Monero has emerged as one of the leading cryptocurrencies
with privacy by design. However, this comes at the price of reduced expressiveness and interoperability as well as severe scalability issues. First,
Monero is restricted to coin exchanges among individual addresses and
no further functionality is supported. Second, transactions are authorized by linkable ring signatures, a digital signature scheme used in Monero, hindering thereby the interoperability with virtually all the rest of
cryptocurrencies that support different digital signature schemes. Third,
Monero transactions require an on-chain footprint larger than other cryptocurrencies, leading to rapid ledger growth and thus scalability issues.
This work extends Monero expressiveness and interoperability while mitigating its scalability issues. We present Dual Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups (DLSAG), a linkable ring signature scheme that enables for the first time non-interactive refund
transactions natively in Monero: DLSAG can seamlessly be implemented
along with other cryptographic tools already available in Monero such as
commitments and range proofs. We formally prove that DLSAG provides
the same security and privacy notions introduced in the original linkable
ring signature [31] namely, unforgeability, signer ambiguity, and linkability. We have evaluated DLSAG and showed that it imposes even slightly
lower computation and similar communication overhead than the current digital signature scheme in Monero, demonstrating its practicality.
We further show how to leverage DLSAG to enable off-chain scalability solutions in Monero such as payment channels and payment-channel
networks as well as atomic swaps and interoperable payments with virtually all cryptocurrencies available today. DLSAG is currently being
discussed within the Monero community as an option for adoption as a
key building block for expressiveness, interoperability, and scalability.
more »
« less
Privacy-Preserving Cross-Chain Atomic Swaps
Recently, there has been a lot of interest in studying the transfer of assets across different blockchains in the form of cross-chain atomic swaps. Unfortunately, the current candidates of atomic swaps (hash-lock time contracts) offer no privacy; the identities as well as the exact trade that happened between any two parties is publicly visible.
In this work, we explore the different notions of privacy that we can hope for in an atomic swap protocol. Concretely, we define an atomic swap as a two-party protocol and formalize the different notions of privacy in the form of anonymity, confidentiality and indistinguishability of swap transactions.
As a building block, we abstract out the primitive of Atomic Release of Secrets ( ARS ) which captures atomic exchange of a secret for a pre-decided transaction. We then show how ARS can be used to build privacy-preserving cross-chain swaps.
We also show that the recently introduced notion of adapter signatures [Poe18, War17] is a concrete instantiation of ARS under the framework of Schnorr signatures [Sch91] and thus, construct a private cross-chain swap using Schnorr signatures.
more »
« less
- Award ID(s):
- 1917990
- NSF-PAR ID:
- 10206409
- Date Published:
- Journal Name:
- Lecture notes in computer science
- Volume:
- 12063
- ISSN:
- 0302-9743
- Page Range / eLocation ID:
- 3-38
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Tremendous growth in cryptocurrency usage is exposing the inherent scalability issues with permissionless blockchain technology. Payment-channel networks (PCNs) have emerged as the most widely deployed solution to mitigate the scalability issues, allowing the bulk of payments between two users to be carried out off-chain. Unfortunately, as reported in the literature and further demonstrated in this paper, current PCNs do not provide meaningful security and privacy guarantees [30], [40]. In this work, we study and design secure and privacy-preserving PCNs. We start with a security analysis of existing PCNs, reporting a new attack that applies to all major PCNs, including the Lightning Network, and allows an attacker to steal the fees from honest intermediaries in the same payment path. We then formally define anonymous multi-hop locks (AMHLs), a novel cryptographic primitive that serves as a cornerstone for the design of secure and privacy-preserving PCNs. We present several provably secure cryptographic instantiations that make AMHLs compatible with the vast majority of cryptocurrencies. In particular, we show that (linear) homomorphic one-way functions suffice to construct AMHLs for PCNs supporting a script language (e.g., Ethereum). We also propose a construction based on ECDSA signatures that does not require scripts, thus solving a prominent open problem in the field. AMHLs constitute a generic primitive whose usefulness goes beyond multi-hop payments in a single PCN and we show how to realize atomic swaps and interoperable PCNs from this primitive. Finally, our performance evaluation on a commodity machine finds that AMHL operations can be performed in less than 100 milliseconds and require less than 500 bytes of communication overhead, even in the worst case. In fact, after acknowledging our attack, the Lightning Network developers have implemented our ECDSA-based AMHLs into their PCN. This demonstrates the practicality of our approach and its impact on the security, privacy, interoperability, and scalability of today’s cryptocurrencies.more » « less
-
null (Ed.)The value of cryptocurrencies is highly volatile and investors require fast and reliable exchange systems. In cross-chain transactions, multiple parties exchange assets across multiple blockchains which can be represented as a directed graph with vertexes V as parties and edges E as asset transfers. In a simple form, cross-chain transactions are cross-chain swaps where each edge e transfers an asset that the head of e already owns. However, in general, a cross-chain transaction includes a sequence of exchanges at each blockchain. Further, transactions may have off-chain steps and hence may not be strongly connected. Given a transaction, protocols are desired that guarantee the following property called uniformity. If all parties conform to the protocol, all the assets should be transferred. Further, if any party deviates from the protocol, the conforming parties should not experience any loss. Previous work introduced a uniform protocol for strongly connected cross-chain swaps and showed that no uniform protocol exists for transactions that are not strongly connected. We present a uniform protocol for general cross-chain transactions with sequenced and off-chain steps when a few certain parties are conforming. Further, we prove a new property called end-to-end that guarantees that if the source parties pay, the sink parties are paid. We present a synthesis tool called XCHAIN that given a high-level description of a cross-transaction can automatically generate smart contracts in Solidity for all the parties.more » « less
-
Trapped-ion qubits are a leading technology for practical quantum computing. In this work, we present an architectural analysis of a linear-tape architecture for trapped ions. In order to realize our study, we develop and evaluate mapping and scheduling algorithms for this architecture. In particular, we introduce TILT, a linear “Turing-machinelike” architecture with a multilaser control “head,” where a linear chain of ions moves back and forth under the laser head. We find that TILT can substantially reduce communication as compared with comparable-sized Quantum Charge Coupled Device (QCCD) architectures. We also develop two important scheduling heuristics for TILT. The first heuristic reduces the number of swap operations by matching data traveling in opposite directions into an “opposing swap.”, and also avoids the maximum swap distance across the width of the head, as maximum swap distances make scheduling multiple swaps in one head position difficult. The second heuristic minimizes ion chain motion by scheduling the tape to the position with the maximal executable operations for every movement. We provide application performance results from our simulation, which suggest that TILT can outperform QCCD in a range of NISQ applications in terms of success rate (up to 4.35x and 1.95x on average). We also discuss using TILT as a building block to extend existing scalable trapped-ion quantum computing proposals.more » « less
-
Public key quantum money can be seen as a version of the quantum no-cloning theorem that holds even when the quantum states can be verified by the adversary. In this work, we investigate quantum lightning where no-cloning holds even when the adversary herself gener- ates the quantum state to be cloned. We then study quantum money and quantum lightning, showing the following results: – We demonstrate the usefulness of quantum lightning beyond quan- tum money by showing several potential applications, such as gen- erating random strings with a proof of entropy, to completely decen- tralized cryptocurrency without a block-chain, where transactions is instant and local. – We give Either/Or results for quantum money/lightning, showing that either signatures/hash functions/commitment schemes meet very strong recently proposed notions of security, or they yield quan- tum money or lightning. Given the difficulty in constructing public key quantum money, this suggests that natural schemes do attain strong security guarantees. – We show that instantiating the quantum money scheme of Aaron- son and Christiano [STOC’12] with indistinguishability obfuscation that is secure against quantum computers yields a secure quantum money scheme. This construction can be seen as an instance of our Either/Or result for signatures, giving the first separation between two security notions for signatures from the literature. – Finally, we give a plausible construction for quantum lightning, which we prove secure under an assumption related to the multi- collision resistance of degree-2 hash functions. Our construction is inspired by our Either/Or result for hash functions, and yields the first plausible standard model instantiation of a non-collapsing col- lision resistant hash function. This improves on a result of Unruh [Eurocrypt’16] which is relative to a quantum oracle.more » « less
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Journal Article:
- https://doi.org/10.1007/978-3-030-54455-3_38
