
    TumbleBit: an untrusted Bitcoin-compatible anonymous payment hub

    This paper presents TumbleBit, a new unidirectional unlinkable payment hub that is fully compatible with today's Bitcoin protocol. TumbleBit allows parties to make fast, anonymous, off-blockchain payments through an untrusted intermediary called the Tumbler. TumbleBit's anonymity properties are similar to classic Chaumian eCash: no one, not even the Tumbler, can link a payment from its payer to its payee. Every payment made via TumbleBit is backed by bitcoins, and comes with a guarantee that the Tumbler can neither violate anonymity, nor steal bitcoins, nor print money by issuing payments to itself. We prove the security of TumbleBit using the real/ideal world paradigm and the random oracle model. Security follows from the standard RSA assumption and ECDSA unforgeability. We implement TumbleBit, mix payments from 800 users and show that TumbleBit's off-blockchain payments can complete in seconds.
    https://eprint.iacr.org/2016/575.pdf
    Published version

    Compact E-Cash and Simulatable VRFs Revisited

    Abstract. Efficient non-interactive zero-knowledge proofs are a powerful tool for solving many cryptographic problems. We apply the recent Groth-Sahai (GS) proof system for pairing product equations (Eurocrypt 2008) to two related cryptographic problems: compact e-cash (Eurocrypt 2005) and simulatable verifiable random functions (CRYPTO 2007). We present the first efficient compact e-cash scheme that does not rely on a random oracle. To this end we construct efficient GS proofs for signature possession, pseudorandomness and set membership. The GS proofs for pseudorandom functions give rise to a much cleaner and substantially faster construction of simulatable verifiable random functions (sVRF) under a weaker number-theoretic assumption. We obtain the first efficient fully simulatable sVRF with a polynomial-sized output domain (in the security parameter).

    Quantum Coins

    One of the earliest cryptographic applications of quantum information was to create quantum digital cash that could not be counterfeited. In this paper, we describe a new type of quantum money: quantum coins, where all coins of the same denomination are represented by identical quantum states. We state desirable security properties such as anonymity and unforgeability and propose two candidate quantum coin schemes: one using black box operations, and another using blind quantum computation.
    Comment: 12 pages, 4 figures

    Towards Applying Cryptographic Security Models to Real-World Systems

    The cryptographic methodology of formal security analysis usually works in three steps: choosing a security model, describing a system and its intended security properties, and creating a formal proof of security. For basic cryptographic primitives and simple protocols this is a well understood process and is performed regularly. For more complex systems, such as those in use in real-world settings, it is rarely applied, however. In practice, this often leads to missing or incomplete descriptions of the security properties and requirements of such systems, which in turn can lead to insecure implementations and consequent security breaches. One of the main reasons for the lack of application of formal models in practice is that they are particularly difficult to use and to adapt to new use cases. With this work, we therefore aim to investigate how cryptographic security models can be used to argue about the security of real-world systems. To this end, we perform case studies of three important types of real-world systems: data outsourcing, computer networks and electronic payment. First, we give a unified framework to express and analyze the security of data outsourcing schemes. Within this framework, we define three privacy objectives: data privacy, query privacy, and result privacy. We show that data privacy and query privacy are independent concepts, while result privacy is consequential to them. We then extend our framework to allow the modeling of integrity for the specific use case of file systems. To validate our model, we show that existing security notions can be expressed within our framework and we prove the security of CryFS, a cryptographic cloud file system.
    Second, we introduce a model, based on the Universal Composability (UC) framework, in which computer networks and their security properties can be described. We extend it to incorporate time, which cannot be expressed in the basic UC framework, and give formal tools to facilitate its application. For validation, we use this model to argue about the security of architectures of multiple firewalls in the presence of an active adversary. We show that a parallel composition of firewalls exhibits strictly better security properties than other variants. Finally, we introduce a formal model for the security of electronic payment protocols within the UC framework. Using this model, we prove a set of necessary requirements for secure electronic payment. Based on these findings, we discuss the security of current payment protocols and find that most are insecure. We then give a simple payment protocol inspired by chipTAN and photoTAN and prove its security within our model. We conclude that cryptographic security models can indeed be used to describe the security of real-world systems. They are, however, difficult to apply and always need to be adapted to the specific use case.

    Smart Contracts and the Limits of Computerized Commerce

    Having recently celebrated its ten-year anniversary, Bitcoin should be considered a qualified success. In October 2020, each unit was worth about $10,700, and the entire market capitalization was approximately $200 billion. Bitcoin is a significant economic force with sizable market value. Despite this success, however, Bitcoin has not been widely adopted as a method of payment, which was its intended use. By providing a template for a durable cryptocurrency, Bitcoin also blazed a path for other cryptocurrency projects. In terms of market capitalization and current importance, Ethereum is comfortably in second place. In October 2020, it had a market capitalization of approximately $40 billion. Unlike Bitcoin, however, Ethereum was not designed primarily to serve as a method of payment. Ethereum supports a system of sophisticated “smart contracts” that would not work on the Bitcoin system. Smart contracts and cryptocurrencies have sparked considerable interest among legal scholars in recent years, and a growing body of scholarship focuses on whether smart contracts and cryptocurrencies can sidestep law and regulation altogether. Bitcoin is famously decentralized, without any central actor controlling the system. Its users remain largely anonymous, using alphanumeric addresses instead of legal names. Ethereum shares these traits and also supports smart contracts that can automate the transfer of the Ethereum cryptocurrency (known as ether). Ethereum also supports specialized “tokens” that can be tied to the ownership of assets, goods, and services that exist completely outside of the Ethereum blockchain. The goal of this Article is to evaluate the degree to which cryptocurrencies and smart contracts can operate outside the reach of law and regulation.
    By some accounts, cryptocurrencies and smart contracts will revolutionize private law. Some argue they have the potential to displace contract and property law. For example, in a previous article, I argued that Bitcoin represents a system of private property that exists wholly outside of traditional legal structures. In this Article, I will argue that a complete revolution is not inexorable. Facing the technical and complicated nature of this subject, we should keep in mind a simple fact: cryptocurrencies and smart contracts are computer data and computer programs. To a large extent, they will have legal force only if given force by judges, regulators, and legislators. Part II describes Bitcoin and how it creates a system of property that exists outside of legal structures. Bitcoin is special because it controls no external assets (like securities, dollars, or gold). It is purely “notional” property that exists only on a computer file. Part III describes Ethereum and how it builds upon the principles of Bitcoin. The primary innovation of Ethereum is smart contracts, which allow for variable and conditional transfers of cryptocurrency. To be of commercial value, however, smart contracts must incorporate economic or financial information (e.g., interest rates or exchange rates). Ethereum allows users to incorporate this information using third-party “oracles.” While oracles allow for sophisticated transactions, their presence illustrates some of the limits of smart contracts. Part IV extends the discussion of Ethereum and explains how many developers use it as a way to effectuate property transactions. Tokens are specialized smart contracts used to represent ownership of assets or certain privileges. Conceivably, ownership in any asset—homes, cars, etc.—could be represented by Ethereum tokens. Rather than using a deed of transfer, owners could simply transfer the representative tokens.
    Part V develops what this Article calls a “remote-computer model” of Bitcoin and Ethereum. Because Bitcoin and Ethereum are computer programs and computer data, we can view each as constituting a single computer. This hypothetical computer is remote in the sense that judges, regulators, and legislators can exercise little control over it directly. The remote computer controls ownership of cryptocurrency units, leaving direct cryptocurrency transactions outside the scope of traditional legal institutions. That being said, smart contracts often purport to control external resources and rights. For example, a smart contract might purport to control the transfer of land or stock in a corporation. These transactions have effects outside the hypothetical remote computer and can potentially be subject to control by legal institutions.

    Contracts Ex Machina

    Smart contracts are self-executing digital transactions using decentralized cryptographic mechanisms for enforcement. They were theorized more than twenty years ago, but the recent development of Bitcoin and blockchain technologies has rekindled excitement about their potential among technologists and industry. Startup companies and major enterprises alike are now developing smart contract solutions for an array of markets, purporting to offer a digital bypass around traditional contract law. For legal scholars, smart contracts pose a significant question: Do smart contracts offer a superior solution to the problems that contract law addresses? In this article, we aim to understand both the potential and the limitations of smart contracts. We conclude that smart contracts offer novel possibilities, may significantly alter the commercial world, and will demand new legal responses. But smart contracts will not displace contract law. Understanding why not brings into focus the essential role of contract law as a remedial institution. In this way, smart contracts actually illuminate the role of contract law more than they obviate it.

    Blockchain For Food: Making Sense of Technology and the Impact on Biofortified Seeds

    The global food system is under pressure and is in the early stages of a major transition towards more transparency, circularity, and personalisation. In the coming decades, there is an increasing need for more food production with fewer resources. Thus, increasing crop yields and nutritional value per crop is arguably an important factor in this global food transition. Biofortification can play an important role in feeding the world. Biofortified seeds create produce with increased nutritional values, mainly minerals and vitamins, while using the same or fewer resources as non-biofortified variants. However, a farmer cannot distinguish a biofortified seed from a regular seed. Due to the invisible nature of the enhanced seeds, counterfeit products are common, limiting wide-scale adoption of biofortified crops. Fraudulent seeds pose a major obstacle in the adoption of biofortified crops. A system that could guarantee the origin of the biofortified seeds is therefore required to ensure widespread adoption. This trust-ensuring immutable proof for the biofortified seeds can be provided via blockchain technology.

    Pisces: Private and Compliable Cryptocurrency Exchange

    Cryptocurrency exchange platforms such as Coinbase and Binance enable users to purchase and sell cryptocurrencies conveniently, just like trading stocks or commodities. However, because of the nature of blockchain, when a user withdraws coins (i.e., transfers coins to an external on-chain account), all future transactions can be learned by the platform. This is in sharp contrast to a conventional stock exchange, where all external activities of users are always hidden from the platform. Since the platform knows highly sensitive user private information such as passport number, bank information, etc., linking all (on-chain) transactions raises a serious privacy concern about a potentially disastrous data breach in those cryptocurrency exchange platforms. In this paper, we propose a cryptocurrency exchange that restores user anonymity for the first time. To our surprise, the seemingly well-studied privacy/anonymity problem has several new challenges in this setting. Since the public blockchain and internal transaction activities naturally provide many non-trivial leakages to the platform, internal privacy is not only useful in the usual sense but also becomes necessary for regaining the basic anonymity of user transactions. We also ensure that the user cannot double spend, and that the user has to properly report accumulated profit for tax purposes, even in the private setting. We give a careful modeling and efficient construction of the system that achieves constant computation and communication overhead (with only simple cryptographic tools and rigorous security analysis); we also implement our system and evaluate its practical performance.
    Comment: 27 pages, 8 figures, 2 tables. To be published in NDSS'24. This is the full version of the conference paper.

    Black-Box Wallets: Fast Anonymous Two-Way Payments for Constrained Devices

    Black-box accumulation (BBA) is a building block which enables a privacy-preserving implementation of point collection and redemption, a functionality required in a variety of user-centric applications including loyalty programs, incentive systems, and mobile payments. By definition, BBA+ schemes (Hartung et al., CCS '17) offer strong privacy and security guarantees, such as unlinkability of transactions and correctness of the balance flows of all (even malicious) users. Unfortunately, the instantiation of BBA+ presented at CCS '17 is, on modern smartphones, just fast enough for comfortable use. It is too slow for wearables, let alone smart-cards. Moreover, it lacks a crucial property: for the sake of efficiency, the user's balance is presented in the clear when points are deducted. This may allow owners to be tracked by just observing revealed balances, even though privacy is otherwise guaranteed. The authors intentionally forgo the use of costly range proofs, which would remedy this problem. We present an instantiation of BBA+ with some extensions following a different technical approach which significantly improves efficiency. To this end, we get rid of pairing groups, rely on different zero-knowledge and fast range proofs, along with a slightly modified version of Baldimtsi-Lysyanskaya blind signatures (CCS '13). Our prototype implementation with range proofs (for 16-bit balances) outperforms BBA+ without range proofs by a factor of 2.5. Moreover, we give estimates showing that smart-card implementations are within reach.