
Nummatus: A Privacy Preserving Proof of Reserves Protocol for Quisquis (PowerPoint PPT Presentation)



  1. Nummatus: A Privacy Preserving Proof of Reserves Protocol for Quisquis
     Arijit Dutta, Arnab Jana, and Saravanan Vijayakumaran
     Indian Institute of Technology Bombay, Mumbai, India
     Indocrypt, Hyderabad, December 16, 2019

  2. Introduction
     ◮ Cryptocurrency removes the need to trust centralized financial institutions, brings privacy
     ◮ Miners and cryptocurrency users in Bitcoin

  3. Introduction
     ◮ Cryptocurrency exchange
     ◮ Custodial wallet → stores secret keys, enables trading

  5. Concerns and Solution
     ◮ Concerns
       ◮ Wallets get hacked, theft, internal fraud, and exit scams
       ◮ $927 million worth of cryptocurrency reported as stolen from exchanges in the first nine months of 2018 [1]
       ◮ Fractional reserves
     ◮ One possible solution: periodic proof of solvency
       ◮ Proof of reserves
       ◮ Proof of liabilities
     ◮ What's in the name?
       ◮ Quisquis, a privacy focused cryptocurrency, proposed by Fauzi et al. in 2018
       ◮ Latin quisquis → whoever, whatever
       ◮ Latin nummatus (a proof of reserves protocol) → moneyed, rich
       ◮ Proves exchanges are rich enough to meet their liabilities, preserves privacy of exchanges
     [1] https://ciphertrace.com/crypto-aml-report-2018q3

  6. Proof of Reserves Protocol
     ◮ The exchange needs to prove possession of a certain amount of reserves
     ◮ Non-private proof of reserves protocol
       ◮ The exchange creates a transaction with owned addresses as inputs and some other owned addresses as outputs
       ◮ Reveals the owned addresses and the reserves amount

  8. Provisions: a Privacy Preserving Proof of Reserves Protocol for Bitcoin
     ◮ Proposed by Dagher et al. in 2015
     ◮ Pedersen commitments: to hide the amount associated with a public key
       ◮ $\mathbb{G}$ is a cyclic group of prime order, $g$ a generator, DL is hard
       ◮ $h = g^x \in \mathbb{G}$ is chosen, $x$ is unknown
       ◮ Pedersen commitment $p(a, y)$ for amount $a$ is given as $p = g^a h^y$
       ◮ $y$ is a random scalar, called the blinding factor
     ◮ Proof of reserves: main idea

  10. Provisions: a Privacy Preserving Proof of Solvency Protocol for Bitcoin
     ◮ For each address in $\mathcal{P}_{anon}$, the exchange chooses a random scalar $y_i$ and calculates the Pedersen commitment
       $$p_i = \begin{cases} g^{a_i} h^{y_i} & \text{if } i \in \mathcal{I}_{own} \\ h^{y_i} & \text{if } i \notin \mathcal{I}_{own} \end{cases}$$
     ◮ The exchange proves in zero knowledge that the $p_i$'s are calculated properly
     ◮ The exchange calculates
       $$p_{res} = \prod_{i=1}^{|\mathcal{P}_{anon}|} p_i = g^{\sum_{i \in \mathcal{I}_{own}} a_i} \, h^{\sum_{i=1}^{|\mathcal{P}_{anon}|} y_i}$$
     ◮ Motivated PoR protocols: MProve for Monero, Revelio for Grin, and Nummatus for Quisquis

  11. A Brief Introduction to Quisquis
     ◮ A recently proposed privacy focused cryptocurrency
     ◮ Hides the sender, the receiver and the amount of the transaction
     ◮ Privacy focused cryptocurrency → monotonic growth of the UTXO set
     ◮ Solves the problem with an account based model

  14. Quisquis Accounts
     ◮ $(\mathbb{G}, g, p)$: prime order $p$ with generator $g$, DDH is hard
     ◮ Quisquis account: $\mathsf{acct} = (\text{public key}, \text{commitment}) = ((a, b), (c, d)) \in \mathbb{G}^4$
     ◮ Public key: $(a, b) = (a, a^k) = (g^t, g^{k \cdot t})$, $t$ arbitrary scalar, $k$ secret key
     ◮ Commitment: $(c, d) = (c, g^v c^k) = (a^r, g^v a^{kr}) = (a^r, g^v b^r)$, $r$ arbitrary scalar, $v \in \mathbb{F}_p$ is the amount
     ◮ To claim ownership of $\mathsf{acct}$: prove knowledge of $(k, v)$ such that $b = a^k \wedge d = g^v c^k$; knowledge of $t$ and $r$ is not required!

  18. Simplus: A Semi-private Proof of Reserves Protocol for Quisquis
     ◮ After the $j$th block appears in the blockchain, the exchange publishes the set of owned accounts $\mathcal{A}_{own} = \{\mathsf{acct}_1, \mathsf{acct}_2, \ldots, \mathsf{acct}_m\}$
     ◮ For $i = 1$ to $m$, the exchange publishes a Pedersen commitment to the amount: $p_i = g^{v_i} h^{k_i}$ (DL of $h$ w.r.t. $g$ is unknown)
     ◮ For $i = 1$ to $m$, the exchange publishes NIZKPoK signatures for
       $$\mathrm{PoK}\left\{ \alpha \;\middle|\; b_i = a_i^{\alpha} \;\wedge\; p_i d_i^{-1} = \left(h c_i^{-1}\right)^{\alpha} \right\}$$
     ◮ $b_i = a_i^{k_i} \Rightarrow \alpha = k_i$ for each $i$
     ◮ $p_i d_i^{-1} = (h c_i^{-1})^{\alpha} \Rightarrow p_i = g^{v_i} h^{k_i}$, as $d_i = g^{v_i} c_i^{k_i}$
     ◮ The exchange publishes $p_{res} = \prod_{i=1}^{m} p_i$
     ◮ The exchange owned accounts are revealed, but not the reserves amount

  21. Nummatus: A Private Proof of Reserves Protocol for Quisquis
     ◮ The exchange publishes an anonymity set $\mathcal{A}_{anon} = \{\mathsf{acct}_1, \mathsf{acct}_2, \ldots, \mathsf{acct}_n\}$ such that $\mathcal{A}_{anon} \supset \mathcal{A}_{own}$
     ◮ The exchange needs a sequence $h_1, h_2, h_3, \cdots$ with unknown DL w.r.t. $g$ and each other
       ◮ Can be generated by repeated hashing
     ◮ After the $j$th block in the Quisquis blockchain, for each $\mathsf{acct}_i \in \mathcal{A}_{anon}$, the exchange publishes
       $$p_i^{j} = \begin{cases} g^{v_i} h_j^{k_i} & \text{if } \mathsf{acct}_i \in \mathcal{A}_{own}, \\ h_j^{w_i} & \text{if } \mathsf{acct}_i \notin \mathcal{A}_{own}, \end{cases}$$
       where the $w_i$'s are random scalars

  24. Nummatus: A Private Proof of Reserves Protocol for Quisquis
     ◮ For each $\mathsf{acct}_i \in \mathcal{A}_{anon}$, the exchange generates a NIZKPoK signature $\sigma_i$ of
       $$\mathrm{PoK}\left\{ (\alpha, \beta) \;\middle|\; \left( b_i = a_i^{\alpha} \;\wedge\; p_i d_i^{-1} = \left(h_j c_i^{-1}\right)^{\alpha} \right) \;\vee\; p_i = h_j^{\beta} \right\}$$
     ◮ The NIZKPoK signature proves that either $p_i$ commits to 0 or $p_i = g^{v_i} h_j^{k_i}$
     ◮ The exchange publishes $p_{res} = \prod_{i=1}^{n} p_i$
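The account construction (slide 14), the Simplus relation $p_i d_i^{-1} = (h c_i^{-1})^{k_i}$ with its NIZKPoK (slides 17 and 18) and the homomorphic aggregation into $p_{res}$ over an anonymity set (slide 24), as an added Python example that is not code from the paper or from the Quisquis project. It runs over a constructed toy group (P = 2039, generator 4, hash-to-group by squaring, not a secure size) and proves only the owned-account branch with a Fiat-Shamir equal-exponent Schnorr proof; the OR-composition Nummatus uses for non-owned accounts is not implemented, a non-owned commitment $h^{w_i}$ is simply multiplied into the product.

```python
import hashlib
import math
import secrets

# Toy group for illustration only: the order-Q subgroup of Z_P^* with P = 2Q + 1 (NOT a secure size).
P, Q, G = 2039, 1019, 4  # 4 = 2^2 is a quadratic residue, hence a generator of the order-Q subgroup

def hash_to_group(data):
    """Map bytes to a subgroup element whose DL w.r.t. G is unknown (base in [2, P-2], squared: never 0 or 1)."""
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 2) + 2, 2, P)

def hash_to_scalar(*xs):
    return int.from_bytes(hashlib.sha256(b"|".join(str(x).encode() for x in xs)).digest(), "big") % Q  # Fiat-Shamir challenge

def new_account(k, v):
    """Quisquis account ((a, b), (c, d)) = ((g^t, g^{kt}), (a^r, g^v b^r)) for secret key k and amount v (slide 14)."""
    t, r = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    a = pow(G, t, P)
    b = pow(a, k, P)
    c = pow(a, r, P)
    d = pow(G, v, P) * pow(b, r, P) % P  # b^r = a^{kr} = c^k, so d = g^v c^k
    return (a, b), (c, d)

def commit(v, k, h):
    """Pedersen commitment p = g^v h^k that the exchange publishes for an owned account (slide 16)."""
    return pow(G, v, P) * pow(h, k, P) % P

def _bases(acct, p, h):
    (a, b), (c, d) = acct
    return a, b, h * pow(c, -1, P) % P, p * pow(d, -1, P) % P  # (a, b, h/c, p/d); p/d = (h/c)^k iff p opens to v

def prove_owned(acct, p, h, k):
    """NIZKPoK (Fiat-Shamir, equal-exponent Schnorr) of alpha with b = a^alpha and p d^{-1} = (h c^{-1})^alpha."""
    a, b, u, y = _bases(acct, p, h)
    s = secrets.randbelow(Q)
    t1, t2 = pow(a, s, P), pow(u, s, P)
    e = hash_to_scalar(a, b, u, y, t1, t2)
    return e, (s + e * k) % Q

def verify_owned(acct, p, h, proof):
    """Recompute t1, t2 from (e, z) and check that the challenge is reproduced."""
    a, b, u, y = _bases(acct, p, h)
    e, z = proof
    t1 = pow(a, z, P) * pow(b, -e, P) % P
    t2 = pow(u, z, P) * pow(y, -e, P) % P
    return e == hash_to_scalar(a, b, u, y, t1, t2)

def reserves_commitment(commits):
    """p_res = prod p_i, a commitment to the total owned amount; non-owned p_i = h^{w_i} add only blinding (slide 24)."""
    return math.prod(commits) % P
```

A verifier learns from `p_res` and the proofs only that every commitment is well-formed, never the individual or total amounts; the toy group's soundness error is 1/Q per proof, which is why real parameters are ~256-bit.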
