Decentralized Anonymous Micropayments

Alessandro Chiesa, Matthew Green, Jingcheng Liu, Peihan Miao, Ian Miers, Pratyush Mishra
http://eprint.iacr.org/2016/1033

Digital Payments (diagram): Payment Network, Customer, Merchant


  3. Bitcoin
     • Decentralized currency w/ quick adoption.
     • No need to establish business relations between banks, merchants and regulators.
     • To pay, just sign “from A to B: amt 4.3”.

     LEDGER
     From  To  Amt  Sign
     ⋮
     A     M   10   σ_A
     M     N   2.3  σ_M
     A     B   4.3  σ_A

     Micropayments on Bitcoin?

     Pass-Shelat (CCS 2015)
     • Probabilistic payments for Bitcoin.
     • Solves problem 1: Amortized tx fee.
     • Solves problem 2: Quick confirmation.

     Problem 3: Lack of Anonymity
     • Sender, receiver, amount are all public.
     • Consequences:
       • No fungibility.
       • No privacy. (especially bad for micropayment apps)

     Zerocash (Oakland 2014)
     • Anonymous Bitcoin-like currency.
     • Solves problem 3: Hides sender, receiver and amount.

  14. Goal
      Micropayments that are:
      • decentralized (for ease of deployment),
      • anonymous (for fungibility, etc.), and
      • offline (for fast response).

      Contributions
      1. Definition of cryptographic primitive via ideal functionality.
      2. Construction under standard crypto assumptions.
      3. Techniques: we use two tools:
         • translucent crypto: new fractional message transfer protocol. (probabilistic)
         • game theory: characterization of double-spending.

  28. Probabilistic Payments
      Alice "pays" Bob $0.01 with a $1 coin:
      • w.p. 99/100: nullpayment (Alice wins); the $1 stays with Alice.
      • w.p. 1/100: macropayment (Bob wins); the $1 goes to Bob.

      Probabilistic payments imply micropayments:
      • Transaction fee is amortized over many payments.
      • Nullpayments are offline and do not require interaction with payment network.

  44. Building Blocks

      Pass-Shelat: coin-flipping + Bitcoin
      1. Alice escrows v.
      2. Alice and Bob engage in coin-flip.
      3. If Alice wins: she can reuse escrow.
      4. If Bob wins: he gets v.

      Ledger
      From  To  Amt  Sign
      ⋮
      M     N   2.3  σ_M
      A     M   10   σ_A
      A     E   4.3  σ_A
      E     B   4.3  σ_E

      Zerocash: zero knowledge proofs + Bitcoin
      1. Alice (pk_A, sk_A) owns coin c_1 with comm cm_1.
      2. To pay Bob (pk_B, sk_B), Alice:
         a) derives sn_1 from c_1 and sk_A.
         b) creates new coin c_3 with comm cm_3.
         c) creates ZK proof π_3 for above.
         d) appends tx = (sn_1, cm_3, π_3).
      Cannot link sn_1 with cm_1 without sk_A.

      Ledger
      Old      New   Proof
      ⋮
      8436378  cm_1  π_1
      6327690  cm_2  π_2
      sn_1     cm_3  π_3
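The probabilistic payment and the four Pass-Shelat steps above, as an added Python sketch that is not taken from the slides or the paper. It assumes the coin-flip is a commit-reveal exchange built on a SHA-256 hash commitment; the names `alice_commit`, `settle`, `pay_once` and `simulate` are hypothetical.

```python
import hashlib
import hmac
import secrets

WIN_ONE_IN = 100    # Bob wins w.p. 1/100, as on the slide
ESCROW_CENTS = 100  # the $1 escrow backing each $0.01 payment

def commit(value: bytes, nonce: bytes) -> bytes:
    # Assumption: a SHA-256 hash commitment stands in for the real scheme.
    return hashlib.sha256(nonce + value).digest()

def alice_commit():
    """Alice picks her coin-flip share and commits before seeing Bob's."""
    r_a, nonce = secrets.token_bytes(32), secrets.token_bytes(32)
    return r_a, nonce, commit(r_a, nonce)

def settle(c: bytes, r_b: bytes, r_a: bytes, nonce: bytes) -> str:
    """Bob's check: verify Alice's opening, then derive the joint coin."""
    if not hmac.compare_digest(c, commit(r_a, nonce)):
        raise ValueError("opening does not match commitment")
    coin = int.from_bytes(hashlib.sha256(r_a + r_b).digest(), "big")
    # Modulo bias is negligible: 2**256 is vastly larger than WIN_ONE_IN.
    return "macropayment" if coin % WIN_ONE_IN == 0 else "nullpayment"

def pay_once() -> str:
    r_a, nonce, c = alice_commit()     # Alice -> Bob: c
    r_b = secrets.token_bytes(32)      # Bob -> Alice: r_b, chosen after c
    return settle(c, r_b, r_a, nonce)  # Alice -> Bob: (r_a, nonce)

def simulate(n: int) -> dict:
    """Run n $0.01 payments; only macropayments would reach the ledger."""
    macros = sum(pay_once() == "macropayment" for _ in range(n))
    return {
        "payments": n,
        "offline_nullpayments": n - macros,
        "macropayments": macros,
        "bob_received_cents": macros * ESCROW_CENTS,
        "expected_cents": n * ESCROW_CENTS // WIN_ONE_IN,
    }

if __name__ == "__main__":
    print(simulate(20_000))
```

The sketch does not model Alice refusing to open after she has seen `r_b`; a deployed scheme has to tie that step to the escrow so that aborting does not let her avoid a macropayment.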

  51. Naive Attempt: PS + Zerocash
      1. Alice escrows v in a Zerocash transaction.
      2. Alice and Bob engage in coin-flip.
      3. If Alice wins: she can reuse escrow.
      4. If Bob wins: he gets v.

      Ledger
      Old      New   Proof
      ⋮
      8436378  cm_1  π_1
      6327690  cm_2  π_2
      sn_1     cm_3  π_3
      sn_3     cm_4  π_4

      Major Issues:
      • Linkability
      • Double Spending

  57. Problem 1: Linkability
      • To amortize transaction fees, Alice has to reuse escrow.
      • Bob always learns serial number of escrowed coin.
      • Can track Alice when she spends coin w/ others.
      • Further attacks lead to loss of most privacy.

      (Diagram: ledger with the escrow tx_1 and later transactions; Bob, holding sn, looks for a tx with tx ∋ sn.)

  68. Solution: Make sn translucent
      1. Creates tx, but doesn’t append to ledger. Instead, commits to it, c = COMM(tx_3), and generates ZK proof of correctness.
      2. Sends commitment & proof (c, π) to Bob.
      3. Alice and Bob attempt to open the commitment probabilistically.
         • w.p. 1-p, Nullpayment: Alice can spend coin again, but Bob learns nothing about the coin!
         • w.p. p, Macropayment: Bob gets tx and learns serial number.

      Fractional Message Transfer
      • Fractional hiding: w.p. 1-p, Bob learns nothing about message. (Alice wants fractional hiding.)
      • Fractional binding: Bob can always open with probability p. (Bob wants fractional binding.)

  72. Problem 2: Double-Spending
      Malice can use the same coin in multiple payments in parallel.

      (Diagram: two copies of COMM(tx) sent in parallel; ledger holding tx_1, tx_2.)
