PathShuffle: Credit Mixing and Anonymous Payments for Ripple

Pedro Moreno-Sanchez 1 , Tim Ruffing 2 , and Aniket Kate 3
  • 1 Purdue University,
  • 2 Saarland University,
  • 3 Purdue University,


The I owe you (IOU) credit network Ripple is one of the most prominent alternatives in the burgeoning field of decentralized payment systems. Ripple’s path-based transactions set it apart from cryptocurrencies such as Bitcoin. Its pseudonymous nature, while still maintaining some regulatory capabilities, has motivated several financial institutions across the world to use Ripple for processing their daily transactions. Nevertheless, with its public ledger, a credit network such as Ripple is no different from a cryptocurrency in terms of weak privacy; recent demonstrative deanonymization attacks raise important concerns regarding the privacy of the Ripple users and their transactions. However, unlike for cryptocurrencies, there is no known privacy solution compatible with the existing credit networks such as Ripple.

In this paper, we present PathShuffle, the first path mixing protocol for credit networks. PathShuffle is fully compatible with the current credit networks. As its essential building block, we propose PathJoin, a novel protocol to perform atomic transactions in credit networks. Using PathJoin and the P2P mixing protocol DiceMix, PathShuffle is a decentralized solution for anonymizing path-based transactions. We demonstrate the practicality of PathShuffle by performing path mixing in Ripple.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Cryptocurrency market capitalization.

  • [2] Drop the concept of rippling in favor of long lived offers. GitHub Issue.

  • [3] Linking wallets and deanonymizing transactions in Ripple. Thread in XRPChat.

  • [4] List of operations. In: Stellar Documentation. Stellar Development Foundation.

  • [5] New payment solution with blockchain technology. SEB.

  • [6] Reserves. In: Ripple Documentation. Ripple Inc.

  • [7] Ripple allows payments to any Bitcoin address straight from its client.

  • [8] Ripple Charts. Ripple Inc.

  • [9] ripple-lib. A JavaScript API for interacting with Ripple in Node.js.

  • [10] Ripple Strikes Multi-National Deal with SBI Holdings to Meet Growing Demand for Ripple Solutions Across Asia.

  • [11] Ripple website. Ripple Inc.

  • [12] Stellar network. Stellar Development Foundation.

  • [13] Stellar partnerships. Stellar Development Foundation.

  • [14] Understanding the “NoRipple” flag. In: Ripple Documentation. Ripple Inc.

  • [15] Androulaki, E., Karame, G. O., Roeschlin, M., Scherer, T., and Capkun, S. Evaluating user privacy in Bitcoin. FC’13.

  • [16] Armknecht, F., Karame, G. O., Mandal, A., Youssef, F., and Zenner, E. Ripple: Overview and outlook. TRUST’15.

  • [17] Barber, S., Boyen, X., Shi, E., and Uzun, E. Bitter to better. how to make Bitcoin a better currency. FC’12.

  • [18] Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., and Virza, M. Zerocash: Decentralized anonymous payments from Bitcoin. S&P’14.

  • [19] Bernstein, D. J., Duif, N., Lange, T., Schwabe, P., and Yang, B. High-speed high-security signatures. J. Cryptographic Engineering 2, 2 (2012), 77–89.

  • [20] Bissias, G., Ozisik, A. P., Levine, B. N., and Liberatore, M. Sybil-resistant mixing for Bitcoin. In WPES’14.

  • [21] Bonneau, J., Narayanan, A., Miller, A., Clark, J., Kroll, J., and Felten, E. Mixcoin: Anonymity for Bitcoin with accountable mixes. In FC’14.

  • [22] Brickell, E. F., Lee, P. J., and Yacobi, Y. Secure audio teleconference. In CRYPTO’87.

  • [23] Corrigan-Gibbs, H., and Ford, B. Dissent: Accountable anonymous group messaging. CCS’10.

  • [24] Das, S. Ripple blockchain payment from Canada to Germany takes 20 seconds.

  • [25] Dolev, D., Reischuk, R., and Strong, H. R. Early stopping in byzantine agreement. J. ACM 37, 4 (1990), 720–741.

  • [26] Elison, M. Santander and Reisebank both recognized for innovation. Ripple Inc.

  • [27] Fugger, R. Money as IOUs in social trust networks & a proposal for a decentralized currency network protocol., 2004.

  • [28] Gavin Wood. Ethereum: a secure decentralised generalised transaction ledger.

  • [29] Ghosh, A., Mahdian, M., Reeves, D. M., Pennock, D. M., and Fugger, R. Mechanism design on trust networks. In WINE’07.

  • [30] Heilman, E., Baldimtsi, F., Alshenibr, L., Scafuro, A., and Goldberg, S. TumbleBit: An untrusted tumbler for Bitcoin-compatible anonymous payments. In NDSS’17.

  • [31] Heilman, E., Baldimtsi, F., and Goldberg, S. Blindly signed contracts: Anonymous on-blockchain and off-blockchain Bitcoin transactions. In FC’16.

  • [32] Holley, E. Earthport launches distributed ledger hub via Ripple., 2016.

  • [33] Horster, P., Michels, M., and Petersen, H. Meta-multisignature schemes based on the discrete logarithm problem. In IFIP/Sec’95.

  • [34] Karlan, D., Mobius, M., Rosenblat, T., and Szeidl, A. Trust and social collateral. The Quarterly Journal of Economics 124, 3 (2009), 1307–1361.

  • [35] Kosba, A. E., Miller, A., Shi, E., Wen, Z., and Papamanthou, C. Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In S&P’16.

  • [36] Koshy, P., Koshy, D., and McDaniel, P. An analysis of anonymity in Bitcoin using P2P network traffic. In FC’14.

  • [37] Liu, A. Santander: Distributed ledger tech could save banks $20 billion a year. Ripple Blog., 2015.

  • [38] Malavolta, G., Moreno-Sanchez, P., Kate, A., and Maffei, M. SilentWhispers: Enforcing security and privacy in decentralized credit networks. In NDSS’17.

  • [39] Maxwell, G. CoinJoin: Bitcoin privacy for the real world. Post in Bitcoin Forum.

  • [40] Meiklejohn, S., and Orlandi, C. Privacy-enhancing overlays in Bitcoin. In BITCOIN’15.

  • [41] Meiklejohn, S., Pomarole, M., Jordan, G., Levchenko, K., McCoy, D., Voelker, G. M., and Savage, S. A fistful of bitcoins: Characterizing payments among men with no names. IMC’13.

  • [42] Miers, I., Garman, C., Green, M., and Rubin, A. D. Zerocoin: Anonymous distributed e-cash from Bitcoin. In S&P’13 (2013).

  • [43] Moreno-Sanchez, P. PathJoin implementation.

  • [44] Moreno-Sanchez, P., Kate, A., Maffei, M., and Pecina, K. Privacy preserving payments in credit networks. In NDSS’15.

  • [45] Moreno-Sanchez, P., Zafar, M. B., and Kate, A. Linking wallets and deanonymizing transactions in the Ripple network. In PETS’16.

  • [46] Nakamoto, S. Bitcoin: A peer-to-peer electronic cash system., 2008.

  • [47] Red. Introducing Goodwill. Post in Ripple Forum.

  • [48] Reid, F., and Harrigan, M. An analysis of anonymity in the Bitcoin system. In SPSN’11.

  • [49] Ripple. Ripple implementation.

  • [50] Rizzo, P. Royal Bank of Canada Reveals Blockchain Trial With Ripple. CoinDesk., 2016.

  • [51] Ruffing, T., Moreno-Sanchez, P., and Kate, A. Coin-Shuffle: Practical decentralized coin mixing for Bitcoin. ESORICS’14.

  • [52] Ruffing, T., Moreno-Sanchez, P., and Kate, A. P2P mixing and unlinkable Bitcoin transactions. In NDSS’17.

  • [53] Schnorr, C. P. Efficient signature generation by smart cards. J. Cryptol. 4, 3 (Jan. 1991), 161–174.

  • [54] Schwartz, D., Youngs, N., and Britto, A. The Ripple protocol consensus algorithm.

  • [55] Serjantov, A., Dingledine, R., and Syverson, P. F. From a trickle to a flood: Active attacks on several mix types. In IH’02.

  • [56] Southurst, J. Australia’s Commonwealth bank latest to experiment with Ripple. CoinDesk., 2015.

  • [57] Spagnuolo, M., Maggi, F., and Zanero, S. BitIodine: Extracting Intelligence from the Bitcoin Network. In FC’14.

  • [58] Srikanth, T. K., and Toueg, S. Simulating authenticated broadcasts to derive simple fault-tolerant algorithms. Distributed Computing 2, 2 (1987), 80–94.

  • [59] Steven Goldfeder, Rosario Gennaro, Harry Kalodner, Joseph Bonneau, Joshua A. Kroll, Edward W. Feltenand Arvind Narayan. Securing Bitcoin wallets via a new DSA/ECDSA threshold signature scheme.

  • [60] Syta, E., Tamas, I., Visher, D., Wolinsky, D. I., Jovanovic, P., Gasser, L., Gailly, N., Khoffi, I., and Ford, B. Keeping authorities “honest or bust” with decentralized witness cosigning. In S&P’16.

  • [61] Valenta, L., and Rowan, B. Blindcoin: Blinded, accountable mixes for Bitcoin. In BITCOIN’15.

  • [62] van Saberhagen, N. CryptoNote, 2013.

  • [63] Ziegeldorf, J. H., Grossmann, F., Henze, M., Inden, N., and Wehrle, K. CoinParty: Secure multi-party mixing of bitcoins. In CODASPY’15.

  • [64] Zyskind, G., Nathan, O., and Pentland, A. Enigma: Decentralized computation platform with guaranteed privacy.


Journal + Issues