Quisquis: A New Design for Anonymous Cryptocurrencies
Citations
Zether: Towards Privacy in a Smart Contract World
DCAP: A Secure and Efficient Decentralized Conditional Anonymous Payment System Based on Blockchain
High-Frequency Trading on Decentralized On-Chain Exchanges
Non-Interactive Zero-Knowledge for Blockchain: A Survey
References
Zerocash: Decentralized Anonymous Payments from Bitcoin
Quantitative Analysis of the Full Bitcoin Transaction Graph
A fistful of bitcoins: characterizing payments among men with no names
Bulletproofs: Short Proofs for Confidential Transactions and More
An Analysis of Anonymity in the Bitcoin System
Frequently Asked Questions (19)
Q2. What is the first heuristic for a transaction to be rejected?
The first heuristic is “reject and wait”: if two conflicting transactions are received in the same time period, they are both rejected and the users are instructed to wait and attempt the transaction again.
Q3. Why do the authors need to use the zero-knowledge proof system?
Due to the extractability of the zero-knowledge proof system, the authors know that the tx will be accepted only if the adversary has a valid witness.
Q4. How does the protocol mitigate the growth of the UTXO set?
The protocol mitigates this growth by storing information about shielded coins in a Merkle tree, meaning proofs grow in a logarithmic rather than a linear fashion with respect to the size of the UTXO set, but the growth of the set is still monotonic.
Q5. How many bytes of communication are required per group element?
In their UPK construction, an account consists of four elements from G. Using an elliptic curve at the 128-bit security level and with compressed points (i.e., in which points are represented just by the x-coordinate and the sign of the y-coordinate), each group element requires 33 bytes of communication (32 bytes for the x-coordinate and 1 bit for the sign), and each field element is 32 bytes.
Q6. What is the way to provide both these properties?
The simple way to provide both these properties is to require authorization only on behalf of the public keys whose associated balance has gone down; i.e., for every pk_i ∈ P such that bl_{1,i} − bl_{0,i} < 0.
Q7. What is the simplest way to prove that a transaction is spending unspent coins?
Zcash [6] is based on succinct zero-knowledge proofs (zk-SNARKs), which allow users to prove that a transaction is spending unspent shielded coins (i.e., coins that have already been deposited into a so-called shielded pool), without revealing which shielded coins they are.
Q8. What is the definition of a cryptographic account?
To represent an account in a cryptocurrency, the authors use pairs acct = (pk, com) of public keys, which act as the pseudonym for a user, and commitments, which represent the balance associated with that public key.
Q9. What is the way to verify that the update is done correctly?
To be able to easily verify that the update is done correctly, the prover creates accounts acct_δ that contain values v. Since the authors need preservation of value, there needs to be a way to verify that ∑_i v_i = 0.
Q10. What is the reason why the adversary cannot distinguish between the two transactions?
Since all the accounts are updated (both those in P and in A), and they are then randomly permuted, the adversary cannot distinguish based on (2) either.
Q11. How can a proof be produced and verified in batches?
Bulletproofs (https://github.com/dalek-cryptography/bulletproofs) can be produced and verified in batches, leading to the resulting proofs growing only logarithmically with the size of the batch, rather than linearly.
Q12. What is agnostic to re-randomizations of the commitment?
VerifyAcct is agnostic to re-randomizations of the commitment; i.e., VerifyAcct((pk, com), (sk, bl)) = VerifyAcct((pk, com · Commit_pk(0; r)), (sk, bl)).
Q13. What is the main reason why users can destroy accounts?
Allowing users to destroy empty accounts reduces the storage overhead of the system, since other users do not have to keep track of accounts that have no contents left to spend.
Q14. What is the simplest way to add transaction fees to the Trans algorithm?
To add transaction fees to the Trans algorithm, the authors can add the fee f as an input and change the requirement on the vector v to be f + ∑_i v_i = 0.
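The account model behind Q8, Q9, Q12 and Q14 (an account is a pair (pk, com); updates multiply the commitment by a commitment carrying a value v; re-randomization is the special case v = 0; preservation of value requires f + ∑_i v_i = 0; only accounts whose balance goes down need to authorize, as in Q6) can be exercised in a few lines. The following is an added example, not code from the paper or its authors. It assumes a toy order-Q subgroup of Z_P^* with P = 1019 instead of a 256-bit elliptic-curve group, an ElGamal-style keyed commitment Commit_pk(v; r) = (g^r, g^v · h^r) with pk = (g, h = g^sk) chosen so that the identity quoted in Q12 holds (the paper's exact construction is not reproduced on this page), and it replaces the zero-knowledge proofs by plaintext checks on the prover's side; the function and variable names are the example's own.

```python
"""Toy model of Quisquis-style accounts (added example, not the paper's code).

Assumptions: toy group (P = 1019, Q = 509, G = 4) instead of a 256-bit curve;
ElGamal-style keyed commitment Commit_pk(v; r) = (g^r, g^v * h^r);
zero-knowledge proofs replaced by plaintext checks.
"""
import secrets

P = 1019  # toy safe prime, P = 2*Q + 1
Q = 509   # prime order of the subgroup generated by G
G = 4     # 2^2 mod P, a generator of the order-Q subgroup

def keygen(sk: int) -> tuple:
    """pk = (g, h) with h = g^sk."""
    return (G, pow(G, sk, P))

def commit(pk: tuple, v: int, r: int) -> tuple:
    """Commit_pk(v; r) = (g^r, g^v * h^r); v may be negative (reduced mod Q)."""
    g, h = pk
    return (pow(g, r, P), pow(g, v % Q, P) * pow(h, r, P) % P)

def com_mul(c1: tuple, c2: tuple) -> tuple:
    """Component-wise product: Commit(v1; r1) * Commit(v2; r2) = Commit(v1+v2; r1+r2)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def verify_acct(acct: tuple, sk: int, bl: int) -> bool:
    """VerifyAcct((pk, com), (sk, bl)): strip h^r = c^sk from d and compare with g^bl."""
    (g, _), (c, d) = acct
    return d * pow(pow(c, sk, P), -1, P) % P == pow(g, bl % Q, P)

def rerandomize(acct: tuple, r: int) -> tuple:
    """(pk, com * Commit_pk(0; r)): same balance, unlinkable commitment."""
    pk, com = acct
    return (pk, com_mul(com, commit(pk, 0, r)))

def update(acct: tuple, v: int, r: int) -> tuple:
    """Apply an acct_delta carrying value v: the committed balance moves by v."""
    pk, com = acct
    return (pk, com_mul(com, commit(pk, v, r)))

def fresh_r() -> int:
    """Non-zero randomness so that even a v = 0 update changes the commitment."""
    return 1 + secrets.randbelow(Q - 1)

def trans(accts: list, deltas: list, authorized: set, fee: int = 0) -> list:
    """Update every input account (senders, receivers and decoys with v = 0),
    then output them in a secret random order.

    Checks modelled on the text:
      * preservation of value: fee + sum(v_i) == 0;
      * authorization only for accounts whose balance goes down (v_i < 0).
    """
    if len(accts) != len(deltas):
        raise ValueError("one delta per account")
    if fee + sum(deltas) != 0:
        raise ValueError("value not preserved: fee + sum(v_i) != 0")
    for i, v in enumerate(deltas):
        if v < 0 and i not in authorized:
            raise PermissionError(f"account {i} loses value but did not authorize")
    out = [update(a, v, fresh_r()) for a, v in zip(accts, deltas)]
    secrets.SystemRandom().shuffle(out)  # hide which input became which output
    return out

if __name__ == "__main__":
    alice = (keygen(7), commit(keygen(7), 50, 3))
    bob = (keygen(11), commit(keygen(11), 20, 5))
    decoy = (keygen(13), commit(keygen(13), 0, 8))  # anonymity-set member
    outs = trans([alice, bob, decoy], [-12, 10, 0], authorized={0}, fee=2)
    print("alice now holds 38:", any(verify_acct(a, 7, 38) for a in outs))
    print("decoy still holds 0:", any(verify_acct(a, 13, 0) for a in outs))
```

Because every account in the transaction (senders, receivers and decoys alike) is updated with fresh randomness and the outputs are permuted, an observer sees three new commitments with no link to the three old ones, which is the indistinguishability argument of Q10; the fee check and the "only decreasing balances sign" rule are the plaintext stand-ins for what the paper proves in zero knowledge.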
Q15. What is the proof of correct shuffle for a com_i?
– The Hadamard product argument, π_Had: given extended Pedersen commitments A, B, C, the prover shows knowledge of an opening to vectors a, b, c such that a ◦ b = c.
A proof of correct shuffle for com_i uses the following invariant, provided the authors set all ρ_i to the same value ρ.
Q16. What is the key of the extended Pedersen commitment scheme?
Let (g, h) be the global public key output by the Setup algorithm, and let ck = (ḡ, ḡ_1, …, ḡ_n) be the commitment key of the extended Pedersen commitment scheme XCom_ck(a; r) = ḡ^r · ∏_i ḡ_i^{a_i}.
Q17. How many bytes does the proof of the next lemma require?
Concretely then, each of these two proofs requires 352√n + 224 bytes for group elements and 160√n + 384 bytes for field elements, for a total of 512√n + 608 bytes each, giving 1024√n + 1216 bytes in total.
Q18. What is the way to ensure anonymity?
The second proposal ensures lower latency, but might reduce the privacy of the second transaction: if all accounts in the intersection were part of the anonymity set, the sender might simply replace those and effectively run a transaction with a smaller anonymity set.
Q19. What is the advantage of the adversary?
The authors define the advantage of the adversary as the probability that the adversary wins minus 1/2, and say that: Definition 4.