簡易檢索 / 詳目顯示
| 研究生: |
林采葶 Lin, Tsai-Ting |
|---|---|
| 論文名稱: |
零知識證明用於 GNU Taler 找零機制之研究 A Study on Applying Zero-Knowledge Proofs to the GNU Taler Refresh Protocol |
| 指導教授: |
左瑞麟
Tso, Ray-Lin |
| 口試委員: |
羅乃維
Lo, Nai-Wei 許建隆 Hsu, Chien-Lung 楊明豪 Yang, Ming-Hour 羅嘉寧 Luo, Jia-Ning |
| 學位類別: |
碩士
Master |
| 系所名稱: |
資訊學院 - 資訊科學系碩士在職專班 Excutive Master Program of Computer Science |
| 論文出版年: | 2026 |
| 畢業學年度: | 114 |
| 語文別: | 英文 |
| 論文頁數: | 51 |
| 中文關鍵詞: | GNU Taler 、零知識證明 、盲簽章 、找零協定 |
| 外文關鍵詞: | GNU Taler, zero-knowledge proofs, blind signatures, refresh protocol |
| 相關次數: | 點閱:15 下載:0 |
| 分享至: |
| 查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報 |
GNU Taler 是一套以使用者隱私與匿名性為核心設計目標的數位貨幣支付系統。在確保交易不可追蹤的同時,系統仍能維持商家的可稽核性。此特性主要透過盲簽章機制實現,使交易所無法將貨幣發行與後續消費行為連結,從而保障付款者的匿名性。
為支援部分支付情境,GNU Taler 設計了找零協定,將已部分使用的舊幣轉換為新幣,同時確保價值一致性。現行找零協定採用 cut-and-choose 機制,以機率性的方式驗證新幣是否依協定正確派生。該方法透過產生多組候選派生結果並隨機揭露部分進行檢查,以降低作弊成功的機率,其安全性建立於統計性假設之上,並需額外負擔多組候選資料的計算與驗證成本。
本研究提出一種以零知識證明為基礎的驗證設計,將找零協定中的派生關係轉為可驗證的零知識電路,使驗證者能在不揭露任何私密資訊的情況下,直接驗證新幣派生的正確性。透過實驗研究,驗證了此設計在技術上的可行性,同時能維持 GNU Taler 原有的匿名性要求。作為一項初步探索,本研究為未來進一步整合至實際系統架構提供了理論基礎與設計方向。
GNU Taler is a digital payment system designed to protect user privacy and anonymity. While keeping transactions unlinkable, the system also maintains merchant-side auditability. This is mainly achieved through blind signature mechanisms, which prevent the exchange from linking coin issuance to later spending, thereby protecting payer anonymity.
To support partial payments, GNU Taler introduces a Refresh protocol that converts a partially spent coin into new coins while preserving value consistency. The current Refresh protocol uses a cut-and-choose mechanism to probabilistically verify whether new coins are correctly derived according to the protocol. This method generates multiple candidate derivations and randomly reveals some of them for checking in order to reduce cheating probability. However, its security remains probabilistic and requires additional computation and verification costs.
This thesis proposes a design that models the derivation relation in the Refresh protocol as an arithmetic circuit for zero-knowledge proof. This allows the verifier to confirm the correctness of new coin derivation without revealing any private information. Through experimental evaluation, we demonstrate the technical feasibility of the proposed design while preserving the original anonymity guarantees of GNU Taler. As a preliminary study, this research provides a theoretical foundation and design direction for future integration into practical system architectures.
1 Introduction 1
1.1 Motivation 2
1.2 Contribution 3
1.3 Organization 3
2 Related Research 5
2.1 Digital Currency and GNU Taler 5
2.2 Refresh Correctness Verification 7
3 Preliminaries 9
3.1 Clause-Schnorr Blind Signature 9
3.2 Refresh Derive Schnorr 13
3.3 Refresh Protocol 14
3.4 Deterministic Refresh Derivation 18
3.5 Zero-Knowledge Proofs 19
4 ZK-Friendly Refresh Derivation 21
4.1 Refresh Derive as a Verifiable Computation 21
4.2 From ECDH-based to Signature-based Derivation 22
4.3 Why Zero-Knowledge Proofs and zk-SNARKs 22
5 Our Proposal 24
5.1 Proof Structure and Verification Components 24
5.1.1 Schnorr Verify 25
5.1.2 Derive Chain Verify 26
5.1.3 Blind CS Verify 26
5.2 Public and Private Inputs 27
5.2.1 Public Inputs 28
5.2.2 Private Inputs 28
5.3 Integration with the Refresh Protocol 29
5.4 Comparison with Existing Refresh Verification 30
6 Security 31
6.1 Completeness 31
6.2 Soundness 31
6.3 Zero-Knowledge 32
7 Experiment 34
7.1 Circuit Architecture 34
7.2 Circuit Realization 38
7.3 Proof System Implementation 39
7.4 Experimental Environment 41
8 Experimental Results 42
8.1 Zero-Knowledge Verification Time 42
8.2 Cut-and-Choose Input Generation Cost 44
8.3 Comparative Analysis 45
9 Conclusion 48
Reference 50
[1] G. Demarmels and L. Heuzeveldt, “Adding schnorr’s blind signature in taler,”Master’s thesis, Bern University of Applied Sciences, 2022. [Online]. Available: https://www.taler.net/papers/cs-thesis.pdf
[2] F. Dold, “The gnu taler system: Practical and provably secure electronic payments,” Ph.D. dissertation, Université de Rennes 1, 2019. [Online]. Available: https://ged.univ-rennes1.fr/nuxeo/site/esupversions/
41aac1ac-3074-4b0e-9087-cee5f58ce0b2?inline
[3] GNU Taler Project, “Exchange http api: Refreshing,” GNU Taler Documentation, 2025. [Online]. Available: https://docs.taler.net/core/api-exchange.html#refreshing
[4] ——, “Dd 62: Pq refresh protocol,” GNU Taler Design Documents, 2025. [Online]. Available: https://docs.taler.net/design-documents/062-pq-refresh.html
[5] J. Liang, D. Hu, P. Wu, Y. Yang, Q. Shen, and Z. Wu, “Sok: Understanding zk-snarks: The gap between research and practice,” Cryptology ePrint Archive, vol. 2025, no. 172, 2025. [Online]. Available: https://eprint.iacr.org/2025/172.pdf
[6] GNU Taler Project, “Exchange http api: Blinding prepare,” GNU Taler Documentation, 2025. [Online]. Available: https://docs.taler.net/core/api-exchange. html#blinding-prepare
[7] G. Fuchsbauer, A. Plouviez, and Y. Seurin, “Blind schnorr signatures and signed ElGamal encryption in the algebraic group model,” Cryptology ePrint Archive, vol. 2019, no. 877, 2019. [Online]. Available: https://eprint.iacr.org/2019/877
[8] C.-P. Schnorr, “Efficient signature generation by smart cards,” Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.
[9] D. Chaum, “Blind signatures for untraceable payments,” in Advances in Cryptology, 1983, pp. 199–203.
[10] J. Groth, “On the size of pairing-based non-interactive arguments,” in Advances in Cryptology – EUROCRYPT 2016, 2016, pp. 305–326.
[11] C. Crépeau, “Cut-and-choose protocols,” McGill University Lecture Notes. [Online]. Available: http://crypto.cs.mcgill.ca/~crepeau/EoC/Cut&Choose.pdf
[12] iden3, “Circom documentation,” 2025. [Online]. Available: https://docs.circom.io
[13] ——, “snarkjs,” 2025. [Online]. Available: https://github.com/iden3/snarkjs
[14] S. Josefsson and I. Liusvaara, “Edwards-curve digital signature algorithm (eddsa),”RFC 8032, 2017. [Online]. Available: https://rfc-editor.org/rfc/rfc8032.txt
