Delegated RingCT: faster anonymous transactions

Rui Morais
Release Laboratory, Nova Lincs
University of Beira Interior
Covilhã, Portugal
ru.morais@ubi.pt

Paul Crocker
Instituto de Telecomunicações
University of Beira Interior
Covilhã, Portugal
crocker@di.ubi.pt

Simão Melo de Sousa
Nova Lincs, C4 Center, Release Laboratory
University of Beira Interior
Covilhã, Portugal
desousa@di.ubi.pt

Abstract—We present Delegated RingCT, a modification to the RingCT protocol with stealth addresses that makes it compatible with Delegated Proof of Stake based consensus mechanisms. Our scheme has two building blocks: a customised version of an Integrated Signature and Encryption scheme composed of a public key encryption scheme and two signature schemes (a digital signature and a linkable ring signature); and non-interactive zero knowledge proofs. We give a description of the scheme, security proofs and a prototype implementation whose benchmarking is discussed. Although Delegated RingCT does not have the same degree of anonymity as other RingCT constructions, we argue that the benefits that compatibility with DPoS consensus mechanisms brings constitute a reasonable trade-off for being able to develop an anonymous decentralised cryptocurrency that is faster and more scalable than existing ones.

Index Terms—Anonymity, Privacy, Monero, RingCT, Delegated Proof of Stake

I. INTRODUCTION

Bitcoin appeared in 2008 [1] and is widely considered to be the first decentralised cryptocurrency. Its ingenious design was revolutionary at the time: it uses a blockchain as a distributed ledger to store the transactions that happen on the network, and Nakamoto consensus [2] (which centres around the proof-of-work mechanism and the “longest-chain-win” rule) to reach a decentralised consensus about the state of that blockchain. Even today Bitcoin is the best-known and most valuable cryptocurrency.

Since then, the industry has grown and the term cryptocurrency is no longer solely a synonym for currency, but has extended to other use cases (e.g. smart contracts). Still, more than ten years later, we do not have a cryptocurrency that is widely used as a currency, as Bitcoin was supposed to be, as the title of its original paper states: a peer-to-peer electronic cash system. One can argue that this is due to external factors, such as government regulations, lack of knowledge or necessity by societies, ideological motives, etc. But we can also argue that the intrinsic technical limitations of current cryptocurrencies, due to their design, have contributed to this situation. These design flaws include the inability to scale, insufficient maximum throughput, slow confirmation times, ledger size and lack of anonymity.

A. Motivation

In our opinion, the ideal cryptocurrency is decentralised, fast, scalable, anonymous, has a transparent monetary policy and is environmentally friendly. Many cryptocurrencies created in the last few years have tried to fulfil these goals but, so far, none of them has been able to reach them all. Some, like Monero [3] and ZCash [4], solve the anonymity issue but still share Bitcoin's other limitations. Other cryptocurrencies based on Delegated Proof of Stake (DPoS), like Tezos [5] (Liquid Proof of Stake) and Nano [6] (Open Representative Voting), improve on the maximum throughput and slow confirmation times but are only pseudo-anonymous, meaning that anonymity is only maintained as long as a node on the network is not associated with a "real world" identity. These consensus mechanisms are typically faster than those that, like Bitcoin, use hashrate power competition to select the node that proposes the new transactions. They allow for a greater throughput of transactions and have a much lower carbon footprint.

The goal of this paper is to bring together some of the strengths of these designs and develop a protocol that can be used as a building block for a cryptocurrency with the properties mentioned above, specifically an anonymous decentralised cryptocurrency that is faster and more scalable than the current ones.

B. Contributions

We present Delegated RingCT, an extension to the base protocol of Monero (RingCT with stealth addresses) that makes it compatible with Delegated Proof of Stake, a family of consensus mechanisms in which the weight of a node in the consensus for validating transactions is proportional to its delegated stake on the network.

We first present a generic version of Delegated RingCT constructed from two cryptographic primitives: a customised version of an Integrated Signature and Encryption scheme (ISE) [7], which is composed of a public key encryption scheme (PKE) and two signature schemes, a digital signature (DS) [8] and a linkable ring signature (LRS) [9]; and non-interactive zero knowledge proofs (NIZK). We then give a concrete, efficient instantiation of Delegated RingCT and a prototype implementation whose benchmarking shows that the scheme can be used to build a faster and more scalable anonymous decentralised cryptocurrency.