Decentralized Anonymous Micropayments

Alessandro Chiesa, Matthew Green, Jingcheng Liu, Peihan Miao, Ian Miers, Pratyush Mishra
http://eprint.iacr.org/2016/1033

Digital Payments (diagram: Customer, Payment Network, Merchant)


  3. Bitcoin
     • Decentralized currency w/ quick adoption.
     • No need to establish business relations between banks, merchants and regulators.
     • To pay, just sign "from A to B: amt 4.3".
     Ledger (From, To, Amt, Sign): (A, M, 10, σ_A); (M, N, 2.3, σ_M); (A, B, 4.3, σ_A)

     Micropayments on Bitcoin?
     Pass-Shelat (CCS 2015)
     • Probabilistic payments for Bitcoin.
     • Solves problem 1: Amortized tx fee.
     • Solves problem 2: Quick confirmation.
     Problem 3: Lack of Anonymity
     • Sender, receiver, amount are all public.
     • Consequences: No fungibility. No privacy. (especially bad for micropayment apps)
     Zerocash (Oakland 2014)
     • Anonymous Bitcoin-like currency.
     • Solves problem 3: Hides sender, receiver and amount.

  14. Goal
      Micropayments that are:
      • decentralized (for ease of deployment),
      • anonymous (for fungibility, etc.), and
      • offline (for fast response).

      Contributions
      1. Definition of cryptographic primitive via ideal functionality.
      2. Construction under standard crypto assumptions.
      3. Techniques: we use two tools:
         • translucent crypto: new fractional message transfer protocol (probabilistic).
         • game theory: characterization of double-spending.

  28. Probabilistic Payments
      Alice "pays" Bob $0.01 with a $1 coin:
      • w.p. 99/100: nullpayment (Alice wins).
      • w.p. 1/100: macropayment of $1 (Bob wins).

      Probabilistic payments imply micropayments:
      • Transaction fee is amortized over many payments.
      • Nullpayments are offline and do not require interaction with payment network.

  44. Building Blocks

      Pass-Shelat: coin-flipping + Bitcoin
      1. Alice escrows v.
      2. Alice and Bob engage in coin-flip.
      3. If Alice wins: she can reuse escrow.
      4. If Bob wins: he gets v.
      Ledger (From, To, Amt, Sign): (M, N, 2.3, σ_M); (A, M, 10, σ_A); (A, E, 4.3, σ_A); (E, B, 4.3, σ_E)

      Zerocash: zero knowledge proofs + Bitcoin
      Alice holds (pk_A, sk_A); Bob holds (pk_B, sk_B).
      1. Alice owns coin c_1 with comm cm_1.
      2. To pay Bob, Alice:
         a) derives sn_1 from c_1 and sk_A.
         b) creates new coin c_3 with comm cm_3.
         c) creates ZK proof π_3 for above.
         d) appends tx = (sn_1, cm_3, π_3).
      Cannot link sn_1 with cm_1 without sk_A.
      Ledger (Old, New, Proof): (8436378, cm_1, π_1); (6327690, cm_2, π_2); (sn_1, cm_3, π_3)

  51. Naive Attempt: PS + Zerocash
      1. Alice escrows v in a Zerocash transaction.
      2. Alice and Bob engage in coin-flip.
      3. If Alice wins: she can reuse escrow.
      4. If Bob wins: he gets v.
      Ledger (Old, New, Proof): (8436378, cm_1, π_1); (6327690, cm_2, π_2); (sn_1, cm_3, π_3); (sn_3, cm_4, π_4)

      Major Issues:
      • Linkability
      • Double Spending

  57. Problem 1: Linkability
      • To amortize transaction fees, Alice has to reuse escrow.
      • Bob always learns serial number of escrowed coin.
      • Can track Alice when she spends coin w/ others.
      • Further attacks lead to loss of most privacy.
      (Diagram: ledger with tx_1 ∋ sn and later transactions; escrow with serial number sn.)

  68. Solution: Make sn translucent
      1. Creates tx, but doesn't append to ledger. Instead, commits to it, c = COMM(tx_3), and generates ZK proof of correctness.
      2. Sends commitment & proof (c, π) to Bob.
      3. Alice and Bob attempt to open the commitment probabilistically.
         • w.p. 1-p, Nullpayment: Alice can spend coin again, but Bob learns nothing about the coin!
         • w.p. p, Macropayment: Bob gets tx and learns serial number.

      Fractional Message Transfer
      • Fractional hiding: w.p. 1-p, Bob learns nothing about message.
      • Fractional binding: Bob can always open with probability p.
      (Diagram labels: "Wants fractional hiding", "Wants fractional binding"; ledger with tx_1, tx_2, tx_3.)

  72. Problem 2: Double-Spending
      Malice can use the same coin in multiple payments in parallel.
      (Diagram: two copies of COMM(tx); ledger with tx_1, tx_2.)
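
The coin-flip step behind the "Probabilistic Payments" and Pass-Shelat slides above, as an added example that is not code from the slides or the paper: a toy hash commit-reveal lottery in which Bob wins a $1 macropayment with probability 1/100, so he receives about $0.01 per payment while only winning payments reach the ledger. The function names, the SHA-256 commitment and the 16-byte randomness are assumptions of this sketch; it is neither Pass-Shelat's protocol nor the fractional message transfer construction.

```python
import hashlib
import secrets

P_DENOM = 100       # Bob wins with probability 1/100, as on the slide
MACRO_CENTS = 100   # a macropayment is worth $1

def commit(value: bytes, nonce: bytes) -> bytes:
    """Hash commitment to `value`; the random nonce hides it until opening."""
    return hashlib.sha256(nonce + value).digest()

def verify_opening(c: bytes, value: bytes, nonce: bytes) -> bool:
    """Bob's check that Alice opened the commitment she actually sent."""
    return secrets.compare_digest(c, commit(value, nonce))

def bob_wins(r_alice: bytes, r_bob: bytes) -> bool:
    """Joint coin derived from both inputs; neither side controls it alone."""
    joint = hashlib.sha256(r_alice + r_bob).digest()
    return int.from_bytes(joint, "big") % P_DENOM == 0

def pay_once() -> bool:
    """One probabilistic payment. Returns True on a macropayment (Bob wins)."""
    # 1. Alice picks randomness and sends Bob only the commitment c.
    r_a, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    c = commit(r_a, nonce)
    # 2. Bob answers with his own randomness, chosen without knowing r_a.
    r_b = secrets.token_bytes(16)
    # 3. Alice opens; Bob rejects any opening that does not match c.
    if not verify_opening(c, r_a, nonce):
        raise ValueError("opening does not match commitment")
    return bob_wins(r_a, r_b)

def simulate(n_payments: int) -> dict:
    """Run many payments and report what reaches the ledger."""
    wins = sum(pay_once() for _ in range(n_payments))
    return {
        "payments": n_payments,
        "ledger_txs": wins,  # nullpayments stay offline
        "cents_received": wins * MACRO_CENTS,
        "avg_cents_per_payment": wins * MACRO_CENTS / n_payments,
    }

if __name__ == "__main__":
    print(simulate(20_000))
```

In this toy, Alice can simply refuse to open after seeing Bob's randomness, which is the gap the fractional binding property on the slides addresses.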
