
ZeroCT: Improving Zerocoin with Confidential Transactions and more

Alex Vazquez
alex@encrypt-s.com

January 17, 2019

Abstract

The Zerocoin protocol [4] is a set of cryptographic algorithms which, embedded in a cryptocurrency, provide anonymous swap of tokens in a mathematically provable way by using cryptographic accumulators. Functionally it can be described as a black box into which an actor can introduce an arbitrary number of coins and later withdraw them without leaving evidence of a connection between both actions. The withdrawing step admits a destination for the coins different from the original minter, but unconditionally requires a previous mint action and does not accept the transfer of coins without leaving the accumulator, thus exposing the traceability of the coins. We propose an alternative design which for the first time combines the virtues of Zerocoin [4] with those of Confidential Transactions [17], offering fully-featured anonymous transactions between individuals with private amounts.

1 Introduction

We can find implementations of Zerocoin in a “production” environment in active projects like ZCoin [1] or PIVX [2]. Those stick to the original protocol [4], where the set of actions a user can execute is limited to minting and spending coins, so the system works as a simple on-chain mixer where a previous step of coin laundering is necessary before the transfer of value is anonymously possible. Other alternative variations of the protocol [6] operate in a similar way, while some newer variations [8] introduce the concept of sending Zerocoins to an external party but still require an initial interactive setup step and only allow one deposit per key. Although the system satisfies the necessary conditions to consider it functionally anonymous, we would like to point out some drawbacks of the original implementation for which we propose a solution in this paper.

• Because only transparent addresses exist, it promotes the use of the Zerocoin accumulators as purely transitional for the laundering of coins between transparent addresses, making transaction traceability and address linkability through chain analysis moderately plausible. Even if a mechanism consisting of rewarding users for keeping coins in the Zerocoin pool [7] is an example of a good measure to increase the anonymity set, it does not change the fact that coins need to leave the anonymity pool in order to be transferred, which is the final utility of a currency: to be transferred and used. The anonymity of the Zerocoin protocol is upper-bounded by the size of the pool of coins, while the size of the anonymity pool is linearly related to the amount of coins sitting in the accumulators but inversely correlated to the number of transactions between users.

We introduce the use of Anonymous Identities, similar to the concept of Stealth Addresses existing in other cryptocurrencies, allowing the private transfer of coins between different entities without the requirement of using transparent addresses and incorporating the size of the transactional ledger into the anonymity pool.

• Privacy concerns aside, the use of clear-text denominations reduces the usability of the system by increasing the number of required coins and therefore the total size of the necessary proofs. Let $e_0, \cdots, e_z$ be the set of different denominations supported by a Zerocoin implementation; the transaction amount can be decomposed as $\sum_{i=0}^{z} a_i e_i$. For a single spend proof message size $W$, the full communication cost for the spend proofs of a transaction is a function of its value and can be expressed as

$$W \sum_{i=0}^{z} a_i$$

By applying variations of known methods inspired by [17], our implementation allows the transfer of divisible amounts to be expressed as a secret value only known to the participants of the transaction with the use of just two Accumulators.

2 Notation

Let us define some notation and variables that will be used throughout this paper. Let $l \le k$ be two security parameters determining the security of the zero knowledge proofs and $u \le (\log_2 q) - 2$ the number of bits necessary to have enough precision for transaction amounts. The concatenation of two bit arrays of arbitrary length $\alpha$ and $\beta$ is denoted by $\alpha || \beta$. The binary operation XOR will be denoted with the operator $\oplus$. Let $H : \{0,1\}^* \to \{0,1\}^l$ be a one-way cryptographic function taking a bit array of arbitrary length as input and outputting a bit array of length $l$. The function $H_s$ takes an EC point as input and outputs the result of feeding its binary representation into $H$. The bit in position $i$ of a bit array $a$ is denoted $a[i]$, considering $a[0]$ the bit in the left-most position of the array. When describing Zero Knowledge proofs we will use the notation of Camenisch and Stadler [15]. For instance, $ZKSoK[m]\{(x) : h = g^x\}$ denotes a signature of knowledge on message $m$ of the element $x$ that satisfies $h = g^x$, where all values not enclosed in () are assumed to be known to the verifier. If $A$ is a set, $a \leftarrow A$ means that $a$ is chosen at random from $A$ according to the uniform distribution. If $A$ is a function, $a \leftarrow A(\cdots)$ means $a$ is assigned the value returned from executing $A$ with the given parameters.

3 A mathematical introduction to the Mint operation

The Zerocoin protocol [4] defines the Mint operation as the operation of minting new private tokens (Zerocoins in the original definition). As in a regular Bitcoin transaction [3], it requires that the amount of inputs used to feed the transaction is equal to the value of the minted private tokens plus any fees defined by the network policies.

“To mint a zerocoin $c$ of denomination $d$, Alice runs $Mint(params) \to (c, skc)$ and stores $skc$ securely. She then embeds $c$ in the output of a Bitcoin transaction that spends $d$ + fees classical bitcoins. Once a mint transaction has been accepted into the block chain, $c$ is included in the global accumulator $A$, and the currency cannot be accessed except through a Zerocoin spend” [4]

Mathematically, minting a coin means calculating a Pedersen Commitment [12] whose value will later be accumulated in the accumulator of the corresponding denomination. A Pedersen Commitment is a one-way function where you can commit to a value $v$ under a blinding factor $s$ without revealing the value $v$ until a later time:

$$c = g^v h^s \pmod p$$

Additionally this structure admits commitments to $n$ different values at the same time in the form $c = h^s \prod_{i=0}^{n} g_i^{v_i}$. Each additional generator $g_i$ can be calculated as $g_i = H(g_{i-1}) \pmod p$ for $i \ge 1$. For simplicity, we will denote $v_0$ and $g_0$ simply as $v$ and $g$.

Given $c$, finding $s$ and $v_i$ for $0 \le i \le n$ is known as the Discrete Logarithm Problem; it is “hard” to solve and there isn't currently any known efficient method for computing the solution in reasonable time, even if some but not all of the values of the set $(s, v_1, \ldots, v_n)$ are known. Because of the hardness of finding suitable values for $v_i$ and $s$, a Pedersen Commitment $c \leftarrow C(v, s, v_1, \ldots, v_n)$ is both hiding (the Commitment $c$ does not reveal the value it commits to) and binding (having made the Commitment $c$ it's not possible to open it with different values for $v_i$ or $s$) as long as $\log_{g_{i'}} g_i$ is unknown with $g = (h, g_i, \ldots, g_n)$ for $0 \le i \le n$ and $0 \le i' \le n$.

Pedersen Commitments also have homomorphic properties: the product of two commitments is equal to the commitment to the sum of their values, as in

$$C(v_a, s_a) \cdot C(v_b, s_b) = C(v_a + v_b, s_a + s_b) = g^{v_a} h^{s_a} g^{v_b} h^{s_b} = g^{v_a + v_b} h^{s_a + s_b}$$

In the same fashion, the division of two commitments equals the commitment to the subtraction of their values, as in

$$\frac{C(v_a, s_a)}{C(v_b, s_b)} = C(v_a - v_b, s_a - s_b) = \frac{g^{v_a} h^{s_a}}{g^{v_b} h^{s_b}} = g^{v_a} h^{s_a} g^{-v_b} h^{-s_b} = g^{v_a - v_b} h^{s_a - s_b}$$
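As an added illustration (not code from the paper), the following Python snippet builds a toy Pedersen commitment over the order-$q$ subgroup of $\mathbb{Z}_p^*$ and checks the two homomorphic identities above, plus the multi-generator form $c = h^s \prod g_i^{v_i}$ with $g_i$ derived by hashing the previous generator. The safe prime, the generators and the squaring used to land hash outputs in the subgroup are this example's own choices, and the parameters are far too small for real use.

```python
import hashlib
import math

# Toy parameters constructed for this example (far too small for real use):
# a safe prime p = 2q + 1, so that the squares of Z_p^* form a subgroup of
# prime order q, which is where the Pedersen commitment lives.
def _is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

Q = next(q for q in range(1 << 20, 1 << 21) if _is_prime(q) and _is_prime(2 * q + 1))
P = 2 * Q + 1


def _hash_to_group(label: bytes) -> int:
    # Derive a generator nobody knows the discrete log of: hash, reduce mod p,
    # then square to land in the order-q subgroup (the squaring is this
    # example's addition; the paper writes g_i = H(g_{i-1}) mod p).
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    return pow(x, 2, P)


G = 4                          # 2^2 is a square, hence a generator of order q
H = _hash_to_group(b"h")       # blinding generator with unknown log_g h


def extra_generator(i: int) -> int:
    """g_i chained from g_0 = g by hashing the previous generator, g_i = H(g_{i-1})."""
    gi = G
    for _ in range(i):
        gi = _hash_to_group(gi.to_bytes(4, "big"))
    return gi


def commit(v: int, s: int) -> int:
    """Single-value Pedersen commitment c = g^v h^s (mod p)."""
    return pow(G, v, P) * pow(H, s, P) % P


def commit_multi(s: int, values) -> int:
    """Multi-value commitment c = h^s * prod_i g_i^{v_i} (mod p), with g_0 = g."""
    c = pow(H, s, P)
    for i, v in enumerate(values):
        c = c * pow(extra_generator(i), v, P) % P
    return c


def product_is_sum_commitment(va: int, sa: int, vb: int, sb: int) -> bool:
    """C(va, sa) * C(vb, sb) == C(va + vb, sa + sb); exponents live in Z_q."""
    return commit(va, sa) * commit(vb, sb) % P == commit((va + vb) % Q, (sa + sb) % Q)


def quotient_is_difference_commitment(va: int, sa: int, vb: int, sb: int) -> bool:
    """C(va, sa) / C(vb, sb) == C(va - vb, sa - sb); division is a modular inverse."""
    quotient = commit(va, sa) * pow(commit(vb, sb), -1, P) % P
    return quotient == commit((va - vb) % Q, (sa - sb) % Q)


def multi_matches_single(v: int, s: int) -> bool:
    """A one-value multi-generator commitment collapses to the single-value form."""
    return commit_multi(s, [v]) == commit(v, s)
```

The subgroup order $q$ matters for the identities: adding exponents is only well defined modulo the order of $g$ and $h$, which is why the sums and differences are reduced modulo $q$ before recommitting.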

The original Zerocoin protocol [4] uses a RNG to generate different values for $S \leftarrow \mathbb{Z}_q^*$ (serial number of the minted coin) and $r \leftarrow \mathbb{Z}_q^*$ (randomness used as a blinding factor) to be used in the computation of $c \leftarrow C(S, r)$ until $\{c \text{ prime} \mid c \in [A, B]\}$ [14]. The future spender of the minted coin is required to prove knowledge of both values $S$ and $r$, constraining the spending action to the original minter. Our contribution allows an actor to commit in zero knowledge to secret values only known to an external party, even if those are publicly disclosed later.

4 Constructing a transaction

We will start by defining how an anonymous identity is constructed. Let $B$ be the public part of an Elliptic Curve key $B = bG$, $j_1 \leftarrow \mathbb{Z}_q^*$, $k_1 \leftarrow \mathbb{Z}_q^*$, $j_2 \leftarrow \mathbb{Z}_q^*$, $k_2 \leftarrow \mathbb{Z}_q^*$, $z_1 \leftarrow C(j_1, k_1)$ and $z_2 \leftarrow C(j_2, k_2)$. The triplet $(B, z_1, z_2)$ is known as the anonymous identity $I$, which can be publicly shared and used as an address where users can receive private coins. The tuple $(b, j_1, j_2, z_1, z_2)$ is considered a private view key $PK_{view}$ and allows the wallet to identify which outputs contain spendable private coins and when those coins are spent. $PK_{view}$ can be handed to an accountant to prove an account's history of private transactions without compromising the exclusivity of the spending rights over the funds. The tuple $(b, j_1, j_2, k_1, k_2)$ is considered a private spend key $PK_{spend}$ and allows constructing the cryptographic proofs necessary to spend private coins. Anonymous identities admit receiving as a single output an arbitrary and divisible amount in the range $[0, 2^u)$ denoted as $w$.

We redefine the Mint algorithm as $Mint(params, I, w)$, so when Alice wants to send coins to Bob's Private Identity $I_{BOB}$ she:

1. Extracts $B$, $z_1$ and $z_2$ from $I_{BOB}$.

2. Generates a new EC key $A = aG$ and calculates a Diffie-Hellman secret $\chi$ using Bob's EC public key $B$.

$$\chi = H_s(aB) \pmod q$$

3. Uses $H$ as a Pseudorandom Number Generator to compute $\sigma$ and $\blacksquare$, taking the shared secret $\chi$ as the initial seed.

$$\sigma = H(\chi) \pmod q$$

$$\blacksquare = H(\sigma) \pmod{2^u - 1}$$

4. Lets $c = z_1^{\chi} z_2 \pmod p$ and $\square \leftarrow C(w, c, \sigma)$.

5. Verifies $c$ and $\square$ are prime numbers and within the allowed range required in the accumulator proof [14]. If the test fails, she repeats the process going back to the second step. If it passes, she continues with the next step.

6. Includes a zero knowledge range proof that the value committed in $\square$ is a positive number and lies in the range $[0, 2^u)$.

$$NIZKPoK\{(w, \sigma) : \square = g^w h^c g_1^{\sigma} \land 0 \le w \le 2^u - 1\}$$

Methods like Bulletproofs [16] allow provers to bundle many range proofs in one of compressed size, making it possible to compute one proof per transaction instead of using the more expensive model of one proof per output.

7. Lets $W = w \oplus \blacksquare$, the amount obfuscated with $\blacksquare$.

8. Reveals $(A, c, \square, W)$ in the output of a transaction.

Considering the following equality is satisfied

$$c = z_1^{\chi} z_2 = (g^{j_1})^{\chi} (h^{k_1})^{\chi} g^{j_2} h^{k_2} = g^{(j_1 \chi + j_2)} h^{(k_1 \chi + k_2)} \pmod p$$

we can claim $c$ is equivalent to a Pedersen Commitment with one secret and one randomness value. Alice knows $z_1$, $z_2$ and $\chi$ but she does not have knowledge of $j_1$, $j_2$, $k_1$ or $k_2$ because of the properties of the Pedersen Commitment and under the assumption of the hardness of the Discrete Log Problem; thus she would be committing without retaining the ability of later opening the commitment by using the serial number $S = j_1 \chi + j_2$ or the randomness $r = k_1 \chi + k_2$ in the construction of the proofs that are necessary to spend the coins. This scheme retains the perfectly hiding property of the Pedersen Commitment construction, as $j_1$, $j_2$, $k_1$ and $k_2$ are uniformly drawn from $\mathbb{Z}_q^*$ while $\chi$ is calculated mod $q$, so the distribution of the resulting $j_1 \chi + j_2$ and $k_1 \chi + k_2$ is equally uniform.

An actor observing the chain and acting as a validator would accumulate $c$ and $\square$ in different accumulators $A$ and $V$ respectively.

The private key $a$ will be stored by Alice and used to prove the minting of specific coins without revealing Alice's whole transaction history or identity.

Due to the use of only one anonymous identity to receive coins, this scheme does not facilitate the use of short-lived addresses to identify individual payments, which is a common use case for merchants in other cryptocurrencies like Bitcoin. To solve this we propose the calculation of an extra parameter $o = H(\blacksquare)$ used to obfuscate a Payment ID/Message $M$ as in $M' = M \oplus o$, the maximum admitted length for $|M|$ being the bit length of the output from the chosen hash function $H$. $M'$ can be attached to an extra metadata parameter of a transaction, as an additional byte array in the output's scriptPubKey or as an OP_RETURN OP_PAYID script in a 0-value output from the transaction.

If Alice wants to anonymously spend private coins to fund the transaction, she will need to construct and attach as inputs a set of spend proofs for each of the outputs she wants to spend.

Tim Ruffing, Sri Aravinda Thyagarajan, Viktoria Ronge and Dominique Schröder published a paper [5] describing a cryptographic denial-of-spending attack against the original Zerocoin protocol where it would be possible to block a transaction from being propagated in blocks by reusing its serial number $S$ to create a new Zerocoin mint. If this new Zerocoin mint is spent earlier than the honest coin, the honest coin's serial number would be marked as spent, thus making the honest coin unspendable.

They propose to “use (as a serial number) a fresh verification key of an ordinary signature scheme, which is strongly existentially unforgeable under chosen message attacks. The spender will additionally sign spend transactions under this verification key, and verifiers will additionally verify these signatures using the verification key revealed as serial number.” [5]

This solution, already implemented in other cryptocurrencies, is not completely compatible as it is with the changes in the Zerocoin protocol proposed in this paper, as the coin's serial number is calculated by the sender in zero knowledge.

As an alternative we propose the following scheme to achieve serial number unforgeability:

• When computing a coin spend proof for a transaction's input, we consider $S$ a private key and provide the serial number's public key $\tilde{S}$ instead, as in

$$\tilde{S} = g^S \pmod p$$

• Alice will also include an extra zero knowledge proof of knowledge based on a Schnorr identification protocol [9], transformed into a non-interactive signature of knowledge using the Fiat-Shamir heuristic [10]:

$$ZKSoK[m]\{(S) : \tilde{S} = g^S\}$$

This scheme removes an attacker's ability to reuse a serial number to mint a new coin and later proceed with a Denial-of-Spending attack, as even if he could mint a new coin with the serial number public key $\tilde{S}$, he'd be unable to spend it without knowledge of the serial number private key $S$.

Further modification of the Spend algorithm is required to accommodate a new transaction value commitment $W$.

$$W = g^w g_1^r = g^w g_1^{(k_1 \chi + k_2)} \pmod p$$

The description of the original algorithm in [4, Appendix B] defines $\pi$ as a signature of knowledge “composed of two proofs that (1) a committed value $c$ is accumulated and (2) that $c$ is a commitment to $S$”. A prover using our implementation will need to extend (1) with an extra proof of the accumulation of $\square$ in $V$ using the accumulation witness $w'$, and substitute (2) with a new proof to prove in zero knowledge that he knows the secrets of both $c$ and $\square$, that $\square$ commits to $c$ as an exponent of $h$ and that $W$ and $\square$ commit to the same transaction amount $w$:

$$\pi = ZKSoK[m]\{(c, w, S, r, v, \sigma) : AccVerify((N, u), A, c, w) = 1 \land AccVerify((N, u), V, \square, w') = 1 \land \tilde{S} = g^S \land c = \tilde{S} h^r \land \square = g^w h^c g_1^{\sigma} \land W = g^w g_1^r\}$$

As a quick draft, we propose the following protocol in order to produce a proof to mathematically convince a verifier of the aforementioned statement. Taking $y = \vartheta^c \beta^v = \vartheta^{(g^S h^r)} \beta^v$ and $Y = \vartheta^{\square} \beta^{\varsigma} = \vartheta^{(g^w h^c g_1^{\sigma})} \beta^{\varsigma}$ from the transcripts of the AccVerify algorithm (used to prove the accumulation of $c$ and $\square$ in the accumulators $A$ and $V$ as described in [14]), let $a$ and $b$ be generators of a group whose order equals the modulus of the group used for the Pedersen Commitment $c$. Let $v' \leftarrow \mathbb{Z}_n^*$, $\varsigma' \leftarrow \mathbb{Z}_n^*$, $y' = a^{(g^S h^r)} b^{v'}$ and $Y' = a^{(g^w h^c g_1^{\sigma})} b^{\varsigma'}$. Using standard and well known techniques, Alice will first prove with a discrete log equality proof that both $y$ and $y'$, and $Y$ and $Y'$, open to the same values.

Then, inspired by the double discrete log proof described in [4, Appendix B], Alice will prove she knows how to open $y'$, $Y'$ and $W$ and will reuse the challenges from the zero knowledge proof to argue for the fulfilment of the rest of the conditions:

• She will compute for each $1 \le i \le l$:

$$\rho_i, \tau_i, \alpha_i, \gamma_i \in \mathbb{Z}_q \qquad \zeta_i, \phi_i, \varpi_i \in \mathbb{Z}_n$$

$$t_i = a^{(\tilde{S} h^{\rho_i})} b^{\zeta_i}$$

$$\upsilon_i = a^{(g^{\tau_i} h^{\gamma_i} g_1^{\alpha_i})} b^{\varpi_i}$$

$$\mu_i = g^{\tau_i} g_1^{\rho_i}$$

$$\kappa_i = a^{\gamma_i} b^{\phi_i}$$

$$\omega = H(m || y || y' || a || b || g || h || g_1 || W || \tilde{S} || t_1 || \ldots || t_l || \upsilon_1 || \ldots || \upsilon_l || \mu_1 || \ldots || \mu_l || \kappa_1 || \ldots || \kappa_l)$$

• For every bit $\omega[i]$, when its value equals 0, let

$$\xi_i = \rho_i, \quad \iota_i = \tau_i, \quad \delta_i = \alpha_i, \quad \psi_i = \zeta_i, \quad \nu_i = \gamma_i, \quad \Omega_i = \varpi_i, \quad \eta_i = \phi_i$$

If $\omega[i]$ equals 1, let

$$\xi_i = \rho_i - r, \quad \iota_i = \tau_i - w, \quad \delta_i = \alpha_i - \sigma, \quad \psi_i = \zeta_i - v' h^{(\rho_i - r)}, \quad \nu_i = \gamma_i - c$$

$$\Omega_i = \varpi_i - \varsigma' g^{(\tau_i - w)} h^{(\gamma_i - c)} g_1^{(\alpha_i - \sigma)}, \quad \eta_i = \phi_i - v'$$

• The proof

$$(\omega, \xi_1, \ldots, \xi_l, \iota_1, \ldots, \iota_l, \delta_1, \ldots, \delta_l, \psi_1, \ldots, \psi_l, \nu_1, \ldots, \nu_l, \Omega_1, \ldots, \Omega_l, \eta_1, \ldots, \eta_l)$$

is sent to the verifier.

• For every $\omega[i]$ he will check if it equals 0. In that case, let

$$t'_i = a^{(\tilde{S} h^{\xi_i})} b^{\psi_i}, \quad \upsilon'_i = a^{(g^{\iota_i} h^{\nu_i} g_1^{\delta_i})} b^{\Omega_i}, \quad \mu'_i = g^{\iota_i} g_1^{\xi_i}, \quad \kappa'_i = a^{\nu_i} b^{\eta_i}$$

otherwise

$$t'_i = y'^{(h^{\xi_i})} b^{\psi_i}, \quad \upsilon'_i = Y'^{(g^{\iota_i} h^{\nu_i} g_1^{\delta_i})} b^{\Omega_i}, \quad \mu'_i = W g^{\iota_i} g_1^{\xi_i}, \quad \kappa'_i = y' a^{\nu_i} b^{\eta_i}$$

• He can now compute

$$\omega' = H(m || y || y' || a || b || g || h || g_1 || W || \tilde{S} || t'_1 || \ldots || t'_l || \upsilon'_1 || \ldots || \upsilon'_l || \mu'_1 || \ldots || \mu'_l || \kappa'_1 || \ldots || \kappa'_l)$$

• The proof is valid iff $\omega \equiv \omega'$.

We point the interested reader to [13, Appendix A] in order to find a full security proof of the original zero knowledge proof which served as an inspiration to construct this one.
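The cut-and-choose protocol above, written out as an added Python example (not the paper's code). It implements only the part of $\pi$ that the rounds cover: knowledge of the openings of $y'$, $Y'$ and $W$ and the shared secrets $r$, $w$, $c$, $\sigma$ linking them. The accumulator transcripts $y$, $Y$ and the discrete-log equality proofs are left out, so the Fiat-Shamir hash here covers $y'$ and $Y'$ instead of $y$ and $y'$. The value commitment whose symbol did not survive extraction is `vc` in the code. The group parameters (a chain of primes $q = 509$, $p = 1019$, $m = 2p + 1 = 2039$, so that the $a, b$ group has order $p$ as the paper requires; the paper calls that order $n$), the generators, the challenge encoding and $l = 40$ rounds are this example's assumptions. Bit-1 responses are kept as plain integers because $\nu_i$ is used as an exponent of both $h$ (order $q$) and $a$ (order $p$), where reducing it modulo one order would break the other check.

```python
import hashlib
import math
import secrets

# Toy groups constructed for this example (far too small for real use).
# Pedersen group: order-q subgroup of Z_p^*, p = 2q + 1 (generators g, h, g_1).
# Second group: order-p subgroup of Z_m^*, m = 2p + 1 (generators a, b), whose
# order equals the Pedersen modulus p, as the paper requires (its "n").
Q, P, M = 509, 1019, 2039
def _is_prime(x): return x > 1 and all(x % d for d in range(2, math.isqrt(x) + 1))
assert all(map(_is_prime, (Q, P, M))) and P == 2 * Q + 1 and M == 2 * P + 1

G, H, G1 = 4, 9, 16        # squares mod p, hence of order q (toy: logs between them are known)
GEN_A, GEN_B = 4, 9        # squares mod m, hence of order p
L = 40                     # challenge bits used here (the paper's default is l = 80)

def _rand(mod): return secrets.randbelow(mod - 1) + 1

def _challenge(*items) -> int:
    """omega = H(m || y' || ...); a '|'-joined decimal encoding stands in for concatenation."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, items)).encode()).digest(), "big")

def make_instance(S, r, w, sigma):
    """Public values the proof is about (S~, y', Y', W) plus the prover's aux secrets."""
    c = pow(G, S, P) * pow(H, r, P) % P                         # coin commitment c = g^S h^r
    vc = pow(G, w, P) * pow(H, c, P) * pow(G1, sigma, P) % P    # value commitment g^w h^c g_1^sigma
    v1, s1 = _rand(P), _rand(P)                                 # v' and varsigma'
    pub = {"S_pub": pow(G, S, P),                               # S~ = g^S
           "y1": pow(GEN_A, c, M) * pow(GEN_B, v1, M) % M,      # y' = a^c b^{v'}
           "Y1": pow(GEN_A, vc, M) * pow(GEN_B, s1, M) % M,     # Y' = a^vc b^{varsigma'}
           "W": pow(G, w, P) * pow(G1, r, P) % P}               # W = g^w g_1^r
    return pub, {"c": c, "v1": v1, "s1": s1}

def _challenge_over(msg, pub, rounds):
    # Paper order: all t, then all upsilon, then all mu, then all kappa.
    return _challenge(msg, pub["y1"], pub["Y1"], GEN_A, GEN_B, G, H, G1, pub["W"],
                      pub["S_pub"], *[rd[k] for k in range(4) for rd in rounds])

def prove(msg, pub, S, r, w, sigma, aux):
    """Prover: l rounds of commitments, Fiat-Shamir challenge, per-bit responses."""
    c, v1, s1 = aux["c"], aux["v1"], aux["s1"]
    randomness, commitments = [], []
    for _ in range(L):
        rho, tau, alpha, gamma = (_rand(Q) for _ in range(4))   # exponents in Z_q
        zeta, phi, varpi = (_rand(P) for _ in range(3))         # exponents in Z_n (= Z_p here)
        t = pow(GEN_A, pub["S_pub"] * pow(H, rho, P) % P, M) * pow(GEN_B, zeta, M) % M
        x = pow(G, tau, P) * pow(H, gamma, P) * pow(G1, alpha, P) % P
        u = pow(GEN_A, x, M) * pow(GEN_B, varpi, M) % M
        mu = pow(G, tau, P) * pow(G1, rho, P) % P
        kappa = pow(GEN_A, gamma, M) * pow(GEN_B, phi, M) % M
        randomness.append((rho, tau, alpha, gamma, zeta, phi, varpi))
        commitments.append((t, u, mu, kappa))
    omega = _challenge_over(msg, pub, commitments)
    responses = []
    for i, (rho, tau, alpha, gamma, zeta,phi, varpi) in enumerate(randomness):
        if (omega >> i) & 1 == 0:            # bit 0: reveal the round's randomness
            responses.append((rho, tau, alpha, gamma, zeta, varpi, phi))
        else:                                # bit 1: shifted responses, kept as plain integers
            xi, iota, delta, nu = rho - r, tau - w, alpha - sigma, gamma - c
            psi = zeta - v1 * pow(H, xi, P)
            Omega = varpi - s1 * (pow(G, iota, P) * pow(H, nu, P) * pow(G1, delta, P) % P)
            responses.append((xi, iota, delta, nu, psi, Omega, phi - v1))
    return omega, responses

def verify(msg, pub, proof) -> bool:
    """Verifier: recompute t', upsilon', mu', kappa' per bit and compare the challenge."""
    omega, responses = proof
    if len(responses) != L:
        return False
    recomputed = []
    for i, (xi, iota, delta, nu, psi, Omega, eta) in enumerate(responses):
        x = pow(G, iota, P) * pow(H, nu, P) * pow(G1, delta, P) % P
        if (omega >> i) & 1 == 0:
            t = pow(GEN_A, pub["S_pub"] * pow(H, xi, P) % P, M) * pow(GEN_B, psi, M) % M
            u = pow(GEN_A, x, M) * pow(GEN_B, Omega, M) % M
            mu = pow(G, iota, P) * pow(G1, xi, P) % P
            kappa = pow(GEN_A, nu, M) * pow(GEN_B, eta, M) % M
        else:
            t = pow(pub["y1"], pow(H, xi, P), M) * pow(GEN_B, psi, M) % M
            u = pow(pub["Y1"], x, M) * pow(GEN_B, Omega, M) % M
            mu = pub["W"] * pow(G, iota, P) * pow(G1, xi, P) % P
            kappa = pub["y1"] * pow(GEN_A, nu, M) * pow(GEN_B, eta, M) % M
        recomputed.append((t, u, mu, kappa))
    return omega == _challenge_over(msg, pub, recomputed)
```

Each bit-1 round checks the whole conjunction at once: $t'_i$ only matches when $y'$ really hides $\tilde{S} h^r$, $\upsilon'_i$ when $Y'$ hides $g^w h^c g_1^\sigma$ with the same $w$, $c$ and $\sigma$ that shift the responses, $\mu'_i$ when $W$ opens to the same $w$ and $r$, and $\kappa'_i$ when the $c$ inside $Y'$ is the exponent that $y'$ commits to. Python 3.8 or later is needed for the negative exponents passed to `pow`.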

This proof clearly increases the communication overhead compared with the original proof. Considering $A$ the size of an accumulation proof, $E$ the size of a discrete logarithm equality proof and $C$ the size of a challenge used in the double logarithm proof, a transaction's input communication cost of the original protocol can be approximately denoted as

$$W = A + E + 2lC$$

while the cost of the cryptographic proofs for an input in our proposal would be

$$W = 2A + 2E + 7lC$$

For a default $l = 80$, let $e = \frac{2 + 2l}{4 + 7l} = \frac{162}{564} \approx \frac{1}{4}$ be the efficiency of our implementation; we can use

$$\left( \sum_{i=0}^{z} a_i \ge e^{-1} \right) \overset{?}{=} \text{True}$$

to determine if this protocol has a communicational cost advantage for a concrete transaction. Even if our proposal offers better anonymity properties and shows itself more efficient than Zerocoin transactions with 4 or more inputs, we strongly encourage research in the direction of designing more efficient zero knowledge proofs.

The following table shows the count of single- and multi-exponentiation operations needed to construct and verify the different cryptographic proofs which are part of the coin spend algorithm. Counts of scalar arithmetic operations, multiplicative inverse calculations, hash functions or other operations outside the exponentiation realm are intentionally excluded from the scope of the table for simplicity, as their computational cost is considered marginally low.

Table 1: Count of operations of exponentiations of n powers

Proof                    Step      n=1   n=2   n=3
Accumulation Proof       Prove     1     8     2
                         Verify    0     0     7
DL Equality Proof        Prove     0     2     0
                         Verify    0     0     2
Ext. Double DL Proof     Prove     2l    4l    2l
                         Verify    l     4l    l
Coin Serial Signature    Prove     2     0     0
                         Verify    2     0     0

5 A transaction's amount signature

We substitute the public amounts of transactions with secret values hidden in the coin and spend proof commitments. Publicly verifiable amounts are a key part of how traditional blockchains confirm that all value transfers occur inside of a constrained money supply limit and that no user is able to spend more coins than those he proved ownership of.

For a transaction $T$ with $m$ inputs and $n$ outputs we will also require the transaction fee (following strict network policies) to appear explicitly as the last output at index $n$ with transparent amount $f$. This output can be denoted with a special un-spendable script like OP_RETURN OP_FEE.

Once the explicit-fee output is added to the output array of the transaction, Alice will be able to sign the transaction using the public key $N$ as in

$$N = \frac{\prod_{i=0}^{m} W_i}{g^f \prod_{i=0}^{n-1} \square_i h^{-c_i}} = \frac{g^{(w'_0 + \cdots + w'_m)} g_1^{(r_0 + \cdots + r_m)}}{g^{(f + w_0 + \cdots + w_{n-1})} g_1^{(\sigma_0 + \cdots + \sigma_{n-1})}} \pmod p$$

only if the committed amounts in $W_i$ and the committed amounts in $\square_i$ plus $f$ match,

$$\sum_{i=0}^{m} w'_i - f - \sum_{i=0}^{n-1} w_i \overset{?}{=} 0$$

by using

$$\sum_{i=0}^{m} r_i - \sum_{i=0}^{n-1} \sigma_i \pmod q$$

as a private key.
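An added Python example (not the paper's code) of the amount signature: it computes $N$ from the public commitments and the explicit fee, derives the private key $\sum r_i - \sum \sigma_i$, and signs with a Schnorr signature over base $g_1$. The paper does not fix the signature scheme, so Schnorr is this example's choice; the toy group, the generators, the constructed amounts and the stand-in integers used for the coin commitments $c_i$ are also assumptions. The value commitment whose symbol did not survive extraction is `output_commitment` here.

```python
import hashlib
import math
import secrets

# Toy Pedersen group constructed for this example: a safe prime p = 2q + 1
# with q around 2^20 and generators of the order-q subgroup (squares mod p).
def _is_prime(n): return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))
Q = next(q for q in range(1 << 20, 1 << 21) if _is_prime(q) and _is_prime(2 * q + 1))
P = 2 * Q + 1
G, H, G1 = 4, 9, 16     # squares mod p, hence of order q (toy: logs between them are known)

def _rand(): return secrets.randbelow(Q - 1) + 1

def input_commitment(w, r):           # W_i = g^{w'_i} g_1^{r_i}, carried by a spend proof
    return pow(G, w, P) * pow(G1, r, P) % P

def output_commitment(w, c, sigma):   # value commitment g^w h^c g_1^sigma of a minted output
    return pow(G, w, P) * pow(H, c, P) * pow(G1, sigma, P) % P

def amount_public_key(inputs, outputs, fee):
    """N = prod W_i / (g^f prod vc_i h^{-c_i}) (mod p), from public transaction data only."""
    num = 1
    for W in inputs:
        num = num * W % P
    den = pow(G, fee, P)
    for vc, c in outputs:
        den = den * vc * pow(H, -c, P) % P      # strip h^c so only g^w g_1^sigma remains
    return num * pow(den, -1, P) % P

def amount_private_key(rs, sigmas):
    """sum r_i - sum sigma_i (mod q): the discrete log of N base g_1 when amounts balance."""
    return (sum(rs) - sum(sigmas)) % Q

def schnorr_sign(msg: bytes, x: int):
    """Schnorr signature over base g_1, proving knowledge of x with N = g_1^x."""
    k = _rand()
    R = pow(G1, k, P)
    e = int.from_bytes(hashlib.sha256(b"%d|%d|" % (R, pow(G1, x, P)) + msg).digest(), "big") % Q
    return R, (k - e * x) % Q

def schnorr_verify(msg: bytes, N: int, sig) -> bool:
    R, s = sig
    e = int.from_bytes(hashlib.sha256(b"%d|%d|" % (R, N) + msg).digest(), "big") % Q
    return pow(G1, s, P) * pow(N, e, P) % P == R

def build_transaction(in_amounts, out_amounts, fee):
    """Constructed sample transaction: fresh blinding for every commitment."""
    rs = [_rand() for _ in in_amounts]
    sigmas = [_rand() for _ in out_amounts]
    cs = [_rand() for _ in out_amounts]       # stand-ins for the coin commitments c_i
    inputs = [input_commitment(w, r) for w, r in zip(in_amounts, rs)]
    outputs = [(output_commitment(w, c, s), c) for w, c, s in zip(out_amounts, cs, sigmas)]
    return inputs, outputs, amount_private_key(rs, sigmas)

def amounts_balance(in_amounts, out_amounts, fee) -> bool:
    """True iff the signer's key opens N, i.e. inputs equal outputs plus fee."""
    inputs, outputs, x = build_transaction(in_amounts, out_amounts, fee)
    N = amount_public_key(inputs, outputs, fee)
    return N == pow(G1, x, P) and schnorr_verify(b"tx", N, schnorr_sign(b"tx", x))
```

When the amounts do not balance, $N$ picks up a factor $g^{\Delta}$ with $\Delta \ne 0$, so it is no longer a pure power of $g_1$ and no party knows its discrete log base $g_1$; the signature check therefore fails even though the signer knows $\sum r_i - \sum \sigma_i$.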

6 Validating transactions

Bob will scan all the incoming new transactions (as he already does) and for every output containing a Zerocoin mint, he will:

1. Reject the transaction if:

• the range proof for the outputs' amount is not valid, or

• the fee is not explicitly included or does not strictly meet the network policies, or

• the broadcast values $c$ and $\square$ are not prime numbers or not in the required range, or

• the transaction is not signed by $N$.

2. Extract $b$, $z_1$ and $z_2$ from his own $PK_{view}$.

3. Calculate a Diffie-Hellman secret $\chi'$ using his own EC private key $b$ and Alice's EC public key $A$.

$$\chi' = H_s(bA) \pmod q$$

4. Derive $\sigma'$ and $\blacksquare'$ from $\chi'$.

$$\sigma' = H(\chi') \pmod q$$

$$\blacksquare' = H(\sigma') \pmod{2^u - 1}$$

5. Decode the transaction amount into $w'$.

$$w' = W' \oplus \blacksquare'$$

6. Reconstruct $\square'$ and $c'$.

$$c' = z_1^{\chi'} z_2 \pmod p$$

$$\square' = g^{w'} h^{c'} g_1^{\sigma'} \pmod p$$

7. Iff $c'$ and $\square'$ equal the values of $c$ and $\square$ submitted by Alice, Bob recognises the output as spendable and securely stores it, so he can later calculate the spend proofs.
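The Mint steps of section 4 and Bob's scan above, as one added Python example (not the paper's code). Two substitutions are the example's own: the elliptic-curve key exchange is replaced by Diffie-Hellman in the same multiplicative group used for the commitments ($B = g^b$ instead of $B = bG$, shared value $g^{ab}$), and the range proof, the accumulator range bound and the transaction-level checks of step 1 are omitted. The value commitment and the amount mask whose symbols did not survive extraction are `vc` and `mask`; the safe prime, the generators and the sample amount are toy-sized constructions.

```python
import hashlib
import secrets

U = 16                       # amount precision bits; must satisfy u <= log2(q) - 2

def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < 2^64 (used for the primality test of step 5)."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Toy group constructed for this example: safe prime p = 2q + 1 with q > 2^31,
# generators of the order-q subgroup. The paper's EC group is replaced by this
# same multiplicative group for the key exchange.
Q = next(q for q in range((1 << 31) + 1, 1 << 32, 2)
         if is_probable_prime(q) and is_probable_prime(2 * q + 1))
P = 2 * Q + 1
G, H, G1 = 4, 9, 16          # squares mod p, hence of order q (toy: logs between them are known)

def _H(data: bytes) -> int: return int.from_bytes(hashlib.sha256(data).digest(), "big")
def _Hs(point: int) -> int: return _H(point.to_bytes(8, "big"))   # H_s on a group element
def _rand() -> int: return secrets.randbelow(Q - 1) + 1
def commit(v, s): return pow(G, v, P) * pow(H, s, P) % P                         # C(v, s)
def commit3(w, c, sigma): return pow(G, w, P) * pow(H, c, P) * pow(G1, sigma, P) % P

def keygen():
    """Anonymous identity I = (B, z1, z2), view key and spend key as defined in section 4."""
    b, j1, k1, j2, k2 = (_rand() for _ in range(5))
    B, z1, z2 = pow(G, b, P), commit(j1, k1), commit(j2, k2)
    return (B, z1, z2), (b, j1, j2, z1, z2), (b, j1, j2, k1, k2)

def _derive(shared: int):
    """chi -> sigma -> mask: the PRNG chain of mint step 3 (and Bob's steps 3-4)."""
    chi = _Hs(shared) % Q
    sigma = _H(chi.to_bytes(32, "big")) % Q
    mask = _H(sigma.to_bytes(32, "big")) % ((1 << U) - 1)
    return chi, sigma, mask

def mint(identity, w):
    """Mint(params, I, w): returns the output (A, c, vc, W) and Alice's key a."""
    assert 0 <= w < (1 << U)
    B, z1, z2 = identity
    while True:                                   # step 5: retry until c and vc are prime
        a = _rand()
        A = pow(G, a, P)                          # step 2: fresh key, shared value B^a
        chi, sigma, mask = _derive(pow(B, a, P))
        c = pow(z1, chi, P) * z2 % P              # step 4: c = z1^chi z2
        vc = commit3(w, c, sigma)                 # value commitment C(w, c, sigma)
        if is_probable_prime(c) and is_probable_prime(vc):
            break
    return (A, c, vc, w ^ mask), a               # steps 7-8 (range proof omitted)

def scan_output(view_key, output):
    """Bob's steps 2-7: the amount if the output is his, otherwise None."""
    b, j1, j2, z1, z2 = view_key
    A, c, vc, W = output
    chi, sigma, mask = _derive(pow(A, b, P))     # same shared value, A^b = B^a
    w = W ^ mask
    if pow(z1, chi, P) * z2 % P != c or commit3(w, c, sigma) != vc:
        return None
    return w

def open_coin(spend_key, output):
    """With the spend key Bob recovers the serial S = j1 chi + j2 and blinding r = k1 chi + k2."""
    b, j1, j2, k1, k2 = spend_key
    chi = _derive(pow(output[0], b, P))[0]
    return (j1 * chi + j2) % Q, (k1 * chi + k2) % Q
```

The view key suffices to recognise the output and read its amount, while only the spend key yields the opening $(S, r)$ of $c$ that the spend proof needs; a wallet can therefore keep $PK_{view}$ in memory for scanning and load $PK_{spend}$ only while proving, which is the separation the next paragraph relies on.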

As an improvement to the original specification, Bob or an accountant will be able to reconstruct his whole transaction history of private coins by simply using his private view key $PK_{view}$ with very low computing costs. He will need to keep $PK_{view}$ in memory to verify outputs and calculate an unspendable private coin $pc$. This is considered safe, as an adversary accessing the memory resources of Bob's system won't be able to steal the funds. Only when a Spend action is performed is the private spend key $PK_{spend}$ decrypted and temporarily stored in memory while the proofs are constructed, reducing the likelihood of unauthorised access to the coins in the same manner as occurs in the regular spending of Bitcoin.

However, compromising $PK_{view}$ from the memory space of the wallet, or compromising access to the wallet's local database file, would entirely compromise the privacy and act as a source of evidence for an adversary, as he would be able to undoubtedly identify previous and future transactions. We encourage implementing full encryption of the whole wallet database to prevent those leakages.

Acknowledgement

We would like to specially thank Samuel Dobson, Guy Kloss, the Veil development team, Jonathan Cressman and Sarang Noether for reviewing the soundness of this paper and providing their constructive input. Marcus Chan for reviewing the copywriting of this paper. Craig MacGregor for coordinating reviews and overseeing the production of this paper. Please note that reviewers of this paper have not been commercially engaged, nor should their review of this paper be considered an endorsement of the paper's content or imply any liability whatsoever regarding the application of the private transaction methods the paper describes.

References

[1] Zcoin. https://zcoin.io

[2] PIVX. https://pivx.org

[3] S. Nakamoto, Bitcoin: A peer-to-peer electronic cash system, 2009. 2012. http://www.bitcoin.org/bitcoin.pdf

[4] Ian Miers, Christina Garman, Matthew Green, Aviel D. Rubin: Zerocoin: Anonymous Distributed E-Cash from Bitcoin. http://zerocoin.org/media/pdf/ZerocoinOakland.pdf

[5] Tim Ruffing, Sri Aravinda Thyagarajan, Viktoria Ronge, Dominique Schröder: Burning Zerocoins for Fun and for Profit: A Cryptographic Denial-of-Spending Attack on the Zerocoin Protocol. https://www.chaac.tf.fau.de/files/2018/04/attack-cryptocur.pdf

[6] Jens Groth, Markulf Kohlweiss. One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin. https://eprint.iacr.org/2014/764.pdf

[7] zPOS / zPIV Staking Rewards. https://www.reddit.com/r/pivx/comments/82w7s0/

[8] The NIX Developer Team: Pedersen Anonymous Deposits: Commitment Key Packs. https://nixplatform.io/wp-content/uploads/2018/10/Commitment Key Packs v1-0-1.pdf

[9] Claus P. Schnorr. Efficient signature generation for smart cards. Journal of Cryptology, 4(3):239–252, 1991.

[10] Amos Fiat and Adi Shamir. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. CRYPTO 1986, pp. 186–194.

[11] Christina Garman, Matthew Green, Ian Miers, and Aviel D. Rubin. Rational Zero: Economic Security for Zerocoin with Everlasting Anonymity. https://www.ifca.ai/fc14/bitcoin/papers/bitcoin14 submission 12.pdf

[12] Pedersen T.P. (1992) Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In: Feigenbaum J. (eds) Advances in Cryptology, CRYPTO 91. CRYPTO 1991. Lecture Notes in Computer Science, vol 576. Springer, Berlin, Heidelberg.

[13] Ian Miers. Decentralized Anonymous Payments. 2017.

[14] J. Camenisch and A. Lysyanskaya, Dynamic accumulators and application to efficient revocation of anonymous credentials. In CRYPTO 02, 2002, pp. 61–76.

[15] J. Camenisch and M. Stadler, Efficient group signature schemes for large groups. In CRYPTO 97, vol. 1296 of LNCS, 1997, pp. 410–424.

[16] Bunz, B., Bootle, J., Boneh, D., Poelstra, A., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. Cryptology ePrint Archive, Report 2017/1066 (2017).

[17] Greg Maxwell, Confidential Transactions. https://people.xiph.org/~greg/confidential values.txt