Cryptology ePrint Archive: Report 2018/990

Quisquis: A New Design for Anonymous Cryptocurrencies

Prastudy Fauzi and Sarah Meiklejohn and Rebekah Mercer and Claudio Orlandi

Abstract: Despite their usage of pseudonyms rather than persistent identifiers, most existing cryptocurrencies do not provide users with any meaningful levels of privacy. This has prompted the creation of privacy-enhanced cryptocurrencies such as Monero and Zcash, which are specifically designed to counteract the tracking analysis possible in currencies like Bitcoin. These cryptocurrencies, however, also suffer from some drawbacks: in both Monero and Zcash, the set of potential unspent coins is always growing, which means users cannot store a concise representation of the blockchain. Additionally, Zcash requires a common reference string and the fact that addresses are reused multiple times in Monero has led to attacks to its anonymity.

In this paper we propose a new design for anonymous cryptocurrencies, Quisquis, that achieves provably secure notions of anonymity. Quisquis stores a relatively small amount of data, does not require trusted setup, and in Quisquis each address appears on the blockchain at most twice: once when it is generated as output of a transaction, and once when it is spent as input to a transaction. Our result is achieved by combining a DDH-based tool (that we call updatable keys) with efficient zero-knowledge arguments.

Category / Keywords: cryptographic protocols / anonymity, cryptocurrencies, zero knowledge

Original Publication (with minor differences): IACR-ASIACRYPT-2019

Date: received 15 Oct 2018, last revised 16 Sep 2019

Contact author: prastudy fauzi at gmail com,orlandi@cs au dk,s meiklejohn@ucl ac uk,rebekah@o1labs org

Available format(s): PDF | BibTeX Citation

Note: Added a full proof of shuffle, and further explained how Quisquis differs from Mimblewimble and Monero.

Version: 20190916:160318 (All versions of this report)

Short URL: ia.cr/2018/990


[ Cryptology ePrint archive ]