Paper 2023/1948

PriDe CT: Towards Public Consensus, Private Transactions, and Forward Secrecy in Decentralized Payments

Yue Guo, J.P. Morgan AI Research, J.P. Morgan AlgoCRYPT CoE
Harish Karthikeyan, J.P. Morgan AI Research, J.P. Morgan AlgoCRYPT CoE
Antigoni Polychroniadou, J.P. Morgan AI Research, J.P. Morgan AlgoCRYPT CoE
Chaddy Huussin, J.P. Morgan AlgoCRYPT CoE
Abstract

Anonymous Zether, proposed by Bunz et al. (FC, 2020) and subsequently improved by Diamond (IEEE S&P, 2021), is an account-based confidential payment mechanism that uses a smart contract to achieve privacy (i.e., the identities of the receivers of a transaction and the transaction payloads are hidden). In this work, we simplify the existing protocol while also achieving batching of transactions for multiple receivers, and while ensuring consensus and forward secrecy. To the best of our knowledge, this work is the first to formally study the notion of forward secrecy in the blockchain setting, borrowing a very popular and useful idea from the world of secure messaging. Specifically, we introduce:

- FUL-Zether, a forward-secure version of Zether (Bunz et al., FC, 2020).
- PRIvate DEcentralized Confidential Transactions (PriDe CT), a much-simplified version of Anonymous Zether that achieves competitive performance and enables batching of transactions for multiple receivers.
- PRIvate DEcentralized Forward-secure Until Last update Confidential Transactions (PriDeFUL CT), a forward-secure version of PriDe CT.

We also present an open-source, Ethereum-based implementation of our system. PriDe CT uses linear homomorphic encryption, as Anonymous Zether does, but with simpler zero-knowledge proofs. PriDeFUL CT uses an updatable public key encryption scheme to achieve forward secrecy, introducing a new DDH-based construction in the standard model. In terms of transaction sizes, Quisquis (Asiacrypt, 2019), which is the only cryptocurrency that supports batchability (albeit in the UTXO model), has 15 times more group elements than PriDe CT. Meanwhile, for a ring of $N$ receivers, Anonymous Zether requires $6\log N$ more terms even without accounting for the ability to batch in PriDe CT. Further, our implementation indicates that, for $N=32$, even with 7 intended receivers, PriDe CT outperforms Anonymous Zether in proving time and gas consumption.

Note: Revised Author Affiliation

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. Major revision. IEEE S&P 2024
Keywords
forward security, blockchain, private transactions, zero-knowledge, bulletproofs, ethereum
Contact author(s)
yueguoephemera @ gmail com
harish @ nyu edu
antigonipoly @ gmail com
History
2024-04-19: last of 2 revisions
2023-12-22: received
Short URL
https://ia.cr/2023/1948
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1948,
      author = {Yue Guo and Harish Karthikeyan and Antigoni Polychroniadou and Chaddy Huussin},
      title = {{PriDe} {CT}: Towards Public Consensus, Private Transactions, and Forward Secrecy in Decentralized Payments},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1948},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1948}
}