`EfTrEC – Efficient Transferable E-cash`

Project funded by the French research funding agency ANR
Duration: 08/11/2016 – 07/11/2020

`Consortium`

Georg Fuchsbauer (PI), chargé de recherche Inria, ENS
Céline Chevalier, maître de conférences à Paris 2
Damien Vergnaud, professeur à UPMC
Balthazar Bauer, PhD student EfTrEC, Inria/ENS

`Project`

Physical cash is slowly disappearing and with it the possibility to make anonymous payments. Electronic payments offered by traditional providers are all traceable and violate the citizens' right to privacy. The rise of cryptocurrencies, in particular of more advanced ones like Monero or Zcash, show a demand for privacy-respecting electronic payments; however, these decentralized currencies operate outside the public monetary system. Moreover, the energy consumption caused by cryptocurrencies is ecologically alarming.

Ef TrEC reinvestigates cryptographic e-cash, which entrusts banks with the issuing of electronic coins and whose primary concern is the protection of user privacy. The major drawback of all schemes proposed up to now is that an e-coin received as payment must be deposited at the bank and cannot be reused like physical cash. The main goal of Ef TrEC are practical schemes that allow transfer of coins: efficient transferable e-cash. Our research program is structured as follows:

Definitions: give a clean formal model of transferable e-cash
Tools: devise more efficient tools on which schemes will be based
Trust assumptions: work on reducing the trust that needs to be put in the setup
Schemes: practical transferable e-cash
Post-quantum: devise schemes that resist attacks on quantum computers

`Results`

Proof systems
Zero-knowledge (ZK) proof systems are a central cryptographic tool for anonymous authentication and in particular for transferable e-cash. Their main drawback is that they require a trusted setup, as is the case for their efficient variant zk-SNARKs. At PKC'18, we proved that the main efficient SNARK schemes proposed so far remain zero-knowledge under setup subversion; we also showed that Zcash is anonymous even if even if its parameter-generation ceremony was subverted.
At ACNS'18 we proposed a (witness-indistinguishable) proof of knowledge that does not require any setup. And at CRYPTO'18 we proved Groth's SNARK (the most efficient scheme) sound in the algebraic group model, a weaker idealization than the generic group model, in which the scheme was originally proven secure.
- G. Fuchsbauer. Subversion-Zero-Knowledge SNARKs. PKC '18 [eprint] [slides]
- G. Fuchsbauer, M. Orrù. Non-interactive Zaps of Knowledge. ACNS '18 (best student paper) [eprint]
- G. Fuchsbauer, E. Kiltz, J. Loss. The Algebraic Group Model and Its Applications. CRYPTO '18 [eprint]
Equivalence-class signatures
The classical approach to (transferable) e-cash consists of combining signatures with ZK proofs of knowledge: a coin is a proof of knowledge of a signature by the bank. Transferable e-cash uses re-randomizable proofs, as anonymity requires coins to change after every transfer, which leads to a loss in efficiency. Equivalence-class signatures avoid proofs, as their signatures and messages are randomizable themselves. We have used this primitive to construct the first anonymous credential scheme with constant-size credentials.
- G. Fuchsbauer, C. Hanser, D. Slamanig. Structure-Preserving Signatures on Equivalence Classes and Constant-Size Anonymous Credentials. Journal of Cryptology [eprint]
- G. Fuchsbauer, R. Gay. Weakly Secure Equivalence-Class Signatures from Standard Assumptions. PKC '18 [eprint]

Cryptocurrencies
All of today's main cryptocurrencies rely on the concept of proof of work, which is the cause of the colossal energy consumption provoked by these schemes. With researchers at MIT and IST Austria we have proposed a cryptocurrency scheme whose security relies on proof of space instead (more on this here).
All cryptocurrencies store all transactions that ever occurred in the blockchain forever, and keeping this history is essential to verify the system state. Mimblewimble is a proposal for a cryptocurrency that only requires to store the current state and discard spent transaction outputs, while maintaining verifiability. We have recently finished a formal security evaluation of the proposal.
- S. Park, A. Kwon, G. Fuchsbauer, P. Gaži, J. Alwen, K. Pietrzak. SpaceMint: A Cryptocurrency Based on Proofs of Space. Financial Crypto '18 [eprint] [slides]
- G. Fuchsbauer, M. Orrù, Y. Seurin. Aggregate Cash Systems: A Cryptographic Investigation of Mimblewimble. EUROCRYPT '19 [eprint] [slides]