Anonymous offchain transactions without validation with double spend detection | Prikladnaya Diskretnaya Matematika. Supplement. 2020. No. 13. DOI: 10.17223/2226308X/13/27

Anonymous offchain transactions without validation with double spend detection

One way to scale blockchain solutions is the so-called layer-two protocols. They minimize onchain traffic and therefore make transitions between states of the distributed ledger (payments, for example, are a special case of such transitions) faster, while preserving the ability to prevent a double-spend attack. However, such solutions have some drawbacks (throughput, route availability, operator availability, etc.). This paper studies the possibility of simplifying and improving existing protocols for forming offchain transactions and describes a scheme (built on the anonymous electronic cash transfer system proposed in 2008) that, without transaction validation, makes it possible to detect the user who committed a double spend while preserving the anonymity of the remaining transactions. The scheme relies on an offchain analogue of the UTXO model and consists of procedures for forming offchain transactions of issue, transfer and redemption of a "note" containing the secret key needed to perform the corresponding onchain token transfer transaction, as well as a procedure for detecting the user who committed a double spend.

Validation-free offchain transactions with unlinkable double spend detection

1. Introduction

Layer-two protocols are the trend of blockchain scalability solutions right now. Such protocols allow users to make offchain transactions. In [1] the authors summarize and systematize existing solutions: payment/state channels and commit-chains (or hubs). It would be interesting to create a system in which some users transfer tokens to others, while they can dynamically join the two-layer solution (free establishment property [1]). Next, any user who received tokens offchain can receive them onchain. There are commit-chains with unlinkability and anonymity properties (e.g. TumbleBit [2] and Bolt [3]), which are suitable for this problem. However, existing solutions also have the following tradeoffs. For example:
- unlike the regular blockchain security model, when using a layer-two solution the user may need to monitor his funds from time to time;
- there may be some constraints or prerequisites for using such a solution (channel capacity, route availability for payment/state channels, operator availability for commit-chains, etc.);
- the user may need to use additional complex software that stores sensitive information (the history of transactions, including the so-called "breach remedy transactions", or other data required to create a proof of fraud and prevent loss of funds).

Consider the following case: there is no transaction validation; however, there is an operator that checks for double spend when the current owner wants to receive his tokens in the blockchain. Obviously, in this case the operator will not be able to prevent a double spend, but can only detect it. This case is very similar to an e-cash system. Moreover, for example, Bolt uses an offline anonymous e-cash scheme [4]. But this protocol does not have the transferability property (for a coin there can be only one transfer transaction).

The paper [5] describes a modified protocol that provides transferability (the main modification is related to the ability for the receiver to spend the received coin later). Our current research aims to apply the approaches proposed in [4, 5] to create a simpler offchain transaction scheme that allows detecting a double spender without validation and without linking transactions.

Let $\mathbb{G}$ be an additive group of prime order $q$, and let $s \in \mathbb{Z}_q$ be a number that can be used as a secret key to make a transaction for transfer of some tokens onchain. All other blockchain details are beyond the scope of this paper. Suppose we have an offchain analogue of the UTXO model. For each $s$ there is a so-called note. Therefore, an offchain token transfer transaction means a transaction for transfer of a note with value $s$. Let $G, H$ be generators of $\mathbb{G}$, and let $x_i \in \mathbb{Z}_q$ ($P_i = x_i G$) be the private (public) key of the $i$-th participant of the offchain transaction scheme, $i = 1, \dots, n$. We formulate the problem as follows: to create a scheme based on [5] that allows
- to transfer a note between users with these keys without transaction validation;
- to reveal the public key of the user who transferred the note more than once when the current owner of the note wants to make the corresponding transaction onchain, and not to link the note transfer transactions with the corresponding public keys of other users.

2. Description of the Scheme

Let $\mathcal{H}$ be a cryptographic hash function to $\mathbb{Z}_q$, and let $\pi(\{a_1, \dots, a_n\}, \{b_1, \dots, b_n\} : f_1(a_1, \dots, a_n, b_1, \dots, b_n) = c_1, \dots, f_n(a_1, \dots, a_n, b_1, \dots, b_n) = c_n)$ be a zero-knowledge proof of knowledge of such private $a_1, \dots, a_n$ and public $b_1, \dots, b_n$ (in general from different sets) that $f_1(a_1, \dots, a_n, b_1, \dots, b_n) = c_1, \dots, f_n(a_1, \dots, a_n, b_1, \dots, b_n) = c_n$, where $f_1, \dots, f_n$ are the corresponding functions and $c_1, \dots, c_n$ are constants.

2.1. Note Issue

To issue a note, the owner of the tokens in the blockchain (he knows $s$):
- generates some message msg (transaction description) and computes the hash $m_0 = \mathcal{H}(msg)$;
- computes $r_0 = (x + m_0)^{-1} G$, where $x$ is the owner's private key;
- computes $f_0 = \mathcal{H}(r_0, m_0)$;
- computes $T_0 = xG + f_0 (x + s + 1)^{-1} H$;
- computes a proof $\pi_0 = \pi(\{x\}, \{s, T_0, r_0, m_0\} : T_0 = xG + f_0 (x + s + 1)^{-1} H,\ r_0 = (x + m_0)^{-1} G)$;
- creates the note $(s, V_0)$, where $V_0 = (T_0, \pi_0, r_0, m_0)$.

2.2. Note Transfer

Assume that user A owns a note $(s, V)$, where $V = (V_0, \dots, V_l)$, $V_j = (T_j, \pi_j, r_j, m_j)$, $j = 0, \dots, l$, that he legitimately received from another user. If A legitimately received the note $(s, V)$, it is necessary that $r_l = (x_A + m_l)^{-1} G$, where $x_A$ is the private key of A. The following steps describe the interactive procedure for transfer of the note $(s, V)$ from user A to user B.

First, the Receiver (B):
- generates some message msg (transaction description) and computes the hash $m_{l+1} = \mathcal{H}(msg)$;
- computes $r_{l+1} = (x_B + m_{l+1})^{-1} G$, where $x_B$ is the receiver's private key;
- sends $m_{l+1}, r_{l+1}$ to the Sender.

Next, the Sender (A):
- computes $f_{l+1} = \mathcal{H}(r_{l+1}, m_{l+1})$;
- computes $h_{l+1} = \mathcal{H}(s, T_0, \dots, T_l)$;
- computes $T_{l+1} = x_A G + f_{l+1} (x_A + s + h_{l+1})^{-1} H$;
- computes a proof $\pi_{l+1} = \pi(\{x_A\}, \{s, T_{l+1}, r_{l+1}, m_{l+1}\} : T_{l+1} = x_A G + f_{l+1} (x_A + s + h_{l+1})^{-1} H,\ r_l = (x_A + m_l)^{-1} G)$;
- creates and sends the note $(s, V)$, where $V = (V_0, \dots, V_{l+1})$, $V_{l+1} = (T_{l+1}, \pi_{l+1}, r_{l+1}, m_{l+1})$, to the Receiver.

The Receiver can optionally verify the proof $\pi_{l+1}$.

2.3. Note Redeem

When the current owner of the note wants to make the corresponding transaction in the blockchain, he sends the note $(s, V)$, $V = (V_0, \dots, V_t)$, $V_j = (T_j, \pi_j, r_j, m_j)$, to the Operator. The Operator verifies that:
- the proof $\pi_j$ is valid for all $j = 0, \dots, t$;
- the note with $s$ has not been redeemed.

If the note with $s$ has already been redeemed, there was a double spend.

2.4. Double Spender Detection

A double spend is equivalent to the fact that the Operator received notes with the same $s$ and different $V = (V_0, \dots, V_k, \dots, V_t)$ and $V' = (V_0, \dots, V'_k, \dots, V'_{t'})$. The Operator:
- looks for the minimal $k$ such that $V_k = (T_k, \pi_k, r_k, m_k) \neq V'_k = (T'_k, \pi'_k, r'_k, m'_k)$;
- computes $f_k = \mathcal{H}(r_k, m_k)$ and $f'_k = \mathcal{H}(r'_k, m'_k)$;
- computes the public key of the double spender: $P = (f'_k - f_k)^{-1} (f'_k T_k - f_k T'_k)$.

3. Conclusion

This paper is dedicated to the research of the possibility of constructing a protocol for offchain transactions that, without transaction validation, allows detecting a double spender without tracing other transactions. We describe a possible scheme based on the transferable anonymous e-cash system proposed in [5]. In future papers, we would like to reformulate the security properties from [5] and provide the proofs.
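The following is an added example (not code from the paper) that runs the note issue, transfer and double spender detection steps of Section 2 over a toy group: the prime-order additive group is modelled as $\mathbb{Z}_q$ itself (so it has no discrete-log hardness and only demonstrates the algebra), the hash to $\mathbb{Z}_q$ is SHA-256 reduced mod $q$, and the zero-knowledge proofs $\pi_j$ are omitted, so each $V_j$ stores only $(T_j, r_j, m_j)$; all keys and secrets are constructed values.

```python
# Added example, not code from the paper: note issue / transfer / double-spender
# detection of Section 2 over a toy group. The additive group is Z_q itself (no
# discrete-log hardness, algebra only); the ZK proofs pi_j are left out.
import hashlib

q = 2**255 - 19                 # prime group order; the toy group is Z_q under addition
G, H = 2, 3                     # two "generators" of the toy group (assumed values)

def Hq(*parts):
    """Hash function to Z_q: SHA-256 over the '|'-joined inputs, reduced mod q."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def r_val(x, m):                 # r = (x + m)^{-1} G
    return pow((x + m) % q, -1, q) * G % q

def t_val(x, s, h, f):           # T = x G + f (x + s + h)^{-1} H
    return (x * G + f * pow((x + s + h) % q, -1, q) * H) % q

def issue(x, s, msg):
    """Owner with private key x and onchain secret s creates note (s, [V_0]); h_0 = 1."""
    m0 = Hq(msg); r0 = r_val(x, m0); f0 = Hq(r0, m0)
    return (s, [(t_val(x, s, 1, f0), r0, m0)])

def transfer(note, x_sender, x_receiver, msg):
    """Interactive transfer: the receiver supplies (m, r), the sender appends V_{l+1}."""
    s, V = note
    m = Hq(msg); r = r_val(x_receiver, m)                       # receiver's step
    f = Hq(r, m); h = Hq(s, *[Tj for Tj, _, _ in V])            # sender's step
    return (s, V + [(t_val(x_sender, s, h, f), r, m)])

def detect_double_spender(note1, note2):
    """Operator holds two notes with the same s: returns the double spender's public key."""
    (s1, V1), (s2, V2) = note1, note2
    assert s1 == s2
    k = next(i for i, (a, b) in enumerate(zip(V1, V2)) if a != b)   # minimal k with V_k != V'_k
    (Tk, rk, mk), (Tk2, rk2, mk2) = V1[k], V2[k]
    fk, fk2 = Hq(rk, mk), Hq(rk2, mk2)
    # T_k and T'_k both equal xG + f*w*H with the same x and w = (x+s+h_k)^{-1}, so
    # f'_k T_k - f_k T'_k = (f'_k - f_k) xG; dividing by (f'_k - f_k) recovers P = xG.
    return pow((fk2 - fk) % q, -1, q) * (fk2 * Tk - fk * Tk2) % q

def demo():
    x_issuer, x_a, x_b, x_c = 11, 22, 33, 44          # constructed private keys
    s = 5                                             # constructed onchain secret
    note = transfer(issue(x_issuer, s, "issue"), x_issuer, x_a, "issuer->A")
    to_b = transfer(note, x_a, x_b, "A->B")           # A spends the same note twice
    to_c = transfer(note, x_a, x_c, "A->C")
    return detect_double_spender(to_b, to_c) == x_a * G % q   # P_A = x_A G is revealed
```

Because the Operator only compares the two chains at the first index where they diverge, the same formula also identifies an issuer who creates two different $V_0$ for one $s$ (the $k = 0$ case with $h_0 = 1$).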

Keywords

blockchain, offchain, unlinkability, double spend detection, anonymity, double spend

Authors

Full name | Organization | Additional information | E-mail
Kyazhin Sergey Nikolaevich | Sberbank of Russia | Candidate of Physical and Mathematical Sciences, project manager at the Blockchain Laboratory | blockchain-research@sberbank.ru
Klimenko Konstantin Aleksandrovich | Sberbank of Russia | Director of products at the Blockchain Laboratory | blockchain-research@sberbank.ru

References

[1] Gudgeon L., Moreno-Sanchez P., Roos S., et al. SoK: Off The Chain Transactions. Cryptology ePrint Archive: Report 2019/360.
[2] Heilman E., Alshenibr L., Baldimtsi F., et al. TumbleBit: An Untrusted Bitcoin-Compatible Anonymous Payment Hub. Cryptology ePrint Archive: Report 2016/575.
[3] Green M. and Miers I. Bolt: Anonymous Payment Channels for Decentralized Currencies. Cryptology ePrint Archive: Report 2016/701.
[4] Camenisch J., Hohenberger S., and Lysyanskaya A. Compact E-Cash // EUROCRYPT 2005. LNCS. 2005. V. 3494. P. 302-321.
[5] Canard S., Gouget A., and Traore J. Improvement of efficiency in (unconditional) anonymous transferable E-Cash // Financial Cryptography and Data Security. LNCS. 2008. V. 5143. P. 202-214.