
Quisquis: An Anonymous Cryptocurrency Based on Updatable Public - PowerPoint PPT Presentation


  1. Quisquis: An Anonymous Cryptocurrency Based on Updatable Public Keys Prastudy Fauzi, Sarah Meiklejohn, Rebekah Mercer, Claudio Orlandi @claudiorlandi

  2. Blockchain Research
     • Applications
     • Smart Contracts
     • Transaction Layer (this talk)
     • Consensus Layer
     • Network Layer

  3. Bitcoin and Anonymity

  4. “Bitcoin is like Twitter for your bank account.” (Ian Miers)
     A Fistful of Bitcoins (Meiklejohn et al.)

  5. Existing Alternatives for Anonymous Payments
     • Dash
     • Monero
     • Zcash
     • …
     but, I’m a theoretician! For the rest of the talk I will address “abstract technologies”, not actual products (which are much more complicated).

  6. Existing Techniques for Privacy
     • Technologies
       – Tumblers
       – Ring Signatures
       – ZK-SNARKs
     • Questions
       – Need for coordination?
       – Deniability?
       – Provable anonymity?
       – Trust in third parties?
       – Size of UTXO?

  7. Basic Transactions (e.g., Bitcoin)
     [diagram: a chain of transactions over keys pk1…pk4 (the blockchain) and the set of unspent outputs (the UTXO set)]
     • For context, in November 2017:
       – Blockchain 130 GB
       – UTXO 3 GB

  8. Tumblers (1/2)
     [diagram: one transaction with inputs A, C and outputs D, B]
     • A wants to give 1 coin to B
     • C wants to give 1 coin to D
     • (A, C) create a 2-to-2 TX with receivers (B, D) in random order
     • An external observer cannot determine who sent to whom
     • Can be generalized to N senders and N receivers

  9. Tumblers (2/2)
     • Centralized Tumblers
       – ☺ Easy (trusted party performs transaction and matches users)
       – ☹ Need to trust central party for anonymity and security
     • Decentralized Tumblers
       – ☹ Hard (how to find other users who want to mix their coins? + protocol requires interaction)
       – ☺ Secure using cryptographic protocol
     • (Exception: TumbleBit, see talk this morning)

  10. Ring Signatures (1/3)
     • Sign(pk0, pk1, sk_b, m) → σ
     • Ver(pk0, pk1, m, σ) → accept
     • Indistinguishability:
       Sign(pk0, pk1, sk0, m) ≈ Sign(pk0, pk1, sk1, m)
     • (In general, there are N public keys)

  11. Ring Signatures (2/3) (ignoring how to prevent double spending)
     [diagram: transactions over keys pk1…pk4, each signed with a ring of keys]
     • Was pk1 spent? Can’t tell! ☺
     • Also means: cannot remove pk1 from UTXO ☹

  12. Ring Signatures (3/3) (ignoring how to prevent double spending)
     [diagram: three transactions whose rings are drawn from pk1…pk5]
     • Anonymity?
       – After the 2nd TX, pk1 and pk2 are both spent → the 3rd transaction was made by pk3 with certainty

  13. Zero-Knowledge (come back tomorrow at 10.30!)
     [diagram: prover P(x) exchanges messages with verifier V for the statement “I know x s.t. f(x)=1”]
     • Completeness
       – P, V honest → V accepts
     • Proof-of-Knowledge
       – If P does not know x → V rejects
     • Zero-Knowledge
       – V learns nothing about x

  14. ZK-SNARKs
     [diagram: transactions over keys pk1…pk4 whose inputs hide in the whole set]
     • Can be seen as an extension of ring signatures, using advanced cryptographic protocols
       – Can hide in sets of arbitrary size: “∞-to-1” transactions
       – Generation time for a transaction is high ☹
       – Need for trusted setup (CRS) ☹

  15. Entering QuisQuis!

  16. QuisQuis idea: N-to-N transaction without interaction
     [diagram: TX with inputs S, A and outputs R, B]
     • S wants to send money to R
     • Add a transaction from A to B for anonymity
     • Paradox?
       – Move other people’s money without their approval
       – While at the same time preventing theft?

  17. Idea that does not work
     [diagram: TX with inputs S, A and outputs R, A]
     • Add a transaction from A to A.
     • No money stolen ☺
     • No privacy ☹

  18. Idea that might work
     [diagram: TX with inputs S, A and outputs R, A’]
     • What if I could move A’s money to a new “random looking” address A’ which is also owned by A?

  19. Updatable Public Keys
     [diagram: Gen → (pk, sk); Update(pk, r) → (pk’, hint); Derive(sk, hint) → sk’]

  20. Updatable Public Keys
     [diagram: Gen → (pk, sk); Update(pk, r) → (pk’, hint); Derive(sk, hint) → sk’]
     • Correctness: (pk’, sk’) is a valid key pair

  21. Updatable Public Keys
     [diagram: Gen → (pk, sk); Update(pk, r) → (pk’, hint); Derive(sk, hint) → sk’]
     • Indistinguishability: (pk, hint) looks like (pk’, hint)

  22. Unforgeability
     • No adversary A(pk) can output (pk’, sk’, r) such that Update(r, pk) → pk’ AND (pk’, sk’) is a valid pair
     • Output (r, pk’): trivial! (run Update)
     • Output (pk’, sk’): trivial! (drop pk and run Gen)
     • Both at the same time should be hard!

  23. Constructions of Updatable Public Keys (Main Construction)
     • Gen → pk = (g^s, g^{sx}) = (u, v), sk = x
     • Update(pk, r) → pk’ = (u^r, v^r)
     • Derive(sk) → sk
     • Correctness: ✔
     • Indistinguishability: (u, v, u^r, v^r) ~ (u, v, u^r, v^s) by DDH
     • Unforgeability: given x, can output x (break DL)

  24. Constructions of Updatable Public Keys (Alternative Construction)
     • Gen → pk = g^x, sk = x
     • Update(pk, r) → hint = g^r, pk’ = pk · g^y with y = H(pk^r)
     • Derive(sk, hint) → sk’ = x + H(hint^x)
     • Correctness: ✔
     • Indistinguishability: follows from DDH
     • Unforgeability: given r, sk’, output sk (break DL)
     • Bonus! Forward anonymity in the RO model
       – (given sk’, cannot tell if new or derived)
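The two constructions on slides 23 and 24, written out as an added example (this is not the authors' code and not the Quisquis implementation). The group is a deliberately tiny safe-prime group (p = 2039, q = 1019, generator g = 4) chosen here so the arithmetic is readable; it offers no security and a real system would use a ~256-bit prime-order group. The hash H is modelled by SHA-256 reduced into Z_q; all function names (`main_gen`, `alt_update`, etc.) are this example's own. Note that the main construction keeps `sk` unchanged, so the check after an update is simply `v' == u'^x`, while the alternative construction needs the hint to derive `sk' = x + H(hint^x)`, which works because `hint^x = g^{rx} = pk^r`.

```python
"""Toy updatable public keys (Quisquis, slides 23-24).  Added example with
constructed, insecure parameters; not the paper's or the authors' code."""
import hashlib
import secrets

P = 2039   # safe prime, P = 2*Q + 1 (toy size, for readability only)
Q = 1019   # prime order of the quadratic-residue subgroup of Z_P^*
G = 4      # 4 = 2^2 is a quadratic residue, hence generates the order-Q subgroup


def rand_exp():
    """Uniform exponent in [2, Q-1]; excluding 0 and 1 keeps pk' != pk."""
    return 2 + secrets.randbelow(Q - 2)


def hash_to_exp(*elems):
    """Random-oracle stand-in H: group elements -> nonzero exponent in Z_Q."""
    data = b"|".join(str(e).encode() for e in elems)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


# --- Main construction: pk = (g^s, g^{sx}) = (u, v), sk = x ---------------

def main_gen():
    x, s = rand_exp(), rand_exp()
    return (pow(G, s, P), pow(G, s * x, P)), x


def main_update(pk, r):
    """pk' = (u^r, v^r); the tuple (u, v, u^r, v^r) is a DDH tuple."""
    u, v = pk
    return pow(u, r, P), pow(v, r, P)


def main_derive(sk):
    """Derive is the identity: the same x opens every update of pk."""
    return sk


def main_valid(pk, sk):
    """(pk, sk) is a valid pair iff v = u^sk."""
    u, v = pk
    return v == pow(u, sk, P)


# --- Alternative construction: pk = g^x, sk = x, Update emits a hint -------

def alt_gen():
    x = rand_exp()
    return pow(G, x, P), x


def alt_update(pk, r):
    """hint = g^r, pk' = pk * g^y with y = H(pk^r)."""
    hint = pow(G, r, P)
    y = hash_to_exp(pow(pk, r, P))
    return pk * pow(G, y, P) % P, hint


def alt_derive(sk, hint):
    """sk' = x + H(hint^x); hint^x = g^{rx} = pk^r, so H matches Update's y."""
    return (sk + hash_to_exp(pow(hint, sk, P))) % Q


def alt_valid(pk, sk):
    return pk == pow(G, sk, P)


if __name__ == "__main__":
    pk, sk = main_gen()
    pk2 = main_update(pk, rand_exp())
    print("main: updated pair valid ->", main_valid(pk2, main_derive(sk)))
    pk, sk = alt_gen()
    pk2, hint = alt_update(pk, rand_exp())
    print("alt: updated pair valid ->", alt_valid(pk2, alt_derive(sk, hint)))
```

Running the module prints `True` twice. The unforgeability game of slide 22 is visible in the code: anyone can produce `(r, pk')` by calling `main_update`, and anyone can produce a fresh valid `(pk', sk')` with `main_gen`, but producing both for the same `pk'` would mean recovering `x` from `(u, v)`.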

  25. QuisQuis Transaction
     [diagram: inputs S, R, A; outputs R’ = Upd(R), B = Upd(A); TX carries ZK proof π]
     • Real input: pkS
     • Real output: pkR
     • Run Update(pkR) → pkR’
     • Choose a random pkA from the UTXO
     • Run Update(pkA) → pkB
     • ZK proof π for the following statement:
       – “I computed N−k outputs as Updates of N−k inputs” (hiding which ones)
       – “I know the sk corresponding to the remaining input keys”

  26. QuisQuis Transaction
     • Non-growing UTXO:
       – all inputs have been spent and can be removed
     • Theft prevention:
       – You are free to spend a coin if you know the sk
       – The other coins did not change owner
     • Anonymity:
       – Updated keys look indistinguishable from fresh new keys
       – ZK proof hides links between inputs and outputs

  27. A bit more details…
     • ZK proofs obtained as a combination of Sigma protocols for
       – “I know the sk” (“I know the DL”)
       – “I ran Update correctly” (“proof of DDH tuple”)
       – “I shuffled some Updated public keys” (from the Bayer-Groth shuffle)
     • Can be made non-interactive using Fiat-Shamir in the Random Oracle model.
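The “I ran Update correctly” component of the proof (slides 25 and 27) is, for the main construction, a proof that (u, v, u’, v’) is a DDH tuple, i.e. that the same exponent r was applied to both halves. The following is an added example of that single Sigma protocol (Chaum-Pedersen equality of discrete logarithms) made non-interactive with Fiat-Shamir; it is not the paper's or the authors' code, it uses the same constructed toy group (p = 2039, q = 1019, g = 4) as the key example above, and the `prove_update`/`verify_update` names are this example's own. It covers only one update; the paper's full statement additionally hides which inputs were updated (the shuffle) and proves knowledge of sk for the real input.

```python
"""Chaum-Pedersen proof that pk' = Update(pk, r) for the main construction,
made non-interactive with Fiat-Shamir.  Added example with a constructed,
insecure toy group; not the Quisquis implementation."""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # toy safe-prime group: P = 2Q + 1, G generates order Q


def update(pk, r):
    """Main-construction Update: (u, v) -> (u^r, v^r)."""
    u, v = pk
    return pow(u, r, P), pow(v, r, P)


def fiat_shamir(*elems):
    """Random-oracle challenge in [1, Q-1] over the transcript so far."""
    data = b"|".join(str(e).encode() for e in elems)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def prove_update(pk, pk2, r):
    """Prover knows r with u' = u^r and v' = v^r.  Commit k, answer z = k + c*r."""
    u, v = pk
    u2, v2 = pk2
    k = 1 + secrets.randbelow(Q - 1)
    a1, a2 = pow(u, k, P), pow(v, k, P)          # commitments with the same k
    c = fiat_shamir(u, v, u2, v2, a1, a2)        # challenge bound to the statement
    z = (k + c * r) % Q
    return a1, a2, z


def verify_update(pk, pk2, proof):
    """Accept iff u^z = a1 * u'^c and v^z = a2 * v'^c for the recomputed c.
    Both equations hold only when log_u(u') = log_v(v')."""
    u, v = pk
    u2, v2 = pk2
    a1, a2, z = proof
    c = fiat_shamir(u, v, u2, v2, a1, a2)
    ok_u = pow(u, z, P) == a1 * pow(u2, c, P) % P
    ok_v = pow(v, z, P) == a2 * pow(v2, c, P) % P
    return ok_u and ok_v


if __name__ == "__main__":
    x, s, r = 7, 11, 13                          # constructed demo exponents
    pk = (pow(G, s, P), pow(G, s * x, P))        # pk = (g^s, g^{sx})
    pk2 = update(pk, r)
    print("honest update verifies ->", verify_update(pk, pk2, prove_update(pk, pk2, r)))
    # A "transfer" that changes the owner: v' uses a different exponent than u'
    bad = (pk2[0], pow(pk[1], 17, P))
    print("mismatched exponents verify ->", verify_update(pk, bad, prove_update(pk, bad, r)))
```

The second check is the theft-prevention point of slide 26: an output whose two halves were not raised to the same exponent is no longer a key pair for the original owner's x, and the DDH-tuple proof for it fails. Because the challenge is forced into [1, q−1], the mismatch is detected deterministically here rather than with probability 1 − 1/q.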

  28. Performances

  29. More in the paper!
     • Formal definitions and proofs of security
     • How to deal with private, variable amounts
       – Commitment schemes based on updatable public keys
       – Split/Merge transactions
       – …and more!
