Quisquis: An Anonymous Cryptocurrency Based on Updatable Public - - PowerPoint PPT Presentation

▶

Oct 18, 2023 275 likes •583 views

Quisquis: An Anonymous Cryptocurrency Based on Updatable Public Keys Prastudy Fauzi, Sarah Meiklejohn, Rebekah Mercer, Claudio Orlandi @claudiorlandi Blockchain Research Applications Smart Contracts Transaction Layer This talk Consensus

SLIDE 1

Quisquis: An Anonymous Cryptocurrency Based on Updatable Public Keys

Prastudy Fauzi, Sarah Meiklejohn, Rebekah Mercer, Claudio Orlandi @claudiorlandi

SLIDE 2

Blockchain Research

Network Layer Consensus Layer Transaction Layer Smart Contracts Applications This talk

SLIDE 3 3

Bitcoin and Anonymity

SLIDE 4

Bitcoin is like Twitter for your bank account. (Ian Miers)

“ ”

4 A Fistful of Bitcoins (Meiklejohn et al)

SLIDE 5

Existing Alternatives for Anonymous Payments

Dash
Monero
Zcash
… but, I’m a theoretician! For the rest of the talk I

will address ”abstract technologies” not actual products (which are much more complicated).

SLIDE 6

Existing Techniques for Privacy

Technologies

– Tumblers – Ring Signatures – ZK-SNARKS

Questions

– Need for coordination? – Deniability? – Provable Anonymity? – Trust in third parties? – Size of UTXO?

SLIDE 7 pk1 pk2 pk2 pk1 pk1

Basic Transactions (e.g., Bitcoin)

pk3 pk3 pk4 pk2

UTXO Blockchain

For context, in November 2017

– Blockchain 130 GB – UTXO 3 GB

SLIDE 8

Tumblers (1/2)

A wants to give 1 coin to B
C wants to give 1 coin to D
(A, C) create a 2-2 TX with

receivers (B,D) in random

rder.
An external observer cannot

determine who sent to whom.

Can be generalized to N

senders and N receivers

A C B D TX

SLIDE 9

Tumblers (2/2)

Centralized Tumblers

– J Easy (trusted party performs transaction and matches users) – L Need to trust central party for anonymity and security

Decentralized Tumblers

– L Hard (how to find other users who want to mix their coins? + protocol require interaction) – J Secure using cryptographic protocol

(Exception: TumbleBit, see talk this morning)

SLIDE 10

Ring Signatures (1/3)

Sign(pk0,pk1,skb, m)à s
Ver(pk0,pk1,m,s)à accept
Indistinguishability:
Sign(pk0,pk1,sk0, m) ≈ Sign(pk0,pk1,sk1, m)
(In general, there are N public keys)

SLIDE 11

Ring Signatures (2/3)

pk1 pk2 pk2 pk1 pk1 pk3 pk3 pk4 pk2

Was pk1 spent? Can’t tell! J
Also means, cannot remove pk1 from UTXO L

(Ignoring how to prevent double spending)

SLIDE 12 pk1 pk2 pk2 pk1 pk1 pk3 pk3 pk4 pk2 pk1 pk3 pk4 pk2 pk5

Anonymity?

– After 2nd TXs pk1 and pk2 are both spent à 3rd transaction was made by pk3 with certainty

Ring Signatures (3/3)

(Ignoring how to prevent double spending)

SLIDE 13

Zero-Knowledge (come back tomorrow at 10.30!)

P(x) V

“I know x s.t. f(x)=1”

Completeness

– P,V honest à V accepts

Proof-of-Knowledge

– If P does not know x à V rejects

Zero-Knowledge

– V learns nothing about x q a q a

SLIDE 14

ZK-SNARKS

Can be seen as extension of ring signatures, using

advanced cryptographic protocols

– Can hide in sets of arbitrary size - “∞-to-1” transactions – Generation time for transaction high L – Need for trusted setup (CRS) L

pk1 pk2 pk2 pk1 pk1 pk3 pk3 pk4 pk2

SLIDE 15

Entering QuisQuis!

SLIDE 16

QuisQuis idea: N-to-N transaction without interaction

A S R B TX

S wants to send

money to R

Add transaction from

A to B for anonymity

Paradox?

– Move other people money without their approval – While at the same time preventing theft?

SLIDE 17

Idea that does not work

A S R A TX

Add transaction

from A to A.

No money stolen J
No privacy L

SLIDE 18

Idea that might work

A S R A’ TX

What if I could move

A’s money to a new ”random looking” address which is also

wned by A?

SLIDE 19

Updatable Public Keys

Gen

pk sk r pk’

Update

hint

Derive

sk’

SLIDE 20

Updatable Public Keys

Gen

pk sk r pk’

Update

hint

Derive

sk’

Correctness: (pk’,sk’) is a valid key pair

SLIDE 21

Updatable Public Keys

Gen Update Derive

pk sk r pk’ hint sk’

Indistinguishability:

(pk,hint) looks like (pk’,hint)

SLIDE 22

Unforgeability

No A(pk) can output (pk’,sk’,r) such that

Update(r,pk) à pk’ AND (pk’,sk’) is a valid pair

Output (r,pk’): trivial! (run update)
Output (pk’,sk’): trivial! (drop pk and run Gen)
Both at the same time should be hard!

SLIDE 23

Constructions of Updatable Public Key

(Main Construction)

Gen à pk=(gs,gsx)=(u,v), sk=x
Update(pk, r) à pk’ = (ur,vr)
Derive(sk) à sk
Correctness: ✔
Indistinguishability: (u,v, ur,vr) ~ (u,v,ur,vs) DDH
Unforgeability: given x can output x (break DL)

SLIDE 24

Constructions of Updatable Public Key

(Alternative Construction)

Gen à pk=gx, sk=x
Update(pk, r) à hint=gr, pk’=pk*gy with y=H(pkr)
Derive(sk, hint) à sk’ = x + H(hintx)
Correctness: ✔
Indistinguishability: follows from DDH
Unforgeability: given r,sk’ output sk (break DL)
Bonus! Forward anonymity in RO model

– (given sk’ cannot tell if new or derived)

SLIDE 25

QuisQuis Transaction

Real Input: pkS
Real Output: pkR
Run Update(pkR)àpkR’
Choose random pkA from UTXO
Run Update(pkA)à pkB

A S R B=Upd(A) TX

ZK proof π for the following statement:

– ”I computed N-k outputs as Updates of N-k inputs” (hiding which ones) – “I know the sk corresponding to the remaining input keys”

ZK π R’=Upd(R)

SLIDE 26

QuisQuis Transaction

Non-growing UTXO:

– all inputs have been spent and can be removed

Theft prevention:

– You are free to spend a coin if you know the sk – The other coins did not change owner

Anonymity

– Updated keys look ind. from fresh new keys – ZK proof hides links between inputs/outputs

SLIDE 27

A bit more details…

ZK proofs obtained as combination of Sigma

protocols for

– ”I know the sk” (“I know the DL”) – “I run Update correctly” (”Proof of DDH tuple”) – “I shuffled some Updated public keys” (from Bayer-Groth shuffle)

Can be made non-interactive using Fiat-Shamir in the

Random Oracle model.

SLIDE 28

Performances

SLIDE 29