Bitcoin
• Decentralized currency w/ quick adoption.
• No need to establish business relations between banks, merchants and regulators.
• To pay, just sign “from A to B: amt 4.3”.

LEDGER
From  To  Amt  Sign
⋮
A     M   10   σ_A
M     N   2.3  σ_M
A     B   4.3  σ_A

Micropayments on Bitcoin?

Pass-Shelat (CCS 2015)
• Probabilistic payments for Bitcoin.
• Solves problem 1: Amortized tx fee.
• Solves problem 2: Quick confirmation.

Problem 3: Lack of Anonymity
• Sender, receiver, amount are all public.
• Consequences:
  • No fungibility.
  • No privacy (especially bad for micropayment apps).

Zerocash (Oakland 2014)
• Anonymous Bitcoin-like currency.
• Solves problem 3: Hides sender, receiver and amount.

Goal
Micropayments that are: decentralized (for ease of deployment), anonymous (for fungibility, etc.), and offline (for fast response).

Contributions
1. Definition of cryptographic primitive via ideal functionality.
2. Construction under standard crypto assumptions.
3. Techniques: we use two tools:
   • translucent crypto: new fractional message transfer protocol. (probabilistic)
   • game theory: characterization of double-spending.

Probabilistic Payments
Alice "pays" Bob $0.01 with a $1 coin:
• w.p. 99/100: nullpayment (Alice wins); the $1 stays with Alice.
• w.p. 1/100: macropayment (Bob wins); the $1 goes to Bob.

Probabilistic payments imply micropayments:
• Transaction fee is amortized over many payments.
• Nullpayments are offline and do not require interaction with payment network.

Building Blocks

Pass-Shelat: coin-flipping + Bitcoin
1. Alice escrows v.
2. Alice and Bob engage in coin-flip.
3. If Alice wins: she can reuse escrow.
4. If Bob wins: he gets v.

Ledger
From  To  Amt  Sign
⋮
M     N   2.3  σ_M
A     M   10   σ_A
A     E   4.3  σ_A
E     B   4.3  σ_E

Zerocash: zero knowledge proofs + Bitcoin
Keys: Alice pk_A, sk_A; Bob pk_B, sk_B.
1. Alice owns coin c_1 with comm cm_1.
2. To pay Bob, Alice:
   a) derives sn_1 from c_1 and sk_A.
   b) creates new coin c_3 with comm cm_3.
   c) creates ZK proof π_3 for above.
   d) appends tx = (sn_1, cm_3, π_3).
Cannot link sn_1 with cm_1 without sk_A.

Ledger
Old      New   Proof
⋮
8436378  cm_1  π_1
6327690  cm_2  π_2
sn_1     cm_3  π_3
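
The coin-flip step in the Pass-Shelat column, with the 99/100 vs 1/100 split from the Probabilistic Payments slide, sketched as a generic commit-reveal exchange. This is an added example, not code from the slides or from the Pass-Shelat paper; the function names, the SHA-256 hash commitment and the "sum mod 100 equals 0" outcome rule are assumptions.

```python
import hashlib
import hmac
import secrets
from fractions import Fraction

ODDS = 100            # Bob wins 1 time in ODDS (w.p. 1/100 on the slide)
MACRO = Fraction(1)   # macropayment size in dollars ($1 on the slide)

def commit(value: int, nonce: bytes) -> bytes:
    """Hash commitment to a value in [0, ODDS); the random nonce hides it (assumed scheme)."""
    return hashlib.sha256(nonce + value.to_bytes(2, "big")).digest()

def verify_opening(commitment: bytes, value: int, nonce: bytes) -> bool:
    """Alice checks Bob's opening before she accepts the outcome."""
    if not 0 <= value < ODDS:
        return False
    return hmac.compare_digest(commitment, commit(value, nonce))

def bob_wins(r_alice: int, r_bob: int) -> bool:
    """Assumed outcome rule: macropayment iff the combined value is 0."""
    return (r_alice + r_bob) % ODDS == 0

def flip(r_alice: int, r_bob: int, nonce: bytes, cheat_to=None) -> str:
    """One flip: Bob commits, Alice answers in the clear, Bob opens."""
    c = commit(r_bob, nonce)                    # 1. Bob -> Alice: commitment
    # 2. Alice -> Bob: r_alice, chosen without seeing r_bob
    opened = r_bob if cheat_to is None else cheat_to
    if not verify_opening(c, opened, nonce):    # 3. Bob -> Alice: opening
        return "abort"                          # Bob tried to change his value
    return "macropayment" if bob_wins(r_alice, opened) else "nullpayment"

def win_probability(r_bob: int) -> Fraction:
    """Exact chance Bob wins when Alice is uniform, for any fixed r_bob."""
    wins = sum(bob_wins(a, r_bob) for a in range(ODDS))
    return Fraction(wins, ODDS)

def expected_payment(r_bob: int) -> Fraction:
    """Expected transfer per flip: macropayment size times win probability."""
    return MACRO * win_probability(r_bob)

if __name__ == "__main__":
    nonce = secrets.token_bytes(32)
    print(flip(secrets.randbelow(ODDS), secrets.randbelow(ODDS), nonce))
    print(expected_payment(7))
```
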

Naive Attempt: PS + Zerocash
1. Alice escrows v in a Zerocash transaction.
2. Alice and Bob engage in coin-flip.
3. If Alice wins: she can reuse escrow.
4. If Bob wins: he gets v.

Ledger
Old      New   Proof
⋮
8436378  cm_1  π_1
6327690  cm_2  π_2
sn_1     cm_3  π_3
sn_3     cm_4  π_4

Major Issues:
• Linkability
• Double Spending

Problem 1: Linkability
• To amortize transaction fees, Alice has to reuse escrow.
• Bob always learns serial number of escrowed coin.
• Can track Alice when she spends coin w/ others.
• Further attacks lead to loss of most privacy.
(Diagram: ledger with escrow transaction tx_1; Bob holds sn; later transactions tx with tx ∋ sn.)

Solution: Make sn translucent
1. Creates tx, but doesn’t append to ledger. Instead, commits to it and generates ZK proof of correctness: c = COMM(tx_3).
2. Sends commitment & proof (c, π) to Bob.
3. Alice and Bob attempt to open the commitment probabilistically (prob. opening):
   • w.p. 1-p, Nullpayment: Alice can spend coin again, but Bob learns nothing about the coin!
   • w.p. p, Macropayment: Bob gets tx and learns serial number.
(Diagram: ledger holds tx_1, tx_2; tx_3 appears on macropayment.)

Fractional Message Transfer
• Fractional hiding: w.p. 1-p, Bob learns nothing about message.
• Fractional binding: Bob can always open with probability p.
(Diagram labels: "Wants fractional hiding", "Wants fractional binding".)

Problem 2: Double-Spending
Malice can use the same coin in multiple payments in parallel.
(Diagram: COMM(tx) sent twice; ledger: ⋮, tx_1, tx_2.)
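
A toy ledger showing why the serial-number check from the Zerocash column (tx = (sn, cm, π)) does not by itself stop the parallel double-spend described above: nothing reaches the ledger until a macropayment is collected. This is an added example, not code from the slides or from Zerocash; HMAC-SHA256 as the PRF, the hash commitment, the omitted ZK proof, the second merchant "Carol" and all key and coin values are constructed assumptions.

```python
import hashlib
import hmac

def serial_number(sk: bytes, coin_id: bytes) -> bytes:
    """sn derived from the coin and the owner's secret key.
    HMAC-SHA256 is a stand-in PRF (assumption): without sk, sn cannot be tied to the coin."""
    return hmac.new(sk, b"sn|" + coin_id, hashlib.sha256).digest()

def coin_commitment(coin_id: bytes, r: bytes) -> bytes:
    """cm: hash commitment to a coin, published when the coin is created."""
    return hashlib.sha256(r + coin_id).digest()

class Ledger:
    """Append-only ledger of (sn, cm) rows; the ZK proof column is omitted here."""
    def __init__(self):
        self.commitments = set()
        self.spent = set()

    def mint(self, cm: bytes) -> None:
        self.commitments.add(cm)

    def append(self, sn: bytes, new_cm: bytes) -> bool:
        """Accept a spend only if its serial number has never appeared before."""
        if sn in self.spent:
            return False
        self.spent.add(sn)
        self.commitments.add(new_cm)
        return True

def offline_check(ledger: Ledger, sn: bytes) -> bool:
    """All a merchant can verify without a ledger write: sn is not spent yet."""
    return sn not in ledger.spent

def parallel_double_spend():
    """Constructed scenario: one escrowed coin offered to two merchants at once."""
    ledger = Ledger()
    sk, coin = b"constructed-sk-malice", b"constructed-coin-1"
    ledger.mint(coin_commitment(coin, b"r1"))
    sn = serial_number(sk, coin)
    cm_bob = coin_commitment(b"coin-for-bob", b"r2")
    cm_carol = coin_commitment(b"coin-for-carol", b"r3")
    # Both merchants run the offline check before any transaction is appended.
    offline = (offline_check(ledger, sn), offline_check(ledger, sn))
    # Both later win their flips and try to collect; only the first append succeeds.
    online = (ledger.append(sn, cm_bob), ledger.append(sn, cm_carol))
    return offline, online

if __name__ == "__main__":
    print(parallel_double_spend())
```
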