Abstract
In this work we present MiniLedger, a distributed payment system which not only guarantees the privacy of transactions, but also offers built-in functionalities for various types of audits by any external authority. MiniLedger is the first private and auditable payment system with storage costs independent of the number of transactions. To achieve such a storage improvement, we introduce pruning functionalities for the transaction history while maintaining integrity and auditing. We provide formal security definitions and a number of extensions for various auditing levels. Our evaluation results show that MiniLedger is practical in terms of storage, requiring as little as 70 KB per participant for 128 bits of security, and, depending on the implementation choices, can prune 1 million transactions in less than a second.
F. Baldimtsi—The authors have been supported by the National Science Foundation (NSF) under Grant 1717067, the National Security Agency (NSA) under Grant 204761, an IBM Faculty Award and Facebook Research Award.
Notes
1. To simplify notation, from now on we will drop the superscripts from the two parts of the Elgamal ciphertext, i.e., we will simply write \(C_{0j} = (c_{1},c_{2})\).
2.
3. A basic implementation of MiniLedger is available at https://github.com/PanosChtz/Miniledger.
References
1. Privacy coins face existential threat amid regulatory pinch. https://www.bloomberg.com/news/articles/2019-09-19/privacy-coins-face-existential-threat-amid-regulatory-crackdown
2. The libra blockchain (2020). https://developers.libra.org/docs/assets/papers/the-libra-blockchain/2020-05-26.pdf
3. Libra roles and permissions (2020). https://lip.libra.org/lip-2/
4. Androulaki, E., et al.: Hyperledger fabric: a distributed operating system for permissioned blockchains. In: Oliveira, R., Felber, P., Hu, Y.C. (eds.) Proceedings of the Thirteenth EuroSys Conference, Porto, Portugal, 23–26 April 2018, pp. 30:1–30:15. ACM (2018)
5. Androulaki, E., Karame, G.O., Roeschlin, M., Scherer, T., Capkun, S.: Evaluating user privacy in bitcoin. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 34–51. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_4
6. Baldimtsi, F., et al.: Accumulators with applications to anonymity-preserving revocation. In: 2017 IEEE European Symposium on Security and Privacy, Paris, France, 26–28 April 2017, pp. 301–315. IEEE (2017)
7. Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press (2014). https://doi.org/10.1109/SP.2014.36
8. Boneh, D., Bünz, B., Fisch, B.: Batching techniques for accumulators with applications to IOPs and stateless blockchains. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 561–586. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_20
9. Bonneau, J., Meckler, I., Rao, V., Shapiro, E.: Coda: decentralized cryptocurrency at scale. Cryptology ePrint Archive, Report 2020/352 (2020)
10. Bünz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 423–443. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4_23
11. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society Press (2018)
12. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052252
13. Castro, M., Liskov, B.: Practical byzantine fault tolerance. In: Proceedings of the Third USENIX Symposium on Operating Systems Design and Implementation (OSDI), New Orleans, Louisiana, USA, 22–25 February 1999, pp. 173–186 (1999)
14. Cecchetti, E., Zhang, F., Ji, Y., Kosba, A.E., Juels, A., Shi, E.: Solidus: confidential distributed ledger transactions via PVORM. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 701–717. ACM Press (2017). https://doi.org/10.1145/3133956.3134010
15. Chatzigiannis, P., Baldimtsi, F.: Miniledger: compact-sized anonymous and auditable distributed payments. Cryptology ePrint Archive, Report 2021/869 (2021). https://ia.cr/2021/869
16. Chatzigiannis, P., Baldimtsi, F., Chalkias, K.: SoK: auditability and accountability in distributed payment systems. In: Sako, K., Tippenhauer, N.O. (eds.) ACNS 2021. LNCS, vol. 12727, pp. 311–337. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-78375-4_13
17. Chen, Y., Ma, X., Tang, C., Au, M.H.: PGC: decentralized confidential payment system with auditability. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12308, pp. 591–610. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58951-6_29
18. Chepurnoy, A., Papamanthou, C., Zhang, Y.: Edrax: a cryptocurrency with stateless transaction validation. Cryptology ePrint Archive, Report 2018/968 (2018). https://eprint.iacr.org/2018/968
19. Fauzi, P., Meiklejohn, S., Mercer, R., Orlandi, C.: Quisquis: a new design for anonymous cryptocurrencies. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 649–678. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_23
20. Fuchsbauer, G., Orrù, M., Seurin, Y.: Aggregate cash systems: a cryptographic investigation of mimblewimble. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 657–689. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_22
21. Garay, J., Kiayias, A.: SoK: a consensus taxonomy in the blockchain era. In: Jarecki, S. (ed.) CT-RSA 2020. LNCS, vol. 12006, pp. 284–318. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-40186-3_13
22. Garman, C., Green, M., Miers, I.: Accountable privacy for decentralized anonymous payments. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 81–98. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_5
23. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 295–310. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_21
24. Heasman, W.: Privacy coins in 2019: true financial freedom or a criminal's delight? (2020). https://cointelegraph.com/news/privacy-coins-in-2019-true-financial-freedom-or-a-criminals-delight
25. Jiang, Y., Li, Y., Zhu, Y.: Auditable zerocoin scheme with user awareness. In: Proceedings of the 3rd International Conference on Cryptography, Security and Privacy, Kuala Lumpur, Malaysia, 19–21 January 2019, pp. 28–32 (2019)
26. Li, Y., Yang, G., Susilo, W., Yu, Y., Au, M.H., Liu, D.: Traceable monero: anonymous cryptocurrency with enhanced accountability. IEEE Trans. Depend. Secure Comput. (2019). https://doi.org/10.1109/TDSC.2019.2910058
27. Lueks, W., Kulynych, B., Fasquelle, J., Bail-Collet, S.L., Troncoso, C.: zksk: a library for composable zero-knowledge proofs. In: Proceedings of the 18th ACM Workshop on Privacy in the Electronic Society, pp. 50–54 (2019)
28. Maxwell, G.: Confidential transactions (2015). https://people.xiph.org/~greg/confidential_values.txt
29. Maxwell, G., Poelstra, A.: Borromean ring signatures (2015). https://github.com/Blockstream/borromean_paper/blob/master/borromean_draft_0.01_34241bb.pdf
30. Meiklejohn, S., et al.: A fistful of bitcoins: characterizing payments among men with no names. Commun. ACM 59(4), 86–93 (2016)
31. Merkle, R.C.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_32
32. Naganuma, K., Yoshino, M., Sato, H., Suzuki, T.: Auditable zerocoin. In: 2017 IEEE European Symposium on Security and Privacy Workshops, pp. 59–63 (2017)
33. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)
34. Narula, N., Vasquez, W., Virza, M.: zkledger: privacy-preserving auditing for distributed ledgers. In: 15th USENIX Symposium on Networked Systems Design and Implementation, pp. 65–80. USENIX Association, Renton (2018)
35. National Institute of Standards and Technology: Recommendation for Key Management: NIST SP 800-57 Part 1 Rev 4. USA (2016)
36. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
37. Poelstra, A., Back, A., Friedenbach, M., Maxwell, G., Wuille, P.: Confidential assets. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 43–63. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-662-58820-8_4
38. Schoenmakers, B.: Interval proofs revisited. In: Workshop on Frontiers in Electronic Elections (2005)
39. Van Saberhagen, N.: Cryptonote v 2.0 (2013). https://cryptonote.org/whitepaper.pdf
40. Wood, G.: Ethereum: a secure decentralized generalised transaction ledger (2021). https://ethereum.github.io/yellowpaper/paper.pdf, Accessed 14 Feb 2021
41. Wüst, K., Kostiainen, K., Čapkun, V., Čapkun, S.: PRCash: fast, private and regulated transactions for digital currencies. In: Goldberg, I., Moore, T. (eds.) FC 2019. LNCS, vol. 11598, pp. 158–178. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32101-7_11
A MiniLedger Security and Extensions
A.1 MiniLedger Security
We argue the security of the MiniLedger construction as follows:
- Theft prevention and balance: rely on the NIZK soundness of \(\pi\) (e.g., preventing a cheating prover from making false claims, such as knowledge of \(\mathsf{sk}\) or that v lies in the allowed range) and on consensus consistency.
- Secure pruning: relies on accumulator soundness (e.g., preventing the acceptance of a digest that does not represent the exact set of pruned transactions) and on consensus consistency.
- Ledger correctness: relies on consensus consistency.
- Correct and sound auditability: relies on NIZK soundness (e.g., preventing a prover from convincing an auditor of a false claim), accumulator soundness and consensus consistency.
- Privacy: relies on the IND-CPA security of the ElGamal variant, the hiding property of Pedersen commitments and the zero-knowledge property of the NIZKs (e.g., preventing an adversary from distinguishing information on the ledger, or from learning private information during transaction creation).
A.2 Adding Clients for Fine-grained Auditing (MiniLedger+)
At a high level, each Bank \(\mathsf {B}_{j}\) maintains a private ledger of clients \(L_{\mathsf {B}_{j}}\) (denoted as "UsrDB" in Fig. 1), independent of the public ledger L. For each client m, \(\mathsf {B}_{j}\) stores its transactions in encrypted format. For a \(\mathsf {B}_{s}\) client to transfer value v to a \(\mathsf {B}_{r}\) client, she creates a transaction that includes encryptions of the recipient client's \(\mathsf{pk}\), of the receiver's Bank \(\mathsf {B}_{r}\) and of v, as well as appropriate NIZKs proving consistency with the protocol; this transaction is recorded on the private ledger \(L_{\mathsf {B}_{s}}\). Then \(\mathsf {B}_{s}\) constructs a transaction on L that transfers v to \(\mathsf {B}_{r}\), which in turn decrypts the information and allocates v to its recipient client. MiniLedger+ preserves anonymity while enabling fine-grained auditing at the client level, including checks that Banks allocated the funds correctly. It also has minimal overhead compared to MiniLedger while still maintaining a ledger of constant size. We provide a detailed description and analysis in the full version [15].
A.3 Additional Types of Audits
As shown in Sect. 4.1, MiniLedger's basic audit functionality \(\mathsf {Audit}\{\}\) operates on the value \(v_{ij}\) of a specific transaction \(\mathsf {tx}_{ij}\). Several more audit types can be constructed which reduce to that basic audit. We discuss some of them below and provide more details on audit extensions in the full version [15]. Note that these audits can still be executed on pruned data.
Full Transaction Audit: For an auditor to learn the full details of a transaction (sender, receiver and values), they would have to audit the entire row (i.e., perform n audits, one on each \(v_{ij}\) for all j).
Statistical Audits: Audits such as average or standard deviation are supported by utilizing "bit flags" to disregard zero-value transactions; the correctness of the flags is proven in zero knowledge.
Value or Transactions Exceeding Limit: Utilizing appropriate range proofs, an auditor can learn whether a sent or received value exceeds some limit t. Multiple range proofs can show that a Bank has not exceeded the limit over a time period.
Transaction Recipient: The goal of this audit type is for a sending Bank to prove the recipients of one of its transactions. While a Bank does not know (and therefore cannot prove) where a received value came from (unless it learns this out-of-band, as in zkLedger), for outbound transactions the Bank can keep an additional record of its transaction recipients in its local memory. As an example, to prove that in \(\mathsf {tx}_{i}\) the Bank really sent \(v_{ij}\) to \(\mathsf {B}_j\), it could send this claim to the auditor, who would then simply audit \(\mathsf {B}_j\) to verify it.
Client Audits: Audits at the client level (e.g., statistical audits or transaction limits) can be performed similarly to the respective audits at the Bank level; however, the auditor first needs to learn and verify the Bank's private ledger \(L_B\) as discussed above. From that point, the auditor can perform all client-level audits in the same fashion as the respective Bank-level audits. For instance, to learn whether some MiniLedger+ client exceeded a value transaction threshold within a time period or over a number of transactions, the audit selects, by their ids and timestamps, the client's transactions in the Bank's private table that fall within this period. The audit is then on the sum of the values, which is represented by the product of the respective ciphertexts, and the client produces a range proof for that ciphertext product as above. A particularly useful audit would be to learn whether a MiniLedger+ client has sent assets to some specific client \(\mathsf{pk}\) or not. The transactions would need to be augmented with an additive universal accumulator, with each sender adding the end client recipient's \(\mathsf{pk}\) to the accumulator, while also providing its Bank a ZK proof that the correct public key was added. During an audit, the client would have to prove membership (or non-membership) to the auditor. An important note is that the receiving client does not directly learn the original sender of a specific transaction in-band, which implies the above approach cannot be used by a client to prove whether it has received assets from another client or not.
Non-interactive Audits: The audit proofs \(\pi ^{\mathsf {Aud}}\) described in Sect. 4 are interactive and require the Bank's consent. While a Bank's refusal to cooperate can be treated as a failed audit, we could still enable non-interactive audits by including, for each transaction cell, an encryption of \(\pi ^{\mathsf {Aud}}\) and its statement under a pre-determined trusted auditor's public key (which preserves privacy). Our full version [15] provides more details.
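The client-level period audit and the limit check above both reduce to one ciphertext product. The following is an added example, not code from the paper or its repository: a toy model of the additively homomorphic ElGamal variant in which a client's transactions within a period are aggregated by multiplying their ciphertexts from the Bank's private table. The paper's NIZK range proof is replaced here by a plain opening of the aggregated randomness so that the auditor's consistency check is visible; the group parameters, the row format, the function names and the scenario are constructed assumptions.

```python
import random
# Constructed toy group: p = 2q + 1 is a safe prime and g = 4 is a quadratic residue, so g
# generates the subgroup of prime order q. A deployment would use a 128-bit-secure elliptic
# curve group instead; the arithmetic below is unchanged.
P, Q, G = 2039, 1019, 4

def keygen(rng):
    sk = rng.randrange(1, Q)
    return sk, pow(G, sk, P)

def encrypt(pk, v, rng):
    """Exponential ElGamal: C = (c1, c2) = (g^r, g^v * pk^r). Returns (C, r)."""
    r = rng.randrange(1, Q)
    return (pow(G, r, P), pow(G, v, P) * pow(pk, r, P) % P), r

def multiply(cts):
    """Componentwise product: encrypts the sum of the values under the summed randomness."""
    c1 = c2 = 1
    for a, b in cts:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2

def decrypt(sk, ct):
    g_v = ct[1] * pow(ct[0], -sk, P) % P                       # g^v = c2 / c1^sk
    return next(v for v in range(Q) if pow(G, v, P) == g_v)   # small v: brute-force the log

def period_audit_claim(sk, rows, rand, t0, t1):
    """Client: sum its rows (tx_id, timestamp, ciphertext) with t0 <= timestamp <= t1."""
    sel = [(i, ct) for i, ts, ct in rows if t0 <= ts <= t1]
    total = decrypt(sk, multiply([ct for _, ct in sel]))
    return total, sum(rand[i] for i, _ in sel) % Q             # opening of the aggregate

def verify_period_audit(pk, rows, t0, t1, total, r_sum, limit):
    """Auditor: recompute the product from the bank's table, check the opening, test the limit."""
    c1, c2 = multiply([ct for _, ts, ct in rows if t0 <= ts <= t1])
    ok = c1 == pow(G, r_sum, P) and c2 == pow(G, total, P) * pow(pk, r_sum, P) % P
    return ok, total > limit

def run_example(limit=50, misreport=0):
    """Constructed scenario: three client transactions, two of them inside the audited period."""
    rng = random.Random(7)                                     # fixed seed: reproducible run
    sk, pk = keygen(rng)
    rows, rand = [], {}
    for tx_id, ts, v in [(1, 1000, 20), (2, 2000, 45), (3, 3000, 10)]:
        ct, rand[tx_id] = encrypt(pk, v, rng)
        rows.append((tx_id, ts, ct))
    total, r_sum = period_audit_claim(sk, rows, rand, 1500, 3500)
    total += misreport                                         # a client under-reporting the sum
    return (total,) + verify_period_audit(pk, rows, 1500, 3500, total, r_sum, limit)
```

The auditor never sees individual values, only the aggregate of the selected rows; a misreported sum fails the opening check because the recomputed product no longer matches.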
© 2021 Springer Nature Switzerland AG
Cite this paper
Chatzigiannis, P., Baldimtsi, F. (2021). MiniLedger: Compact-Sized Anonymous and Auditable Distributed Payments. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88417-8
Online ISBN: 978-3-030-88418-5