MiniLedger: Compact-Sized Anonymous and Auditable Distributed Payments

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12972)

Abstract

In this work we present MiniLedger, a distributed payment system which not only guarantees the privacy of transactions, but also offers built-in functionalities for various types of audits by any external authority. MiniLedger is the first private and auditable payment system with storage costs independent of the number of transactions. To achieve such a storage improvement, we introduce pruning functionalities for the transaction history while maintaining integrity and auditing. We provide formal security definitions and a number of extensions for various auditing levels. Our evaluation results show that MiniLedger is practical in terms of storage, requiring as little as 70 KB per participant for 128 bits of security, and, depending on the implementation choices, can prune 1 million transactions in less than a second.

F. Baldimtsi—The authors have been supported by the National Science Foundation (NSF) under Grant 1717067, the National Security Agency (NSA) under Grant 204761, an IBM Faculty Award and Facebook Research Award.

Notes

  1. To simplify notation, from now on we will drop the superscripts from the two parts of the ElGamal ciphertext, i.e., we will simply write \(C_{0j} = (c_{1},c_{2})\).

  2. By using twisted ElGamal [17], MiniLedger is fully compatible with Bulletproofs [11], which can further reduce its concrete storage requirements.

  3. A basic implementation of MiniLedger is available at https://github.com/PanosChtz/Miniledger.

References

  1. Privacy coins face existential threat amid regulatory pinch. https://www.bloomberg.com/news/articles/2019-09-19/privacy-coins-face-existential-threat-amid-regulatory-crackdown

  2. The libra blockchain (2020). https://developers.libra.org/docs/assets/papers/the-libra-blockchain/2020-05-26.pdf

  3. Libra roles and permissions (2020). https://lip.libra.org/lip-2/

  4. Androulaki, E., et al.: Hyperledger fabric: a distributed operating system for permissioned blockchains. In: Oliveira, R., Felber, P., Hu, Y.C. (eds.) Proceedings of the Thirteenth EuroSys Conference, Porto, Portugal, 23–26 April 2018, pp. 30:1–30:15. ACM (2018)

  5. Androulaki, E., Karame, G.O., Roeschlin, M., Scherer, T., Capkun, S.: Evaluating user privacy in bitcoin. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 34–51. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_4

  6. Baldimtsi, F., et al.: Accumulators with applications to anonymity-preserving revocation. In: 2017 IEEE European Symposium on Security and Privacy, Paris, France, 26–28 April 2017, pp. 301–315. IEEE (2017)

  7. Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press (2014). https://doi.org/10.1109/SP.2014.36

  8. Boneh, D., Bünz, B., Fisch, B.: Batching techniques for accumulators with applications to IOPs and stateless blockchains. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 561–586. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_20

  9. Bonneau, J., Meckler, I., Rao, V., Shapiro, E.: Coda: decentralized cryptocurrency at scale. Cryptology ePrint Archive, Report 2020/352 (2020)

  10. Bünz, B., Agrawal, S., Zamani, M., Boneh, D.: Zether: towards privacy in a smart contract world. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 423–443. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4_23

  11. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society Press (2018)

  12. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052252

  13. Castro, M., Liskov, B.: Practical byzantine fault tolerance. In: Proceedings of the Third USENIX Symposium on Operating Systems Design and Implementation (OSDI), New Orleans, Louisiana, USA, 22–25 February 1999, pp. 173–186 (1999)

  14. Cecchetti, E., Zhang, F., Ji, Y., Kosba, A.E., Juels, A., Shi, E.: Solidus: confidential distributed ledger transactions via PVORM. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 701–717. ACM Press (2017). https://doi.org/10.1145/3133956.3134010

  15. Chatzigiannis, P., Baldimtsi, F.: Miniledger: compact-sized anonymous and auditable distributed payments. Cryptology ePrint Archive, Report 2021/869 (2021). https://ia.cr/2021/869

  16. Chatzigiannis, P., Baldimtsi, F., Chalkias, K.: SoK: auditability and accountability in distributed payment systems. In: Sako, K., Tippenhauer, N.O. (eds.) ACNS 2021. LNCS, vol. 12727, pp. 311–337. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-78375-4_13

  17. Chen, Y., Ma, X., Tang, C., Au, M.H.: PGC: decentralized confidential payment system with auditability. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12308, pp. 591–610. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58951-6_29

  18. Chepurnoy, A., Papamanthou, C., Zhang, Y.: Edrax: a cryptocurrency with stateless transaction validation. Cryptology ePrint Archive, Report 2018/968 (2018). https://eprint.iacr.org/2018/968

  19. Fauzi, P., Meiklejohn, S., Mercer, R., Orlandi, C.: Quisquis: a new design for anonymous cryptocurrencies. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 649–678. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_23

  20. Fuchsbauer, G., Orrù, M., Seurin, Y.: Aggregate cash systems: a cryptographic investigation of mimblewimble. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 657–689. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_22

  21. Garay, J., Kiayias, A.: SoK: a consensus taxonomy in the blockchain era. In: Jarecki, S. (ed.) CT-RSA 2020. LNCS, vol. 12006, pp. 284–318. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-40186-3_13

  22. Garman, C., Green, M., Miers, I.: Accountable privacy for decentralized anonymous payments. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 81–98. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_5

  23. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 295–310. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_21

  24. Heasman, W.: Privacy coins in 2019: True financial freedom or a criminal’s delight? (2020). https://cointelegraph.com/news/privacy-coins-in-2019-true-financial-freedom-or-a-criminals-delight

  25. Jiang, Y., Li, Y., Zhu, Y.: Auditable zerocoin scheme with user awareness. In: Proceedings of the 3rd International Conference on Cryptography, Security and Privacy, Kuala Lumpur, Malaysia, 19–21 January 2019, pp. 28–32 (2019)

  26. Li, Y., Yang, G., Susilo, W., Yu, Y., Au, M.H., Liu, D.: Traceable monero: anonymous cryptocurrency with enhanced accountability. IEEE Trans. Depend. Secure Comput. (2019). https://doi.org/10.1109/TDSC.2019.2910058

  27. Lueks, W., Kulynych, B., Fasquelle, J., Bail-Collet, S.L., Troncoso, C.: zksk: a library for composable zero-knowledge proofs. In: Proceedings of the 18th ACM Workshop on Privacy in the Electronic Society, pp. 50–54 (2019)

  28. Maxwell, G.: Confidential transactions (2015). https://people.xiph.org/~greg/confidential_values.txt

  29. Maxwell, G., Poelstra, A.: Borromean ring signatures (2015). https://github.com/Blockstream/borromean_paper/blob/master/borromean_draft_0.01_34241bb.pdf

  30. Meiklejohn, S., et al.: A fistful of bitcoins: characterizing payments among men with no names. Commun. ACM 59(4), 86–93 (2016)

  31. Merkle, R.C.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_32

  32. Naganuma, K., Yoshino, M., Sato, H., Suzuki, T.: Auditable zerocoin. In: 2017 IEEE European Symposium on Security and Privacy Workshops, pp. 59–63 (2017)

  33. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)

  34. Narula, N., Vasquez, W., Virza, M.: zkledger: privacy-preserving auditing for distributed ledgers. In: 15th USENIX Symposium on Networked Systems Design and Implementation, pp. 65–80. USENIX Association, Renton (2018)

  35. National Institute of Standards and Technology: Recommendation for Key Management: NIST SP 800-57 Part 1 Rev. 4. USA (2016)

  36. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9

  37. Poelstra, A., Back, A., Friedenbach, M., Maxwell, G., Wuille, P.: Confidential assets. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 43–63. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-662-58820-8_4

  38. Schoenmakers, B.: Interval proofs revisited. In: Workshop on Frontiers in Electronic Elections (2005)

  39. Van Saberhagen, N.: Cryptonote v 2.0 (2013). https://cryptonote.org/whitepaper.pdf

  40. Wood, G.: Ethereum: a secure decentralized generalised transaction ledger (2021). https://ethereum.github.io/yellowpaper/paper.pdf, Accessed 14 Feb 2021

  41. Wüst, K., Kostiainen, K., Čapkun, V., Čapkun, S.: PRCash: fast, private and regulated transactions for digital currencies. In: Goldberg, I., Moore, T. (eds.) FC 2019. LNCS, vol. 11598, pp. 158–178. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32101-7_11

Author information

Corresponding author: Panagiotis Chatzigiannis

A MiniLedger Security and Extensions

A.1 MiniLedger Security

We achieve the security of the MiniLedger construction as follows:

Theft prevention and balance: rely on NIZK soundness of \(\pi\) (e.g. preventing a cheating prover from making false claims, such as knowledge of \(\mathsf{sk}\) or that v lies in the allowed range) and on consensus consistency.

Secure pruning: relies on accumulator soundness (e.g. preventing acceptance of a digest that does not represent the exact set of pruned transactions) and on consensus consistency.

Ledger correctness: relies on consensus consistency.

Correct and sound auditability: relies on NIZK soundness (e.g. preventing an auditor from being convinced of a false claim), accumulator soundness and consensus consistency.

Privacy: relies on IND-CPA security of the ElGamal variant, the hiding property of Pedersen commitments and the zero-knowledge property of the NIZKs (e.g. preventing an observer from distinguishing information on the ledger or learning private information during transaction creation).
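Secure pruning above rests on accumulator soundness: the digest that replaces a run of transactions must commit to exactly that set, and audits on pruned cells must remain possible afterwards. The paper's choice of accumulator and the consensus steps that certify a digest are in the paper body and the full version [15]; the example below is added here and is not the paper's or the repository's code. It uses a Merkle tree as the accumulator (with domain-separated leaf and node hashes and the set size folded into the digest) and constructed placeholder cells, and shows the two checks an auditor performs on pruned data: that a presented cell belongs to the digested set, and that a digest over a different set, or a cell altered after pruning, is rejected.

```python
# Added example, not code from the MiniLedger paper or its repository.
# Merkle tree as a (non-universal) accumulator for pruned ledger cells:
# the digest commits to the exact multiset and its size; each pruned cell
# keeps a membership witness so it can still be bound to the ledger.
import hashlib
import json

EMPTY = hashlib.sha256(b"\x02").digest()  # padding leaf, domain-separated


def leaf_hash(cell):
    # Canonical serialization so the same cell always hashes the same way.
    return hashlib.sha256(b"\x00" + json.dumps(cell, sort_keys=True).encode()).digest()


def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()


def prune(cells):
    """Return (digest, witnesses): digest = H(count || root), and
    witnesses[i] is the list of (sibling, sibling_is_right) steps for cell i."""
    leaves = [leaf_hash(c) for c in cells]
    size = 1
    while size < len(leaves):
        size *= 2
    leaves += [EMPTY] * (size - len(leaves))
    levels = [leaves]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([node_hash(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    digest = hashlib.sha256(len(cells).to_bytes(8, "big") + levels[-1][0]).digest()
    witnesses = []
    for idx in range(len(cells)):
        path, i = [], idx
        for lvl in levels[:-1]:
            path.append((lvl[i ^ 1], i % 2 == 0))  # even index: sibling is on the right
            i //= 2
        witnesses.append(path)
    return digest, witnesses


def verify_membership(digest, count, cell, path):
    """Auditor-side check that `cell` is one of the `count` cells behind `digest`."""
    node = leaf_hash(cell)
    for sib, sib_is_right in path:
        node = node_hash(node, sib) if sib_is_right else node_hash(sib, node)
    return hashlib.sha256(count.to_bytes(8, "big") + node).digest() == digest


# Constructed sample: five cells of one Bank's column. c1/c2 are placeholder
# strings standing in for the ElGamal ciphertext parts, not real group elements.
CELLS = [{"tx": i, "bank": 2, "c1": f"c1-{i}", "c2": f"c2-{i}"} for i in range(5)]


def pruning_demo():
    """Returns (all_cells_verify, forged_cell_accepted, wrong_set_accepted)."""
    digest, wit = prune(CELLS)
    ok = all(verify_membership(digest, len(CELLS), c, w) for c, w in zip(CELLS, wit))
    tampered = dict(CELLS[3], c2="c2-forged")           # altered cell, original witness
    forged_cell = verify_membership(digest, len(CELLS), tampered, wit[3])
    other_digest, _ = prune(CELLS[:4])                  # digest over a different set
    wrong_set = verify_membership(other_digest, len(CELLS), CELLS[0], wit[0])
    return ok, forged_cell, wrong_set
```

`pruning_demo()` returns `(True, False, False)`. The witness only binds a ciphertext to the certified digest; auditing its value still requires the Bank's proof on that ciphertext, and the digest itself is only trustworthy once consensus has accepted it, which is the consensus-consistency dependency stated above.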

A.2 Adding Clients for Fine-grained Auditing (MiniLedger+)

At a high level, each Bank \(\mathsf{B}_{j}\) maintains a private ledger of clients \(L_{\mathsf{B}_{j}}\) (denoted as “UsrDB” in Fig. 1), independent of the public ledger L. For each client m, \(\mathsf{B}_{j}\) stores its transactions in encrypted form. For a \(\mathsf{B}_{s}\) client to transfer value v to a \(\mathsf{B}_{r}\) client, she creates a transaction that includes encryptions of the recipient client’s \(\mathsf{pk}\), of the receiver’s Bank \(\mathsf{B}_{r}\) and of v, as well as appropriate NIZKs proving consistency with the protocol; this transaction is recorded on the private ledger \(L_{\mathsf{B}_{s}}\). Then \(\mathsf{B}_{s}\) constructs a transaction on L that transfers v to \(\mathsf{B}_{r}\), which in turn decrypts the information and allocates v to its recipient client. MiniLedger+ preserves anonymity while enabling fine-grained auditing at the client level, including checks that Banks allocated the funds correctly. It also has minimal overhead compared to MiniLedger while still maintaining a ledger of constant size. We provide a detailed description and analysis in the full version [15].

A.3 Additional Types of Audits

As shown in Sect. 4.1, MiniLedger’s basic audit functionality \(\mathsf{Audit}\{\}\) is on the value \(v_{ij}\) of a specific transaction \(\mathsf{tx}_{ij}\). Several more audit types can be constructed that reduce to this basic audit. We discuss some of them below and provide more details on audit extensions in the full version [15]. Note that these audits can still be executed on pruned data.

Full Transaction Audit: For an auditor to learn the full details of a transaction (sender, receiver and values), they would have to audit the entire row (i.e. perform n audits on \(v_{ij}~\forall j\)).

Statistical Audits: Audits such as average or standard deviation are supported by utilizing “bit flags” to disregard zero-value transactions, with the correctness of the flags proved in zero knowledge.

Value or Transactions Exceeding Limit: Utilizing appropriate range proofs, an auditor can learn if a sent or received value exceeds some limit t. Multiple range proofs can show a Bank has not exceeded the limit over a time period.

Transaction Recipient: The goal of this audit type is for a sending Bank to prove the recipient of one of its transactions. While a Bank does not know (and therefore cannot prove) where a received value came from (unless it learns this out-of-band, as in zkLedger), for outbound transactions the Bank can keep an additional record of its transaction recipients in its local memory. As an example, to prove that in \(\mathsf{tx}_{i}\) the Bank really sent \(v_{ij}\) to \(\mathsf{B}_j\), it sends this claim to the auditor, who in turn simply audits \(\mathsf{B}_j\) to verify it.

Client Audits: Audits at the client level (e.g. statistical audits or transaction limits) can be performed similarly to the respective audits at the Bank level; however, the auditor first needs to learn and verify the Bank’s private ledger \(L_B\) as discussed above. From that point, the auditor can perform all client-level audits in the same fashion as the Bank-level ones. For instance, to learn whether some MiniLedger+ client exceeded a value threshold within a time period or over a number of transactions, the auditor selects, by their ids or timestamps, the client’s transactions in the Bank’s private table that fall within that period. The audit is then on the sum of the values, represented by the product of the respective ciphertexts, and the client produces a range proof for that ciphertext product as above. A particularly useful audit is to learn whether a MiniLedger+ client has sent assets to some specific client \(\mathsf{pk}\) or not. The transactions would need to be augmented with an additive universal accumulator: each sender adds the end recipient’s \(\mathsf{pk}\) to the accumulator while providing its Bank a ZK proof of having added the correct public key. During an audit, the client proves membership (or non-membership) to the auditor. An important note is that the receiving client does not directly learn the original sender of a specific transaction in-band, which implies that the above approach cannot work for a client to prove whether he has (or has not) received assets from another client.
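The basic value audit of Sect. 4.1 and the client-level limit audit just described rest on one mechanism: ElGamal ciphertexts combine homomorphically, so the auditor multiplies the cells of interest and the key holder proves what the combined ciphertext encrypts. The example below is added here and is not the paper's or the repository's code. It implements that mechanism with exponential ElGamal over secp256k1 (so the paper's ciphertext product becomes point addition) and a Chaum-Pedersen DLEQ proof; in place of the range proof the text describes, the key holder discloses the exact total and proves it, which is the Sect. 4.1 value audit applied to the aggregated ciphertext. The curve, the challenge encoding and the sample values are our choices.

```python
# Added example, not code from the MiniLedger paper or its repository.
# Exponential (additively homomorphic) ElGamal over secp256k1, plus a
# Chaum-Pedersen DLEQ proof with which the key holder convinces an auditor
# of the plaintext behind a (possibly aggregated) ciphertext.
import hashlib
import secrets

# secp256k1 domain parameters.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, mul(sk, G)


def encrypt(pk, v, r=None):
    """Ledger cell (c1, c2) = (r*G, v*G + r*pk); v is the transaction value."""
    r = secrets.randbelow(N - 1) + 1 if r is None else r
    return (mul(r, G), add(mul(v, G), mul(r, pk)))


def ct_add(c, d):
    """Homomorphic combination: the result encrypts the sum of the plaintexts."""
    return (add(c[0], d[0]), add(c[1], d[1]))


def _challenge(*pts):
    h = hashlib.sha256()
    for pt in pts:
        h.update(b"\x00" * 64 if pt is None else
                 pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N


def prove_value(sk, pk, ct, claimed):
    """Fiat-Shamir DLEQ: log_G(pk) == log_c1(c2 - claimed*G), i.e. ct encrypts
    `claimed`. sk stays secret; the proof only verifies for the true value."""
    c1, c2 = ct
    d = add(c2, neg(mul(claimed, G)))
    w = secrets.randbelow(N - 1) + 1
    a1, a2 = mul(w, G), mul(w, c1)
    e = _challenge(G, pk, c1, d, a1, a2)
    return (a1, a2, (w + e * sk) % N)


def verify_value(pk, ct, claimed, proof):
    """Auditor-side check; needs only public data, the ciphertext and the claim."""
    c1, c2 = ct
    a1, a2, z = proof
    d = add(c2, neg(mul(claimed, G)))
    e = _challenge(G, pk, c1, d, a1, a2)
    return (mul(z, G) == add(a1, mul(e, pk)) and
            mul(z, c1) == add(a2, mul(e, d)))


def period_audit(values, limit):
    """Audit the total sent over one period: the auditor combines the period's
    cells and checks the key holder's claimed total against `limit`.
    Returns (proof_ok, wrong_claim_rejected, within_limit)."""
    sk, pk = keygen()
    agg = None
    for v in values:                       # constructed per-transaction values
        c = encrypt(pk, v)
        agg = c if agg is None else ct_add(agg, c)
    total = sum(values)
    ok = verify_value(pk, agg, total, prove_value(sk, pk, agg, total))
    # Under-reporting the total so as to appear below the limit must not verify.
    rejected = not verify_value(pk, agg, total - 1, prove_value(sk, pk, agg, total - 1))
    return ok, rejected, total <= limit
```

`period_audit([10, 0, 25, 5], 50)` returns `(True, True, True)`: the honest total verifies, the under-reported total is rejected, and the total is within the limit; `period_audit([30, 40], 50)` returns `(True, True, False)`. The DLEQ proof is zero-knowledge for the secret key but discloses the total; a MiniLedger-style limit audit replaces that disclosure with a range proof over the same aggregated ciphertext, and the proof is interactive in the sense of the next paragraph, since only the key holder can produce it.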

Non-interactive Audits: The audit proofs \(\pi^{\mathsf{Aud}}\) described in Sect. 4 are interactive and require the Bank’s consent. While one can treat a Bank’s refusal to cooperate as a failed audit, we could still enable non-interactive audits by including, for each transaction cell, an encryption of \(\pi^{\mathsf{Aud}}\) and its statement under a pre-determined trusted auditor’s public key (which preserves privacy). Our full version [15] provides more details.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Chatzigiannis, P., Baldimtsi, F. (2021). MiniLedger: Compact-Sized Anonymous and Auditable Distributed Payments. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_20

  • DOI: https://doi.org/10.1007/978-3-030-88418-5_20
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-88417-8
  • Online ISBN: 978-3-030-88418-5