nummatus a privacy preserving proof of reserves protocol
play

Nummatus: A Privacy Preserving Proof of Reserves Protocol for - PowerPoint PPT Presentation

Sep 28, 2022 •106 likes •405 views

Nummatus: A Privacy Preserving Proof of Reserves Protocol for Quisquis Arijit Dutta , Arnab Jana, and Saravanan Vijayakumaran Indian Institute of Technology Bombay, Mumbai, India Indocrypt, Hyderabad December 16, 2019 1 / 14 Introduction

  1. Nummatus: A Privacy Preserving Proof of Reserves Protocol for Quisquis Arijit Dutta , Arnab Jana, and Saravanan Vijayakumaran Indian Institute of Technology Bombay, Mumbai, India Indocrypt, Hyderabad December 16, 2019 1 / 14

  2. Introduction ◮ Cryptocurrency removes the need to trust centralized financial institute, brings privacy ◮ Miners and cryptocurrency users in Bitcoin 2 / 14

  3. Introduction ◮ Cryptocurrency exchange ◮ Custodial wallet → stores secret keys, enables trading 2 / 14

  4. Concerns and Solution ◮ Concerns ◮ Wallets get hacked, theft, internal fraud, and exit scam ◮ $927 million worth of cryptocurrency reported as stolen from exchanges in the first nine months of 2018 1 ◮ Fractional reserves ◮ One possible solution: Periodic proof of solvency ◮ Proof of reserves ◮ Proof of liabilities 1 https://ciphertrace.com/crypto-aml-report-2018q3 3 / 14

  5. Concerns and Solution ◮ Concerns ◮ Wallets get hacked, theft, internal fraud, and exit scam ◮ $927 million worth of cryptocurrency reported as stolen from exchanges in the first nine months of 2018 1 ◮ Fractional reserves ◮ One possible solution: Periodic proof of solvency ◮ Proof of reserves ◮ Proof of liabilities ◮ What’s in the name? ◮ Quisquis, a privacy focused cryptocurrency, proposed by Fauzi et al . in 2018 ◮ Latin for Quisquis → whoever, whatever ◮ Latin for Nummatus (a proof of reserves protocol) → moneyed, rich ◮ Proves exchanges are rich enough to meet their liabilities, preserves privacy of exchanges 1 https://ciphertrace.com/crypto-aml-report-2018q3 3 / 14

  6. Proof of Reserves Protocol ◮ The exchange needs to prove the possesion of certain amount of reserves ◮ Non-private proof of reserves protocol ◮ Exchange creates a transaction keeping owned addresses as input and some other owned addresses as output ◮ Reveals owned addresses and reserves amount 4 / 14

  7. Provisions: a Privacy Preserving Proof of Reserves Protocol for Bitcoin ◮ Proposed by Dagher et al . in 2015 ◮ Pedersen commitments: to hide the amount associated with a public key ◮ G is a cyclic group of prime order, let g be a generator, DL is hard ◮ h = g x ∈ G is chosen, x is unknown ◮ Pedersen commitment p ( a , y ) for amount a is given as p = g a h y ◮ y is random scalar, called the blinding factor 5 / 14

  8. Provisions: a Privacy Preserving Proof of Reserves Protocol for Bitcoin ◮ Proposed by Dagher et al . in 2015 ◮ Pedersen commitments: to hide the amount associated with a public key ◮ G is a cyclic group of prime order, let g be a generator, DL is hard ◮ h = g x ∈ G is chosen, x is unknown ◮ Pedersen commitment p ( a , y ) for amount a is given as p = g a h y ◮ y is random scalar, called the blinding factor ◮ Proof of reserves: Main Idea 5 / 14

  9. Provisions: a Privacy Preserving Proof of Solvency Protocol for Bitcoin ◮ For each address in P anon , the exchange chooses a random scalar y i and calculates Pedersen commitment � g a i h y i if i ∈ I own p i = h y i if i / ∈ I own ◮ The exchange proves in zero knowledge that p i s are calculated properly 6 / 14

  10. Provisions: a Privacy Preserving Proof of Solvency Protocol for Bitcoin ◮ For each address in P anon , the exchange chooses a random scalar y i and calculates Pedersen commitment � g a i h y i if i ∈ I own p i = h y i if i / ∈ I own ◮ The exchange proves in zero knowledge that p i s are calculated properly ◮ The exchange calculates |P anon | � |P anon | � i ∈I own a i h � y i p res = p i = g i =1 i =1 ◮ Motivated PoR protocols: MProve for Monero, Revelio for Grin, and Nummatus for Quisquis 6 / 14

  11. A Brief Introduction to Quisquis ◮ A recently proposed privacy focused cryptocurrency ◮ Hides the sender, the receiver and the amount of the transaction ◮ Privacy focused cryptocurrency → monotonic growth of UTXO set ◮ Solves the problem with an account based model 7 / 14

  12. Quisquis Accounts ◮ ( G , g , p ), prime order p with generator g , DDH is hard ◮ Quisquis account: acct = (public key , commitment) = (( a , b ) , ( c , d )) ∈ G 4 8 / 14

  13. Quisquis Accounts ◮ ( G , g , p ), prime order p with generator g , DDH is hard ◮ Quisquis account: acct = (public key , commitment) = (( a , b ) , ( c , d )) ∈ G 4 ◮ Public key: ( a , b ) = ( a , a k ) = ( g t , g k · t ), t arbitrary scalar, k secret key ◮ Commitment: ( c , d ) = ( c , g v c k ) = ( a r , g v a kr ) = ( a r , g v b r ), r arbitrary scalar, v ∈ F p is the amount 8 / 14

  14. Quisquis Accounts ◮ ( G , g , p ), prime order p with generator g , DDH is hard ◮ Quisquis account: acct = (public key , commitment) = (( a , b ) , ( c , d )) ∈ G 4 ◮ Public key: ( a , b ) = ( a , a k ) = ( g t , g k · t ), t arbitrary scalar, k secret key ◮ Commitment: ( c , d ) = ( c , g v c k ) = ( a r , g v a kr ) = ( a r , g v b r ), r arbitrary scalar, v ∈ F p is the amount ◮ To claim ownership of acct : prove knowledge of ( k , v ) such that b = a k ∧ d = g v c k , knowledge of t and r are not required! 8 / 14

  15. Simplus: A Semi-private Proof of Reserves Protocol for Quisquis ◮ After the j th block appears in the blockchain, exchange publishes the set of owned accounts A own = { acct 1 , acct 2 , . . . , acct m } 9 / 14

  16. Simplus: A Semi-private Proof of Reserves Protocol for Quisquis ◮ After the j th block appears in the blockchain, exchange publishes the set of owned accounts A own = { acct 1 , acct 2 , . . . , acct m } ◮ For i = 1 to m , the exchange publishes a Pedersen commitment to the amount: p i = g v i h k i (DL of h w.r.t. g is unknown) ◮ For i = 1 to m , the exchange publishes NIZKPoK signatures for � � � � α �� ∧ p i d − 1 c − 1 � PoK α b i = a α = h . � i i i � 9 / 14

  17. Simplus: A Semi-private Proof of Reserves Protocol for Quisquis ◮ After the j th block appears in the blockchain, exchange publishes the set of owned accounts A own = { acct 1 , acct 2 , . . . , acct m } ◮ For i = 1 to m , the exchange publishes a Pedersen commitment to the amount: p i = g v i h k i (DL of h w.r.t. g is unknown) ◮ For i = 1 to m , the exchange publishes NIZKPoK signatures for � � � � α �� ∧ p i d − 1 c − 1 � PoK α b i = a α = h . � i i i � ◮ b i = a k i = ⇒ α = k i for each i i � α = ◮ p i d − 1 c − 1 ⇒ p i = g v i h k i , as d i = g v i c k i � = h i i i ◮ The exchange publishes p res = � m i =1 p i 9 / 14

  18. Simplus: A Semi-private Proof of Reserves Protocol for Quisquis ◮ After the j th block appears in the blockchain, exchange publishes the set of owned accounts A own = { acct 1 , acct 2 , . . . , acct m } ◮ For i = 1 to m , the exchange publishes a Pedersen commitment to the amount: p i = g v i h k i (DL of h w.r.t. g is unknown) ◮ For i = 1 to m , the exchange publishes NIZKPoK signatures for � � � � α �� ∧ p i d − 1 c − 1 � PoK α b i = a α = h . � i i i � ◮ b i = a k i = ⇒ α = k i for each i i � α = ◮ p i d − 1 c − 1 ⇒ p i = g v i h k i , as d i = g v i c k i � = h i i i ◮ The exchange publishes p res = � m i =1 p i ◮ The exchange owned accounts are revealed, but not the reserves amount 9 / 14

  19. Nummatus: A Private Proof of Reserves Protocol for Quisquis ◮ The exchange publishes an anonymity set such that A anon ⊃ A own = { acct 1 , acct 2 , . . . , acct n } 10 / 14

  20. Nummatus: A Private Proof of Reserves Protocol for Quisquis ◮ The exchange publishes an anonymity set such that A anon ⊃ A own = { acct 1 , acct 2 , . . . , acct n } ◮ The exchange needs a sequence h 1 , h 2 , h 3 , · · · with unknown DL w.r.t. g and each other ◮ Can be generated by repeated hashing 10 / 14

  21. Nummatus: A Private Proof of Reserves Protocol for Quisquis ◮ The exchange publishes an anonymity set such that A anon ⊃ A own = { acct 1 , acct 2 , . . . , acct n } ◮ The exchange needs a sequence h 1 , h 2 , h 3 , · · · with unknown DL w.r.t. g and each other ◮ Can be generated by repeated hashing ◮ After j th block in Quisquis blockchain, for each acct i ∈ A anon , the exchange publishes � g v i h k i if acct i ∈ A own , p j j i = h w i if acct i �∈ A own , j w i s are random scalar 10 / 14

  22. Nummatus: A Private Proof of Reserves Protocol for Quisquis ◮ For each acct i ∈ A anon , the exchange generates a NIZKPoK signature σ i of � � � � α � � �� p i = h β b i = a α ∧ p i d − 1 c − 1 � PoK ( α, β ) = ∨ h j � i i i j � 11 / 14

  23. Nummatus: A Private Proof of Reserves Protocol for Quisquis ◮ For each acct i ∈ A anon , the exchange generates a NIZKPoK signature σ i of � � � � α � � �� p i = h β b i = a α ∧ p i d − 1 c − 1 � PoK ( α, β ) = ∨ h j � i i i j � ◮ NIZKPoK signature proves that either p i commits to 0 or p i = g v i h k i j 11 / 14

  24. Nummatus: A Private Proof of Reserves Protocol for Quisquis ◮ For each acct i ∈ A anon , the exchange generates a NIZKPoK signature σ i of � � � � α � � �� p i = h β b i = a α ∧ p i d − 1 c − 1 � PoK ( α, β ) = ∨ h j � i i i j � ◮ NIZKPoK signature proves that either p i commits to 0 or p i = g v i h k i j ◮ The exchange publishes p res = � n i =1 p i 11 / 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MProve: A Proof of Reserves Protocol for Monero Exchanges Arijit Dutta, Saravanan Vijayakumaran

MProve: A Proof of Reserves Protocol for Monero Exchanges Arijit Dutta, Saravanan Vijayakumaran

MProve: A Proof of Reserves Protocol for Monero Exchanges Arijit Dutta, Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay IEEE S&B, Stockholm June 20, 2019 1 / 12 Cryptocurrency Exchanges

395 views • 12 slides
GNUnet A network protocol stack for building secure, distributed, and privacy-preserving

GNUnet A network protocol stack for building secure, distributed, and privacy-preserving

GNUnet A network protocol stack for building secure, distributed, and privacy-preserving application FOSDEM20 Martin Schanzenbach 2/2/2020 The Internet is under attack The Internet HTTP, Facebook, Google, Libra ... DNS / X.509 TCP /

631 views • 34 slides
Ouroboros Crypsinous Privacy-Preserving Proof-of-Stake Thomas Kerber Aggelos Kiayias

Ouroboros Crypsinous Privacy-Preserving Proof-of-Stake Thomas Kerber Aggelos Kiayias

Ouroboros Crypsinous Privacy-Preserving Proof-of-Stake Thomas Kerber Aggelos Kiayias t.kerber@ed.ac.uk akiayias@ed.ac.uk Markulf Kohlweiss Vassilis Zikas mkohlwei@ed.ac.uk vzikas@ed.ac.uk The University of Edinburgh & IOHK May 17,

286 views • 28 slides
End-to-end Design of a PUF based Privacy Preserving Authentication Protocol Aydin Aysu (Virginia

End-to-end Design of a PUF based Privacy Preserving Authentication Protocol Aydin Aysu (Virginia

End-to-end Design of a PUF based Privacy Preserving Authentication Protocol Aydin Aysu (Virginia Tech) Ege Gulcan (Virginia Tech) Daisuke Moriyama (NICT) Patrick Schaumont (Virginia Tech) Moti Yung (Google/Columbia University) 1 Motivation

595 views • 31 slides
Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU

Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU

Privacy Preserving Protocols Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU Leuven - COSIC 20 November 2012 Privacy Preserving Protocols Introduction Cryptography in Daily Life RFID Privacy

1.04k views • 60 slides
Privacy-Preserving Telemonitoring for eHealth Mohamed Layouni , Kristof Verslype , Mehmet

Privacy-Preserving Telemonitoring for eHealth Mohamed Layouni , Kristof Verslype , Mehmet

Introduction Settings Requirements Building Blocks Protocol Description Discussion Privacy-Preserving Telemonitoring for eHealth Mohamed Layouni , Kristof Verslype , Mehmet Tahir Sandkkaya , Bart De Decker , Hans Vangheluwe

350 views • 19 slides
Privacy-preserving Location Proximity Per Hallgren, Chalmers Univ. Gothenburg Martn Ochoa,

Privacy-preserving Location Proximity Per Hallgren, Chalmers Univ. Gothenburg Martn Ochoa,

Privacy-preserving Location Proximity Per Hallgren, Chalmers Univ. Gothenburg Martn Ochoa, Siemens AG (Recently TUM) Andrei Sabelfeld, Chalmers University of Technology TOC 1. Background 2. Protocol 3. Theoretical Evaluation 4. Practical

844 views • 36 slides
Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro

Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro

Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro University College London (UCL) https://emilianodc.com Privacy-preserving what ? Parties with limited mutual trust willing or required to share

1.1k views • 66 slides
Transaction Tax Challenges in Mergers and Acquisitions Identifying Reserves, Preserving Credits

Transaction Tax Challenges in Mergers and Acquisitions Identifying Reserves, Preserving Credits

Transaction Tax Challenges in Mergers and Acquisitions Identifying Reserves, Preserving Credits and Incentives, Maintaining Post-Integration Documents TUESDAY , SEPTEMBER 29, 2015 1:00-2:50 pm Eastern IMPORTANT INFORMATION This program is

525 views • 33 slides
New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of California, San Diego Sensitive Data Medical Records Genetic Data Search Logs AOL Violates Privacy AOL Violates Privacy Netflix Violates Privacy [NS08]

957 views • 92 slides
Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute Hung Dang, Anh

Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute Hung Dang, Anh

Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute Hung Dang, Anh Dinh, Ee-Chien Chang, Beng Chin Ooi School of Computing National University of Singapore PETS 2017 Privacy-Preserving Computation with Trusted

477 views • 34 slides
Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No privacy breaches! Public Data Anonymization Data representation? Privacy breach? Value of data? Data publisher Privacy Analyst Work by: Elena

80 views • 3 slides
Collaborative Privacy Preserving Data Mining in Vertically Partitioned Databases Ehud Gudes

Collaborative Privacy Preserving Data Mining in Vertically Partitioned Databases Ehud Gudes

Collaborative Privacy Preserving Data Mining in Vertically Partitioned Databases Ehud Gudes Ben-Gurion University, Israel This talk presents joint work with Boris Rozenberg Talk Outline Motivation for Privacy-Preserving Distributed Data

1.48k views • 68 slides
Privacy preserving data mining randomized response and association rule hiding Li Xiong

Privacy preserving data mining randomized response and association rule hiding Li Xiong

Privacy preserving data mining randomized response and association rule hiding Li Xiong CS573 Data Privacy and Anonymity Partial slides credit: W. Du, Syracuse University, Y. Gao, Peking University Privacy Preserving Data Mining

659 views • 39 slides
Privacy-preserving Biometrics in practice: diffjcult to sell Carmela Troncoso (Gradiant) My

Privacy-preserving Biometrics in practice: diffjcult to sell Carmela Troncoso (Gradiant) My

Privacy-preserving Biometrics in practice: diffjcult to sell Carmela Troncoso (Gradiant) My experience with biometrics and privacy Academic background on privacy Gradiants goal: transfer of knowledge to industry We bring state of

193 views • 6 slides
Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption With good encryption, data values not readable So whats the problem? Lecture 17 Page 1 CS 236 Online Traffic Analysis

532 views • 21 slides
Holography for inflation using conformal perturbation theory Paul McFadden Perimeter Institute

Holography for inflation using conformal perturbation theory Paul McFadden Perimeter Institute

Holography for inflation using conformal perturbation theory Paul McFadden Perimeter Institute for Theoretical Physics 17.12.12 arXiv:1211.4550 with Adam Bzowski & Kostas Skenderis Introduction Correlation functions of the primordial

615 views • 33 slides
The quest for the beginning Nikhef - November 20 th 2015 A dynamical universe Spectral lines

The quest for the beginning Nikhef - November 20 th 2015 A dynamical universe Spectral lines

Paolo Creminelli, ICTP (Trieste) The quest for the beginning Nikhef - November 20 th 2015 A dynamical universe Spectral lines from faraway galaxies are redshifted: Doppler effect Galaxies get away from each other Velocity proportional to

739 views • 50 slides
Path Planning for PLM Solutions and open issues Product Lifecycle Management MOVIE Workshop

Path Planning for PLM Solutions and open issues Product Lifecycle Management MOVIE Workshop

Path Planning for PLM Solutions and open issues Product Lifecycle Management MOVIE Workshop January 2005 1 Research Kineo PLM Users Research Lab PLM Users Scientific Professional Contributions Solutions Needs Problems Kineo

200 views • 17 slides
EXECUTIVE COMPENSATION 2020: T opics Arising from Recent Disruptions October 29, 2020 AGENDA

EXECUTIVE COMPENSATION 2020: T opics Arising from Recent Disruptions October 29, 2020 AGENDA

EXECUTIVE COMPENSATION 2020: T opics Arising from Recent Disruptions October 29, 2020 AGENDA 1. 2020 - What has happened so far? 2. Discussions Boards should be having now: preparing for year-end 3. Stakeholder Communication 4. Goal setting

222 views • 19 slides
Section 3.7 Derivatives of logarithmic functions 1 Rules of exponentials and logarithms 1.

Section 3.7 Derivatives of logarithmic functions 1 Rules of exponentials and logarithms 1.

Section 3.7 Derivatives of logarithmic functions 1 Rules of exponentials and logarithms 1. a b + c = a b a c 1. log a ( bc ) = log a ( b ) + log a ( c ) 2. a b c = a b 2. log a b c = log a ( b ) log a ( c ) a c 3. log a ( b c ) = c

217 views • 11 slides
Now what do I do with this function? Enrique Pinzn StataCorp LP October 19, 2017 Madrid

Now what do I do with this function? Enrique Pinzn StataCorp LP October 19, 2017 Madrid

Now what do I do with this function? Enrique Pinzn StataCorp LP October 19, 2017 Madrid (StataCorp LP) October 19, 2017 Madrid 1 / 42 Initial thoughts Nonparametric regression and about effects/questions npregress Mean relation between

841 views • 66 slides
Support Vector Machines (SVMs). Semi-Supervised Learning. Semi-Supervised SVMs.

Support Vector Machines (SVMs). Semi-Supervised Learning. Semi-Supervised SVMs.

Support Vector Machines (SVMs). Semi-Supervised Learning. Semi-Supervised SVMs. Maria-Florina Balcan 03/25/2015 Support Vector Machines (SVMs). One of the most theoretically well motivated and practically most e ff ective

792 views • 40 slides
UW Insider Trusted college advice, for students, by students Jordan Heier and Isaiah Mathieu

UW Insider Trusted college advice, for students, by students Jordan Heier and Isaiah Mathieu

UW Insider Trusted college advice, for students, by students Jordan Heier and Isaiah Mathieu Problem and Solution Problem: Difficult for students to find information essential for college planning Many end up switching majors,

76 views • 3 slides

More recommend