes all the disadvantages of ElGamal commitments, while still allowing the post-quantum validation protocol (Ch. 4) to verify that the commitment is being open to the original value.
To prevent a QA from directly learning wallet seeds by calculating a discrete logarithm, each wallet must be derived from a secret seed m that is never directly used as an elliptic curve private key.
The private view key kvb must be constructed independently of the spend key as:
kvb = Hq(m || Tvb) (3.2.1.1)
The associated public view key is defined as:
Kvb = kvb X (3.2.1.2)
This public key does not need to be published in the Seraphis protocol, but it is needed in the post-quantum protocol.
Instead of directly deriving the private spend key from m, we derive an auxiliary spend key as:
ks' = Hq(m || Taux_spend) (3.2.2.1)
The associated public auxiliary spend key is defined as:
Ks' = ks' U (3.2.2.2)
Before the wallet can construct the Seraphis spend key, a quantum-resistant key pair (zqr, Zqr) is generated using the following seed mqr:
mqr = H32(Tqr || m) (3.2.3)
Two possible quantum-resistant signature algorithms are listed in Chapter 5.
The wallet can construct an auxiliary key image as:
Ki' = (ks' / kvb) U (3.2.4)
This key image has a similar format as the output key image (Eq. 2.3.4).
To ensure that the auxiliary key image Ki' is correctly constructed according to Eq. (3.2.4), the wallet must construct two proofs:
σki = (e1, s1)- a proof of knowledge of the discrete logarithm ofKi'with respect to the generatorU.πki = (e2, s2)- a discrete logarithm equality proof showing the knowledge of a private keykvbsuch thatkvb X = Kvbandkvb Ki' = Ks'(these relations hold from Eq. 3.2.1.2, 3.2.2.2 and 3.2.4).
The proofs σki and πki are standard Fiat-Shamir proofs discribed in the literature [5].
The Seraphis private spend key is finally constructed as:
ks = ks' + kΩ (3.2.5.1)
where kΩ is defined as:
kΩ = Hq(Tspend || Ω) (3.2.5.2)
and Ω is the following tuple:
Ω = (Kvb, Ks', Zqr, Ki', σki, πki) (3.2.5.3)
Since the hash function Hq() is irreversible even for a QA, the constuction proves that the tuple Ω had existed before the public spend key Ks was created.
Rather than using Eq. 2.2.3 and 2.2.4, address key extensions must be constructed as:
kaddr_x = Hq(Taddr_x || Ks || saddr) (3.3.1.1)
kaddr_u = Hq(Taddr_u || Ks || kaddr_x || saddr) (3.3.1.2)
where Ks is the wallet public spend key (Eq. 2.2.1) and
saddr = H32(sga || Taddr_inner || j) (3.3.1.3)
The irreversibility of Hq() proves that the spend key Ks had existed before the address extension kaddr_x and that kaddr_x was created before kaddr_u.
Rather than using Eq. 2.2.6 and 2.2.7, sender key extensions must be constructed as:
ksender_x = Hq(Tsender_x || Kaddr || ssender) (3.3.2.1)
ksender_u = Hq(Tsender_u || Kaddr || ksender_x || ssender) (3.3.2.2)
where Kaddr is the address public key and
ssender = H32(Tsender_inner || sshared || C) (3.3.2.3)
The irreversibility of Hq() proves that the address key Kaddr had existed before the sender extension ksender_x and that ksender_x was created before ksender_u.
The Seraphis key image (Eq. 2.3.4) can be equivalently expressed as:
Ki = Kxs + (kΩ + kaddr_u + ksender_u) Kxu (3.4.1)
where the public keys Kxs and Kxu meet the following three discrete logarithm relationships:
kx Kxs = Ks' (3.4.2)
kx Kxu = U (3.4.3)
kx Ki' = Ksi (3.4.4)
The public key Ksi is defined as:
Ksi = Ks' + kaddr_x Ki' + ksender_x Ki' (3.4.5)
Substituting for Ki', Ks' and Ksi into Eq. 3.4.4 yields:
(kx * ks' / kvb) U = ks' U + (kaddr_x * ks' / kvb) U + (ksender_x * ks' / kvb) U
kx * ks' / kvb = ks' + kaddr_x * ks' / kvb + ksender_x * ks' / kvb
kx * ks' = kvb * ks' + kaddr_x * ks' + ksender_x * ks'
kx = kvb + kaddr_x + ksender_x
which matches the definition of kx (Eq. 2.3.2).
Rearranging Eq. 3.4.2 and 3.4.3 yields:
Kxs = (ks' / kx) U (3.4.6)
Kxu = (1 / kx) U (3.4.7)
Substituting for Kxs and Kxu into Eq. 3.4.1 shows that it's equivalent to Eq. 2.3.4.
This proposal does not modify any Seraphis consensus rules, but offers a secondary quantum-resistant protocol that can be activated by a hard fork.
Spending a Seraphis e-note (Ko, C) in the post-quantum protocol requires the transaction to reveal the following:
- The hidden ElGamal commitment
(C', D')(Eq. 3.1.2.1) - A range proof for the commitment.
- The tuple
Ω(Eq. 3.2.5.2) - The secret key
saddr(Eq. 3.3.1.3) - The secret key
ssender(Eq. 3.3.2.3) - The public key
Kxs(Eq. 3.4.6) - The public key
Kxu(Eq. 3.4.7) - The discrete logarithm equality proof
πx = (e3, s3)for the pairs(Kxs, Ks'),(Kxu, U)and(Ki', Ksi)(Eq. 3.4.2-3.4.4) - A quantum-resistant signature with the private key
zqr(Ch. 3.2.3). This signature should sign all transaction outputs.
To validate the spend, consensus needs to perform the following steps:
- Validate
C ?= C' + Hq(Telgamal || C' || D') G - Validate the range proof
- Validate the proofs
σkiandπkifromΩ - Calculate
kΩ = Hq(Tspend || Ω) - Calculate
Ks = Kvb + Ks' + kΩ U - Calculate
kaddr_x = Hq(Taddr_x || Ks || saddr) - Calculate
kaddr_u = Hq(Taddr_u || Ks || kaddr_x || saddr) - Calculate
Kaddr = Ks + kaddr_x X + kaddr_u U - Calculate
ksender_x = Hq(Tsender_x || Kaddr || ssender) - Calculate
ksender_u = Hq(Tsender_u || Kaddr || ksender_x || ssender) - Validate
Ko ?= Kaddr + ksender X + ksender_u U - Validate the proof
πx - Calculate the key image
Ki = Kxs + (kΩ + kaddr_u + ksender_u) Kxu - Validate that
Kiis not spent. - Validate the quantum-resistant signature with
Zqr.
All transaction outputs must contain ElGamal commitments with valid range proofs. The component-wise sum of the output commitments must be equal to the component-wise sum of the input commitments.
This protocol does not put any other restrictions on the output format, so it can be used to migrate Seraphis outputs to a new quantum-secure privacy protocol.
The quantum-resistant protocol makes the input e-notes provably spent, which may reduce the privacy of past transactions that used the e-notes as decoys.
All migrated outputs that belong to the same wallet share the same tuple Ω, which links them together.
In July 2022, NIST has announced 3 post-quantum digital signature algorithms that have been selected for standardization [6]:
- CRYSTALS-Dilithium
- Falcon
- SPHINCS+
These algorithms have survived at least 6 years of cryptanalysis and offer acceptable size and performance to be practically usable. Falcon is patented [7], so that leaves just two possible candidates to be used by Monero.
CRYSTALS-Dilithium is lattice-based signature scheme. It offers decently sized public keys and signatures and relatively fast key generation (with comparable performance to elliptic curves).
| variant | security level | public key size | signature size | keygen (Intel Skylake) |
|---|---|---|---|---|
| Dilithium2 | 128-bit | 1 312 | 2 420 | ~100 μs |
| Dilithium3 | 192-bit | 1 952 | 3 293 | ~200 μs |
The major disadvantage of lattice-based systems is that they rely on new hardness assumptions, which may be broken in the future.
The generation of a CRYSTALS-Dilithium public key requires approximately 10 KB of RAM and takes around 50 ms on ARM Cortex M4.
SPHINCS+ is hash-based digital signature scheme. It's the most conservative choice because it only relies on the preimage resistance of hash functions.
The disadvantages of SPHINCS+ are relatively large signatures and slow key generation.
| variant | security level | public key size | signature size | keygen (Intel Haswell) |
|---|---|---|---|---|
| SPHINCS+-SHA-256-128s-simple | 128-bit | 32 | 7 856 | ~100 ms |
| SPHINCS+-SHA-256-128s-robust | 128-bit | 32 | 7 856 | ~200 ms |
| SPHINCS+-SHA-256-128f-simple | 128-bit | 32 | 17 088 | ~1.5 ms |
| SPHINCS+-SHA-256-128f-robust | 128-bit | 32 | 17 088 | ~3 ms |
| SPHINCS+-SHA-256-192s-simple | 192-bit | 48 | 16 224 | ~150 ms |
| SPHINCS+-SHA-256-192s-robust | 192-bit | 48 | 16 224 | ~300 ms |
| SPHINCS+-SHA-256-192f-simple | 192-bit | 48 | 35 664 | ~3 ms |
| SPHINCS+-SHA-256-192f-robust | 192-bit | 48 | 35 664 | ~6 ms |
The generation of a SPHINCS+ public key requires approximately 2 KB of RAM and takes around 0.5 seconds on ARM Cortex M4 for the "f-simple" variants and around 10-20 seconds for the "s-simple" variants. The "robust" variants are twice slower.
Incorporating this protocol into Seraphis requires the following 4 wallet-side functions:
MakeCommit(r', v), returns(C, r)(Ch. 3.1.2)MakeWallet(m), returns(kvb, ks)(Ch. 3.2)MakeAddressExt(Ks, sga, j), returns(kaddr_x, kaddr_u)(Ch. 3.3.1)MakeSenderExt(Kaddr, sshared, C), returns(ksender_x, ksender_u)(Ch. 3.3.2)
These functions enable a backwards-compatible post-quantum protocol to be activated eiher as an emergency hard-fork or as part of a post-quantum migration process.
While it's possible that the post-quantum protocol may not be needed in the foreseeable future, the "zero-cost" nature of this proposal makes it a very cheap mitigation for a possible disaster.
[2] https://github.com/UkoeHB/Seraphis/blob/master/Seraphis-0-0-16.pdf
[3] https://eprint.iacr.org/2017/237.pdf
[4] https://lists.launchpad.net/mimblewimble/msg00479.html
[5] https://crypto.ethz.ch/publications/files/CamSta97b.pdf
[6] https://csrc.nist.gov/projects/post-quantum-cryptography/selected-algorithms-2022
We don't have a requirement to support multiple messages, right? Would a traditional WOTS(+) signature achieve smaller sizes compared to SPHINCS+?
The overall idea sounds great and generally trivial to implement as needed during a pre-quantum setting.