
Aggregate Cash Systems: A Cryptographic Investigation of Mimblewimble

  • Georg Fuchsbauer
  • Michele Orrù
  • Yannick Seurin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11476)

Abstract

Mimblewimble is an electronic cash system proposed by an anonymous author in 2016. It combines several privacy-enhancing techniques initially envisioned for Bitcoin, such as Confidential Transactions (Maxwell, 2015), non-interactive merging of transactions (Saxena, Misra, Dhar, 2014), and cut-through of transaction inputs and outputs (Maxwell, 2013). As a remarkable consequence, coins can be deleted once they have been spent while maintaining public verifiability of the ledger, which is not possible in Bitcoin. This results in tremendous space savings for the ledger and efficiency gains for new users, who must verify their view of the system.

In this paper, we provide a provable-security analysis for Mimblewimble. We give a precise syntax and formal security definitions for an abstraction of Mimblewimble that we call an aggregate cash system. We then formally prove the security of Mimblewimble in this definitional framework. Our results imply in particular that two natural instantiations (with Pedersen commitments and Schnorr or BLS signatures) are provably secure against inflation and coin theft under standard assumptions.
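The abstract's key point is that a Mimblewimble ledger stays publicly verifiable after spent coins are deleted, because Pedersen commitments are additively homomorphic and each transaction kernel carries a Schnorr signature under the "excess" blinding factor. The following toy Python implementation is an added illustration written for this page, not code from the paper or from any Mimblewimble project. It assumes a tiny safe-prime group (p = 2039, q = 1019, generators G and H chosen as squares mod p, all constructed here) in place of the elliptic curve a real deployment uses, omits range proofs, and uses hypothetical helper names (`make_tx`, `verify_tx`, `merge`, `cut_through`). It shows an honest transaction verifying, an inflating one failing, non-interactive merging of two transactions, and cut-through of the intermediate coin with the aggregate still verifying.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example. p = 2q + 1 is a safe prime and
# G, H are squares mod p, hence generators of the order-q subgroup. A real system
# uses an elliptic-curve group where log_G(H) is unknown; with q = 1019 the
# discrete log is trivial, so this demonstrates the algebra, not a secure instance.
P, Q = 2039, 1019
G, H = pow(2, 2, P), pow(3, 2, P)


def commit(value, blind):
    """Pedersen commitment C = G^blind * H^value mod p (additively homomorphic)."""
    return (pow(G, blind % Q, P) * pow(H, value % Q, P)) % P


def hash_to_scalar(*parts):
    data = b"".join(int(x).to_bytes(4, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def schnorr_sign(sk, msg):
    """Schnorr signature under public key G^sk: proves knowledge of sk."""
    sk %= Q
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    e = hash_to_scalar(R, pow(G, sk, P), msg)
    return R, (k + e * sk) % Q


def schnorr_verify(pk, msg, sig):
    R, s = sig
    e = hash_to_scalar(R, pk, msg)
    return pow(G, s, P) == (R * pow(pk, e, P)) % P


def make_tx(inputs, outputs, fee):
    """inputs/outputs are (value, blind) pairs known only to the transacting parties.
    The kernel carries the fee, the excess G^(sum r_out - sum r_in) and a Schnorr
    signature under that excess. Range proofs on outputs (needed to rule out
    negative values, cf. Bulletproofs [BBB+18]) are omitted in this toy."""
    x = (sum(r for _, r in outputs) - sum(r for _, r in inputs)) % Q
    excess = pow(G, x, P)
    kernel = {"fee": fee, "excess": excess, "sig": schnorr_sign(x, fee)}
    return {
        "inputs": [commit(v, r) for v, r in inputs],
        "outputs": [commit(v, r) for v, r in outputs],
        "kernels": [kernel],
    }


def verify_tx(tx):
    """Public check needing no values or blinding factors:
    prod(outputs) * H^fees / prod(inputs) == prod(kernel excesses),
    and every kernel signature verifies under its excess."""
    lhs = 1
    for c in tx["outputs"]:
        lhs = lhs * c % P
    for c in tx["inputs"]:
        lhs = lhs * pow(c, -1, P) % P
    rhs = 1
    for k in tx["kernels"]:
        lhs = lhs * pow(H, k["fee"], P) % P
        rhs = rhs * k["excess"] % P
        if not schnorr_verify(k["excess"], k["fee"], k["sig"]):
            return False
    return lhs == rhs


def merge(tx1, tx2):
    """Non-interactive aggregation: union of inputs, outputs and kernels."""
    return {key: tx1[key] + tx2[key] for key in ("inputs", "outputs", "kernels")}


def cut_through(tx):
    """Delete every commitment that is both an output and an input of the aggregate.
    The spent coin disappears, the kernels stay, and verification still passes
    because the deleted term cancels in the balance equation."""
    spent = set(tx["inputs"]) & set(tx["outputs"])
    return {
        "inputs": [c for c in tx["inputs"] if c not in spent],
        "outputs": [c for c in tx["outputs"] if c not in spent],
        "kernels": tx["kernels"],
    }


def demo():
    # Constructed scenario: Alice holds a 50-unit coin and pays 30 to Bob (fee 1,
    # change 19); Bob then pays 29 to Carol (fee 1). Blinding factors are fixed
    # here for readability; real wallets draw them at random.
    alice_coin, to_bob, change = (50, 123), (30, 456), (19, 789)
    tx1 = make_tx([alice_coin], [to_bob, change], fee=1)
    tx2 = make_tx([to_bob], [(29, 321)], fee=1)
    agg = cut_through(merge(tx1, tx2))
    return tx1, tx2, agg


if __name__ == "__main__":
    tx1, tx2, agg = demo()
    print("tx1 valid:", verify_tx(tx1), "tx2 valid:", verify_tx(tx2))
    print("aggregate after cut-through valid:", verify_tx(agg))
    print("inflating tx valid:", verify_tx(make_tx([(50, 123)], [(60, 1)], fee=0)))
```

After cut-through the aggregate keeps one input (Alice's coin), two outputs (Alice's change and Carol's coin) and both kernels; Bob's intermediate coin is gone, yet `verify_tx` still succeeds. The inflating transaction fails because the `H^10` surplus cannot be absorbed by an honest excess, which is the inflation-resistance property the paper proves under standard assumptions.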

Keywords

Mimblewimble, Bitcoin, Commitments, Aggregate signatures

Notes

Acknowledgements

The first author is supported by the French ANR EfTrEC project (ANR-16-CE39-0002) and the MSR-Inria Joint Centre. The second author is supported by ERC grant 639554 (project aSCEND).

References

  1. [AKR+13]
    Androulaki, E., Karame, G.O., Roeschlin, M., Scherer, T., Capkun, S.: Evaluating user privacy in Bitcoin. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 34–51. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_4
  2. [Bac13]
    Back, A.: Bitcoins with homomorphic value (validatable but encrypted), October 2013. BitcoinTalk post. https://bitcointalk.org/index.php?topic=305791.0
  3. [BBB+18]
    Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: S&P 2018, pp. 315–334 (2018)
  4. [BBSU12]
    Barber, S., Boyen, X., Shi, E., Uzun, E.: Bitter to better: how to make Bitcoin a better currency. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 399–414. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_29
  5. [BCG+14]
    Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from Bitcoin. In: S&P 2014, pp. 459–474 (2014)
  6. [BCJ08]
    Bagherzandi, A., Cheon, J.H., Jarecki, S.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: ACM CCS 2008, pp. 449–458 (2008)
  7. [BGLS03]
    Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_26
  8. [BLS01]
    Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30
  9. [BNM+14]
    Bonneau, J., Narayanan, A., Miller, A., Clark, J., Kroll, J.A., Felten, E.W.: Mixcoin: anonymity for Bitcoin with accountable mixes. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 486–504. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_31
  10. [BNN07]
    Bellare, M., Namprempre, C., Neven, G.: Unrestricted aggregate signatures. In: Arge, L., Cachin, C., Jurdziński, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 411–422. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73420-8_37
  11. [DDO+01]
    De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust non-interactive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 566–598. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_33
  12. [FOS18]
    Fuchsbauer, G., Orrù, M., Seurin, Y.: Aggregate cash systems: a cryptographic investigation of Mimblewimble. Cryptology ePrint Archive, Report 2018/1039 (2018). https://eprint.iacr.org/2018/1039
  13. [GCKG14]
    Gervais, A., Capkun, S., Karame, G.O., Gruber, D.: On the privacy provisions of bloom filters in lightweight Bitcoin clients. In: ACSAC 2014, pp. 326–335 (2014)
  14. [Gro06]
    Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_29
  15. [HAB+17]
    Heilman, E., Alshenibr, L., Baldimtsi, F., Scafuro, A., Goldberg, S.: TumbleBit: an untrusted Bitcoin-compatible anonymous payment hub. In: NDSS (2017)
  16. [Jed16]
  17. [KKM14]
    Koshy, P., Koshy, D., McDaniel, P.: An analysis of anonymity in Bitcoin using P2P network traffic. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 469–485. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_30
  18. [LMRS04]
    Lysyanskaya, A., Micali, S., Reyzin, L., Shacham, H.: Sequential aggregate signatures from trapdoor permutations. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 74–90. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_5
  19. [Max13a]
    Maxwell, G.: CoinJoin: Bitcoin privacy for the real world, August 2013. BitcoinTalk post. https://bitcointalk.org/index.php?topic=279249.0
  20. [Max13b]
    Maxwell, G.: Transaction cut-through, August 2013. BitcoinTalk post. https://bitcointalk.org/index.php?topic=281848.0
  21. [Max15]
    Maxwell, G.: Confidential Transactions (2015). https://people.xiph.org/~greg/confidential_values.txt
  22. [MGGR13]
    Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: anonymous distributed E-cash from Bitcoin. In: S&P 2013, pp. 397–411 (2013)
  23. [MPJ+13]
    Meiklejohn, S., et al.: A fistful of Bitcoins: characterizing payments among men with no names. In: Internet Measurement Conference, IMC 2013, pp. 127–140 (2013)
  24. [Nak08]
    Nakamoto, S.: Bitcoin: A Peer-to-Peer Electronic Cash System (2008). http://bitcoin.org/bitcoin.pdf
  25. [Ped92]
    Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
  26. [Poe16]
  27. [PS96]
    Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_33
  28. [RMK14]
    Ruffing, T., Moreno-Sanchez, P., Kate, A.: CoinShuffle: practical decentralized coin mixing for Bitcoin. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 345–364. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11212-1_20
  29. [RS13]
    Ron, D., Shamir, A.: Quantitative analysis of the full Bitcoin transaction graph. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 6–24. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_2
  30. [RTRS18]
    Ruffing, T., Thyagarajan, S.A., Ronge, V., Schröder, D.: Burning zerocoins for fun and for profit: a cryptographic denial-of-spending attack on the zerocoin protocol. IACR Cryptology ePrint Archive, Report 2018/612 (2018)
  31. [Sch91]
    Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
  32. [SMD14]
    Saxena, A., Misra, J., Dhar, A.: Increasing anonymity in Bitcoin. In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds.) FC 2014. LNCS, vol. 8438, pp. 122–139. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44774-1_9
  33. [SZ16]
    Sompolinsky, Y., Zohar, A.: Bitcoin's security model revisited (2016). Manuscript. http://arxiv.org/abs/1605.09193
  34. [vS13]
    van Saberhagen, N.: CryptoNote v 2.0 (2013). Manuscript. https://cryptonote.org/whitepaper.pdf

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Georg Fuchsbauer (1, 2)
  • Michele Orrù (1, 2)
  • Yannick Seurin (3)
  1. Inria, Paris, France
  2. École normale supérieure, CNRS, PSL, Paris, France
  3. ANSSI, Paris, France
