Paper 2019/319

PGC: Pretty Good Decentralized Confidential Payment System with Auditability

Yu Chen, Xuecheng Ma, Cong Tang, and Man Ho Au

Abstract

Modern cryptocurrencies such as Bitcoin and Ethereum achieve decentralization by replacing a trusted center with a distributed and append-only ledger (known as blockchain). However, removing this trusted center comes at significant cost of privacy due to the public nature of blockchain. Many existing cryptocurrencies fail to provide transaction anonymity and confidentiality, meaning that addresses of sender, receiver and transfer amount are publicly accessible. As the privacy concerns grow, a number of academic work have sought to enhance privacy by leveraging cryptographic tools. Though strong privacy is appealing, it might be abused in some cases. Particularly, anonymity poses great challenges to auditability, which is a crucial property for the adoption of decentralized payment systems. Aiming for a middle ground between privacy and auditability, we introduce the notion of \emph{auditable decentralized confidential payment} (ADCP) system. In addition to offering transaction confidentiality, ADCP system supports two levels of auditability, namely regulation compliance and global supervision. We present a generic construction of ADCP system from integrated signature and encryption scheme and non-interactive zero-knowledge proof systems. We then instantiate our generic construction by carefully designing the underlying building blocks, yielding a standalone cryptocurrency called PGC. In PGC, the setup procedure is (semi-)transparent, and transaction cost is independent of system scale, which is roughly 1.4KB and takes under 28ms to generate and 9ms to verify. At the core of PGC is an additively homomorphic public-key encryption scheme that we introduce, twisted ElGamal, which is not only as secure as standard exponential ElGamal, but also friendly to Sigma protocols and range proofs. This enables us to easily devise zero-knowledge proofs for basic correctness of transactions as well as various application-dependent policies in a modular fashion. Moreover, it is very efficient. Compared with the most efficient reported implementation of Paillier PKE, twisted ElGamal is an order of magnitude better in key and ciphertext size and decryption speed (for small message space), two orders of magnitude better in encryption speed. We believe twisted ElGamal is of independent interest on its own right. Along the way of designing and reasoning zero-knowledge proofs for PGC, we also obtain two interesting results. One is weak forking lemma which is a useful tool to prove computational knowledge soundness. The other is a method to prove no-knowledge of discrete logarithm, which is a complement of standard proof of discrete logarithm knowledge.

Note: Update experimental results.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. MAJOR revision.ESORICS 2020
Keywords
cryptocurrenciesdecentralized confidential payment systemauditabilitytwisted ElGamal
Contact author(s)
yuchen prc @ gmail com
History
2022-04-16: last of 10 revisions
2019-03-29: received
See all versions
Short URL
https://ia.cr/2019/319
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2019/319,
      author = {Yu Chen and Xuecheng Ma and Cong Tang and Man Ho Au},
      title = {PGC: Pretty Good Decentralized Confidential Payment System with Auditability},
      howpublished = {Cryptology ePrint Archive, Paper 2019/319},
      year = {2019},
      note = {\url{https://eprint.iacr.org/2019/319}},
      url = {https://eprint.iacr.org/2019/319}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.