Paper 2020/676

An airdrop that preserves recipient privacy

Riad S. Wahby, Dan Boneh, Christopher Jeffrey, and Joseph Poon


A common approach to bootstrapping a new cryptocurrency is an airdrop, an arrangement in which existing users give away currency to entice new users to join. But current airdrops offer no recipient privacy: they leak which recipients have claimed the funds, and this information is easily linked to off-chain identities. In this work, we address this issue by defining a private airdrop and describing concrete schemes for widely-used user credentials, such as those based on ECDSA and RSA. Our private airdrop for RSA builds upon a new zero-knowledge argument of knowledge of the factorization of a committed secret integer, which may be of independent interest. We also design a private genesis airdrop that efficiently sends private airdrops to millions of users at once. Finally, we implement and evaluate. Our fastest implementation takes 40--180 ms to generate and 3.7--10 ms to verify an RSA private airdrop signature. Signatures are 1.8--3.3 kiB depending on the security parameter.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Major revision. FC20
cryptocurrencyairdropuser privacyzero knowledgeproof of knowledge of factorization
Contact author(s)
rsw @ cs stanford edu
2020-06-08: received
Short URL
Creative Commons Attribution


      author = {Riad S.  Wahby and Dan Boneh and Christopher Jeffrey and Joseph Poon},
      title = {An airdrop that preserves recipient privacy},
      howpublished = {Cryptology ePrint Archive, Paper 2020/676},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.