Aggregable Confidential Transactions for Efficient Quantum-Safe Cryptocurrencies

Confidential Transactions (CT) hide coin amounts even from verifiers without the help of trusted third parties. Aggregable CTs are a scalable category of CTs with “spent coin record trimming”. For example, if Alice sends coins to Bob, who had sent similar coins to Charles, the aggregated transaction shows only that Alice sent coins to Charles by deleting Bob’s coin records. Since the number of spent coin records grows linearly with the number of transactions, faster than the number of accounts, cash systems based on aggregable CTs are highly scalable. However, existing quantum-safe aggregable CT protocols have large unspent coin records, and existing efficient aggregable CTs are vulnerable to quantum attacks. We introduce two aggregable CT protocols, based on new efficient homomorphic zero-knowledge proofs, from either the plain or Module Short Integer Solution (SIS and MSIS) problems, both believed to be secure against quantum adversaries. We further implement the MSIS-based aggregable CT protocol as a C library. Our experiments on 104 transactions show that aggregation reduces the cash system’s size by 40%–54% when the output/input rate is in the range 1/1–2/1. For example, a cash system of 1.73 GB can be reduced to 0.98 GB when the output/input rate is 1.5, which has been the historical real-world average rate.


I. INTRODUCTION
Zero-Knowledge (ZK) proofs are exhaustively used in multiparty distributed systems to preserve privacy while maintaining public verification. More theoretically, ZK proofs can verify statement(s) regarding concealed information without revealing it. For example, a ZK range proof of a commitment 1 shows that the committed value is in a specific range without revealing the value. Another example is ZK summation proofs, which verify the summation of committed values without revealing the committed values individually. Privacypreserving cryptocurrencies heavily use these ZK proofs due to this verifiable yet concealed information.
Early cryptocurrencies reveal coin amounts since the coins are linked to pseudonymous identities. However, many studies [1]- [7] show that pseudonymous identities are linkable to real-world identities, creating a demand for Confidential The associate editor coordinating the review of this manuscript and approving it for publication was Lo'ai A. Tawalbeh . 1 Each commitment is associated with a value and a secret masking key. Masking keys are also known as blinding factors since they add randomness required to hide the coin amount. Commitments allow hiding a value or a string and disclosing the hidden value/string when required. Commitments' binding property ensures that the disclosed value/string is the originally committed value/string. In other words, finding another value/string for the same commitment is computationally infeasible.
Transaction (CT) protocols as the popularity of decentralized cash systems is growing. Typical CTs present coins as commitments. Since coin amounts are hidden in commitments, CTs contain ZK range proofs and ZK summation proofs: • ZK range proofs, to ensure that committed coin amounts are not negative, nor creating overflows; • ZK summation proofs, to ensure that the sum of sent amounts balances the sum of received amounts-the ''zero-coin generation'' property. Decentralized multi-party systems like blockchains can be categorized into (1) stateful systems and (2) stateless systems. 2 Stateful cash systems [8]- [12] and stateful data systems [13] must preserve everything, including spent coin bundles and stale data records. In these systems the entirety of each transaction is hashed and taken as an input for the cash system's verification. Therefore, removing records from stateful systems can lead to theft and inconsistent consensuses. 3 On the other hand, stateless systems allow secure optional deletion for spent coin records and old data records with the help of homomorphic cryptographic protocols like homomorphic commitments and homomorphic digital signatures. For example, stateless cash systems like Mimblewimble [15]- [17] and stateless data systems like Origami datachains [18] aggregate transactions by safely deleting spent coin bundles and stale data records.
There are two CT protocol classes: (1) Ring CT and (2) aggregate CT protocols. Stateful cash systems like [10] are built on Ring CTs [19]- [21] where transactions obfuscate true senders and receivers by mixing them with irrelevant participants, in an attempt to enhance privacy. Stateless cash systems depend on aggregable CTs [22] to safely trim spent coin records, also boosting privacy. We illustrate an example in Figure 1. Statistics [23] show that approximately 87% of coin records are spent. As a result, stateless cash systems based on aggregable CTs should be both private and scalable.
Additively homomorphic commitments can be added together without changing the committed values. Let there be two commitments of [v 1 , r 1 ] and [v 2 , r 2 ] with values (v 1 , v 2 ) and secret masks (r 1 , r 2 ). Then there is a public function which outputs a commitment of [v 1 + v 2 , r 1 + r 2 ] by adding those commitment without accessing their values or masks. The existing efficient CTs like Maxwell's CTs [22] use Pedersen commitments [24] which are inherently homomorphic with no bounds on the number of commitments that can be added. Due to the homomorphic properties of Pedersen commitments, ZK summation proofs can be implemented directly. However, being based on the Discrete-Log Problem (DLP), these protocols are vulnerable to quantum attacks.
Conjectured quantum-safe 4 substitutes for Pedersen commitments could be element-wise homomorphic 5 commitments based on the Short Integer Solution (SIS) problem, where the coin amount and the masking key are encoded as a ''short'' (i.e., low-norm) vector whose norm γ q against some fixed modulus q. For example, in [25], shortnorm vectors are [v, r 1 , r 2 ..] for some coin amount v and masking key [r 1 , r 2 ..]. However, the price of quantum-safety is often a combination of inefficiency and limitations on the number and values of commitments that can be added. For example, [25] works with lattice modulus q 2 64 · 10 6 for coin values in [0, 2 64 ) and up to 10 6 unspent coin bundles.
One tempting solution would be to commit to coin amounts as a binary expansion rather than an integer, i.e., as a short vector [b 0 , b 1 , .., b 63 , r 1 , r 2 , ..]) to signify v = 63 i=0 2 i b i . This would allow the use of a small modulus. However, we lose homomorphic properties since the resulting commitments are not globally but only element-wise homomorphic, incompatible with the direct implementation of ZK summation proofs. This is our approach, and we show how to make this work efficiently.

A. OUR CONTRIBUTION
We introduce the first Lattice-based Aggregable Confidential Transactions with binary commitments which are based on the SIS problem and the MSIS problem. Our CTs have the following properties.
• Confidentiality: Our CTs hide the coin amounts of all coin bundles except the coins from the coinbase. 6 • Scalability: We can aggregate any number of transactions by removing spent coin records. Hence the stateless cash systems built on our CTs are highly scalable.
• Efficiency: Our CTs always store coin amounts in their binary format. As a result, a smaller lattice modulus q can be used than when the direct values are stored, e.g., our MSIS-based CT modulus is 2 50 −2 14 +1 even though coin values are in [0, 2 64 ). Moreover, we implement a C library for our MSIS-CT protocol to experimentally determine the size reductions for different input and output rates. The results are stated in Table 1 for [input:output] proportions; [2:2], [2:3], and [2:4], i.e., for [x, y], the numbers for inputs and outputs are randomly chosen from [1, x] and [1, y], respectively. Note that we choose these proportions due to the average real-world [input:output] proportion being about 1.5 in Bitcoin [23].

1) ROADMAP
We explain the basic idea of our protocols in Section II and Section III without deep diving into Lattice-based Cryptography. Then we discuss related work in Section IV. Preliminaries such as commitments, digital signatures, and their security 4 Quantum-Safe a.k.a. Post-Quantum (PQ) is in the conjectured sense. 5 Homomorphism means that adding two commitments of [v, r 1 , r 2 , ..] and [v , r 1 , r 2 , ..] yields a commitment of [v + v , r 1 + r 1 , r 2 + r 2 , ..]. 6 The coinbase records the number of possible total coins minus the number of coins currently in circulation. properties are discussed in Section V. After that, we explain the expected security properties of aggregable transactions in Section VI and Section VII. Our SIS-based aggregable CT protocol and its security proofs are given in Section VIII and Section IX. Then we explain the MSIS-based aggregable CT protocol and its security proofs in Section X and Section XI. The MSIS-based CT implementation and its experimental results are discussed in Section XIII. Finally, we summarize the paper in Section XIV.

II. STATIC CARRIES
As we discussed before, lattice-based commitments are element-wise homomorphic, yet we want to commit the binary forms of coin values to reduce the lattice modulus. Making the task more complex, we want to remove spent coin records and still check the number of circulating coins in the system. In this section, we explain how to use the binary form of the coins while completing these tasks.
Our solution for ZK summation proof is to use the binary form of coin values with static carries.
when ÷ is the integer division, e.g., 3 ÷ 2 = 1. Note that each c * ∈ [0, u/2 ] and c 0 = c L = 0. The carries are the amounts that need to be carried from one column to the next when performing addition, as shown below for base 2.
We will explain our approach using a simple example. Here, we restrict the maximum number of inputs and outputs to 2 per transactions, i.e., transactions with 1 ⇒ 2, 2 ⇒ 1, 2 ⇒ 2 (inputs ⇒ outputs) are possible. Any other complex transaction can be accomplished using a combination of the above transactions. Hence, this restriction does not impact the cash system's practicality.
As shown in Figure 1, the aggregated cash system only has unspent coin bundles and transaction headers since the aggregation removes all spent coin bundles. Therefore, a stateless cash system has two tables, Ucoins for unspent coin bundles and Headers for transaction headers. At this stage, we only explain the correctness of element-wise additions, not the security, which will be added in the next section.
A. STEP 1: COINBASE ACCOUNT The initial cash system only has the coinbase in Ucoins where the coinbase has the maximum number of coins, S. We store the maximum coin amount in binary format. The coinbase account can transfer coins to other accounts as rewards, and the balance after the transaction will be stored in binary format. Note that these coins do not belong to any participant until they are awarded. Our supplying technique is different from typical cash systems, where they start with zero supply and keep adding supply coins to the system. However, we cannot use their method since we have to fix the circulating coins in the system. 7

B. STEP 2: TRANSACTIONS' ZERO-COIN GENERATION
When the t th transaction happens with input coins  1 and store them in the transaction header table. If the binary forms and carries correspond to a valid transaction, they will satisfy the following equation for all j ∈ [0, L): Here, ''|·|'' states the number of elements in an array, column, or rows of a table. Note that each c The novelty of our protocols is that we propose Equation (2) where we can verify the aggregated cash system's circulating coin amount without the spent coin bundles using. A valid state (Ucoins, Headers) will satisfy the following for all j ∈ [0, L): This follows by summing (1) over all transactions, noting that spent coins will be cancelled out.
These static carries have multiple advantages.
• Spent coin records can be removed from the system since Equation (2) does not need spent coin records. 7 The technical reason for fixing the initial coin supply (S) is that this way carries are static and previously computed carries will not need to be changed with new transactions. If the total coin of the cash system changes over time, we get volatile carries where previous carries are no longer valid. In that case, all the participants in the system have to join for all transactions even though they are not senders nor the receivers of that particular transaction, which makes the cash system impractical. MatRiCT [21] uses these volatile carries and cannot delete spent coin records freely.
• Only the parties involved in the transaction need to compute the carries since Equation (1) only takes the transaction's inputs, outputs, and carries.
• We easily enforce the carries to be in [0, 1], which will be useful for the range proof computation of the carries.
• No input (or output) carries need to be calculated if there is only one input (or output) since those carries are always zeros. This reduces transaction size and verification time drastically. We explain this by taking a simple example. Assume the maximum coin amount is 2 4 − 1 coins and L = 4. Note that we do not have to store c (t) 0,4 and c (t) 1,4 since they are zeros; however, we store them in these introductory sections to give a clear explanation.
Initially, only the coinbase has coins. From the example, we can see that spent coin bundles like Alice's 10 coins can be removed from the cash system without affecting the verifiability.

III. AGGREGABLE CONFIDENTIAL TRANSACTIONS
We now explain how our aggregable confidential transactions work by expanding the example used in Section II.

A. CONFIDENTIAL COIN BUNDLES
CTs store inputs and outputs as confidential coin bundles. Let coin(v, k) be a confidential coin bundle with v coins and masking key k. 8 Each coin(v, k) is a tuple of a commitment and the commitment's range proof given by: where bin(v) is a vector which represents v in base-2. 8 In lattice-based cryptography, masking keys are vectors. For simplicity of the explanation, we restrict it to a single element.
A commitment makes sure that the committed value and the masking key are hiding and binding. Here, binding means no one, including the creator of the commitment, can find another value and a masking key for the same commitment. range_proof(bin(v)) ensures that bin(v) is a valid binary vector for a number in the range [0, 2 L ).

B. CONFIDENTIAL CARRY PROOFS
We need the knowledge of carries to check the summation since coin bundles commit binary form of the coin amount. Therefore, CTs also contain carry proofs. Let carry(c, k) be a carry proof for some carry vector c = [c 0 , .., c L ], given by: Similar to coin bundles, carry proofs have range proofs to check whether c is a binary vector or not. Additionally, carry range proofs ensure that c 0 and c L are zero. Note that we commit [c j − 2c j+1 ] L−1 j=0 , not c, in carry proofs because our target is to perform arithmetic operations on commitments similar to Equation (1) and Equation (2).

C. DIGITAL SIGNATURES FROM ZERO VECTOR COMMITMENTS
We depend on digital signatures to show the knowledge of secret keys without revealing them. Let (k, pk(k)) be a secret key-public key pair, where the public key is a commitment of a zero vector such that pk(k) = commit([0, .., 0], k). We denote the signature of k as sig(k) where the message is empty. In our protocol, we make sure that a valid signature can be only created 9 if the committed value of the public key is a zero vector.
Let us explain the digital signature process at higher level. The signature scheme we explain here is a commonly used digital signature with Fiat-Shamir challenges [26]- [32] (see the complete protocol in Figure 3). The only difference is that we force all secret keys to have beginning zeros. First, the signer randomly chooses a signature mask key r. Then he/she creates the masking commitment Y = commit([0, 0, 0, 0], r). The Fiat-Shamir challenge x is created by hashing the public key, the masking commitment, and the message, i.e. x = hash(pk(k), Y, ε). Here, ε is the empty message. Then the signature is, sig(k) = (σ, x) = (r + xk, hash(pk(k), Y, ε)).
To verify the signature, first the verifiers check whether the norm of σ is less or equal to the hard problem's norm or not, e.g., σ ≤ γ for the SIS problem. Then the verifiers recreate Y = commit([0, 0, 0, 0], σ ) − xpk(k) 9 More accurately, it is computationally infeasible to create a valid signature for a public key with a non-zero vector due to a known hard problem like SIS or MSIS problems.  and check whether the hash challenge is the same or not by checking, Therefore, a valid signature sig(k) can be only created if pk(k) is a commitment to a zero vector.

1) TRANSACTION 1: ALICE RECEIVES 10 COINS FROM THE COINBASE
Recall that the coinbase sent 10 coins to Alice in the first transaction. Even though the received coin amount is public, Alice wants to make sure that her coins cannot be stolen. Therefore, she stores coins as a confidential coin bundle with a secret key. Let Alice's confidential coin bundles be coin(10, k A ) where k A is only known to Alice. To secure the confidential coin bundle, Alice sends a transaction tx 1 implying the knowledge of k A via a digital signature sig(k A ).
Here, public key pk(k A ) is the difference of output commitment summation and input commitment summation according to Equation (1)., i.e., Note that if a coin value is public, a commitment with a zero key is computed when computing the public key, allowing the verifiers to recreate the same commitment easily. Also, if a carry vector is all zeros, we do not need to compute its commitment; however, we include it to show the equivalence of the public key computation and Equation (1).
Upon receiving the transaction, the verifiers can recreate the public key pk(k A ) since all the details required are in the transaction. After that verifiers check whether the digital signature sig(k A ) is correctly generated for the public key or not. This signature shows 1) the knowledge of the aggregate secret key (k A ) since the public key was computed taking the commitments and 2) the transaction's zero-coin generation since the signature can be only created if its committed value of the public key is a zero vector.
Note that we do not need to include carry proofs in tx 1 since coin values are known to the public. Then the cash system aggregates tx 1 to itself. The state of the aggregated cash system is shown in in Figure 2. After the aggregation, we consider Alice has received coins. Now, Alice's coins are locked with the secret masking key k A .
2) TRANSACTION 2: ALICE SENDS 7 COINS TO BOB Alice sends 7 coins to Bob from her 10 coins. We denote the second transaction tx 2 below. Unlike the first transaction, they have to include carry proofs for outputs 10 to the second transaction since carries might reveal the hidden coin amounts. With the second transaction, Alice updates the secret mask of the balance to k A , Bob receives coins under the secret mask k B , and carries are hidden with k c 1 .
After receiving tx 2 , the verifiers check these; (1) the input coin bundle is in Ucoins, (2) the range proofs are correct for all inputs, outputs, and carries, and (3) the public key This signature prevents stealing the coins due to the need for k A . Also, verifiers use the signature to check that no coins were illegally generated during the transaction according to Equation (1) since a valid signature can be created only if the committed value of the public key is a zero vector.
Once the transaction is added to the cash system, we consider that Alice has sent coin, and Bob has received coins.

a: TRANSACTION CUT-THROUGH
If the cash system is stateful, it must preserve all coin bundles, including the spent coin bundles like coin(10, k A ). However, stateless cash systems allow optional deletion called ''cutthough'' or ''aggregation'' to remove spent coin bundles. Even after the aggregation, we can fully verify the cash system, i.e., the unspent coin bundles are not stolen, and their hidden coin amounts are equal to the supply coins. For example, we can check the cash system of Figure 2 s.t., following Equation (2). Here, commit([1, 1, 1, 1], 0) is the supply coin commitment with no keys and [0, 1, 0, 1] is the coinbase.
The cash system can remove spent coin records without affecting the verification since Equation (3) is independent from spent coin bundles, e.g., coin(10, k A ).

IV. RELATED WORK
We compare our contributions with other confidential transactions in Table 2. Typical transaction protocols like [8]- [12] preserve everything, including spent coin records since deletion breaks the public verification. For example, consensus mechanisms like Proof of Work and Proof of Stake, check 11 all spent and unspent coin records to prevent altering and stealing (which is known as immutability). 11 Each transaction is hashed and included in the Markle hash tree of a block. The entire transaction must be given to check the Merkle tree. Therefore, deletion is not an option for those cash systems.
The first aggregable transaction protocol [22] introduced a novel idea to allow public verification even after the transaction cut-through, which was later adapted for a cash system called Mimblewimble [15]. Unlike lattice-based CTs, these CTs [15], [17], [22], [35] enjoy the efficiency of the DL problem based range proofs [39]- [41] with no bounds. Unfortunately, these efficient transaction protocols are vulnerable to quantum adversaries due to the use of the DL problem.
Quantum-safe Ring Confidential Transactions [21], [36]- [38] are more private than typical Aggregable transactions due to the mixing. For example, the real sender is mixed with a set of other participants. The ownership of the coins is shown via a ring signature where the real sender can create signatures for other participants as well. However, these ring signatures prevent the transaction aggregation techniques. Aggregable Confidential Transactions do not provide mixing capabilities, yet hide coin amounts. Therefore, aggregable CTs are both scalable and private.
MatRiCT [21] is one of the most efficient quantum-safe Ring CT protocols since it also uses binary commitments similar to our protocols. 12 The downside of binary commitment is that ZK summation proof requires carry commitments if there is more than one input/output. Also, this limits the maximum number of inputs and outputs to 2, and other complex transactions should be divided into multiple transactions. However, from statistics [23], real-world transactions have average 1.5 outputs/input rate. Therefore, even dividing complex into multiple transactions is more efficient than having larger modulus like 2 196 in [37] (see more details in [21]).
Our confidential transactions also suffer from this limitation on the number of inputs and outputs. However, similar to [21], having binary commitments is more efficient than having large modulus like [25]. Moreover, our protocols are aggregable due to the static carries, unlike MatRiCT with volatile carries, which do not remove additional transactions' inputs. For example, assume a transaction of 2 ⇒ 3. Then we have to create two transactions of 2 ⇒ 2 and 1 ⇒ 2. Since [21] is stateful, they have to add 4 additional coin bundles (totally 6 coin bundles) while cash systems, based on our protocols, delete 2 coin bundles and only add 3 coin bundles. Therefore, our confidential transactions are more efficient and scalable than other quantum-safe confidential transactions due to aggregation and binary commitments.

V. PRELIMINARIES
We denote the ring of integers modulo q by Z q = Z/qZ, which is represented by the range [− q−1 2 , q−1 2 ] for an odd prime q. For an even q, the range is 12 The major differences are that they are not aggregable like our protocols and do not embed the coinbase to the cash system at the beginning. VOLUME 10, 2022 TABLE 2. Comparison of related work. Note that the root Hermite factor should be less than 1.0045 to achieve 128-bit security against the known attacks [33]. Here, ''unlimited'' means unlimited coin bundles, and ''C. Size'' is the size of a commitment in a coin bundle. coefficient is in Z q . We will often write a for both the vector and the corresponding polynomial.
We use simple bold letters like a for integer vectors and capital bold letters such as A for integer matrices. Similarly, a denotes a vector of polynomials, and A denotes a matrix of polynomials. The ith element of a vector a is a i or we can denote the entire vector as a = [a 0 , .., a n when a has n elements. Also, A = [A 0 , .., A m−1 ] when A has m vectors. We denote matrix multiplication as Aa when A's numbers of columns matches with a's number of elements. a b denotes the polynomial multiplication of a and b. Also, a a = a 2 . When x is an integer, xa denotes that every element in a is multiplied by x. xE a denotes that every polynomial in a is multiplied by x. We use ''+'', ''−'', and ''•'' for elementwise or polynomial-wise addition, subtraction, and multiplication respectively, i.e. a + b = [a 0 + b 0 , .., a n−1 ., a n−1 b n−1 ]. Sometimes, we use a 2 and a 2 for a • a and a • a, respectively.
The norms are defined as follows, a = max([|a i |] n−1 i=0 ), and a 1 = n−1 i=0 |a i |. The norms for a polynomial a are defined as follows, We use a ← S to denote a was sampled from S and a $ ← − S to denote a was uniformly sampled from S. a 0 , .., a m−1 ← S m denotes each a i is sampled from S. (λ) = 1/o(λ c ) is a negligible function which vanishes faster than any polynomial of degree c, ∀c ∈ N. We generally use pp (λ) to denote public parameters of some protocol with λ bits of security.
We use A to denote an adversarial algorithm. A is a stateful interactive algorithm, e.g., A step1 () and A step2 () denote the first step and the second step of the protocol, respectively. Since A is stateful, A can save information from the first step for the second step.
Definition 1 (Statistical Distance): Let X and Y be two random variables with range U . The statistical distance between X and Y is defined as, (X ,

Definition 2 (Short Integer Solution Problem (SIS)):
The advantage of an algorithm A solving a special instance of SIS n,m,q,γ after one execution is given by

Definition 3 (Module Short Integer Solution Problem (MSIS)):
The advantage of an algorithm A solving an special instance of MSIS n,m,q,γ ,N after one execution is given by,

A. COMMITMENTS OF SIS/MSIS PROBLEMS
The purpose of a commitment is to secretly publish some string and open it later to show it. Therefore, a commitment is hiding and binding, i.e., finding the committed string or finding a different value for the same commitment is difficult. We define a simple commitment scheme COM below.
We define the security properties of a generic COM below, Definition 4: COM is hiding and binding if

Game 4: Hiding
We state two commitment protocols; COM SIS and COM MSIS below.
Theorem 2: COM SIS is computationally hiding and computationally binding if solving SIS n,m,q,γ is at most (λ) after one execution.
Proof: Breaking the binding property of COM SIS directly solves the SIS problem. However, the computational hiding property is not directly visible. Our target is to show that there are at least 2 2λ different u for the same v over Z n q .

Protocol 2: MSIS Commitments
From Bertrand's postulate, we know there should be at least one prime p such that 2 ≤ 2 2λ/n < p < 2 4λ/n < q.
Recall from Theorem 1, this function f outputs an uniform distribution over Z n p for any v when τ satisfies the following: In other words, if τ satisfies Equation (4), there are at least 2 2λ different outputs for the same v over Z n p with an overwhelming probability since p > 2 2λ/n .
There are at least 2 2λ different u over Z n q as well since q > p, and the map of Z p → Z q is injective for prime numbers p and q. According to the init function of COM SIS , τ ≥ τ always satisfies Equation (5) s.t., since p < 2 4λ/n . Therefore, Adv HID, * COM,pp (λ,d) ≤ (λ) after one execution. Hence Theorem 2 is true, i.e. COM SIS is computationally hiding and computationally binding.
Theorem 3: COM MSIS is computationally hiding and binding if solving MSIS n,m,q,γ ,N is at most (λ) after one execution.
Proof: Any valid output of Game BND, * COM,pp (λ,d) is a solution to MSIS problem. Therefore, we move to the computational hiding property. Note that, q < 2 4λ nN . Therefore, there should be at least one prime p such that that outputs a uniform distribution over R n p . Provided that, according to Theorem 1. Since p > 2 2λ/nN and p < q, there will be at least 2 2λ different polynomials over R n q . VOLUME 10, 2022 According to the initialization function of COM MSIS , τ ≥ τ always satisfies Equation (6) because, when p < 2 4λ/nN . Therefore, Adv HID, * COM,pp (λ,d) is (λ) after one execution and COM MSIS is computationally hiding.

B. SIGNATURES WITH FIAT SHAMIR CHALLENGES
Next, we define digital signature schemes based on [26]- [32]. In this paper, we employ many-time signatures that are EUF-CMA (Existential Unforgeable under Chosen Message Attack) due to rejection sampling even though only one signature is created from the same key pair.
We state variations of [31], [32] in Figure 3. In these protocols, to reduce the size, the signature contains a hash challenge similar to [32] instead of the masking commitment (Y or y). y is around 9 KB when the hash challenge is 32 bytes in our MSIS-CT protocol.  for (n, m, q, γ , N ). (see details in [31])

VI. PROPERTIES OF CONFIDENTIAL COIN BUNDLES
Confidential coin bundles are special commitments accompanied by range proofs of the committed coin values. As discussed before, commitments contain mask keys, and we use these masks as the ownership of the coin bundles. For example, sending a coin bundle is equivalent to sending the masking key of the coin bundle to the receiver.
Let there be a confidential coin bundle scheme COIN.

Functionality 3: Confidential Coin Bundles
Here, mask is a secret mask(s), and L is defined in pp (λ,L) .
Once the coin bundle is generated, the coin value and mask should be binding, or no one (including the creator) should be able to come up with a different coin value and mask for the same coin bundle. As the name implies, coin bundles should be confidential, i.e., no algorithm should be able to distinguish the coin amount of the coin bundle. We capture this hiding property as follows.
We define knowledge soundness such that no p.p.t. algorithm can compute a valid coin bundle for an invalid coin value, i.e., the extracted coin value of E is not in [0, 2 L − 1].

Definition 9 (Knowledge Soundness): COIN is knowledge sound if
Adv KS,A COIN,pp (λ,L) = Pr Game KS,A COIN,pp (λ,L) () ≤ (λ). Note that extractors do not exist in real-world unless the public parameters have been tampered with trapdoor functions. These extractors are commonly used in zeroknowledge proofs or arguments to verify security. In this paper, we construct extractors based on the Generalized Forking Lemma [27] where the adversarial algorithm is rewound just before the challenge computation.

VII. PROPERTIES OF CONFIDENTIAL TRANSACTIONS
Confidential transactions contain input coin bundles, output coin bundles, and proofs to verify the ownership and zerocoin generation. Here, zero-coin generation ensures that input coin summation is equal to output coin summation. The ownership proofs (typically a multi-signature) are created by taking the inputs' and outputs' masking keys. Therefore, coin bundles cannot be stolen without the masking keys.
Recall the ownership of a coin bundle is its masking key. Therefore, once a recipient gets a masking key, he/she sends a transaction updating the masking key of the coin bundle.
Once the transaction is appended to the cash system, only the recipient knows the coin bundle's new masking key, and no one can steal coins, including the previous owner. Let CTx be a confidential transaction scheme for transactions with |in| inputs and |out| outputs.
We say CTx is complete if honestly generated confidential transactions can be publicly verified.

Game 9: Hiding
Game HID,A CTx,pp (λ,L) (|in|, |out|): Theft resistance of confidential transactions ensures that the given coin bundle cannot be spent without its secret mask. Here, we define a strong version of theft-resistance where the adversarial algorithm chooses the coin amount since the coin value is known in some cases, e.g., coinbase reward.

Game 10: Theft Resistance
return CTx.ver(pp (λ,L) , tx) coin ? ∈ tx.in Zero-coin generation of transactions means that no coins can be generated during a transaction. Here, the extractor E outputs the hidden coin amount of the coin bundle similar to the extractor of Definition 9.

VIII. AGGREGABLE CONFIDENTIAL TRANSACTIONS WITH GENERIC LATTICES
This section explains the confidential transaction protocol based on SIS problem when coin values are in [0, 2 L ). Concrete Protocols related to this section are stated in Figure 4, 5, 8 and 9.
As discussed before, coin bundles include range proofs to ensure that the committed value is in the valid range. If we have a method to prove some bit is either 0 or 1 then we can extend that method for all L bits since we commit the binary form of the coin values. First, we explain how to show a bit is 0 or 1 without revealing the bit.
Assume a prover P wants to hide b ∈ [0, 1] but wants to prove to a verifier V that b is definitely 0 or 1.
1) First, P chooses a random a.
2) P computes these commitments; u = commit ([b, 0], r) and t 1 = commit([0, a(2b − 1)], r 1 ) with some masks r, r 1 . Then P sends u and t 1 to V. 3) V chooses a random challenge x 1 and sends to P. ([x 1 a, a 2 ], r 2 ) with some mask r 2 . Then P sends the commitment t 2 to V 5) V chooses a random challenge x 2 and sends to P. 6) P sends z = bx 2 + a, R = x 2 (x 1 r + r 1 ) + r 2

4) t 2 = commit
If there is z = bx + a for some random a and challenge x, then when b is 0 or 1. Therefore, P can prove that b is indeed 0 or 1 without revealing b directly. Before proceeding, we define the range for a to be [−α, α] and the range of the challenge x 1 and x 2 to be [−χ , χ] when 0 < χ < α. Now, we can define the safe range for rejection sampling, i.e., z should be [−(α − χ), α − χ]; otherwise, z leaks information about b. If z is out of this range, we will reject the sample and start over. We use lazy sampling for a to reduce the number of rejections. For example, A similar approach should be applied to the masks as well. When r ∈ [−τ, τ ], r 1 ∈ [−τ 1 , τ 1 ] and r 2 ∈ [−τ 2 , −τ 2 ], we can define the safe range of R a [−(τ 2 −χ 2 τ −χ τ 1 ), (τ 2 − χ 2 τ − χ τ 1 )] when 0 < χ 2 τ + χ τ 1 < τ . We state these conditions in Figure 4.
We can see that the soundness error is 2 −(2χ) when x ∈ [−χ , χ]. Therefore, we repeat the interactions between P and V multiple times (ch ≈ log 2χ 2 2λ times) to reduce the soundness error to 2 −λ .
Aggregate CTs should hide all binary values and carries while ensuring other security properties like theft resistance and zero-coin generation. When we examine the structure of carries, we can see that proving the range of carries is similar to proving the coins' range. However, what we want to commit is not input carries (c 0 ) nor output carries (c 1 ) but [c 0,j − 2c 0,j+1 ] L−1 j=0 and [c 1,j − 2c 1,j+1 ] L−1 j=0 to check Equation (1) and Equation (2). Therefore, we commit [c 1,j − 2c 1,j+1 − c 0,j + 2c 0,j+1 ] L−1 j=0 as shown in Figure 7. As we discussed in Section III, a transaction should contain a carry proof for inputs and a carry proof for outputs. In our protocol, transactions have combined carry proofs where the input and output carry proof are combined into a single proof.
We create proof (or the header) of the transactions by combining the carry proofs and a multi-signature. A signature  (Z, R, u, T 1 , x 2 = hash(u, T 1 , T 2 )) with its T 2 and x 1 = hash(u, T 1 ).

FIGURE 7.
Carry proof structure of (Z 0 , Z 1 , R, u, T 1 σ is created for the aggregate masking key of the inputs', outputs', and carries' masks (see Step 44). Assume Alice wants to send coins to two receivers, Bob and Charles, and they have a secure communication channel where none of them can impersonate others. During the transaction generation, Alice should be able to hide the new mask from others, and the same goes for Bob and Charles as well. On the other hand, they have to show their knowledge of the masks to compute the multi-signature.
Therefore, each sender and receiver computes partial signatures separately with a signature mask in [−τ 3 , τ 3 ]. In the end, they aggregate partial signatures to compute the multisignature. We perform rejection sampling in Step 40 and Step 44 for partial signatures to make sure that partial signatures do not leak information. Therefore, the safe range for a partial signature is [−(τ 3 − χτ ), τ 3 − χτ ] (recall that coin masks are in [−τ, τ ]). In that way, they can hide the mask of the coin bundle from each other. Aggregated signatures are also subjected to rejection sampling because the knowledge of aggregate keys may leak the proof's masking key.
The protocol provides the following security measures.
• The sender, Alice, can stop the transaction by not sharing her signature.
• Bob (or Charles) cannot update the created transaction to steal Charles' (or Bob's) coins due to the challenge x 1 , i.e., changing any u of a coin bundles changes x 1 of that coin bundle.
• No sender or receiver can see or derive others' secret masks due to the rejection sampling on partial signatures. We define the concrete non-interactive confidential coin bundle scheme COIN in Figure 5 and our aggregate CT protocol CTx in Figure 8 and Figure 9. Here, ''non-interactive'' means that the prover(s) gets challenges from a hash function instead of the verifier, e.g., x 1 = hash(u, T 1 ) and x 2 = hash(u, T 1 , T 2 ) from Figure 6. Since we have a precise method to recompute challenges, we do not include T 2 in the coin bundle. Instead, we include x 2 and recompute T 2 using x 2 (see Step 33). At the end, we check whether the hash challenge x 2 is equal to hash(u, T 1 , T 2 ) or not. This method saves space since T 2 is a few kilobytes while x 2 is just 32 bytes.
We use a similar method for the carry proofs and the signatures as well. For example, the recomputable hash challenge of a signature is computed as x 0 = hash(pk, Y ). To save space, we include x 0 , not Y . During the signature verification, we recompute Y and check whether x 0 is equal to hash(pk, Y ) or not (see Step 92).
We illustrate the correctness in Figure 6 and Figure 7.

IX. SECURITY PROOFS FOR SIS PROBLEM BASED TRANSACTIONS
This section shows the security of our confidential coin bundles and confidential transactions.  We give the proof in a series of lemmas below. We should be able to verify and open the honestly generated confidential coin bundles as defined in Definition 6. Here, ''honestly generated'' includes (1) the coin value is in [0, 2 L ), (2) the commitment contains the correct binary form of the coin value, and (3) the random masks are chosen from the defined range. We directly see the opening of a coin bundle is correct. We show the correctness of verification function in Figure 6. Therefore, we conclude COIN SIS is complete. Proof: This proof has two parts; (1) Z statistically hides the coin amount, and (2) u, T 1 , T 2 are computationally hiding.
First, we prove that there is exactly one possible [a i ] ch−1 i=0 ∈ [−α, α] ch×L for any combination of (b, Z) and any x 2 . Since b j ∈ [0, 1], x 2,i ∈ [−χ , χ], and Z i,j ∈ [−α + χ, α − χ]; for j ∈ [0, L), Secondly, we show that u, T 1 is not equal to 0 L . In other words, when COM SIS is binding, A finds some (Z, R, u, T 1 , T 2 ) s.t. for each i ∈ [0, ch): We prove each security property of CTx SIS individually. We start with the completeness of CTx SIS . The completeness of CTx SIS states that the verification function accepts correctly generated transactions. Here, we focus on two verification functions; (1) proof-verification, which checks the range of the carries, and (2) transaction verification that checks whether total coin summation is zero or not. We visualize the correctness of CTx SIS in Figure 7.
Proof: If A steals coins without knowing the secret mask then we can use A in a simulation to break EUF-CMA of SIG SIS . Therefore, we claim that CTx SIS is theft resistant when SIG SIS is EUF-CMA.
Lemma 5: CTx SIS is computationally hiding when COM SIS is computationally hiding.
Proof: We claim that carry proofs are hiding similar to the confidential coin bundles since (1) the smallest random mask τ satisfies the condition; (m − 3L) log(2τ ) ≥ 6λ, and (2) any pair of (Z 0 , Z 1 ) statistically hides the input carries and output carries due to the rejection sampling. n, m, q, γ ), and ch log(2χ) ≥ 2λ.

Lemma 6: Breaking CTx SIS 's zero coin generation property is computationally infeasible if
Proof: Let there be a p.p.t. algorithm A that breaks the zero coin generation property when COIN SIS is knowledge sound, and SIG SIS is EUF-CMA. Assume the extractor E of such that, Here, we assume COIN SIS is knowledge sound. We can replace coin values with their binary forms ( and their real carries (c 0 , c 1 Note that there are two verification steps; checking (1) the zero coin summation and (2) signature verification. If A creates a valid transaction then one of the following scenarios can happen.

X. AGGREGABLE CONFIDENTIAL TRANSACTIONS WITH IDEAL LATTICES
As we saw in CTx SIS , we have to repeat the process multiple times to reduce the soundness error. Therefore, the overall size of the coin bundles and carry proofs rapidly increases with the number of challenges.
As a solution, we introduce a new aggregate confidential transaction protocol based on the MSIS problem. This protocol uses a single challenge polynomial chosen from a large space and does not need to repeat the same process multiple times. We choose challenge polynomials from C N β,1 with exactly β number of ±1 and N − β number of zeros. Therefore, there are N β · 2 β possible challenges. We can achieve a negligible soundness error by setting N β · 2 β ≥ 2 2λ as shown in Step 17 of Figure 10. Other related protocols are explained in Figure 11, 13, and 15.
This protocol also commits the binary form of the coin value in confidential coin bundles. Since coin bundles require range proofs, first, we explain a method to show a bit is 0 or 1 without revealing it. Later we expand this method for L number of bits. Assume a prover P wants to hide the VOLUME 10, 2022 FIGURE 11. Confidential coin bundles based on MSIS problem.
ith bit b i but wants to prove to a verifier V that b i is definitely 0 or 1. Here, we commit the ith bit as a polynomial of b = [0 i−1 , b i , 0 N −i ] which we denote as rot(b i , i) through out the paper (see Figure 11).
The interactive range proof protocol works as follows. 1) First, P chooses a random small polynomial a.
3) V chooses a random challenge x 1 and sends to P. 4) P computes t 2 = commit ([ x 1 a, a a], r) with some mask r 2 . Then P sends the commitment t 2 to V. 5) V chooses a random challenge x 2 and sends to P. 6) P sends z = b x 2 + a, R = x 2 ( x 1 r + r 1 ) + r 2 to V.
If there is z = b x + a for some a and challenge x, then when b is 0 or 1. Therefore, P can prove that b i is indeed 0 or 1 without revealing b i directly.
We commit the binary form b = bin(v) of the coin amount v when v = L−1 i=0 2 i b i . First we choose random a i and create z i = x 2 rot(b i , i) + a i for each b i . Note that the secure range for z is [−(α − 1), α − 1] to prevent information leakage. Therefore, we perform rejection sampling for z and start over if z is out of the range. To increase the acceptance rate, we use ''lazy sampling'' where, MSIS confidential transactions contain carry proofs since confidential coin bundles commit binary forms of the coin values. These carry proofs commit [c 1,j − c 0,j − 2(c 1,j+1 − c 0,j+1 )] L j=0 when the input carry vector and output carry vector are c 0 and c 1 , respectively. Therefore, we can check the summation of inputs and outputs following Equation (1). Not only that, carry proofs need range proofs to make sure that carries are binary vectors. For that, we create a single range proof for both input carries and output carries, which we call ''an aggregated range proof''. We illustrate the structure of carry proofs in Figure 13.
The theft resistance of a transaction comes from a multisignature. As we explained in Section III, we use the masks of input commitments, output commitments, input carry commitment, and output commitment (if available) to compute the secret key of the whole transaction. Since senders and receivers want to hide their secret keys from each other, they create partial signatures with rejection sampling. Then they aggregate all partial signatures to create the multi-signature. In that way, they can hide their masking keys and yet create a valid multi-signature.
We state the complete non-interactive confidential coin bundle protocol in Figure 11 and non-interactive confidential transaction protocol in Figure 14 and 15. Also, we illustrate the correctness of the protocol in Figure 12 and Figure 13. Since our protocols are non-interactive, or the challenges are computed from a hash function, we can recreate them. Using this property, we do not include t 2 vectors of both coin bundles and carry proofs. Instead, we include x 2 and recompute t 2 . As a result, we can save significant amount of space, e.g., a vector of t 2 is 9.6 KB while x 2 is 32 bytes in our MSIS-CTx implementation. The same technique is used for signatures as well where we include x 0 , not y.   ( z, r, u, t 1 u, t 1 , , x 2 = hash( u, t 1 , t 2 )) with its t 2 and x 1 = hash( u, t 1 ).

XI. SECURITY PROOFS FOR MSIS PROBLEM BASED TRANSACTIONS
We start with proving the confidential coin bundles' security. Then, we prove the security of confidential transactions. The completeness of coin bundles states that honestly generated coin bundles are always valid. In other words, for coin amounts in [0, 2 L ), the generation function should output a coin bundle that will be accepted by the verification function. We conclude that COIN is complete since the verification is equivalent to the generation as shown in Figure 12. Recall that each z i is in [−(α − 1), (α − 1)] N and x 2 = 1. As a result, there exists a valid a i ∈ [−α, α] N for any b ∈ [0, 1] because,

A. SECURITY OF CONFIDENTIAL COIN BUNDLES
Therefore, we claim z statistically hides the coin amount.
Recall that the smallest random mask τ satisfies the condition; (m − 3)N log(2τ ) > 6λ. If A breaks the hiding property then we can simulate A to break the hiding property of COM MSIS when d = 3. Therefore, we claim COIN MSIS is computationally hiding if COM MSIS is computationally hiding.
Lemma 9: Breaking knowledge soundness of COIN MSIS is computationally infeasible if COM MSIS is binding, and MSIS pp λ is hard for pp λ = (n, m, q, γ , N ). with a non-negligible probability when COM MSIS is binding. Then A creates a coin bundle for an invalid b such that First, we prove that x 2 2 cannot be a zero polynomial because the first coefficient of x 2 2 is always equal to β. Therefore, h should be a zero polynomial. Also, s is not equal to 0 m since b is not a valid binary polynomial. Therefore, s is a solution to MSIS problem. We reduce A's probability of winning Game KS,A COIN,pp (λ,L) to, 3) after one execution. Finally, we conclude Lemma 9 is valid or COIN MSIS is knowledge sound. First we show that CTx is complete by proving that the carry proofs' verification and coin summation verification are correct. We illustrate the correctness of CTx in Figure 13.
Proof: Suppose A spends the coin bundle after creating a valid transaction. Then, we can simulate A to break EUF-CMA of SIG MSIS since A creates the signature without knowing the secret mask. Therefore, we claim that CTx is theft resistant when SIG MSIS is EUF-CMA.
Lemma 11: CTx MSIS is computationally hiding when COM MSIS is computationally hiding.
Proof: Similar to COIN MSIS , we claim that carry proofs are computationally hiding since (1) the smallest random mask τ satisfies the condition of (m − 3)N log(2τ ) ≥ 6λ, and (2) any pair of ( z 0 , z 1 ) statistically hides the input carries and output carries.
We can replace the extracted coin values with their binary forms and real carries; for j ∈ [0, L), We can reduce A's advantage to the following three scenarios. (9) From carry proof verification in Step 89, we know that

1) Due to the signature verification in Step 91, A finds
Since x 2 2 cannot be a zero polynomial, E h is 0 n .
3) A breaks the knowledge soundness of COIN MSIS . In both scenarios, A's advantage is, CTx,pp (λ,L) ≤ Adv MSIS,A pp λ +Adv KS,A COIN,pp (λ,L) + Adv EUF,A SIG,pp λ . Therefore, we claim that CTx MSIS holds zero coin generation property when the MSIS problem is hard, and COIN MSIS is knowledge sound.

XII. TRANSACTION AGGREGATION
This section explains transaction aggregation process for both CTx SIS and CTx MSIS . Then we prove the security of the aggregated cash system. Once the cash system receives a new transaction, it verifies the transaction. If the transaction is valid, then the inputs are in the unspent coin table. Next, the cash system removes those inputs from the unspent coin table and adds new transaction outputs to the table. Also, the cash system adds the number of inputs, the number of outputs, and the proof to the header table. This aggregation preserves cash systems verification due to Equation (2). We state the transaction aggregation and the verification of the aggregated cash system in Figure 16.
Let ACS be an aggregable cash system with the following properties. Here, we consider two tables (Ucoins, Headers) as a cash system. add tx to (Ucoins, Headers) and return the updated tables.
ACS is expected to have these security properties after the aggregation; completeness, theft resistance, and zero-coin generation.
The completeness of the aggregate cash system states that the aggregation of honestly generated transactions always outputs a valid cash system. Let G be a valid random transaction generator. These transactions can be rewards or spending of existing unspent coin bundles. We capture the completeness as follows.

Definition 14 (Completeness): ACS is complete if,
Pr random_cash_system(pp (λ,L) , t) ≥ 1. Theft resistance of an aggregable cash system ensures that unspent coin bundles cannot be spent without their secret masking keys. We allow the adversarial algorithm to generate the cash system for stronger theft resistance. Then we ask the algorithm to transfer a coin bundle coin to us by computing a new transaction. In the new transaction, the algorithm chooses all parameters except the masking key mask of coin . After adding the transaction, we ask the algorithm to update the cash system by spending the coin bundle without mask . If the updated cash system is valid and the coin bundle is not in the unspent coin table, the algorithm wins the game.
This strong theft resistance considers a environment where everyone is dishonest, except the coin bundle's owner. By allowing the algorithm to choose parameters for the transaction, we let the coin sender be dishonest as well,  Zero-coin generation of cash system states that no coins can be generated during the transaction aggregation. Note that the extractor E outputs the coin amount of the confidential coin bundle. Due to the zero-coin generation, the extracted unspent coins are equal to the original supply.

Definition 16 (Zero-Coin Generation of Aggregate Cash Systems): An aggregate Cash System ensures zerocoin generation property if
Adv ZCG,A ACS,pp (λ,L) = Pr Game ZCG,A ACS,pp (λ,L) () ≤ (λ). We state aggregable cash systems ACS SIS and ACS MSIS that are compatible with CTx SIS and CTx MSIS , respectively, in Figure 16.  Proof: Let there be an algorithm A that wins the theftresistance game. Then, we can simulate A to break one of the above properties. Therefore, we can reduce A's advantages such that Adv TR,A ACS SIS ,pp (λ,L) is,

XIII. IMPLEMENTATION OF MSIS CONFIDENTIAL TRANSACTIONS
We implement COIN MSIS and CTx MSIS protocols using the C language targeting root Hermite factor δ = 1.004. It is widely believed that δ ≤ 1.0045 is sufficient to withstand known attacks of any chosen security level [33] (we chose λ = 128).
We always work with coin values in [0, 2 64 ) and polynomial space R q = Z q [X ]/[X 256 + 1]. We state the parameters used for the implementation in Table 3. Note that the challenges are taken from the ''hashing to a ball'' method where the hash function is SHAKE-256 [43]. We only use uniform distributions for secret vectors and do not use any Gaussian distributions making it easy to secure against side channel attacks.
We use two polynomial multiplication methods. 1) Generic polynomial multiplication using Number Theoretic Transform (NTT) on 64 bit signed integers similar to [44], and 2) An easy multiplication for polynomial of rot(). Recall that we chose q to have 512-th root of unity 13 r (mod q). Therefore, X 256 + 1 splits into linear factors X − r i (mod q) with i = 1, 3, 5, .., 511. As a result, Z q [X ]/(X − r i ) ∼ = Z q (the Chinese remainder theorem). We can easily transform the polynomials in R q to i Z q [X ]/(X + r i ) using the Fast Fourier Transform (or NTT since our field is finite) which we denote as, a → (a(r), a(r 3 ), a(r 5 ), .., a(r 511 )) R q → i Z q [X ]/(X + r i ) Since At this stage, polynomial multiplication is point-wise. Note that natural NTT implementation does not output a(r) directly. Therefore, following [45], NTT( a) = (a(r brv(128+i) ), a(−r brv(128+i) )) 127 i=0 when brv is the bit-reversal algorithm. Now, we can denote a b = NTT −1 (NTT( a) • NTT( b)) where • is the point-wise multiplication. We use Cooley-Tukey butterflies for the forward transform [46], Gentleman-Sande butterflies for the inverse-transform [47], and Montgomery point-wise multiplications [48]. Our second multiplication is for polynomial formed from rot(). Recall that a = rot(j, i) outputs a polynomial such that a i = j and other coefficients are zero. Therefore, we simply multiply all coefficient of b by j, change signs of the coefficients after the ith index, and rotate i times to get a b.

A. BENCHMARKS
We run benchmarks for different average input and output rates; [2:2], [2:3], and [2:4] since the statistics show that the average input and output rate is [2:3]. We uniformly choose input sizes from [1, x] and output sizes from [1, y] when the rate is [x : y]. For the benchmarks, we use SQLite3 [49] as the database of the cash system. When we measure the size of the cash system, we actually measure the size of the database. The measured size of the cash system is slightly higher than the theoretical size due to the identifiers and index tables used for faster searching. Also, we transfer 2000 coins from the coinbase per 10 transactions. Therefore, 2 million coins circulate in the system at the end of each benchmark.
First, we check what happens when we limit the maximum number of inputs and outputs to 2. We use, ''original transactions'' for any real transaction with average  [input:output] proportions. Later we separate them into the transactions of maximum 2 inputs and 2 outputs which we call ''LACTX transactions''. Figure 18 shows the number of LACTX transactions when the numbers of inputs and outputs of original transactions are chosen uniformly with average input and output rates; [2:2], [2:3], and [2:4].
Next, we check the cash systems' size reductions after the aggregation. Figure 19 shows the cash systems' sizes before and after the transaction aggregation. According to the figure, we see that all input and output rates have significant size reductions even if the LACTX transactions are limited to 2 inputs and 2 outputs.
We check the verification times of the aggregated cash systems. We use an i7-1065G7 CPU @1.30GHz to measure verification times. From Figure 20, we see that the average input-output rate affects the verification time. However, the verification time is shorter after the aggregation since there are no spent coin bundles.
Finally, we show the space savings of our aggregate cash systems for different input and output rates in Figure 21. Here, space saving is computed as, spacesaving = size−aggregated_size size ×100%

XIV. CONCLUSION
Post-quantum zero-knowledge (PQ-ZK) protocols from lattices have a potential for unrivalled security and privacy, but, in such massively multi-party systems as cryptocurrencies, they tend to be less practical than their quantum-vulnerable discrete-logarithm counterparts. To reconcile the appeal of post-quantum security and confidentiality with the need for efficiency and scalability in truly decentralized cash systems, we introduce two efficient lattice-based aggregable confidential transaction (CT) protocols that respectively rely on the (plain) SIS and (ring-like) MSIS lattice problems. We use them to construct a stateless or histoty-free efficient blockchain-based cash system, where old coin records can be safely deleted once spent. Our protocols achieve a higher efficiency through the use of commitments in binary form, while retaining the ability to perform correct arithmetic in zero-knowledge through the judicious use of carries. Our experiments with our MSIS-based CT implementation show 40%-54% size reductions from ZK transaction aggregation.