Authors
Matteo Campanelli, Mathias Hall-Andersen
Publication date
2022
Conference
Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security
Description
We propose Veksel, a simple generic paradigm for constructing efficient non-interactive coin mixes. The central component in our work is a concretely efficient proof π1-many that a homomorphic commitment c* is a rerandomization of a commitment c ∈ {c1, …, cℓ} without revealing c. We formalize anonymous account-based cryptocurrency as a universally composable functionality and show how to efficiently instantiate it using π1-many in a straightforward way. We instantiate and implement π1-many from Strong-RSA, DDH and random oracles targeting ≈ 112 bits of security. The resulting NIZK has constant size (|π1-many| = 5.3 KB) and constant proving/verification time (≈ 90 ms), on an already accumulated set. Compared to ZCash, which offers comparable marginal verification cost and an anonymity set consisting of every existing transaction, our transactions are larger (6.2 KB) and verification is slower. On …