
Decentralized Anonymous Payments PDF

223 Pages·2017·1.39 MB·English

Preview Decentralized Anonymous Payments

Decentralized Anonymous Payments
by Ian Miers

A dissertation submitted to The Johns Hopkins University in conformity with the requirements for the degree of Doctor of Philosophy.

Baltimore, Maryland
August, 2017

© Ian Miers 2017. All rights reserved.

Abstract

Decentralized payment systems such as Bitcoin record monetary transactions between pseudonyms in an append-only ledger known as a blockchain. Because the ledger is public, permanent, and readable by anyone, a user's privacy depends solely on the difficulty of linking pseudonymous transactions either to each other or to real identities. Both academic work and commercial services have shown that such linking is, in fact, very easy. Anyone at any point in the future can download a user's transaction history and analyze it.

In this work, we propose and implement privacy-preserving coins, payments, and payment channels that can be built atop a ledger. In particular we propose:

Zerocoin: A blockchain-based protocol for breaking the link between a transaction that receives non-anonymous funds and the subsequent transaction that spends it.

Zerocash: The successor to Zerocoin, a blockchain-based payment system supporting anonymous payments of arbitrary hidden value to other parties. While payments are recorded publicly in the blockchain, they reveal almost nothing else: the recipient learns only the amount paid but not the source, and anyone else learns only that a payment of some value to someone took place.

Bolt: A payment channel protocol that allows two parties to anonymously and securely make many unlinkable payments while only posting two messages to the blockchain. This protocol provides for instant payments while providing drastically improved scalability, as every transaction is no longer recorded in the blockchain.
Primary Reader: Matthew Green
Secondary Readers: Abhishek Jain, Aviel Rubin

Acknowledgments

This work would not have been possible without the help of a number of people: friends, family, and collaborators. I would like to thank Avi Rubin for his support and mentorship, especially when I started. I would also like to thank my fellow graduate students, Christina Garman, Michael Rushanan, and Gabriel Kaptchuk, both for their ideas and for making the lab a home for the past 6 years. I would particularly like to thank my advisor Matthew Green, for getting me started in this, for his advice, his contributions, and above all never being too busy to take the time for us to throw things at a white board. Some of them actually stuck.

Contents

Abstract (p. ii)
Acknowledgments (p. iv)
List of Figures (p. xii)

1 Introduction (p. 1)
1.1 Background and Related Work (p. 4)
1.1.1 Bitcoin, crypto-currencies, and blockchains (p. 4)
1.1.2 E-cash (p. 5)
1.2 Intuition: From public to unlinkable and then anonymous payments and channels (p. 6)
1.2.1 Augmenting direct anonymous payments with anonymous channels (p. 12)

2 Zerocoin (p. 18)
2.1 Overview of Bitcoin (p. 18)
2.2 Decentralized E-Cash (p. 21)
2.3 Decentralized E-Cash from Strong RSA (p. 24)
2.3.1 Cryptographic Building Blocks (p. 24)
2.3.2 Our Construction (p. 26)
2.3.3 Security Analysis (p. 27)
2.4 Real World Security and Parameter Choice (p. 28)
2.4.1 Anonymity of Zerocoin (p. 28)
2.4.2 Parameters (p. 28)
2.5 Integrating with Bitcoin (p. 30)
2.5.1 Suggestions for Optimizing Proof Verification (p. 33)
2.5.2 Limited Anonymity and Forward Security (p. 34)
2.5.3 Code Changes (p. 35)
2.5.4 Incremental Deployment (p. 35)
2.6 Performance (p. 37)
2.6.1 Microbenchmarks (p. 37)
2.6.2 Block Verification (p. 38)
2.6.3 Discussion (p. 39)
2.7 Previous Work (p. 40)
2.7.1 E-Cash and Bitcoin (p. 40)
2.7.2 Anonymity (p. 41)
2.8 Conclusion and Future Work (p. 42)

3 Zerocash (p. 44)
3.1 Introduction (p. 44)
3.1.1 zk-SNARKs (p. 45)
3.1.2 Centralized anonymous payment systems (p. 46)
3.1.3 Decentralized anonymous payment schemes (p. 47)
3.1.4 Zerocash (p. 53)
3.1.5 Paper organization (p. 54)
3.2 Background on zk-SNARKs (p. 55)
3.2.1 Informal definition (p. 55)
3.2.2 Comparison with NIZK (p. 57)
3.2.3 Known constructions and security (p. 58)
3.2.4 zk-SNARK implementations (p. 59)
3.3 Definition of a decentralized anonymous payment scheme (p. 59)
3.3.1 Data structures (p. 60)
3.3.2 Algorithms (p. 61)
3.3.3 Completeness (p. 65)
3.3.4 Security (p. 65)
3.4 Construction of a decentralized anonymous payment scheme (p. 68)
3.4.1 Cryptographic building blocks (p. 68)
3.4.2 zk-SNARKs for pouring coins (p. 70)
3.4.3 Algorithm constructions (p. 72)
3.4.4 Completeness and security (p. 72)
3.5 Zerocash (p. 74)
3.5.1 Instantiation of building blocks (p. 74)
3.5.2 Arithmetic circuit for pouring coins (p. 76)
    An arithmetic circuit for verifying SHA256's compression function (p. 77)
    Arithmetic circuit for POUR (p. 79)
3.6 Integration with existing ledger-based currencies (p. 81)
3.6.1 Semantics of Bitcoin (p. 82)
3.6.2 Integration by replacing the base currency (p. 82)
3.6.3 Integration by hybrid currency (p. 83)
3.6.4 Extending the Bitcoin protocol to support the combined semantics (p. 85)
3.6.5 Additional anonymity considerations (p. 86)
3.7 Experiments (p. 87)
3.7.1 Performance of zk-SNARKs for pouring coins (p. 87)
3.7.2 Performance of Zerocash algorithms (p. 88)
3.7.3 Large-scale network simulation (p. 89)
3.8 Optimizations and extensions (p. 93)
3.8.1 Everlasting anonymity (p. 94)
3.8.2 Fast block propagation (p. 95)
3.8.3 Improved storage requirements (p. 95)
    Supporting many coin commitments (p. 96)
    Supporting many spent serial numbers (p. 97)
3.9 Related work (p. 98)
3.10 Conclusion (p. 99)
Acknowledgments (p. 100)

4 Bolt (p. 101)
4.1 Introduction (p. 101)
4.1.1 Background on Payment Channels (p. 101)
4.1.2 Customers, Merchants, and the Limits of Anonymity for Payment Channels (p. 103)
4.1.3 Overview of our constructions (p. 105)
4.1.4 Comparison to related work (p. 109)
4.1.5 Outline of this paper (p. 110)
4.2 Definitions (p. 111)
4.2.1 Anonymous Payment Channels (p. 111)
4.2.2 Correctness and Security (p. 113)
4.3 Technical Preliminaries (p. 115)
4.4 Protocols (p. 116)
4.4.1 Unidirectional payment channels (p. 117)
    Security Analysis (p. 120)
4.4.2 Bidirectional payment channels (p. 122)
    Security Analysis (p. 125)
4.4.3 Bidirectional Third Party Payments (p. 126)
4.4.4 From Third Party Payments to Payment Networks (p. 130)
4.4.5 Hiding Channel Balances (p. 130)
4.5 Implementation of the Bidirectional scheme (p. 131)
4.5.1 Integration with a Currency (p. 131)
4.5.2 Implementation (p. 135)
4.6 Related Work (p. 135)
4.7 Acknowledgments (p. 136)
4.8 Conclusion (p. 136)

5 Conclusion (p. 137)

A Zerocoin (p. 138)
A.1 Security Proofs (p. 138)
A.1.1 Proof of Theorem 2.3.1 (p. 138)
A.1.2 Proof of Theorem 2.3.2 (p. 139)
A.2 Zero-Knowledge Proof Construction (p. 142)
A.2.1 Proof Construction (p. 143)
A.2.2 HVZK (p. 144)
A.2.3 Soundness (p. 146)
A.3 Zero-Knowledge Proofs (p. 146)
A.3.1 Proof Construction (p. 146)
A.3.2 HVZK (p. 147)
A.3.3 Soundness (p. 149)

B Zerocash (p. 150)
B.1 Completeness of DAP schemes (p. 150)
B.2 Security of DAP schemes (p. 152)
B.2.1 Ledger indistinguishability (p. 154)
B.2.2 Transaction non-malleability (p. 156)
B.2.3 BAL (p. 157)
B.3 Proof of Theorem 3.4.1 (p. 158)
B.3.1 Proof of ledger indistinguishability (p. 159)
B.3.2 Proof of transaction non-malleability (p. 166)
B.3.3 Proof of balance (p. 171)

C Bolt (p. 175)
C.1 Choice of cryptographic primitives (p. 175)
C.1.1 Possible building blocks (p. 175)
C.1.2 Selecting the signature scheme (p. 176)
C.1.3 Implementation (p. 176)
C.1.4 Adapting channel closure to avoid public verification of credentials (p. 177)
C.2 Security Definitions (p. 178)
C.2.1 Payment anonymity (p. 178)
C.2.2 Payment Balance (p. 179)
C.3 Proof of Security for Unidirectional Scheme (p. 181)
C.3.1 Anonymity (p. 181)
C.3.2 Balance (p. 185)
C.4 Proof of Security for Bidirectional Scheme (p. 188)
C.4.1 Anonymity (p. 189)
C.4.2 Balance (p. 190)
C.5 Additional assumptions for the PRF (p. 192)

Bibliography (p. 194)
