pathshuffle: credit mixing and anonymous payments for ripple · pedro moreno-sanchez purdue...
TRANSCRIPT
PathShuffle: Credit Mixing and Anonymous Payments for Ripple
Pedro Moreno-Sanchez, Purdue University
Tim Ruffing, Saarland University
Aniket Kate, Purdue University
Credit (or IOU Settlement) Networks: Basics
Transactions in the real world
Dinner (Aniket, Pedro): IOweYou $40
Beer, during a visit from Antonio (Aniket, Antonio): IOweYou $10
A credit network representation
[Figure: credit graph over the nodes Aniket, Pedro and Antonio, with link values 40 and 10; the last build shows "4050" in place of the 40.]
Ripple Credit Network: an Example of Transaction
[Figure: credit graph over the nodes Alice, Bob, Carol, Dave and Eve with numeric link values; the values on the links change across the builds.]
Sender: Bob
Receiver: Carol
Path1 {10}, Path2 {5}
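Added example, not part of the original slides: a toy credit network in which Bob pays Carol 15 split as 10 and 5 over two paths, settled all-or-nothing and recorded in a public ledger. The topology, the link values and the rule that a payment frees credit in the reverse direction are assumptions made for the illustration; only the node names and the 10 + 5 split come from the slide.

```python
# Added illustration, not from the slides: toy credit network with
# all-or-nothing multi-path payments. Link values are constructed.
class CreditNetwork:
    def __init__(self):
        self.credit = {}  # (u, v) -> credit still usable for value moving u -> v
        self.ledger = []  # public record of settled payments

    def add_link(self, u, v, amount):
        self.credit[(u, v)] = self.credit.get((u, v), 0) + amount

    def pay(self, sender, receiver, routes):
        """routes is a list of (path, amount); settle every route or none."""
        staged = dict(self.credit)  # work on a copy so a failure changes nothing
        for path, amount in routes:
            if len(path) < 2 or path[0] != sender or path[-1] != receiver:
                return False
            if amount <= 0:
                return False
            for u, v in zip(path, path[1:]):
                if staged.get((u, v), 0) < amount:
                    return False  # one hop lacks credit: abort the whole payment
                staged[(u, v)] -= amount
                # Modelling assumption: paying u -> v frees the same amount v -> u.
                staged[(v, u)] = staged.get((v, u), 0) + amount
        self.credit = staged
        self.ledger.append({"sender": sender, "receiver": receiver,
                            "routes": [(list(p), a) for p, a in routes]})
        return True


def build_example():
    """Constructed topology; only the names and the 10 + 5 split are from the slide."""
    net = CreditNetwork()
    for u, v, c in [("Bob", "Alice", 10), ("Alice", "Carol", 40),
                    ("Bob", "Dave", 5), ("Dave", "Carol", 20)]:
        net.add_link(u, v, c)
    return net


if __name__ == "__main__":
    net = build_example()
    routes = [(["Bob", "Alice", "Carol"], 10), (["Bob", "Dave", "Carol"], 5)]
    print(net.pay("Bob", "Carol", routes), net.credit)
    # Both of Bob's outgoing links are now exhausted, so this is rejected.
    print(net.pay("Bob", "Carol", [(["Bob", "Alice", "Carol"], 1)]))
```

The ledger entry stores sender, receiver and every hop in the clear, which is the public-verifiability property the following slides identify as the privacy problem.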
Ripple Credit Network
[Figure: credit graph whose links carry different currencies and goods: £ 70, CAD 100, $ 60, € 45, € 30, AED 10, BTC 5, BTC 10, Coffee 4, Books 2, Meal 10, Car rides 3.]
Tx time: ~ 1 day vs. ~ 5 seconds
Worldwide, cross-currency tx: High fees vs. Tiny fees
Integrity: Bank only vs. Public verifiability
Ripple can significantly improve cross-currency remittance and settlements
Public Verifiability & Privacy Problem
The Ripple Ledger: Credit Graph, Transaction Details
Listening to Whispers of Ripple: Linking Wallets and Deanonymizing Transactions in the Ripple Network
Pedro Moreno-Sanchez, Muhammad Bilal Zafar, Aniket Kate.
PETS ’16
Can we achieve anonymous payments in the current Ripple network?
Related Work
Privacy Preserving Credit Networks
Privacy Preserving Payments in Credit Networks
Pedro Moreno-Sanchez, Aniket Kate, Matteo Maffei, Kim Pecina
NDSS ’15
SilentWhispers: Enforcing Security and Privacy in Decentralized Credit Networks
Giulio Malavolta, Pedro Moreno-Sanchez, Aniket Kate, Matteo Maffei
NDSS ’17
Require structural changes in the Ripple network
Privacy Preserving Cryptocurrencies
Monero, Zcash, …
Solutions tied to cryptocurrencies:
- Specific cryptographic algorithms
Bitcoin Mixing (CoinJoin)
Input Addresses: A (1 BTC), B (1 BTC), C (1 BTC)
Output Addresses: B’ (1 BTC), C’ (1 BTC), A’ (1 BTC)
Alice, Bob, Carol
Path Mixing for Privacy-preserving Transactions
✦ Idea: Transaction paths sharing a common node can be mixed
✦ Goal: Hide who pays to whom (unlinkability) from an adversary who controls up to (n-2) input wallets
✦ Multi-input-multi-output (CoinJoin) transaction: Not supported in Ripple.
✦ Atomicity problem: Who sends first?
[Figure: input wallets A, B and C connected to output wallets A’, B’ and C’ through a common Gateway node; links carry numeric values.]
Key Idea: Synchronization Using Shared Wallets
✦ Shared Wallet: Using a distributed signature scheme to share the ownership of the wallet
✦ The atomicity problem persists
  ✦ Who sends first to the shared wallet?
  ✦ Funds can be locked
[Figure: input wallets A, B and C, the Gateway, a shared wallet A’/B’/C’, and output wallets A’, B’ and C’.]
Our Protocol for Atomic Transactions: PathJoin
✦ Two shared wallets (two rounds of synchronization suffice)
✦ Pre-fund the input and output shared wallets (e.g., mix 10 credit)
✦ Perform the mixing transaction
[Figure: input wallets A, B and C, input shared wallet A/B/C, the Gateway, output shared wallet A’/B’/C’, and output wallets A’, B’ and C’; link values are updated across the builds.]
PathShuffle: PathJoin + DiceMix
✦ Atomic transactions (PathJoin) alone do not suffice
  ✦ How to know the output wallets in the first place?
✦ We require:
  ✦ Mechanism to find participants (bootstrapping)
  ✦ Anonymously construct the list of output wallets (DiceMix)
[Figure: input wallets A, B and C, each labelled 10, and output wallets A’, B’ and C’.]
P2P Mixing and Unlinkable Bitcoin Transactions
Tim Ruffing, Pedro Moreno-Sanchez, Aniket Kate.
NDSS ’17
Discussion
✦ PathJoin enables atomic transactions
  ✦ Interesting applications other than privacy (e.g., crowdfunding)
  ✦ Discussion on forums (e.g., ICO): https://www.xrpchat.com/topic/6879-pathjoin/
✦ PathShuffle enables path mixing in the Ripple network
  ✦ Successfully tested in the real Ripple network!
  ✦ Compatible with other credit networks (e.g., Stellar)
✦ PathShuffle is a simple smart contract
  ✦ However, Ripple does not have script language
  ✦ Are other “scriptless” contracts possible? Limitations?
Take Home Message
✦ Credit Networks (e.g., Ripple) allow worldwide, fast, cheap, cross-currency transactions
✦ There exist privacy breaches because of the publicly available Ripple ledger
✦ PathJoin: protocol for atomic payments in Ripple with interesting applications
✦ PathShuffle: protocol for anonymous payments fully compatible with current Ripple
Thanks! @pedrorechez