Black-Box Wallets: Fast Anonymous Two-Way Payments for Constrained Devices

Open access


Black-box accumulation (BBA) is a building block which enables a privacy-preserving implementation of point collection and redemption, a functionality required in a variety of user-centric applications including loyalty programs, incentive systems, and mobile payments. By definition, BBA+ schemes (Hartung et al. CCS ‘17) offer strong privacy and security guarantees, such as unlinkability of transactions and correctness of the balance flows of all (even malicious) users. Unfortunately, the instantiation of BBA+ presented at CCS ‘17 is, on modern smartphones, just fast enough for comfortable use. It is too slow for wearables, let alone smart-cards. Moreover, it lacks a crucial property: For the sake of efficiency, the user’s balance is presented in the clear when points are deducted. This may allow to track owners by just observing revealed balances, even though privacy is otherwise guaranteed. The authors intentionally forgo the use of costly range proofs, which would remedy this problem.

We present an instantiation of BBA+ with some extensions following a different technical approach which significantly improves efficiency. To this end, we get rid of pairing groups, rely on different zero-knowledge and fast range proofs, along with a slightly modified version of Baldimtsi-Lysyanskaya blind signatures (CCS ‘13). Our prototype implementation with range proofs (for 16 bit balances) outperforms BBA+ without range proofs by a factor of 2.5. Moreover, we give estimates showing that smart-card implementations are within reach.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Dash - Dash is Digital Cash You Can Spend Anywhere. URL

  • [2] Zcash – Privacy-protecting digital currency. URL

  • [3] M. Abe. A Secure Three-Move Blind Signature Scheme for Polynomially Many Signatures. In G. Goos J. Hartmanis J. van Leeuwen and B. Pfitzmann editors Advances in Cryptology — EUROCRYPT 2001 volume 2045 pages 136–151. Springer Berlin Heidelberg Berlin Heidelberg 2001. 10.1007/3-540-44987-6_9. URL

  • [4] D. F. Aranha and C. P. L. Gouvêa. RELIC is an Efficient LIbrary for Cryptography. URL

  • [5] F. Baldimtsi and A. Lysyanskaya. Anonymous credentials light. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security - CCS ‘13 pages 1087–1098 Berlin Germany 2013. ACM Press. 10.1145/2508859.2516687.

  • [6] F. Baldimtsi M. Chase G. Fuchsbauer and M. Kohlweiss. Anonymous Transferable E-Cash. In J. Katz editor Public-Key Cryptography – PKC 2015 pages 101–124. Springer Berlin Heidelberg 2015.

  • [7] R. Barbulescu and S. Duquesne. Updating Key Size Estimations for Pairings. Journal of Cryptology Jan. 2018. ISSN 1432-1378. 10.1007/s00145-018-9280-5.

  • [8] D. J. Bernstein. Curve25519: New Diffie-Hellman Speed Records. In M. Yung Y. Dodis A. Kiayias and T. Malkin editors Public Key Cryptography - PKC 2006 pages 207–228. Springer Berlin Heidelberg 2006.

  • [9] D. J. Bernstein N. Duif T. Lange P. Schwabe and B.-Y. Yang. High-speed high-security signatures. Journal of Cryptographic Engineering 2(2):77–89 Sept. 2012. ISSN 2190-8516. 10.1007/s13389-012-0027-1.

  • [10] B. Bünz J. Bootle D. Boneh A. Poelstra P. Wuille and G. Maxwell. Bulletproofs: Short Proofs for Confidential Transactions and More. In 2018 IEEE Symposium on Security and Privacy (SP) pages 315–334 May 2018. 10.1109/SP.2018.00020.

  • [11] J. Camenisch and A. Lysyanskaya. A Signature Scheme with Efficient Protocols. In S. Cimato G. Persiano and C. Galdi editors Security in Communication Networks pages 268–289. Springer Berlin Heidelberg 2003.

  • [12] J. Camenisch and A. Lysyanskaya. Signature Schemes and Anonymous Credentials from Bilinear Maps. In M. Franklin editor Advances in Cryptology – CRYPTO 2004 pages 56–72. Springer Berlin Heidelberg 2004.

  • [13] J. Camenisch S. Hohenberger and A. Lysyanskaya. Compact E-Cash. In R. Cramer editor Advances in Cryptology – EUROCRYPT 2005 pages 302–321. Springer Berlin Heidelberg 2005.

  • [14] S. Canard and A. Gouget. Anonymity in Transferable E-cash. In S. M. Bellovin R. Gennaro A. Keromytis and M. Yung editors Applied Cryptography and Network Security pages 207–223. Springer Berlin Heidelberg 2008.

  • [15] C. Costello and P. Longa. Four$$\mathbb {Q}$$: Four-Dimensional Decompositions on a $$\mathbb {Q}$$-curve over the Mersenne Prime. In T. Iwata and J. H. Cheon editors Advances in Cryptology – ASIACRYPT 2015 pages 214–235. Springer Berlin Heidelberg 2015.

  • [16] I. Damgård. Concurrent Zero-Knowledge is Easy in Practice. Technical Report 014 1999. URL

  • [17] T. Dimitriou. Privacy-respecting rewards for participatory sensing applications. In 2018 IEEE Wireless Communications and Networking Conference (WCNC) pages 1–6 Apr. 2018. 10.1109/WCNC.2018.8377269.

  • [18] P. Dzurenda S. Ricci J. Hajny and L. Malina. Performance Analysis and Comparison of Different Elliptic Curves on Smart Cards. In 2017 15th Annual Conference on Privacy Security and Trust (PST) pages 365–36509 Aug. 2017. 10.1109/PST.2017.00050.

  • [19] J. Groth and Y. Ishai. Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle. In N. Smart editor Advances in Cryptology – EUROCRYPT 2008 pages 379–396. Springer Berlin Heidelberg 2008.

  • [20] J. Groth and A. Sahai. Efficient Non-interactive Proof Systems for Bilinear Groups. IACR Cryptology ePrint Archive 2007:155 Jan. 2007. URL

  • [21] G. Hartung M. Hoffmann M. Nagel and A. Rupp. BBA+: Improving the Security and Applicability of Privacy-Preserving Point Collection. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security pages 1925–1942 New York NY USA 2017. ACM. 10.1145/3133956.3134071.

  • [22] G. Hinterwälder F. Riek and C. Paar. Efficient E-cash with Attributes on MULTOS Smartcards. In S. Mangard and P. Schaumont editors Radio Frequency Identification pages 141–155. Springer International Publishing 2015.

  • [23] M. Hoffmann V. Fetzer M. Nagel A. Rupp and R. Schwerdt. P4TC—Provably-Secure yet Practical Privacy-Preserving Toll Collection. Technical Report 1106 2018. URL

  • [24] T. Jager and A. Rupp. Black-Box Accumulation: Collecting Incentives in a Privacy-Preserving Way. Proceedings on Privacy Enhancing Technologies 2016(3):62–82 July 2016. 10.1515/popets-2016-0016.

  • [25] V. Jourová. Strengthened EU rules to prevent money laundering and terrorism financing July 2018. URL

  • [26] T. Kim and R. Barbulescu. Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case. In M. Robshaw and J. Katz editors Advances in Cryptology – CRYPTO 2016 pages 543–571. Springer Berlin Heidelberg 2016.

  • [27] A. Langley M. Hamburg and S. Turner. Elliptic Curves for Security. Technical Report RFC7748 RFC Editor Jan. 2016. URL

  • [28] Z. Liu P. Longa G. C. C. F. Pereira O. Reparaz and H. Seo. Four$$\mathbb {Q}$$on Embedded Devices with Strong Countermeasures Against Side-Channel Attacks. In W. Fischer and N. Homma editors Cryptographic Hardware and Embedded Systems – CHES 2017 pages 665–686. Springer International Publishing 2017.

  • [29] U. Maurer. Zero-knowledge proofs of knowledge for group homomorphisms. Designs Codes and Cryptography 77 (2-3):663–676 Dec. 2015. ISSN 0925-1022 1573-7586. 10.1007/s10623-015-0103-5.

  • [30] M. Milutinovic I. Dacosta A. Put and B. D. Decker. uCentive: An Efficient Anonymous and Unlinkable Incentives Scheme. In 2015 IEEE Trustcom/BigDataSE/ISPA volume 1 pages 588–595 Aug. 2015. 10.1109/Trust-com.2015.423.

  • [31] D. Pointcheval and O. Sanders. Short Randomizable Signatures. In K. Sako editor Topics in Cryptology - CT-RSA 2016 pages 111–126. Springer International Publishing 2016.

  • [32] A. Rupp G. Hinterwälder F. Baldimtsi and C. Paar. P4R: Privacy-Preserving Pre-Payments with Refunds for Transportation Systems. In A.-R. Sadeghi editor Financial Cryptography and Data Security pages 205–212. Springer Berlin Heidelberg 2013.

  • [33] E. B. Sasson A. Chiesa C. Garman M. Green I. Miers E. Tromer and M. Virza. Zerocash: Decentralized Anonymous Payments from Bitcoin. In 2014 IEEE Symposium on Security and Privacy pages 459–474 May 2014. 10.1109/SP.2014.36.

  • [34] J. T. Schwartz. Fast Probabilistic Algorithms for Verification of Polynomial Identities. J. ACM 27(4):701–717 Oct. 1980. ISSN 0004-5411. 10.1145/322217.322225.

  • [35] V. Shoup. Lower Bounds for Discrete Logarithms and Related Problems. In W. Fumy editor Advances in Cryptology — EUROCRYPT ‘97 pages 256–266. Springer Berlin Heidelberg 1997.

  • [36] T. Unterluggauer and E. Wenger. Efficient Pairings and ECC for Embedded Systems. In L. Batina and M. Robshaw editors Cryptographic Hardware and Embedded Systems – CHES 2014 pages 298–315. Springer Berlin Heidelberg 2014.

Journal information
All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 25 25 25
PDF Downloads 24 24 24