
  1. MProve: A Proof of Reserves Protocol for Monero Exchanges
     Arijit Dutta, Saravanan Vijayakumaran
     Department of Electrical Engineering, Indian Institute of Technology Bombay
     IEEE S&B, Stockholm, June 20, 2019

  2. Cryptocurrency Exchanges
     • Owning cryptocurrencies = storing private keys
     • Cryptocurrency exchanges
       • Store private keys for customers
       • Allow trading
     • Risks for customers
       • Exchanges getting hacked
       • Incompetence, internal fraud, exit scams
       • Fractional reserve exchanges
     • Proof of solvency is a possible solution
       • Proof of liabilities
       • Proof of reserves

  3. Naive Proof of Reserves for Bitcoin
     • Protocol steps
       • Create a transaction Tx which unlocks all owned UTXOs
       • Include a dummy input to make Tx invalid
       • Share Tx with the world
     • Why does it work?
       • Tx proves that the exchange owns BTC equal to the sum of amounts in the unlocked UTXOs
       • The dummy input prevents misuse of Tx
         • Removing the dummy input will invalidate the signatures
     • Blockstream has released such a tool [1]
     • Drawback: privacy is not preserved
       • The exchange may not want to reveal its UTXOs

     [1] https://blockstream.com/2019/02/04/standardizing-bitcoin-proof-of-reserves/

  4. Provisions Proof of Reserves Protocol
     • Proposed by Dagher et al. in 2015
     • Exchange chooses a set $\mathcal{P}$ of UTXOs from the blockchain
     • It owns a subset $\mathcal{P}_{\text{own}}$ of $\mathcal{P}$. Let $\mathcal{I}_{\text{own}} = \{ i \mid P_i \in \mathcal{P}_{\text{own}} \}$.
     • $\mathcal{P}$ plays the role of the anonymity set
     • Each $P_i \in \mathcal{P}$ has an associated amount $a_i$
     • Pedersen commitment to an amount $a$ is given by $C(y, a) = yG + aH$, where the dlog of $H$ w.r.t. $G$ is not known and $y$ is a blinding factor
     • Exchange creates a Pedersen commitment $C_i$ for each $P_i \in \mathcal{P}$
     • It gives a zero-knowledge proof of the following statement:

       $C_i = \begin{cases} y_i G + a_i H & \text{if } P_i \in \mathcal{P}_{\text{own}} \\ y_i G & \text{if } P_i \notin \mathcal{P}_{\text{own}} \end{cases}$

     • Adding all the commitments gives a commitment to the total reserves:

       $C_{\text{reserves}} = \sum_{i=1}^{|\mathcal{P}|} C_i = \sum_{i=1}^{|\mathcal{P}|} y_i G + \sum_{i \in \mathcal{I}_{\text{own}}} a_i H$

     • Solvency is proven via a range proof on $C_{\text{liabilities}} - C_{\text{reserves}}$

  5. Transactions in Monero
     • Suppose Alice wants to spend coins from an address $P$ she owns
     • Alice assembles a list $\{ P_0, P_1, \ldots, P_{n-1} \}$ where $P_j = P$ for exactly one $j$
     • Alice knows $x_j$ such that $P_j = x_j G$
     • Key image of $P_j$ is $I = x_j H_p(P_j)$, where $H_p$ is a point-valued hash function
     • Distinct public keys will have distinct key images
     • A linkable ring signature over $\{ P_0, P_1, \ldots, P_{n-1} \}$ will have the key image $I$ of $P_j$
     • The signature proves that Alice knows one of the private keys
     • Double spending is detected via duplicate key images
     • One cannot say whether a Monero address belongs to the UTXO set or not

     A fundamental requirement of any proof of reserves protocol for Monero is that it should prove that the key images of the exchange-owned addresses, which contribute to the total reserves commitment $C_{\text{reserves}}$, have not appeared on the blockchain.

  6. Some Facts About Commitments
     • Suppose $C$ is a Pedersen commitment with amount $a$ and blinding factor $x$:

       $C = xG + aH$

     • One can prove that $C$ is a commitment to the zero amount via a signature with public key $C$:

       $C = xG$

     • If $C$ is a commitment to a non-zero amount $a$, a signature with $C$ as public key will mean that the dlog of $H$ is known:

       $C = xG + aH = yG \;\Rightarrow\; H = a^{-1}(y - x) G$

  7. MProve Protocol
     • Exchange chooses addresses $\mathcal{P} = (P_1, P_2, \ldots, P_N)$ from the Monero blockchain
     • It knows the private keys of $\mathcal{P}_{\text{known}} \subseteq \mathcal{P}$
     • For each $P_i \in \mathcal{P}$, it reads the commitment $C_i$:

       $C_i = y_i G + a_i H$

       For $P_i \in \mathcal{P}_{\text{known}}$, the exchange knows $y_i$ and $a_i$
     • For each $P_i \in \mathcal{P}$, the exchange randomly picks $z_i$ and generates $C'_i$ as

       $C'_i = \begin{cases} z_i G & \text{if } P_i \in \mathcal{P}_{\text{known}}, \\ z_i G + C_i & \text{if } P_i \notin \mathcal{P}_{\text{known}}. \end{cases}$

     • For each $i = 1, 2, \ldots, N$, the exchange publishes a regular ring signature $\gamma_i$ verifiable by the pair of public keys $(C'_i, C'_i - C_i)$
     • For each $i = 1, 2, \ldots, N$, the exchange publishes a linkable ring signature $\sigma_i$ verifiable by the pair of public keys $(P_i, C'_i - C_i)$
     • The exchange publishes a commitment $C_{\text{reserves}}$ which satisfies the equation

       $C_{\text{reserves}} = \sum_{i=1}^{N} \left( C_i - C'_i \right)$

  8. MProve Intuition
     • Output of an exchange
       • A list of one-time addresses $P_1, P_2, \ldots, P_N$ and commitments $C_1, C_2, \ldots, C_N$
       • The commitments $C'_1, C'_2, \ldots, C'_N$ created by the exchange
       • The regular ring signatures $\gamma_i$ over public keys $(C'_i, C'_i - C_i)$
       • The linkable ring signatures $\sigma_i$ over public keys $(P_i, C'_i - C_i)$
       • The commitment $C_{\text{reserves}}$ to the total reserves:

         $C_{\text{reserves}} = \sum_{i=1}^{N} \left( C_i - C'_i \right)$

     • When $P_i \notin \mathcal{P}_{\text{known}}$, the exchange has to create $\sigma_i$ with $z_i$, where $C'_i - C_i = z_i G$
       • This implies $C_i - C'_i$ is a commitment to the zero amount
       • No contribution to $C_{\text{reserves}}$
     • When $P_i \in \mathcal{P}_{\text{known}}$, the exchange has to create $\gamma_i$ with the private key corresponding to either $C'_i$ or $C'_i - C_i$
       • If $C'_i = z_i G$, then $C_i - C'_i$ contributes $a_i H$ to $C_{\text{reserves}}$
       • If $C'_i - C_i = z_i G$, then $C_i - C'_i$ contributes nothing to $C_{\text{reserves}}$
     • To avoid zero contribution to $C_{\text{reserves}}$, the exchange has to sign with the private key of $P_i$ to create $\sigma_i$
     • Since $\sigma_i$ reveals the key image of $P_i$, the exchange cannot use an already spent address
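The commitment arithmetic of slides 7 and 8 (how $C'_i$ is formed and why $\sum (C_i - C'_i)$ opens to exactly the amounts of the known addresses) as an added worked example; this is not code from the slides or from the MProve repository. It assumes secp256k1 as a stand-in group (MProve runs on Monero's ed25519), derives a demo $H$ from a fixed scalar (a real deployment needs an $H$ whose dlog is unknown), and omits the ring signatures $\gamma_i$ and $\sigma_i$ entirely.

```python
import secrets
# secp256k1 as the demo group (MProve itself runs on Monero's ed25519)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None: return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add; not constant-time, demo only
    r, k = None, k % N
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def sub(p1, p2):
    return add(p1, None if p2 is None else (p2[0], -p2[1] % P))

# Stand-in for H: a real deployment needs an H whose dlog w.r.t. G is unknown.
H = mul(int.from_bytes(b"mprove-demo-H", "big"), G)

def commit(y, a):
    """Pedersen commitment C(y, a) = yG + aH."""
    return add(mul(y, G), mul(a, H))

def mprove_reserves(outputs):
    """outputs: list of (C_i, known, y_i, a_i); y_i/a_i are None when not known.
    Returns (C_reserves, total_amount, blinding, [C'_i]) with
    C_reserves == sum(C_i - C'_i) == commit(blinding, total_amount)."""
    c_res, amount, blind, c_primes = None, 0, 0, []
    for c_i, known, y_i, a_i in outputs:
        z_i = secrets.randbelow(N)
        if known:                           # C'_i = z_i G
            c_p = mul(z_i, G)
            amount, blind = amount + a_i, blind + y_i - z_i
        else:                               # C'_i = z_i G + C_i
            c_p = add(mul(z_i, G), c_i)
            blind -= z_i                    # C_i - C'_i = -z_i G: zero amount
        c_primes.append(c_p)
        c_res = add(c_res, sub(c_i, c_p))
    return c_res, amount, blind % N, c_primes
```

The returned blinding is the exchange's opening of $C_{\text{reserves}}$; a verifier only recomputes $\sum (C_i - C'_i)$ from the published $C_i$ and $C'_i$ and relies on the ring signatures for the rest.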

  9. Drawback
     • Output of an exchange
       • A list of one-time addresses $P_1, P_2, \ldots, P_N$ and commitments $C_1, C_2, \ldots, C_N$
       • The commitments $C'_1, C'_2, \ldots, C'_N$ created by the exchange
       • The regular ring signatures $\gamma_i$ over public keys $(C'_i, C'_i - C_i)$
       • The linkable ring signatures $\sigma_i$ over public keys $(P_i, C'_i - C_i)$
       • The commitment $C_{\text{reserves}}$ to the total reserves:

         $C_{\text{reserves}} = \sum_{i=1}^{N} \left( C_i - C'_i \right)$

     • When $P_i \in \mathcal{P}_{\text{known}}$, the linkable ring signature contains the key image $I_i$ of $P_i$
     • A future transaction spending from $P_i$ will contain the same $I_i$
       • Makes the transaction zero mix-in
       • The ring signature is rendered useless

 10. MProve Simulation Results

     |P|       |P_known|   Proof Size   Generation Time   Verification Time   Query Time
     1000      100         0.32 MB      0.70 s            0.65 s              0.048 s
     1000      500         0.32 MB      0.69 s            0.69 s              0.048 s
     1000      900         0.32 MB      0.68 s            0.67 s              0.048 s
     10000     1000        3.2 MB       7.01 s            6.76 s              0.087 s
     10000     5000        3.2 MB       6.92 s            6.76 s              0.087 s
     10000     9000        3.2 MB       6.87 s            6.75 s              0.087 s
     100000    10000       32 MB        71.79 s           67.85 s             0.545 s
     100000    50000       32 MB        71.13 s           67.83 s             0.545 s
     100000    90000       32 MB        70.39 s           67.82 s             0.545 s

 11. Future Directions
     • Remove the drawback
     • Make the proofs smaller
     • Increase the anonymity set
     • Ensure that exchanges generate reserves proofs from the same blockchain state
     • Better proofs of liabilities

 12. References
     • Provisions: https://eprint.iacr.org/2015/1008
     • MProve: https://eprint.iacr.org/2018/1210
     • MProve Simulation Code: https://github.com/avras/monero/tree/v0.14.0.2-mprove/tests/mprove

     Thanks for your attention
     Saravanan Vijayakumaran, sarva@ee.iitb.ac.in
