Cryptographic Foundations of Privacy in Distributed Ledgers
Project funded by the Vienna Science and Technology Fund
Duration: 2020-01-01 – 2027-12-31
Funding: € 1,599,280
- DI Dr Georg Fuchsbauer (PI), Associate Professor, TU Wien
- DI Mathias Wolf, BSc, Pre-doc
We are observing a trend towards decentralization to avoid single points of failure and trust in a single actor. Its epitome is the blockchain, a publicly verifiable distributed ledger that was introduced by Bitcoin, a currency with no central authority. While banks are also using distributed ledgers, e.g. in the form of Ripple, a distributed settlement network, applications are now spreading far beyond currencies. Blockchains enabled smart contracts, which promise community-based applications that forgo reliance on centralized, typically commercial, actors.
Central to all such systems is their transparency; anyone can view and check consistency of Bitcoin transactions. While public verifiability is a prerequisite for consensus in distributed ledgers, this openness conflicts with an increasing awareness of the importance of privacy (as e.g. manifested by the EU’s GDPR) in a world where more and more user data is amassed and leaked in frequent security breaches. At the same time, the civic freedom of making payments anonymously is disappearing together with cash, forcing citizens to submit to surveillance by payment providers and secret services.
While cryptocurrencies may seem like an alternative, contrary to popular belief they often offer only very little privacy. Transactions can be traced, and existing systems lack rigorous guarantees, make strong assumptions, or are not practically efficient. Traceability of coins moreover violates fungibility, a fundamental principle of currency that demands that all coins be equal.
The overarching ambition of the COnFIDE project is to reconcile public verifiability with privacy in distributed ledgers.
The most promising approach to privacy is zero-knowledge proofs, as used for example by the cryptocurrency Zcash. Their main shortcoming, which also conflicts with the spirit of decentralization, is their dependency on trusted parameters. These are computed at system setup from random values that must then be securely disposed of (failing which enables, e.g., counterfeiting in Zcash). We see reducing the trust assumptions that are necessary to achieve privacy as the main challenge for distributed ledgers.
Other issues with blockchains today concern their efficiency. Proof of work is used for consensus in all major systems, leading to Bitcoin’s electricity consumption now exceeding Austria’s. Alternatives either still rely on physical resources or are incompatible with privacy guarantees, and sustainable systems that protect privacy are still an open problem. Another shortcoming is scalability; while Visa’s payment system handles 2000 transactions per second, Bitcoin handles 7. Moreover, all transactions remain in the blockchain forever, now over 300 GB for Bitcoin. While the current state of Bitcoin can be concisely represented by the set of unspent transactions (UTXOs), this is not possible in anonymous currencies, exacerbating scalability issues.
To overcome these issues, we are developing new cryptographic methods that reduce or eliminate the trust assumptions currently required for privacy. We will then use these to underpin distributed ledgers with stronger privacy guarantees based on weaker assumptions. Another topic is the integration of means for prosecuting abuse, which is especially relevant for cryptocurrencies and their embedding in the legal framework; at the same time, our goal is to prevent indiscriminate surveillance.
Our last goal is reconciling sustainability with privacy in distributed ledgers; in particular, improving on systems based on proof of space and making proof of stake, the most ecologically friendly consensus mechanism, compatible with privacy. Towards ensuring scalability, we are working on blockchains that allow discarding obsolete information, so that they only store the current state, and on other means of increasing throughput, all while protecting privacy. The results of COnFIDE will be essential to the viability of next-generation distributed systems and will ensure the safety of citizens and protection of the environment in a time of vast technological change.
Blind signatures are the digital analog of blank signatures: a user can obtain a digital signature on a document without revealing the document to the signer. This concept is at the heart of “traditional” e-cash, which predates cryptocurrencies by far, but there are also applications in distributed ledgers that enhance user privacy guarantees. Schnorr signatures are being considered as a replacement for the currently prevailing signature standard (EC)DSA. While there is a protocol that allows blind issuing of Schnorr signatures, the implied security guarantees are weak. In this work we revisit this protocol, strengthen it and give formal security guarantees. This will enable privacy-preserving blockchain applications that rest on solid foundations.
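As an added illustration (not the project's own code), the following toy Python walk-through of the classic blind Schnorr issuing protocol the paragraph refers to uses constructed small group parameters: the user blinds the signer's commitment with two random values, so the signer sees only a blinded challenge and never the message, yet the unblinded result verifies as an ordinary Schnorr signature under the signer's key.

```python
# Toy blind Schnorr issuing (constructed example, not the project's code).
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime, g of order q in Z_p*.
# Far too small for real use; only the protocol structure matters here.
P, Q = 1019, 509
G = pow(2, 2, P)  # a square in Z_p* lies in the order-q subgroup

def hash_to_zq(R: int, m: bytes) -> int:
    """Fiat-Shamir challenge H(R, m) reduced into Z_q."""
    h = hashlib.sha256(R.to_bytes(2, "big") + m).digest()
    return int.from_bytes(h, "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1           # secret key x in [1, q-1]
    return x, pow(G, x, P)                     # (sk, pk = g^x)

# Signer side: sees only R, the blinded challenge c and s, never the message.
def signer_commit():
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)                     # keep r, send R = g^r

def signer_respond(sk, r, c):
    return (r + c * sk) % Q                    # s = r + c*x

# User side: alpha, beta make the signer's view independent of m.
def user_blind(pk, R, m):
    alpha, beta = secrets.randbelow(Q), secrets.randbelow(Q)
    R_blind = (R * pow(G, alpha, P) * pow(pk, beta, P)) % P  # R' = R g^a y^b
    c_real = hash_to_zq(R_blind, m)            # challenge on the real message
    c = (c_real + beta) % Q                    # blinded challenge sent to signer
    return (alpha, R_blind), c

def user_unblind(state, s):
    alpha, R_blind = state
    return R_blind, (s + alpha) % Q            # signature (R', s' = s + alpha)

def verify(pk, m, sig):
    """Plain Schnorr verification: g^s' == R' * y^H(R', m)."""
    R_blind, s_blind = sig
    return pow(G, s_blind, P) == (R_blind * pow(pk, hash_to_zq(R_blind, m), P)) % P

def blind_sign_session(sk, pk, m):
    """One issuing session; returns the signature and the signer's transcript."""
    r, R = signer_commit()
    state, c = user_blind(pk, R, m)
    s = signer_respond(sk, r, c)
    return user_unblind(state, s), (R, c, s)
```

The signer's transcript (R, c, s) is what it would have to link to a later signature; because alpha and beta are fresh per session, that transcript is independent of (R', s') and of m.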
In an article two years ago (The Algebraic Group Model and Its Applications at CRYPTO ‘18 with Eike Kiltz and Julian Loss), we proposed an abstract model for analyzing cryptographic schemes, which has already found numerous uses for proving the security of zero-knowledge proof systems. In this work, we use this model to classify types of hardness assumptions, which are the foundation of cryptographic schemes that are corroborated by security proofs.
In this work we propose the currently most efficient realization of a cryptographic concept that underlies schemes for anonymous authentication.
Double-authentication-preventing signatures were designed to be used for certificates, e.g. for websites. They prevent the issuance of rogue certificates, which certification authorities have been ordered to issue by intelligence agencies. That is, such authorities have been forced to sign a certificate for a website with respect to a public key belonging to the agency; the latter can thus read all encrypted traffic for this website. This type of signature has also found applications in distributed ledgers, where it can prevent duplication, and thus forgery, of information. In this work we propose a realization of this concept featuring a combination of properties hitherto not achieved.
In this work, we give the first practical realization of transferable e-cash. In such a system, like for national currencies, electronic money is issued by a central bank. In contrast to “classical” e-cash, where money can only be used to pay once, and must then be deposited at the bank by the recipient, transferable e-cash allows further payments – as with physical cash.