Abstract
Enforcement of policy regulations and availability of auditing mechanisms are crucial building blocks for the adoption of distributed payment systems. In this work we review a number of existing proposals for distributed payment systems that offer some form of auditability for regulators. We identify two major distinct lines of work: payment systems that are not privacy-preserving such as Bitcoin, where regulation functionalities are typically tailored for organizations controlling many accounts, and privacy-preserving payment systems where regulation functionalities are typically targeted to user level. We provide a systematization methodology over several axes of characteristics and performance, while highlighting insights and research gaps that we have identified, such as lack of dispute-resolution solutions between the regulator and the entity under audit, and the incompatibility of ledger pruning or off-chain protocols with regulatory requirements. Based on our findings, we propose a number of exciting future research directions.
P. Chatzigiannis did part of this work during an internship at Novi Financial/Facebook Research. Foteini Baldimtsi and Panagiotis Chatzigiannis were supported by NSF #1717067, NSA #204761 and a Facebook Research Award.
Notes
1. In some scenarios, non-private auditing might suffice. However, such a protocol would be trivial from a security standpoint, and to our knowledge no related proposal exists.
2. This property is sometimes referred to as “transaction graph obfuscation”.
3. In typical DAPs, a “human user” might control multiple payment addresses. By user/participant regulation below we refer to address-level regulation, unless we explicitly explain otherwise in certain permissioned schemes.
4.
5.
References
[1] Bitgo announces “verified by bitgo” proof of asset service. https://www.businesswire.com/news/home/20150630005466/en/BitGo-Announces-%E2%80%9CVerified-BitGo%E2%80%9D-Proof-Asset-Service#.VZKYwO1Viko
[2] Bitstamp proof of reserves. https://www.bitstamp.net/s/documents/Bitstamp_proof_of_reserves_statement.pdf
[3] CSBS state regulatory requirements for virtual currency activities. https://www.csbs.org/sites/default/files/2017-11/CSBS%20Draft%20Model%20Regulatory%20Framework%20for%20Virtual%20Currency%20Proposal%20-%20Dec.%2016%202014.pdf
[4] Deloitte COINIA and the future of audit. https://www2.deloitte.com/us/en/pages/audit/articles/impact-of-blockchain-in-accounting.html
[5] FATF travel rule: What you need to know. https://complyadvantage.com/knowledgebase/fatf-travel-rule/
[6] IRS is trying to deanonymize privacy coins like monero and zcash. https://www.forbes.com/sites/shehanchandrasekera/2020/07/06/irs-is-trying-to-deanonymize-privacy-coins-like-monero-and-zcash/#4607506c4174
[7] Maxwell summation trees. https://bitcointalk.org/index.php?topic=595180.0
[8] Proof of solvency: Technical overview. https://medium.com/iconominet/proof-of-solvency-technical-overview-d1d0e8a8a0b8
[9] Tether: Fiat currencies on the bitcoin blockchain. https://tether.to/wp-content/uploads/2016/06/TetherWhitePaper.pdf
[10] Tether’s bank says it invests customer funds in bitcoin. https://www.coindesk.com/tethers-bank-says-it-invests-customer-funds-in-bitcoin
[11] On blockchain auditability (2016). https://bitfury.com/content/downloads/bitfury_white_paper_on_blockchain_auditability.pdf
[12] Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (general data protection regulation). Official Journal of the European Union L119, pp. 1–88 (2016)
[13] Deloitte’s 2020 global blockchain survey (2020). https://www2.deloitte.com/content/dam/insights/us/articles/6608_2020-global-blockchain-survey/DI_CIR%202020%20global%20blockchain%20survey.pdf
[14] Androulaki, E., et al.: Hyperledger fabric: a distributed operating system for permissioned blockchains. In: Proceedings of the Thirteenth EuroSys Conference, EuroSys 2018, Porto, Portugal, 23–26 April 2018, pp. 30:1–30:15 (2018)
[15] Androulaki, E., Camenisch, J., Caro, A.D., Dubovitskaya, M., Elkhiyaoui, K., Tackmann, B.: Privacy-preserving auditable token payments in a permissioned blockchain system. In: AFT 2020: 2nd ACM Conference on Advances in Financial Technologies, New York, NY, USA, 21–23 October 2020, pp. 255–267. ACM (2020). https://doi.org/10.1145/3419614.3423259
[16] Barki, A., Gouget, A.: Achieving privacy and accountability in traceable digital currency. Cryptology ePrint Archive, Report 2020/1565 (2020). https://eprint.iacr.org/2020/1565
[17] Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press, May 2014. https://doi.org/10.1109/SP.2014.36
[18] Bitansky, N., Chiesa, A., Ishai, Y., Paneth, O., Ostrovsky, R.: Succinct non-interactive arguments via linear interactive proofs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 315–333. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_18
[19] Bogatov, D., De Caro, A., Elkhiyaoui, K., Tackmann, B.: Anonymous transactions with revocation and auditing in hyperledger fabric. Cryptology ePrint Archive, Report 2019/1097 (2019). https://eprint.iacr.org/2019/1097
[20] Brands, S.: Untraceable off-line cash in wallet with observers. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 302–318. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_26
[21] Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society Press, May 2018. https://doi.org/10.1109/SP.2018.00020
[22] Cecchetti, E., Zhang, F., Ji, Y., Kosba, A.E., Juels, A., Shi, E.: Solidus: confidential distributed ledger transactions via PVORM. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 701–717. ACM Press, October/November 2017. https://doi.org/10.1145/3133956.3134010
[23] Chalkias, K., Lewi, K., Mohassel, P., Nikolaenko, V.: Distributed auditing proofs of liabilities. Cryptology ePrint Archive, Report 2020/468 (2020). https://eprint.iacr.org/2020/468
[24] Chase, M., Ganesh, C., Mohassel, P.: Efficient zero-knowledge proof of algebraic and non-algebraic statements with applications to privacy preserving credentials. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 499–530. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_18
[25] Chatzigiannis, P., Baldimtsi, F.: Miniledger: compact-sized anonymous and auditable distributed payments. In: ESORICS 2021 (2021)
[26] Chen, Y., Ma, X., Tang, C., Au, M.H.: PGC: decentralized confidential payment system with auditability. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12308, pp. 591–610. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58951-6_29
[27] Conti, M., Kumar, E.S., Lal, C., Ruj, S.: A survey on security and privacy issues of bitcoin. IEEE Commun. Surv. Tutor. 20(4), 3416–3452 (2018). https://doi.org/10.1109/COMST.2018.2842460
[28] Dagher, G.G., Bünz, B., Bonneau, J., Clark, J., Boneh, D.: Provisions: privacy-preserving proofs of solvency for bitcoin exchanges. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 720–731. ACM Press, October 2015. https://doi.org/10.1145/2810103.2813674
[29] Damgård, I., Ganesh, C., Khoshakhlagh, H., Orlandi, C., Siniscalchi, L.: Balancing privacy and accountability in blockchain identity management. Cryptology ePrint Archive, Report 2020/1511 (2020). https://eprint.iacr.org/2020/1511
[30] Decker, C., Guthrie, J., Seidel, J., Wattenhofer, R.: Making bitcoin exchanges transparent. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015, Part II. LNCS, vol. 9327, pp. 561–576. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_28
[31] Doerner, J., Shelat, A., Evans, D.: Zeroledge: proving solvency with privacy (2015)
[32] Dutta, A., Vijayakumaran, S.: Mprove: a proof of reserves protocol for monero exchanges. In: 2019 IEEE European Symposium on Security and Privacy Workshops, EuroS&P Workshops 2019, Stockholm, Sweden, 17–19 June 2019, pp. 330–339. IEEE (2019). https://doi.org/10.1109/EuroSPW.2019.00043
[33] Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
[34] Frankle, J., Park, S., Shaar, D., Goldwasser, S., Weitzner, D.J.: Practical accountability of secret processes. In: Enck, W., Felt, A.P. (eds.) USENIX Security 2018, pp. 657–674. USENIX Association, August 2018
[35] Fuchsbauer, G., Orrù, M., Seurin, Y.: Aggregate cash systems: a cryptographic investigation of mimblewimble. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 657–689. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_22
[36] Garay, J., Kiayias, A.: SoK: a consensus taxonomy in the blockchain era. In: Jarecki, S. (ed.) CT-RSA 2020. LNCS, vol. 12006, pp. 284–318. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-40186-3_13
[37] Garman, C., Green, M., Miers, I.: Accountable privacy for decentralized anonymous payments. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 81–98. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_5
[38] Goldwasser, S., Park, S.: Public accountability vs. secret laws: can they coexist?: a cryptographic proposal. In: Thuraisingham, B.M., Lee, A.J. (eds.) Proceedings of the 2017 on Workshop on Privacy in the Electronic Society, Dallas, TX, USA, 30 October–3 November 2017, pp. 99–110. ACM (2017). https://doi.org/10.1145/3139550.3139565
[39] Graf, M., Küsters, R., Rausch, D.: Accountability in a permissioned blockchain: formal analysis of hyperledger fabric, pp. 236–255 (2020). https://doi.org/10.1109/EuroSP48549.2020.00023
[40] Groth, J.: Non-interactive zero-knowledge arguments for voting. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 467–482. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_32
[41] Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
[42] Guts, N., Fournet, C., Zappa Nardelli, F.: Reliable evidence: auditability by typing. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 168–183. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04444-1_11
[43] Heilman, E., Alshenibr, L., Baldimtsi, F., Scafuro, A., Goldberg, S.: TumbleBit: an untrusted bitcoin-compatible anonymous payment hub. In: NDSS 2017. The Internet Society, February/March 2017
[44] Hu, K., Zhang, Z., Guo, K.: Breaking the binding: attacks on the merkle approach to prove liabilities and its applications. Comput. Secur. 87 (2019). https://doi.org/10.1016/j.cose.2019.101585
[45] Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12
[46] Küsters, R., Truderung, T., Vogt, A.: Accountability: definition and relationship to verifiability. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) ACM CCS 2010, pp. 526–535. ACM Press, October 2010. https://doi.org/10.1145/1866307.1866366
[47] Lamport, L., Shostak, R.E., Pease, M.C.: The byzantine generals problem. ACM Trans. Program. Lang. Syst. 4(3), 382–401 (1982)
[48] Maxwell, G.: Coinjoin: Bitcoin privacy for the real world (2013). https://bitcointalk.org/index.php?topic=279249.0
[49] Meiklejohn, S., et al.: A fistful of bitcoins: characterizing payments among men with no names. In: Papagiannaki, K., Gummadi, P.K., Partridge, C. (eds.) Proceedings of the 2013 Internet Measurement Conference, IMC 2013, Barcelona, Spain, 23–25 October 2013, pp. 127–140. ACM (2013). https://doi.org/10.1145/2504730.2504747
[50] Moore, T., Christin, N.: Beware the middleman: empirical analysis of bitcoin-exchange risk. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 25–33. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_3
[51] Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2009). http://bitcoin.org/bitcoin.pdf
[52] Narula, N., Vasquez, W., Virza, M.: zkledger: privacy-preserving auditing for distributed ledgers. In: 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2018), Renton, WA, pp. 65–80. USENIX Association, April 2018. https://www.usenix.org/conference/nsdi18/presentation/narula
[53] Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
[54] Poelstra, A.: Mimblewimble (2016). https://download.wpsoftware.net/bitcoin/wizardry/mimblewimble.pdf
[55] Poelstra, A., Back, A., Friedenbach, M., Maxwell, G., Wuille, P.: Confidential assets. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 43–63. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-662-58820-8_4
[56] Roose, S.: Standardizing bitcoin proof of reserves. https://blockstream.com/2019/02/04/en-standardizing-bitcoin-proof-of-reserves/
[57] Van Saberhagen, N.: Cryptonote v 2.0 (2013). https://cryptonote.org/whitepaper.pdf
[58] Wang, H., He, D., Ji, Y.: Designated-verifier proof of assets for bitcoin exchange using elliptic curve cryptography. Future Gener. Comput. Syst. 107, 854–862 (2020). https://doi.org/10.1016/j.future.2017.06.028
[59] Wüst, K., Kostiainen, K., Čapkun, V., Čapkun, S.: PRCash: fast, private and regulated transactions for digital currencies. In: Goldberg, I., Moore, T. (eds.) FC 2019. LNCS, vol. 11598, pp. 158–178. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32101-7_11
Acknowledgements
We thank Kaoutar Elkhiyaoui (IBM Research) for the clarifications on [15] and Dmitry Korneev (Facebook) for his input on needed regulation and compliance.
A Cryptographic Background
A.1 Consensus
A consensus protocol allows a number of nodes to reach common agreement on the input of a sequence of messages. In our setting, the commonly agreed value is typically recorded on a public ledger. The basic properties of a consensus protocol are [36]: (a) Consistency: on some input, all honest nodes produce the same output; (b) Liveness: an input proposed by some honest node will eventually be processed by all honest nodes after a finite number of rounds. A common distinction among consensus protocols is according to their failure model: crash-tolerant protocols assume failed nodes may go offline or otherwise stop interacting with the system, while Byzantine-tolerant [47] protocols assume such nodes might also engage in malicious activity in order to defeat the above properties. These models typically assume different levels of adversarial power needed for the system to fail. Another distinction is based on the participation model: in permissioned consensus, participation is open only to a closed set of parties, while permissionless consensus is open to anyone, which however needs a mechanism to prevent attacks through “sybil” identities, such as Bitcoin’s Proof of Work [51] or Proof of Stake protocols [45].
A.2 Distributed Payment Systems
A distributed payment system (DPS), also known as a ledger-based payment system, can be defined by the following algorithms and protocols, assuming the existence of a consensus layer.
- \(\mathsf{pp}, L \leftarrow \mathsf{Setup}(\lambda)\): on input of security parameter \(\lambda\), outputs public parameters \(\mathsf{pp}\) and initializes a public ledger L to be maintained by the consensus layer. This algorithm is executed once in the setup phase of the system, and is run either by a single party or by a quorum of parties in a multi-party computation (MPC) protocol. In the following algorithms and protocols, \(\mathsf{pp}\) and L are default inputs and are omitted for simplicity.
- \((\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{CreateAcc}()\): run by any party wishing to transact in the system (Footnote 5), outputs a public/secret key pair.
- \(\mathsf{tx} \leftarrow \mathsf{CreateTx}(\mathsf{sk}_S, \mathsf{pk}_R, v)\): run by a sender S wishing to send value v to a receiver R, and outputs a transaction \(\mathsf{tx}\). Although here for simplicity we assume a single sender and receiver, a transaction can generally accommodate multiple senders and receivers. \(\mathsf{tx}\) is sent to the consensus layer in order to be included in L after verification.
- \(\{0,1\} \leftarrow \mathsf{VerifyTx}(\mathsf{tx})\): verifies the validity of a transaction \(\mathsf{tx}\) given the state of the ledger L. Verification is typically performed in a distributed fashion in the consensus layer among all verifiers (often called “miners”), where agreement results in the update of the ledger’s state to \(L'\), which contains \(\mathsf{tx}\).
A.3 Commitment Schemes
Commitment schemes are very commonly used in private DPSs to hide transaction information. A non-interactive commitment scheme \(\mathsf{Com}(\mathsf{pp}, m, r)\) takes as input public parameters \(\mathsf{pp}\), a message m and randomness r, and outputs a commitment value \(\mathsf{cm}\). This value reveals no information about the message (hiding property), while it is hard to find \((m', r')\) such that \(\mathsf{Com}(\mathsf{pp}, m, r) = \mathsf{Com}(\mathsf{pp}, m', r')\) with \(m' \ne m\) (binding property). Certain commitment schemes, e.g. Pedersen commitments [53], allow for homomorphic operations over committed values, a useful property in private DPSs.
A.4 Zero Knowledge Proofs
A Zero Knowledge proof is an interactive protocol between a prover P and a verifier V where P, based on a common input statement, proves knowledge of a witness w without revealing to V any additional information other than this fact alone. In DPSs, zero-knowledge proofs are used extensively to provide privacy-preserving attributes, with transacting parties proving the validity of a transaction based on a public ledger without revealing the full transaction details, while in recent works they are also used to prove compliance with regulatory requirements.
Range Proofs are Zero Knowledge protocols proving that a committed value v lies within some interval (a, b), with v as the witness. In a payment system setting, such proofs are typically used to show that v is positive or does not overflow a maximum representable value. The best-known construction families for range proofs include square decomposition [40], multi-base decomposition [55] and Bulletproofs [21], with the latter being the most efficient in terms of proof size. Obviously, one can generate constant-size range proofs from trusted-setup based SNARKs like Groth16 [41]. In privacy-preserving DPSs they are often used to ensure the basic core properties discussed in Sect. A.2, but they are also used for regulation purposes (e.g. to distinguish transactions that exceed a value limit).
A.5 Interactive Zero Knowledge Proofs
An interactive zero-knowledge proof (ZKP) for statement \(\{w: f(w,x)\}\) where x is publicly known and witness w is known only to prover P, is a protocol between P and verifier V that proves P’s knowledge of w such that f(w, x) holds. This protocol needs to satisfy the following:
- Completeness: an honest V is always convinced by an honest P who knows a valid witness w.
- Soundness: a malicious prover \(P^*\) cannot convince a verifier of a false statement.
- Zero Knowledge: after executing the protocol, a verifier does not learn any additional information other than the validity of the statement.
An interactive ZKP can be converted to a non-interactive zero-knowledge proof (NIZK) using the Fiat-Shamir heuristic [33]. In turn, a Zero-Knowledge Succinct Non-interactive ARgument of Knowledge (zk-SNARK) is a non-interactive zero-knowledge proof that is succinct, namely its proofs are very short, \(O(\lambda)\), with efficient verification, \(O(\lambda |x|)\) [18].
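The following is an added worked example, not code from the paper or from any system it surveys, covering both Sect. A.3 and Sect. A.5: a Pedersen commitment \(\mathsf{Com}(\mathsf{pp}, m, r) = m G + r H\) with its homomorphic balance check, and a Sigma-protocol proof of knowledge of an opening \((m, r)\) turned into a NIZK with the Fiat-Shamir heuristic. It assumes the secp256k1 group as \(\mathsf{pp}\) (toy affine arithmetic, not constant-time), derives the second generator H by try-and-increment hashing from a constructed label so that \(\log_G H\) is unknown to everyone (the condition under which the commitment is binding), and uses hypothetical function names (`commit`, `balanced`, `prove_opening`, `verify_opening`).

```python
import hashlib
import secrets

# secp256k1 public parameters (assumed group pp): field prime, group order, base point.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# The point at infinity (group identity) is represented by None.


def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7 over GF(P) (toy, not constant-time)."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % P == 0:                       # A == -B
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def encode(A):
    return b"\x00" * 64 if A is None else A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")


def hash_to_point(label):
    """Try-and-increment hashing to a curve point: nobody learns log_G(H), which is
    exactly what the binding property of the commitment relies on."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)   # square root when rhs is a residue (P = 3 mod 4)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


H = hash_to_point(b"pedersen second generator (constructed label)")   # hypothetical label


def commit(m, r):
    """Pedersen commitment Com(pp, m, r) = m*G + r*H; r hides m (hiding property)."""
    return ec_add(ec_mul(m, G), ec_mul(r, H))


def balanced(input_cms, output_cms):
    """Homomorphic check a private-DPS verifier can run without learning any amount:
    sum(inputs) == sum(outputs) iff both the values and the blinding factors balance.
    Range proofs (Sect. A.4) are still needed to rule out negative outputs."""
    total_in = total_out = None
    for cm in input_cms:
        total_in = ec_add(total_in, cm)
    for cm in output_cms:
        total_out = ec_add(total_out, cm)
    return total_in == total_out


def fiat_shamir(*points):
    """Fiat-Shamir: the verifier's random challenge becomes a hash of the transcript."""
    return int.from_bytes(hashlib.sha256(b"".join(encode(p) for p in points)).digest(), "big") % N


def prove_opening(m, r):
    """NIZK proof of knowledge of (m, r) with cm = m*G + r*H (Sigma protocol + Fiat-Shamir)."""
    cm = commit(m, r)
    a, b = secrets.randbelow(N), secrets.randbelow(N)
    T = commit(a, b)                       # first message: commitment to fresh randomness
    c = fiat_shamir(G, H, cm, T)           # challenge derived from the transcript
    return (T, (a + c * m) % N, (b + c * r) % N)   # responses z1, z2


def verify_opening(cm, proof):
    T, z1, z2 = proof
    c = fiat_shamir(G, H, cm, T)
    # z1*G + z2*H == T + c*cm, since (a + c m)G + (b + c r)H == (aG + bH) + c(mG + rH)
    return commit(z1, z2) == ec_add(T, ec_mul(c, cm))


if __name__ == "__main__":
    r = secrets.randbelow(N)
    print("opening proof verifies:", verify_opening(commit(42, r), prove_opening(42, r)))
    print("5 + 7 = 12 balances:", balanced([commit(5, 1), commit(7, 2)], [commit(12, 3)]))
```

The verifier in `verify_opening` never sees m or r, only the commitment and the transcript \((T, z_1, z_2)\); the hash-derived challenge replaces the verifier's coin flips, which is the conversion from the interactive protocol to a NIZK described above. `balanced` is the same homomorphism at work at the transaction level: the sender picks the output blinding factors to sum to the input ones, so equality of the two commitment sums certifies value conservation while the amounts stay hidden.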
© 2021 Springer Nature Switzerland AG
Chatzigiannis, P., Baldimtsi, F., Chalkias, K. (2021). SoK: Auditability and Accountability in Distributed Payment Systems. In: Sako, K., Tippenhauer, N.O. (eds) Applied Cryptography and Network Security. ACNS 2021. Lecture Notes in Computer Science, vol. 12727. Springer, Cham. https://doi.org/10.1007/978-3-030-78375-4_13
DOI: https://doi.org/10.1007/978-3-030-78375-4_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78374-7
Online ISBN: 978-3-030-78375-4
eBook Packages: Computer Science (R0)