Aggregable Confidential Transactions for Efficient Quantum-Safe Cryptocurrencies

IEEE Access (2022)

Abstract
Confidential Transactions (CT) hide coin amounts even from verifiers without the help of trusted third parties. Aggregable CTs are a scalable category of CTs with "spent coin record trimming". For example, if Alice sends coins to Bob, who had sent similar coins to Charles, the aggregated transaction shows only that Alice sent coins to Charles by deleting Bob's coin records. Since the number of spent coin records grows linearly with the number of transactions, faster than the number of accounts, cash systems based on aggregable CTs are highly scalable. However, existing quantum-safe aggregable CT protocols have large unspent coin records, and existing efficient aggregable CTs are vulnerable to quantum attacks. We introduce two aggregable CT protocols, based on new efficient homomorphic zero-knowledge proofs, from either the plain or Module Short Integer Solution (SIS and MSIS) problems, both believed to be secure against quantum adversaries. We further implement the MSIS-based aggregable CT protocol as a C library. Our experiments on 10^4 transactions show that aggregation reduces the cash system's size by 40%-54% when the output/input rate is in the range 1/1-2/1. For example, a cash system of 1.73 GB can be reduced to 0.98 GB when the output/input rate is 1.5, which has been the historical real-world average rate.
Keywords
Protocols, Lattices, Task analysis, Receivers, Licenses, Libraries, Digital signatures, Confidential transactions, transaction cut-through, scalable cryptocurrencies, PQ ZK