
1. MProve: A Proof of Reserves Protocol for Monero Exchanges
Arijit Dutta, Saravanan Vijayakumaran
Department of Electrical Engineering, Indian Institute of Technology Bombay
IEEE S&B, Stockholm, June 20, 2019



2. Cryptocurrency Exchanges
• Owning cryptocurrencies = storing private keys
• Cryptocurrency exchanges
  • Store private keys for customers
  • Allow trading
• Risks for customers
  • Exchanges getting hacked
  • Incompetence, internal fraud, exit scams
  • Fractional reserve exchanges
• Proof of solvency is a possible solution
  • Proof of liabilities
  • Proof of reserves

3. Naive Proof of Reserves for Bitcoin
• Protocol steps
  • Create a transaction Tx which unlocks all owned UTXOs
  • Include a dummy input to make Tx invalid
  • Share Tx with the world
• Why does it work?
  • Tx proves that the exchange owns BTC equal to the sum of the amounts in the unlocked UTXOs
  • The dummy input prevents misuse of Tx
    • Removing the dummy input will invalidate the signatures
  • Blockstream has released such a tool [1]
• Drawback: privacy is not preserved
  • The exchange may not want to reveal its UTXOs

[1] https://blockstream.com/2019/02/04/standardizing-bitcoin-proof-of-reserves/

4. Provisions Proof of Reserves Protocol
• Proposed by Dagher et al. in 2015
• Exchange chooses a set $\mathcal{P}$ of UTXOs from the blockchain
• It owns a subset $\mathcal{P}_{\text{own}}$ of $\mathcal{P}$. Let $\mathcal{I}_{\text{own}} = \{\, i \mid P_i \in \mathcal{P}_{\text{own}} \,\}$
• $\mathcal{P}$ plays the role of the anonymity set
• Each $P_i \in \mathcal{P}$ has an associated amount $a_i$
• Pedersen commitment to an amount $a$ is given by $C(y, a) = yG + aH$, where the dlog of $H$ w.r.t. $G$ is not known and $y$ is a blinding factor
• Exchange creates a Pedersen commitment $C_i$ for each $P_i \in \mathcal{P}$
• It gives a zero-knowledge proof of the following statement
  $$C_i = \begin{cases} y_i G + a_i H & \text{if } P_i \in \mathcal{P}_{\text{own}} \\ y_i G & \text{if } P_i \notin \mathcal{P}_{\text{own}} \end{cases}$$
• Adding all the commitments gives a commitment to the total reserves
  $$C_{\text{reserves}} = \sum_{i=1}^{|\mathcal{P}|} C_i = \sum_{i=1}^{|\mathcal{P}|} y_i G + \sum_{i \in \mathcal{I}_{\text{own}}} a_i H$$
• Solvency is proven via a range proof on $C_{\text{liabilities}} - C_{\text{reserves}}$

5. Transactions in Monero
• Suppose Alice wants to spend coins from an address $P$ she owns
• Alice assembles a list $\{P_0, P_1, \ldots, P_{n-1}\}$ where $P_j = P$ for exactly one $j$
• Alice knows $x_j$ such that $P_j = x_j G$
• Key image of $P_j$ is $I = x_j H_p(P_j)$ where $H_p$ is a point-valued hash function
• Distinct public keys will have distinct key images
• A linkable ring signature over $\{P_0, P_1, \ldots, P_{n-1}\}$ will have the key image $I$ of $P_j$
• Signature proves Alice knows one of the private keys
• Double spending is detected via duplicate key images
• One cannot say if a Monero address belongs to the UTXO set or not

A fundamental requirement of any proof of reserves protocol for Monero is that it should prove that the key images of the exchange-owned addresses, which contribute to the total reserves commitment $C_{\text{reserves}}$, have not appeared on the blockchain.

6. Some Facts About Commitments
• Suppose $C$ is a Pedersen commitment with amount $a$ and blinding factor $x$
  $$C = xG + aH$$
• One can prove that $C$ is a commitment to the zero amount via a signature with public key $C$
  $$C = xG$$
• If $C$ is a commitment to a non-zero amount $a$, a signature with $C$ as public key will mean the dlog of $H$ is known
  $$C = xG + aH = yG \;\Rightarrow\; H = a^{-1}(y - x)G$$

7. MProve Protocol
• Exchange chooses addresses $\mathcal{P} = (P_1, P_2, \ldots, P_N)$ from the Monero blockchain
• It knows the private keys of $\mathcal{P}_{\text{known}} \subseteq \mathcal{P}$
• For each $P_i \in \mathcal{P}$, it reads commitment $C_i$
  $$C_i = y_i G + a_i H.$$
  For $P_i \in \mathcal{P}_{\text{known}}$, the exchange knows $y_i$ and $a_i$
• For each $P_i \in \mathcal{P}$, the exchange randomly picks $z_i$ and generates $C'_i$ as
  $$C'_i = \begin{cases} z_i G & \text{if } P_i \in \mathcal{P}_{\text{known}}, \\ z_i G + C_i & \text{if } P_i \notin \mathcal{P}_{\text{known}}. \end{cases}$$
• For each $i = 1, 2, \ldots, N$, the exchange publishes a regular ring signature $\gamma_i$ verifiable by the pair of public keys $(C'_i,\; C'_i - C_i)$
• For each $i = 1, 2, \ldots, N$, the exchange publishes a linkable ring signature $\sigma_i$ verifiable by the pair of public keys $(P_i,\; C'_i - C_i)$
• The exchange publishes a commitment $C_{\text{reserves}}$ which satisfies the equation
  $$C_{\text{reserves}} = \sum_{i=1}^{N} \left( C_i - C'_i \right).$$

8. MProve Intuition
• Output of an exchange
  • A list of one-time addresses $P_1, P_2, \ldots, P_N$ and commitments $C_1, C_2, \ldots, C_N$
  • The commitments $C'_1, C'_2, \ldots, C'_N$ created by the exchange
  • The regular ring signatures $\gamma_i$ over public keys $(C'_i,\; C'_i - C_i)$
  • The linkable ring signatures $\sigma_i$ over public keys $(P_i,\; C'_i - C_i)$
  • The commitment $C_{\text{reserves}}$ to the total reserves
    $$C_{\text{reserves}} = \sum_{i=1}^{N} \left( C_i - C'_i \right)$$
• When $P_i \notin \mathcal{P}_{\text{known}}$, the exchange has to create $\sigma_i$ with $z_i$ where $C'_i - C_i = z_i G$
  • This implies $C_i - C'_i$ is a commitment to the zero amount
  • No contribution to $C_{\text{reserves}}$
• When $P_i \in \mathcal{P}_{\text{known}}$, the exchange has to create $\gamma_i$ with the private key corresponding to either $C'_i$ or $C'_i - C_i$
  • If $C'_i = z_i G$, then $C_i - C'_i$ contributes $a_i H$ to $C_{\text{reserves}}$
  • If $C'_i - C_i = z_i G$, then $C_i - C'_i$ contributes nothing to $C_{\text{reserves}}$
  • To avoid zero contribution to $C_{\text{reserves}}$, the exchange has to sign with the private key of $P_i$ to create $\sigma_i$
  • Since $\sigma_i$ reveals the key image of $P_i$, the exchange cannot use an already spent address

9. Drawback
• Output of an exchange
  • A list of one-time addresses $P_1, P_2, \ldots, P_N$ and commitments $C_1, C_2, \ldots, C_N$
  • The commitments $C'_1, C'_2, \ldots, C'_N$ created by the exchange
  • The regular ring signatures $\gamma_i$ over public keys $(C'_i,\; C'_i - C_i)$
  • The linkable ring signatures $\sigma_i$ over public keys $(P_i,\; C'_i - C_i)$
  • The commitment $C_{\text{reserves}}$ to the total reserves
    $$C_{\text{reserves}} = \sum_{i=1}^{N} \left( C_i - C'_i \right)$$
• When $P_i \in \mathcal{P}_{\text{known}}$, the linkable ring signature contains the key image $I_i$ of $P_i$
  • A future transaction spending from $P_i$ will contain the same $I_i$
  • This makes the transaction zero mix-in: the real spend is identified among the ring members
  • The ring signature is rendered useless
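The following Python walk-through is an added example for slides 4 and 6 to 9; it is not part of the slides and is not the authors' simulation code (that is the C++ test in the Monero tree linked on slide 12). It implements Pedersen commitments, a Schnorr-style regular ring signature and a CryptoNote-style linkable ring signature with key images, then runs the MProve prover and verifier over a constructed anonymity set of three one-time addresses of which the exchange controls two. Everything beyond the slides is the example's own assumption: the curve is secp256k1 in affine pure-Python arithmetic (Monero uses ed25519; secp256k1 is chosen only because its parameters are compact and its cofactor is 1), the second generator H is derived by hashing, H_p is try-and-increment, rings have two members as on slide 7, and the names `ring_sign`, `ring_verify`, `mprove_prove`, `mprove_verify` and `demo` are invented here.

```python
# Toy MProve walk-through on secp256k1 in pure Python (affine arithmetic: slow, but dependency-free).
import hashlib
import secrets
# secp256k1: field prime p, base point G, group order n (cofactor 1, so every curve point has order n)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    m = 3 * x1 * x1 * pow(2 * y1, p - 2, p) if A == B else (y2 - y1) * pow(x2 - x1, p - 2, p)
    x3 = (m * m - x1 - x2) % p
    return x3, (m * (x1 - x3) - y1) % p

def mul(k, A):  # double-and-add scalar multiplication, k >= 0
    R = None
    while k:
        R, A, k = (add(R, A) if k & 1 else R), add(A, A), k >> 1
    return R

def hash_to_point(*parts):  # H_p: hash to an x, then increment until x^3 + 7 is a square (p = 3 mod 4)
    x = int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % p
    while True:
        y = pow((x ** 3 + 7) % p, (p + 1) // 4, p)
        if y * y % p == (x ** 3 + 7) % p:
            return x, y
        x = (x + 1) % p
H = hash_to_point("MProve demo H")  # second generator; nobody knows its dlog w.r.t. G (assumption of this demo)
def sub(A, B): return add(A, (B[0], -B[1] % p))  # A - B, the slides' C'_i - C_i
def scalar(): return secrets.randbelow(n - 1) + 1  # private key, blinding factor or nonce in Z_n
def commit(y, a): return add(mul(y, G), mul(a, H))  # Pedersen commitment C(y, a) = yG + aH
def challenge(*parts): return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % n

def ring_sign(msg, keys, idx, secret, linkable):
    # Schnorr-style ring signature: signer knows the dlog of keys[idx]; linkable=True attaches the key image
    count, image = len(keys), mul(secret, hash_to_point(keys[idx])) if linkable else None
    def right(j, sj, cj):  # sj * H_p(P_j) + cj * I (slide 5); a regular ring signature has no such term
        return add(mul(sj, hash_to_point(keys[j])), mul(cj, image)) if linkable else None
    alpha, s, c = scalar(), [0] * count, [0] * count
    c[(idx + 1) % count] = challenge(msg, mul(alpha, G), right(idx, alpha, 0))
    j = (idx + 1) % count
    while j != idx:  # random responses for the decoys, walking the ring back to the signer
        s[j] = scalar()
        c[(j + 1) % count] = challenge(msg, add(mul(s[j], G), mul(c[j], keys[j])), right(j, s[j], c[j]))
        j = (j + 1) % count
    s[idx] = (alpha - c[idx] * secret) % n  # closing the ring needs the real secret
    return c[0], s, image

def ring_verify(msg, keys, sig):
    c, s, image = sig
    for j, key in enumerate(keys):
        right = add(mul(s[j], hash_to_point(key)), mul(c, image)) if image else None
        c = challenge(msg, add(mul(s[j], G), mul(c, key)), right)
    return c == sig[0]

def mprove_prove(addresses, wallet):
    # addresses: [(P_i, C_i)] from the chain; wallet: {P_i: (x_i, y_i, a_i)} for owned addresses
    proof, c_res, r_total, a_total = [], None, 0, 0  # r_total/a_total: the opening of C_reserves
    for Pi, Ci in addresses:
        z, known = scalar(), Pi in wallet
        Cp = mul(z, G) if known else add(mul(z, G), Ci)  # C'_i as defined on slide 7
        D = sub(Cp, Ci)  # C'_i - C_i: equal to z_i G, a commitment to zero, only in the unknown case
        idx, secret = (0, wallet[Pi][0]) if known else (1, z)
        gamma = ring_sign(b"mprove", [Cp, D], idx, z, linkable=False)
        sigma = ring_sign(b"mprove", [Pi, D], idx, secret, linkable=True)  # reveals P_i's key image if known
        if known:  # C_i - C'_i = (y_i - z_i)G + a_i H adds a_i to the reserves
            r_total, a_total = (r_total + wallet[Pi][1] - z) % n, a_total + wallet[Pi][2]
        else:  # C_i - C'_i = -z_i G adds nothing
            r_total = (r_total - z) % n
        c_res, proof = add(c_res, sub(Ci, Cp)), proof + [(Pi, Ci, Cp, gamma, sigma)]
    return proof, c_res, (r_total, a_total)

def mprove_verify(proof, c_res, spent_images):
    # slide 7 checks plus the slide 5 requirement that no key image in the proof is already on chain
    expected = None
    for Pi, Ci, Cp, gamma, sigma in proof:
        D = sub(Cp, Ci)
        if sigma[2] in spent_images or not (ring_verify(b"mprove", [Cp, D], gamma) and
                                            ring_verify(b"mprove", [Pi, D], sigma)):
            return False
        expected = add(expected, sub(Ci, Cp))
    return expected == c_res

def demo():  # constructed anonymity set of three one-time addresses; the exchange controls two of them
    wallet, addresses = {}, []
    for owned, amount in [(True, 40), (False, 75), (True, 60)]:
        x, y = scalar(), scalar()
        addresses.append((mul(x, G), commit(y, amount)))
        if owned: wallet[addresses[-1][0]] = (x, y, amount)
    proof, c_res, (r, a) = mprove_prove(addresses, wallet)
    P0, image0 = addresses[0][0], proof[0][4][2]
    return {"verifies": mprove_verify(proof, c_res, set()), "amount": a, "opens": commit(r, a) == c_res,
            "key_image_reuse": image0 == mul(wallet[P0][0], hash_to_point(P0)),  # slide 9 drawback
            "spent_rejected": not mprove_verify(proof, c_res, {image0})}  # slide 5 requirement
```

`demo()` returns the four checks a verifier or reader would want: the proof verifies; the exchange can open $C_{\text{reserves}}$ to the sum of the amounts it owns (40 + 60 = 100, the Pedersen homomorphism of slide 4, with the unknown address contributing only $-z_i G$); the key image carried by $\sigma_0$ is exactly the one a later spend of $P_0$ would put on chain (slide 9); and the same proof is rejected once that key image is in the spent set (slide 5). Because the curve arithmetic is affine and in pure Python, a run takes a few seconds; the paper's timings on slide 10 come from the C++ implementation.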

10. MProve Simulation Results
Proof size, generation time, verification time and query time for anonymity set size |P| and number of owned addresses |P_known|:

| Size of P | Size of P_known | Proof size | Generation time | Verification time | Query time |
|---|---|---|---|---|---|
| 1000 | 100 | 0.32 MB | 0.70 s | 0.65 s | 0.048 s |
| 1000 | 500 | 0.32 MB | 0.69 s | 0.69 s | 0.048 s |
| 1000 | 900 | 0.32 MB | 0.68 s | 0.67 s | 0.048 s |
| 10000 | 1000 | 3.2 MB | 7.01 s | 6.76 s | 0.087 s |
| 10000 | 5000 | 3.2 MB | 6.92 s | 6.76 s | 0.087 s |
| 10000 | 9000 | 3.2 MB | 6.87 s | 6.75 s | 0.087 s |
| 100000 | 10000 | 32 MB | 71.79 s | 67.85 s | 0.545 s |
| 100000 | 50000 | 32 MB | 71.13 s | 67.83 s | 0.545 s |
| 100000 | 90000 | 32 MB | 70.39 s | 67.82 s | 0.545 s |

11. Future Directions
• Remove the drawback
• Make the proofs smaller
• Increase the anonymity set
• Ensure that exchanges generate reserves proofs from the same blockchain state
• Better proofs of liabilities

12. References
• Provisions: https://eprint.iacr.org/2015/1008
• MProve: https://eprint.iacr.org/2018/1210
• MProve simulation code: https://github.com/avras/monero/tree/v0.14.0.2-mprove/tests/mprove

Thanks for your attention
Saravanan Vijayakumaran, sarva@ee.iitb.ac.in
