diff --git a/docs/bib.bib b/docs/bib.bib
new file mode 100644
index 0000000..93955dd
--- /dev/null
+++ b/docs/bib.bib
@@ -0,0 +1,77 @@
+
+
+@inproceedings{BoltCCS,
+ author = {Green, Matthew and Miers, Ian},
+ title = {Bolt: Anonymous Payment Channels for Decentralized Currencies},
+ booktitle = {Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security},
+ series = {CCS '17},
+ year = {2017},
+ isbn = {978-1-4503-4946-8},
+ location = {Dallas, Texas, USA},
+ pages = {473--489},
+ numpages = {17},
+ url = {http://doi.acm.org/10.1145/3133956.3134093},
+ doi = {10.1145/3133956.3134093},
+ acmid = {3134093},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+ keywords = {bitcoin, blockchain, off chain, payments},
+}
+
+@inproceedings{Zerocash,
+author={E. B. Sasson and A. Chiesa and C. Garman and M. Green and I. Miers and E. Tromer and M. Virza},
+booktitle={2014 IEEE Symposium on Security and Privacy},
+title={Zerocash: Decentralized Anonymous Payments from Bitcoin},
+year={2014},
+volume={},
+number={},
+pages={459-474},
+keywords={data privacy;electronic money;Bitcoin;DAP schemes;Zero cash;Zerocash;decentralized anonymous payment schemes;decentralized anonymous payments;full-fledged ledger-based digital currency;payment transactions;privacy guarantees;public decentralized ledger;zero-knowledge succinct noninteractive arguments of knowledge;zk-SNARKs;Logic gates;Online banking;Privacy;Protocols;Public key;Bitcoin;decentralized electronic cash;zero knowledge},
+doi={10.1109/SP.2014.36},
+ISSN={1081-6011},
+month={May},
+}
+
+@InProceedings{PedersenCommits,
+author="Pedersen, Torben Pryds",
+editor="Feigenbaum, Joan",
+title="Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing",
+booktitle="Advances in Cryptology --- CRYPTO '91",
+year="1992",
+publisher="Springer Berlin Heidelberg",
+address="Berlin, Heidelberg",
+pages="129--140",
+abstract="It is shown how to distribute a secret to n persons such that each person can verify that he has received correct information about the secret without talking with other persons. 
Any k of these persons can later find the secret (1 ≤ k ≤ n), whereas fewer than k persons get no (Shannon) information about the secret. The information rate of the scheme is 1/2 and the distribution as well as the verification requires approximately 2k modular multiplications pr. bit of the secret. It is also shown how a number of persons can choose a secret ``in the well'' and distribute it verifiably among themselves.",
+isbn="978-3-540-46766-3"
+}
+
+@InProceedings{CLSigs02,
+author="Camenisch, Jan
+and Lysyanskaya, Anna",
+editor="Cimato, Stelvio
+and Persiano, Giuseppe
+and Galdi, Clemente",
+title="A Signature Scheme with Efficient Protocols",
+booktitle="Security in Communication Networks",
+year="2003",
+publisher="Springer Berlin Heidelberg",
+address="Berlin, Heidelberg",
+pages="268--289",
+abstract="Digital signature schemes are a fundamental cryptographic primitive, of use both in its own right, and as a building block in cryptographic protocol design. In this paper, we propose a practical and provably secure signature scheme and show protocols (1) for issuing a signature on a committed value (so the signer has no information about the signed value), and (2) for proving knowledge of a signature on a committed value. This signature scheme and corresponding protocols are a building block for the design of anonymity-enhancing cryptographic systems, such as electronic cash, group signatures, and anonymous credential systems. The security of our signature scheme and protocols relies on the Strong RSA assumption. 
These results are a generalization of the anonymous credential system of Camenisch and Lysyanskaya.",
+isbn="978-3-540-36413-9"
+}
+
+@InProceedings{DY05,
+author="Dodis, Yevgeniy
+and Yampolskiy, Aleksandr",
+editor="Vaudenay, Serge",
+title="A Verifiable Random Function with Short Proofs and Keys",
+booktitle="Public Key Cryptography - PKC 2005",
+year="2005",
+publisher="Springer Berlin Heidelberg",
+address="Berlin, Heidelberg",
+pages="416--431",
+abstract="We give a simple and efficient construction of a verifiable random function (VRF) on bilinear groups. Our construction is direct. In contrast to prior VRF constructions [14,15], it avoids using an inefficient Goldreich-Levin transformation, thereby saving several factors in security. Our proofs of security are based on a decisional bilinear Diffie-Hellman inversion assumption, which seems reasonable given current state of knowledge. For small message spaces, our VRF's proofs and keys have constant size. By utilizing a collision-resistant hash function, our VRF can also be used with arbitrary message spaces. We show that our scheme can be instantiated with an elliptic group of very reasonable size. Furthermore, it can be made distributed and proactive.",
+isbn="978-3-540-30580-4"
+}
+
diff --git a/docs/bolt_design.tex b/docs/bolt_design.tex
index 4715d76..ebc6673 100644
--- a/docs/bolt_design.tex
+++ b/docs/bolt_design.tex
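Review bot: The Zerocash entry will render a wrong page range and a literal month under the standard styles: `pages={459-474}` uses a single hyphen and `month={May}` is a quoted string instead of the macro, so change them to `pages = {459--474}` and `month = may`, and drop the empty `volume={}` and `number={}` fields, which only trigger empty-field warnings. That entry's author field has also been mangled by the IEEE export (`E. B. Sasson` for the surname Ben-Sasson) and stores the other authors as initials only; store full names in `Last, First` form and let the style abbreviate. In the BoltCCS and Zerocash titles the proper nouns Bolt, Zerocash and Bitcoin are unprotected and will be lowercased by sentence-casing styles, so brace them as `{Bolt}`, `{Zerocash}` and `{Bitcoin}`; the BoltCCS `url` merely repeats the `doi` through the legacy doi.acm.org resolver and can be removed. The Pedersen abstract contains a raw `≤` character that classic BibTeX cannot process, so either drop the three `abstract` fields (unless the document's style prints them) or write it as `$\leq$`, and pick one delimiter and one entry-type spelling (`@inproceedings` with braces) for the whole file.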
@@ -77,7 +77,7 @@
 \label{ch:abstract}
 \thispagestyle{myfancypage}
-This document describes the design and implementation of the Blind Off-chain Lightweight Transactions (BOLT) library. The BOLT protocol comprises a number of techniques for enabling privacy-preserving unlinkable payment channels for decentralized crypto-currencies between pairs of individual parties. BOLT is designed to provide a ``Layer 2'' payment protocol for privacy-preserving crypto-currencies such as Zerocash (or Zcash)~\cite{TODO}, by allowing individuals to establish and use payment channels for rapid or instantaneous payments that do not require an on-chain transaction. This document describes the cryptographic instantiations of the BOLT protocol according to the published paper by Matthew Green and Ian Miers~\cite{TODO}.
+This document describes the design and implementation of the Blind Off-chain Lightweight Transactions (BOLT) library. The BOLT protocol comprises a number of techniques for enabling privacy-preserving unlinkable payment channels for decentralized crypto-currencies between pairs of individual parties. BOLT is designed to provide a ``Layer 2'' payment protocol for privacy-preserving crypto-currencies such as Zerocash (or Zcash)~\cite{Zerocash}, by allowing individuals to establish and use payment channels for rapid or instantaneous payments that do not require an on-chain transaction. This document describes the cryptographic instantiations of the BOLT protocol according to the published paper by Matthew Green and Ian Miers~\cite{BoltCCS}.
 The intended use of this document is for understanding BOLT and the associated software implementation in the Rust programming language. This document is hereby released to the public domain free of charge. 
@@ -157,7 +157,12 @@ This section describes the core cryptographic primitives required to implement t
 \begin{itemize}
-\item FOO
+\item Commitment Scheme
+\item Signatures with efficient protocols ({\em e.g.} includes interactive protocols for generating blind or partially blind signatures)
+\item Symmetric Key Encryption
+\item Pseudo-random Functions
+\item One-time Encryption
+\item Non-interactive Zero-Knowledge Proofs
 %\item support for multiple types of attribute-based encryption (ABE) Key Encapsulation (KEM) schemes including for Key-Policy ABE, Ciphertext-Policy ABE and Multi-Authority ABE. We provide chosen-ciphertext security for each ABE KEM scheme type as well.
 %\item support for public-key encryption with chosen-ciphertext security, digital signatures, and authenticated symmetric-key encryption.
@@ -171,7 +176,8 @@ This section describes the core cryptographic primitives required to implement t
 \subsection{Commitment Scheme}
 \label{sec:commit}
-BOLT instantiates a commitment primitive using the Pedersen commitment scheme~\cite{TODO}. The scheme has the following interface:
+BOLT instantiates a commitment primitive using the Pedersen commitment scheme~\cite{PedersenCommits}. The scheme has the following interface:
+
 \medskip \noindent ${\sf CSetup}() \rightarrow PP$: the algorithm generates public parameters and outputs the $PP$. 
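Review bot: The second added list item, `\item Signatures with efficient protocols ({\em e.g.} includes interactive protocols for generating blind or partially blind signatures)`, pairs an abbreviation with a verb and uses the old `{\em ...}` switch; `\item Signatures with efficient protocols (\emph{e.g.}, interactive protocols for obtaining blind or partially blind signatures)` reads cleanly. The item names also drift from the subsection titles they announce (`Digital Signatures with Efficient Protocols`, `Pseudo-random Functions (PRF)`, `Non-interactive Zero Knowledge Proofs` versus `Non-interactive Zero-Knowledge Proofs`), so either align the wording or append `\ref{sec:commit}`, `\ref{sec:signatures}`, `\ref{sec:prf}`, `\ref{sec:ote}` and `\ref{sec:nizkp}` to the items so a reader can jump to each definition. The closing `\end{itemize}` lies outside the hunk.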
@@ -196,7 +202,7 @@ ${\sf Decrypt}(K, C, N) = M \cup \bot$. The decryption algorithm takes as input
 \subsection{Digital Signatures with Efficient Protocols} % CL sigs
 \label{sec:signatures}
-BOLT includes signatures due to Camenisch and Lysyanskaya~\cite{TODO} which features: (1) a protocol for a user to obtain a signature on the value(s) in a commitment without the signer learning anything about the message(s), and (2) a non-interactive protocol for proving knowledge of a signature.
+BOLT includes signatures due to Camenisch and Lysyanskaya~\cite{CLSigs02} which features: (1) a protocol for a user to obtain a signature on the value(s) in a commitment without the signer learning anything about the message(s), and (2) a non-interactive protocol for proving knowledge of a signature.
 \medskip \noindent ${\sf SigKeygen}(\tau) \rightarrow (\PK, \SK)$. The key generation algorithm takes as input a security parameter $\tau$, runs the ${\sf ECSetup}(1^\tau)$ to select the elliptic curve parameters and outputs the public and secret key.
@@ -213,7 +219,7 @@ ${\sf Verify}(\PK, M, \sigma) = \{true, false\}$. The verification algorithm ta
 \subsection{Pseudo-random Functions (PRF)}
 \label{sec:prf}
-For the unidirectional construction, BOLT includes a pseudo-random function $F$ that supports efficient proofs of knowledge. $F$ is instantiated using the Dodis-Yampolskiy PRF~\cite{TODO}, the public parameters are a group $\G_1$ of prime order $q$ with generator $g$. The seed is a random value $s \in \Z_q$ and the function is computed as $F_{s}(x) = g^{1/(s+x)}$.
+For the unidirectional construction, BOLT includes a pseudo-random function $F$ that supports efficient proofs of knowledge. $F$ is instantiated using the Dodis-Yampolskiy PRF~\cite{DY05}, the public parameters are a group $\G_1$ of prime order $q$ with generator $g$. The seed is a random value $s \in \Z_q$ and the function is computed as $F_{s}(x) = g^{1/(s+x)}$.
 \subsection{One-Time Encryption}
 \label{sec:ote}
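Review bot: The citation `\cite{CLSigs02}` on the added line points at the Strong-RSA signature scheme (the new bib entry's own abstract says its security relies on the Strong RSA assumption), while `${\sf SigKeygen}` on the following context line runs `${\sf ECSetup}(1^\tau)$` to select elliptic curve parameters, so the cited paper is not the scheme this section instantiates; the pairing-based Camenisch–Lysyanskaya signatures (CRYPTO 2004) are the matching reference and would need their own bib entry, or the text should say which variant is meant. The same line has a number-agreement slip, `signatures due to Camenisch and Lysyanskaya~\cite{CLSigs02} which features:` should read `which feature:`. The rest of the signature interface lies outside the hunk.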
@@ -232,8 +238,11 @@ ${\sf OTDec}(K, C) = M$ or $\bot$. The algorithm takes as input a key $K$ and th
 \subsection{Non-interactive Zero Knowledge Proofs}
 \label{sec:nizkp}
-\todo{Add description here.}
-
+BOLT features non-interactive zero-knowledge proofs of knowledge for the purposes of proving statements about committed values:
+\begin{enumerate}
+\item a proof of knowledge of a committed value
+\item a proof of that a committed value is in a range
+\end{enumerate}
 %%%%%%%%%%%% Crypto Tools %%%%%%%%%%%%
 \section{Constructions}
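Review bot: `\item a proof of that a committed value is in a range` has a stray `of`; `\item a proof that a committed value lies in a range`. Unlike the other primitives in this section, which each get a `${\sf Name}(\ldots) \rightarrow \ldots$` description (`{\sf CSetup}`, `{\sf SigKeygen}`, `{\sf OTDec}` in the other hunks), this subsection still states no interface: the setup, prove and verify algorithms of the proof system, the statements they cover (the two listed relations over Pedersen commitments), and what soundness and zero-knowledge guarantee here should be written in the same form so the constructions section can refer to them. The opening line could also be tightened to `for proving statements about committed values`.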