[Resource Topic] 2023/1948: PriDe CT: Towards Public Consensus, Private Transactions, and Forward Secrecy in Decentralized Payments

Welcome to the resource topic for 2023/1948

PriDe CT: Towards Public Consensus, Private Transactions, and Forward Secrecy in Decentralized Payments

Authors: Yue Guo, Harish Karthikeyan, Antigoni Polychroniadou


Anonymous Zether, proposed by Bunz et al. (FC, 2020) and subsequently improved by Diamond (IEEE S&P, 2021), is an account-based confidential payment mechanism that works by using a smart contract to achieve privacy (i.e., identity of receivers to transactions and payloads are hidden). In this work, we look at simplifying the existing protocol while also achieving batching of transactions for multiple receivers, while ensuring consensus and forward secrecy. To the best of our knowledge, this work is the first to formally study the notion of forward secrecy in the setting of blockchain, borrowing a very popular and useful idea from the world of secure messaging. Specifically, we introduce:

  • FUL-Zether, a forward-secure version of Zether (Bunz et al., FC, 2020).
  • PRIvate DEcentralized Confidential Transactions (PriDe CT), a much-simplified version of Anonymous Zether that achieves competitive performance and enables batching of transactions for multiple receivers.
  • PRIvate DEcentralized Forward-secure Until Last update Confidential Transactions (PriDeFUL CT), a forward-secure version of PriDe CT.

We also present an open-source, Ethereum-based implementation of our system.

PriDe CT uses linear homomorphic encryption as Anonymous Zether but with simpler zero-knowledge proofs. PriDeFUL CT uses an updatable public key encryption scheme to achieve forward secrecy by introducing a new DDH-based construction in the standard model.

In terms of transaction sizes, Quisquis (Asiacrypt, 2019), which is the only cryptocurrency that supports batchability (albeit in the UTXO model), has 15 times more group elements than PriDe CT. Meanwhile, for a ring of N receivers, Anonymous Zether requires 6\log N more terms even without accounting for the ability to batch in PriDe CT. Further, our implementation indicates that, for N=32, even if there were 7 intended receivers, PriDe CT outperforms Anonymous Zether in proving time and gas consumption.

ePrint: https://eprint.iacr.org/2023/1948

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.