Blockchain Privacy: Auditability
Christina Garman, Matthew Green, Ian Miers
FC'16
Handle policies to enforce regulations, KYC/AML laws, and taxes
Regulatory type
Spending limit: no transaction over the limit is valid unless signed by an authority
Simulation-based security definitions for Decentralized Anonymous Payment (DAP) scheme
Ken Naganuma, Masayuki Yoshino, Hisayoshi Sato, and Takayuki Suzuki (Hitachi)
EuroS&PW'17
A designated auditor links the origin and destination of anonymous transactions.
The auditor has no other powers, e.g. stopping transfers, confiscating funds, or deactivating accounts.
Concurrent work of (GGM, FC'16)
Yihan Jiang, Yong Li, Yan Zhu
ICCSP'19
Karl Wüst, Kari Kostiainen (ETH Zurich), Vedran Capkun (HEC Paris), and Srdjan Capkun
FC'19
Commitment-based Mimblewimble transactions
Regulation scheme: Receiving limit w/ ZKP
Limit the total amount of money that any user can receive (spend) anonymously within an epoch.
To exceed the limit, a receiver must reveal their identity to the regulator by encrypting it under the regulator’s public key
Better performance in creating a transaction than Zcash (nrryuya.icon > Light client friendly also?) Creation of a typical transaction and associated proofs takes > 0.1 seconds
Verification of 1000 transactions per second is possible (4 validators with 25 quad-core servers each)
Others
Elli Androulaki, Jan Camenisch, Angelo De Caro, Maria Dubovitskaya, Kaoutar Elkhiyaoui and Björn Tackmann
AFT'20
ZK signature-based membership proofs to ascertain that a user is registered and that a token belongs to the ledger
Assumes a trusted registration authority that provides authorized users with long-term credentials (i.e. signatures) on their attributes, and a certifier that a user contacts with a certification request to vouch for the validity of tokens she owns.
A certification request contains a token (i.e. commitment) and upon receiving such a request the certifier checks whether the token is included in a valid transaction in the ledger.
If so, the certifier blindly signs the token and the resulting signature can be used subsequently to prove that the token is legitimate
To prevent double spending, use serial numbers to identify tokens when they are consumed (as in Zerocash)
Properties: collision resistance, determinism, unforgeability (only the owner of the token can produce a valid serial number)
VRF
To enable auditability, encrypt the information in transfer transactions under the public keys of the sender’s and the receivers’ auditors
Does not assume a single auditor for all users
E. Cecchetti, F. Zhang, A. Kosba, A.Juels, and E. Shi
Application: Hide the transaction graph and transaction amount between bank customers
Publicly Verifiable Oblivious RAM Machine (PVORM)
El Gamal ciphertexts, which support a variant of Confidential Transactions and Generalized Schnorr Proofs (GSPs)
Support auditing by revealing all of the keys used in the system to an auditor
Neha Narula (MIT Media Lab), Willy Vasquez (University of Texas at Austin), Madars Virza (MIT Media Lab)
Pedersen commitment, Borromean ring signatures for range proofs (similar to Confidential Assets)
Future work: Replace with bulletproof for efficiency
NIZKs: Generalized Schnorr Proofs w/ Fiat-Shamir heuristic (SHA256)
Transaction creation time grows linearly, and verification time quadratically with the number of banks
Multiple banks cannot produce different transactions in parallel
nrryuya.icon > This problem is tackled in Zether
Wulu Li, Yongcan Wang, Lei Chen, Xin Lai, Xiao Zhang, and Jiajun Xin (Onething Technologies)
Dmytro Bogatov (Boston University), Angelo De Caro, Kaoutar Elkhiyaoui (IBM Research), Björn Tackmann (DFINITY)
IEEE Network, 2019
CSCML'19
Ivan Damgård, Chaya Ganesh, Hamidreza Khoshakhlagh, Claudio Orlandi, and Luisa Siniscalchi (Concordium Blockchain Research Center, Aarhus University)
SoK
JFSA, MRI