Paper 2024/953

MixBuy: Contingent Payment in the Presence of Coin Mixers

Diego Castejon-Molina, IMDEA Software Institute, Universidad Politécnica de Madrid
Dimitrios Vasilopoulos, IMDEA Software Institute
Pedro Moreno-Sanchez, IMDEA Software Institute, VISA Research
Abstract

A contingent payment protocol involves two mutually distrustful parties, a buyer and a seller, operating on the same blockchain, and a digital product, whose ownership is not tracked on a blockchain (e.g. a digital book). The buyer holds coins on the blockchain and transfers them to the seller in exchange for the product. However, if the blockchain does not hide transaction details, any observer can learn that a buyer purchased some product from a seller. In this work, we take contingent payment a step further: we consider a buyer who wishes to buy a digital product from a seller routing the payment via an untrusted mixer. Crucially, we require that said payment is unlinkable, meaning that the mixer (or any other observer) does not learn which buyer is paying which seller. We refer to such setting as unlinkable contingent payment (UCP). We present MixBuy, a system that realizes UCP. Mixbuy relies on oracle-based unlinkable contingent payment (O-UCP), a novel four-party cryptographic protocol where the mixer pays the seller and the seller provides the buyer with the product only if a semi-trusted notary attests that the buyer has paid the mixer. More specifically, we require four security notions: (i) mixer security that guarantees that if the mixer pays the seller, the mixer must get paid from the buyer; (ii) seller security that guarantees that if the seller delivers the product to the buyer, the seller must get paid from the mixer; (iii) buyer security that guarantees that if the buyer pays the mixer, the buyer must obtain the product; and (iv) unlinkability that guarantees that given a set of buyers and sellers, the mixer should not learn which buyer paid which seller. We present a provably secure and efficient cryptographic construction for O-UCP. Our construction can be readily used to realize UCP on most blockchains, as it has minimal functionality requirements (i.e., digital signatures and timelocks). To demonstrate the practicality of our construction, we provide a proof of concept for O-UCP and our benchmarks in commodity hardware show that the communication overhead is small (a few kB per message) and the running time is below one second.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. Proceedings on Privacy Enhancing Technologies, Volume 2025, Issue 1
DOI
10.56553/popets-2025-0036
Keywords
BlockchainCryptocurrenciesCoin MixingContingent PaymentFair Exchange
Contact author(s)
diego castejon @ imdea org
Dimitrios Vasilopoulos @ eurecom fr
pedro moreno @ imdea org
History
2024-11-13: last of 2 revisions
2024-06-13: received
See all versions
Short URL
https://ia.cr/2024/953
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/953,
      author = {Diego Castejon-Molina and Dimitrios Vasilopoulos and Pedro Moreno-Sanchez},
      title = {{MixBuy}: Contingent Payment in the Presence of Coin Mixers},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/953},
      year = {2024},
      doi = {10.56553/popets-2025-0036},
      url = {https://eprint.iacr.org/2024/953}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.