

SLIDE 1

Nummatus: A Privacy Preserving Proof of Reserves Protocol for Quisquis

Arijit Dutta, Arnab Jana, and Saravanan Vijayakumaran

Indian Institute of Technology Bombay, Mumbai, India

Indocrypt, Hyderabad, December 16, 2019

SLIDES 2-3

Introduction

◮ Cryptocurrency removes the need to trust a centralized financial institution, and brings privacy
◮ Miners and cryptocurrency users in Bitcoin
◮ Cryptocurrency exchange
  ◮ Custodial wallet → stores secret keys, enables trading

SLIDES 4-5

Concerns and Solution

◮ Concerns
  ◮ Wallets get hacked; theft, internal fraud, and exit scams
  ◮ $927 million worth of cryptocurrency reported as stolen from exchanges in the first nine months of 2018 ¹
  ◮ Fractional reserves
◮ One possible solution: periodic proof of solvency
  ◮ Proof of reserves
  ◮ Proof of liabilities
◮ What’s in the name?
  ◮ Quisquis, a privacy focused cryptocurrency, proposed by Fauzi et al. in 2018 [2]
  ◮ Latin Quisquis → whoever, whatever
  ◮ Latin Nummatus (a proof of reserves protocol) → moneyed, rich
  ◮ Proves that exchanges are rich enough to meet their liabilities, while preserving the privacy of exchanges

¹ https://ciphertrace.com/crypto-aml-report-2018q3

SLIDE 6

Proof of Reserves Protocol

◮ The exchange needs to prove possession of a certain amount of reserves
◮ Non-private proof of reserves protocol
  ◮ Exchange creates a transaction with owned addresses as input and some other owned addresses as output
  ◮ Reveals owned addresses and reserves amount

SLIDES 7-8

Provisions: a Privacy Preserving Proof of Reserves Protocol for Bitcoin

◮ Proposed by Dagher et al. in 2015 [1]
◮ Pedersen commitments: to hide the amount associated with a public key
  ◮ $G$ is a cyclic group of prime order, $g$ is a generator, and DL is hard in $G$
  ◮ $h = g^x \in G$ is chosen such that $x$ is unknown
  ◮ The Pedersen commitment $p(a, y)$ to amount $a$ is $p = g^a h^y$
  ◮ $y$ is a random scalar, called the blinding factor
◮ Proof of reserves: main idea

SLIDES 9-10

Provisions: a Privacy Preserving Proof of Solvency Protocol for Bitcoin

◮ $P_{anon}$ is an anonymity set of addresses that contains the exchange's own addresses, whose indices form $I_{own}$
◮ For each address in $P_{anon}$, the exchange chooses a random scalar $y_i$ and calculates the Pedersen commitment
  $p_i = g^{a_i} h^{y_i}$ if $i \in I_{own}$, and $p_i = h^{y_i}$ if $i \notin I_{own}$
◮ The exchange proves in zero knowledge that the $p_i$s are calculated properly
◮ The exchange calculates
  $p_{res} = \prod_{i=1}^{|P_{anon}|} p_i = g^{\sum_{i \in I_{own}} a_i} \, h^{\sum_{i=1}^{|P_{anon}|} y_i}$
◮ Motivated PoR protocols: MProve for Monero [3], Revelio for Grin [4], and Nummatus for Quisquis

SLIDE 11

A Brief Introduction to Quisquis

◮ A recently proposed privacy focused cryptocurrency [2]
◮ Hides the sender, the receiver and the amount of the transaction
◮ Privacy focused cryptocurrencies → monotonic growth of the UTXO set
◮ Quisquis solves this problem with an account based model

SLIDES 12-14

Quisquis Accounts

◮ $(G, g, p)$: a group of prime order $p$ with generator $g$, in which DDH is hard
◮ Quisquis account: $acct = (\text{public key}, \text{commitment}) = ((a, b), (c, d)) \in G^4$
◮ Public key: $(a, b) = (a, a^k) = (g^t, g^{k t})$, where $t$ is an arbitrary scalar and $k$ is the secret key
◮ Commitment: $(c, d) = (c, g^v c^k) = (a^r, g^v a^{k r}) = (a^r, g^v b^r)$, where $r$ is an arbitrary scalar and $v \in \mathbb{F}_p$ is the amount
◮ To claim ownership of $acct$: prove knowledge of $(k, v)$ such that $b = a^k \wedge d = g^v c^k$; knowledge of $t$ and $r$ is not required!

SLIDES 15-18

Simplus: A Semi-private Proof of Reserves Protocol for Quisquis

◮ After the $j$th block appears in the blockchain, the exchange publishes the set of owned accounts $A_{own} = \{acct_1, acct_2, \ldots, acct_m\}$
◮ For $i = 1$ to $m$, the exchange publishes a Pedersen commitment to the amount: $p_i = g^{v_i} h^{k_i}$ (the DL of $h$ w.r.t. $g$ is unknown)
◮ For $i = 1$ to $m$, the exchange publishes NIZKPoK signatures for
  $\mathrm{PoK}\{\alpha \mid b_i = a_i^{\alpha} \wedge p_i d_i^{-1} = (c_i^{-1} h)^{\alpha}\}$
  ◮ $b_i = a_i^{k_i} \Rightarrow \alpha = k_i$ for each $i$
  ◮ $p_i d_i^{-1} = (c_i^{-1} h)^{\alpha} \Rightarrow p_i = g^{v_i} h^{k_i}$, as $d_i = g^{v_i} c_i^{k_i}$
◮ The exchange publishes $p_{res} = \prod_{i=1}^{m} p_i$
◮ The exchange's owned accounts are revealed, but not the reserves amount
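The account relations of slides 12-14 and the Simplus commitment check of slides 15-18, worked in Python as an added example (not the authors' code; their implementation is in Rust, reference [5]). It assumes a constructed toy group of prime order 1019 and constructed keys and amounts, so it illustrates the algebra only and is not secure; `simplus_relation` checks the relation that the NIZKPoK proves rather than producing the proof itself.

```python
import hashlib, math

# Toy group (constructed for illustration, NOT secure): the quadratic residues modulo
# the safe prime q = 2p + 1 form a cyclic group of prime order p = 1019; g = 4 generates it.
q, p, g = 2039, 1019, 4

def hash_to_group(label):
    """Group element whose DL w.r.t. g nobody knows: hash the label, then square into the subgroup."""
    e = int(hashlib.sha256(label.encode()).hexdigest(), 16)
    return pow(e % (q - 1) + 1, 2, q)

h = hash_to_group("simplus-h")          # the Pedersen base h, DL w.r.t. g unknown

def account(k, v, t, r):
    """Quisquis account ((a, b), (c, d)) = ((g^t, g^{kt}), (a^r, g^v b^r)) for secret key k and amount v."""
    a = pow(g, t, q); b = pow(a, k, q); c = pow(a, r, q)
    return a, b, c, pow(g, v, q) * pow(b, r, q) % q

def owns(acct, k, v):
    """Ownership relation b = a^k and d = g^v c^k; the randomisers t and r are not needed."""
    a, b, c, d = acct
    return b == pow(a, k, q) and d == pow(g, v, q) * pow(c, k, q) % q

def simplus_commit(k, v):
    """p_i = g^{v_i} h^{k_i}: a Pedersen commitment whose blinding factor is the secret key k_i."""
    return pow(g, v, q) * pow(h, k, q) % q

def simplus_relation(acct, pi, k):
    """The relation the NIZKPoK proves for alpha = k: b = a^alpha and p d^{-1} = (c^{-1} h)^alpha.
    Given b = a^k, the second equation holds exactly when p_i = g^{v_i} h^{k_i} for the v_i hidden in d."""
    a, b, c, d = acct
    lhs = pi * pow(d, -1, q) % q
    rhs = pow(pow(c, -1, q) * h % q, k, q)
    return b == pow(a, k, q) and lhs == rhs

def reserves_commitment(ps):
    """p_res = prod p_i = g^{sum v_i} h^{sum k_i}: public, but the total stays hidden."""
    return math.prod(ps) % q

def demo():
    # Constructed secrets: two owned accounts holding 40 and 25 coins, with arbitrary t, r.
    owned = [(123, 40, account(123, 40, 77, 9)), (555, 25, account(555, 25, 31, 2))]
    ps = [simplus_commit(k, v) for k, v, _ in owned]
    relations_ok = all(owns(acct, k, v) and simplus_relation(acct, pi, k)
                       for (k, v, acct), pi in zip(owned, ps))
    # Only someone who knows the total (65) and the key sum (678) can open p_res.
    opens = reserves_commitment(ps) == pow(g, 65, q) * pow(h, 678, q) % q
    return relations_ok, opens
```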

SLIDES 19-21

Nummatus: A Private Proof of Reserves Protocol for Quisquis

◮ The exchange publishes an anonymity set $A_{anon} = \{acct_1, acct_2, \ldots, acct_n\}$ such that $A_{anon} \supset A_{own}$
◮ The exchange needs a sequence $h_1, h_2, h_3, \ldots$ with unknown DL w.r.t. $g$ and w.r.t. each other
  ◮ Can be generated by repeated hashing
◮ After the $j$th block in the Quisquis blockchain, for each $acct_i \in A_{anon}$, the exchange publishes
  $p_i^j = g^{v_i} h_j^{k_i}$ if $acct_i \in A_{own}$, and $p_i^j = h_j^{w_i}$ if $acct_i \notin A_{own}$, where the $w_i$s are random scalars

SLIDES 22-25

Nummatus: A Private Proof of Reserves Protocol for Quisquis

◮ For each $acct_i \in A_{anon}$, the exchange generates a NIZKPoK signature $\sigma_i$ of
  $\mathrm{PoK}\{(\alpha, \beta) \mid (b_i = a_i^{\alpha} \wedge p_i d_i^{-1} = (c_i^{-1} h_j)^{\alpha}) \vee p_i = h_j^{\beta}\}$
  ◮ The NIZKPoK signature proves that either $p_i$ commits to 0 or $p_i = g^{v_i} h_j^{k_i}$
◮ The exchange publishes $p_{res} = \prod_{i=1}^{n} p_i$
◮ Exchange privacy is preserved, as neither the owned accounts nor the reserves amount are revealed
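The Nummatus commitments and the OR-proof of slides 19-25, as an added example in Python that is not the authors' code; the product of the $p_i$ at the end is the same aggregation Provisions uses on slides 9-10. It assumes the same constructed toy group of order 1019 and constructed keys, and instantiates the NIZKPoK as a Chaum-Pedersen/Schnorr disjunction composed with the Cramer-Damgård-Schoenmakers OR technique and made non-interactive with Fiat-Shamir, which is my choice of instantiation rather than necessarily the paper's.

```python
import hashlib, secrets

# Toy group (constructed for illustration, NOT secure): the quadratic residues modulo the
# safe prime q = 2p + 1 form a cyclic group of prime order p = 1019; g = 4 generates it.
q, p, g = 2039, 1019, 4
H = lambda *parts: int(hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest(), 16)
def h_j(j):   # h_1 = H(g), h_j = H(h_{j-1}), squared into the subgroup: DLs w.r.t. g and each other unknown
    h = g
    for _ in range(j):
        h = pow(H("nummatus", h) % (q - 1) + 1, 2, q)
    return h

def account(k, v, t, r):   # Quisquis account ((a, b), (c, d)) = ((g^t, g^{kt}), (a^r, g^v b^r))
    a = pow(g, t, q); b = pow(a, k, q); c = pow(a, r, q)
    return a, b, c, pow(g, v, q) * pow(b, r, q) % q

def commit(hj, owned, secret, v=0):   # p_i^j = g^{v_i} h_j^{k_i} if owned, else h_j^{w_i} (secret is k_i or w_i)
    return pow(g, v, q) * pow(hj, secret, q) % q if owned else pow(hj, secret, q)

def bases(acct, hj, pi):   # (a, b, P, Q) with P = p_i d_i^{-1}, Q = c_i^{-1} h_j; owned  <=>  P = Q^{k_i}
    a, b, c, d = acct
    return a, b, pi * pow(d, -1, q) % q, pow(c, -1, q) * hj % q

def prove(acct, hj, pi, owned, secret):
    # OR-proof (CDS composition, Fiat-Shamir): (b = a^α ∧ P = Q^α) ∨ p_i = h_j^β. The clause the
    # prover can satisfy is run honestly, the other is simulated, so owned and decoy proofs look alike.
    a, b, P, Q = bases(acct, hj, pi)
    r = 1 + secrets.randbelow(p - 1)
    if owned:   # real clause A with α = k_i; simulate clause B from random (e2, s2)
        e2, s2 = secrets.randbelow(p), secrets.randbelow(p)
        T1, T2 = pow(a, r, q), pow(Q, r, q)
        T3 = pow(hj, s2, q) * pow(pi, -e2 % p, q) % q
        e1 = (H(acct, hj, pi, T1, T2, T3) - e2) % p
        s1 = (r + e1 * secret) % p
    else:       # real clause B with β = w_i; simulate clause A from random (e1, s1)
        e1, s1 = secrets.randbelow(p), secrets.randbelow(p)
        T1 = pow(a, s1, q) * pow(b, -e1 % p, q) % q
        T2 = pow(Q, s1, q) * pow(P, -e1 % p, q) % q
        T3 = pow(hj, r, q)
        e2 = (H(acct, hj, pi, T1, T2, T3) - e1) % p
        s2 = (r + e2 * secret) % p
    return e1, e2, s1, s2

def verify(acct, hj, pi, proof):   # recompute T1, T2, T3 from the responses; the challenges must add up
    a, b, P, Q = bases(acct, hj, pi)
    e1, e2, s1, s2 = proof
    T1 = pow(a, s1, q) * pow(b, -e1 % p, q) % q
    T2 = pow(Q, s1, q) * pow(P, -e1 % p, q) % q
    T3 = pow(hj, s2, q) * pow(pi, -e2 % p, q) % q
    return (e1 + e2) % p == H(acct, hj, pi, T1, T2, T3) % p
```

A verifier learns only that each $p_i$ is well formed; a decoy's $p_i = h_j^{w_i}$ contributes no amount to $p_{res}$, and two proofs at the same height $j$ that contain an identical $p_i$ expose a shared account, which is the collusion check of slide 26.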

SLIDES 26-27

Discussion

◮ All Quisquis exchanges need to generate the proof at the same block height $j$
◮ Security properties of Nummatus
  ◮ Collusion resistance: the same $p_i = g^{v_i} h_j^{k_i}$ appearing in two proofs detects account-sharing collusion between exchanges
  ◮ Inflation resistance
  ◮ Account privacy
◮ Performance comparison: both protocols implemented in Rust using the rust-secp256k1-zkp library [5]

| Size of A_anon | Size of A_own | Nummatus proof size | Nummatus generation time | Nummatus verification time | Simplus proof size | Simplus generation time | Simplus verification time |
|---|---|---|---|---|---|---|---|
| 100 | 25 | 0.02 MB | 1.15 s | 1.15 s | 0.005 MB | 0.29 s | 0.28 s |
| 100 | 50 | 0.02 MB | 1.16 s | 1.16 s | 0.011 MB | 0.58 s | 0.57 s |
| 100 | 75 | 0.02 MB | 1.19 s | 1.19 s | 0.017 MB | 0.91 s | 0.91 s |
| 1000 | 250 | 0.29 MB | 11.94 s | 11.76 s | 0.057 MB | 3.00 s | 2.98 s |
| 1000 | 500 | 0.29 MB | 11.92 s | 11.77 s | 0.114 MB | 5.97 s | 5.95 s |
| 1000 | 750 | 0.29 MB | 11.83 s | 11.74 s | 0.171 MB | 8.92 s | 8.74 s |
| 10000 | 2500 | 2.93 MB | 112.65 s | 113.36 s | 0.572 MB | 28.99 s | 28.06 s |
| 10000 | 5000 | 2.93 MB | 112.08 s | 113.23 s | 1.145 MB | 56.40 s | 56.63 s |
| 10000 | 7500 | 2.93 MB | 111.71 s | 112.87 s | 1.717 MB | 85.07 s | 85.72 s |

SLIDE 28

Conclusion

◮ Nummatus: first privacy preserving proof of reserves protocol for Quisquis
◮ Collusion detection: all exchanges must agree upon a common block height for proof generation
◮ Linear proof size: scalability to consider in future work

SLIDE 29

References

[1] G. G. Dagher, B. Bünz, J. Bonneau, J. Clark, and D. Boneh, “Provisions: Privacy-preserving proofs of solvency for Bitcoin exchanges,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (ACM CCS), New York, NY, USA, 2015, pp. 720–731.
[2] P. Fauzi, S. Meiklejohn, R. Mercer, and C. Orlandi, “Quisquis: A new design for anonymous cryptocurrencies,” Cryptology ePrint Archive, Report 2018/990, 2018, https://eprint.iacr.org/2018/990.
[3] A. Dutta and S. Vijayakumaran, “MProve: A proof of reserves protocol for Monero exchanges,” in 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), June 2019, pp. 330–339.
[4] A. Dutta and S. Vijayakumaran, “Revelio: A MimbleWimble proof of reserves protocol,” in 2019 Crypto Valley Conference on Blockchain Technology (CVCBT), June 2019, pp. 7–11.
[5] “Nummatus simulation code.” [Online]. Available: https://github.com/Arnabjana1999/Nummatus

Thank you for your attention. Questions?