Black-Box Wallets: Fast Anonymous Two-Way Payments for Constrained Devices


Black-box accumulation (BBA) is a building block which enables a privacy-preserving implementation of point collection and redemption, a functionality required in a variety of user-centric applications including loyalty programs, incentive systems, and mobile payments. By definition, BBA+ schemes (Hartung et al. CCS ’17) offer strong privacy and security guarantees, such as unlinkability of transactions and correctness of the balance flows of all (even malicious) users. Unfortunately, the instantiation of BBA+ presented at CCS ’17 is, on modern smartphones, just fast enough for comfortable use. It is too slow for wearables, let alone smart-cards. Moreover, it lacks a crucial property: for the sake of efficiency, the user’s balance is presented in the clear when points are deducted. This may allow owners to be tracked just by observing revealed balances, even though privacy is otherwise guaranteed. The authors intentionally forgo the use of costly range proofs, which would remedy this problem.

We present an instantiation of BBA+ with some extensions, following a different technical approach which significantly improves efficiency. To this end, we get rid of pairing groups and rely on different zero-knowledge proofs and fast range proofs, along with a slightly modified version of Baldimtsi-Lysyanskaya blind signatures (CCS ’13). Our prototype implementation with range proofs (for 16-bit balances) outperforms BBA+ without range proofs by a factor of 2.5. Moreover, we give estimates showing that smart-card implementations are within reach.


  • [1] Dash - Dash is Digital Cash You Can Spend Anywhere.

  • [2] Zcash – Privacy-protecting digital currency.

  • [3] M. Abe. A Secure Three-Move Blind Signature Scheme for Polynomially Many Signatures. In G. Goos, J. Hartmanis, J. van Leeuwen, and B. Pfitzmann, editors, Advances in Cryptology — EUROCRYPT 2001, volume 2045, pages 136–151. Springer Berlin Heidelberg, Berlin, Heidelberg, 2001. 10.1007/3-540-44987-6_9.

  • [4] D. F. Aranha and C. P. L. Gouvêa. RELIC is an Efficient LIbrary for Cryptography.

  • [5] F. Baldimtsi and A. Lysyanskaya. Anonymous credentials light. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security - CCS ‘13, pages 1087–1098, Berlin, Germany, 2013. ACM Press. 10.1145/2508859.2516687.

  • [6] F. Baldimtsi, M. Chase, G. Fuchsbauer, and M. Kohlweiss. Anonymous Transferable E-Cash. In J. Katz, editor, Public-Key Cryptography – PKC 2015, pages 101–124. Springer Berlin Heidelberg, 2015.

  • [7] R. Barbulescu and S. Duquesne. Updating Key Size Estimations for Pairings. Journal of Cryptology, Jan. 2018. ISSN 1432-1378. 10.1007/s00145-018-9280-5.

  • [8] D. J. Bernstein. Curve25519: New Diffie-Hellman Speed Records. In M. Yung, Y. Dodis, A. Kiayias, and T. Malkin, editors, Public Key Cryptography - PKC 2006, pages 207–228. Springer Berlin Heidelberg, 2006.

  • [9] D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.-Y. Yang. High-speed high-security signatures. Journal of Cryptographic Engineering, 2(2):77–89, Sept. 2012. ISSN 2190-8516. 10.1007/s13389-012-0027-1.

  • [10] B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and G. Maxwell. Bulletproofs: Short Proofs for Confidential Transactions and More. In 2018 IEEE Symposium on Security and Privacy (SP), pages 315–334, May 2018. 10.1109/SP.2018.00020.

  • [11] J. Camenisch and A. Lysyanskaya. A Signature Scheme with Efficient Protocols. In S. Cimato, G. Persiano, and C. Galdi, editors, Security in Communication Networks, pages 268–289. Springer Berlin Heidelberg, 2003.

  • [12] J. Camenisch and A. Lysyanskaya. Signature Schemes and Anonymous Credentials from Bilinear Maps. In M. Franklin, editor, Advances in Cryptology – CRYPTO 2004, pages 56–72. Springer Berlin Heidelberg, 2004.

  • [13] J. Camenisch, S. Hohenberger, and A. Lysyanskaya. Compact E-Cash. In R. Cramer, editor, Advances in Cryptology – EUROCRYPT 2005, pages 302–321. Springer Berlin Heidelberg, 2005.

  • [14] S. Canard and A. Gouget. Anonymity in Transferable E-cash. In S. M. Bellovin, R. Gennaro, A. Keromytis, and M. Yung, editors, Applied Cryptography and Network Security, pages 207–223. Springer Berlin Heidelberg, 2008.

  • [15] C. Costello and P. Longa. Four$\mathbb{Q}$: Four-Dimensional Decompositions on a $\mathbb{Q}$-curve over the Mersenne Prime. In T. Iwata and J. H. Cheon, editors, Advances in Cryptology – ASIACRYPT 2015, pages 214–235. Springer Berlin Heidelberg, 2015.

  • [16] I. Damgård. Concurrent Zero-Knowledge is Easy in Practice. Technical Report 014, 1999.

  • [17] T. Dimitriou. Privacy-respecting rewards for participatory sensing applications. In 2018 IEEE Wireless Communications and Networking Conference (WCNC), pages 1–6, Apr. 2018. 10.1109/WCNC.2018.8377269.

  • [18] P. Dzurenda, S. Ricci, J. Hajny, and L. Malina. Performance Analysis and Comparison of Different Elliptic Curves on Smart Cards. In 2017 15th Annual Conference on Privacy, Security and Trust (PST), pages 365–36509, Aug. 2017. 10.1109/PST.2017.00050.

  • [19] J. Groth and Y. Ishai. Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle. In N. Smart, editor, Advances in Cryptology – EUROCRYPT 2008, pages 379–396. Springer Berlin Heidelberg, 2008.

  • [20] J. Groth and A. Sahai. Efficient Non-interactive Proof Systems for Bilinear Groups. IACR Cryptology ePrint Archive, 2007:155, Jan. 2007.

  • [21] G. Hartung, M. Hoffmann, M. Nagel, and A. Rupp. BBA+: Improving the Security and Applicability of Privacy-Preserving Point Collection. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 1925–1942, New York, NY, USA, 2017. ACM. 10.1145/3133956.3134071.

  • [22] G. Hinterwälder, F. Riek, and C. Paar. Efficient E-cash with Attributes on MULTOS Smartcards. In S. Mangard and P. Schaumont, editors, Radio Frequency Identification, pages 141–155. Springer International Publishing, 2015.

  • [23] M. Hoffmann, V. Fetzer, M. Nagel, A. Rupp, and R. Schwerdt. P4TC—Provably-Secure yet Practical Privacy-Preserving Toll Collection. Technical Report 1106, 2018.

  • [24] T. Jager and A. Rupp. Black-Box Accumulation: Collecting Incentives in a Privacy-Preserving Way. Proceedings on Privacy Enhancing Technologies, 2016(3):62–82, July 2016. 10.1515/popets-2016-0016.

  • [25] V. Jourová. Strengthened EU rules to prevent money laundering and terrorism financing, July 2018.

  • [26] T. Kim and R. Barbulescu. Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case. In M. Robshaw and J. Katz, editors, Advances in Cryptology – CRYPTO 2016, pages 543–571. Springer Berlin Heidelberg, 2016.

  • [27] A. Langley, M. Hamburg, and S. Turner. Elliptic Curves for Security. Technical Report RFC7748, RFC Editor, Jan. 2016.

  • [28] Z. Liu, P. Longa, G. C. C. F. Pereira, O. Reparaz, and H. Seo. Four$\mathbb{Q}$ on Embedded Devices with Strong Countermeasures Against Side-Channel Attacks. In W. Fischer and N. Homma, editors, Cryptographic Hardware and Embedded Systems – CHES 2017, pages 665–686. Springer International Publishing, 2017.

  • [29] U. Maurer. Zero-knowledge proofs of knowledge for group homomorphisms. Designs, Codes and Cryptography, 77 (2-3):663–676, Dec. 2015. ISSN 0925-1022, 1573-7586. 10.1007/s10623-015-0103-5.

  • [30] M. Milutinovic, I. Dacosta, A. Put, and B. D. Decker. uCentive: An Efficient, Anonymous and Unlinkable Incentives Scheme. In 2015 IEEE Trustcom/BigDataSE/ISPA, volume 1, pages 588–595, Aug. 2015. 10.1109/Trustcom.2015.423.

  • [31] D. Pointcheval and O. Sanders. Short Randomizable Signatures. In K. Sako, editor, Topics in Cryptology - CT-RSA 2016, pages 111–126. Springer International Publishing, 2016.

  • [32] A. Rupp, G. Hinterwälder, F. Baldimtsi, and C. Paar. P4R: Privacy-Preserving Pre-Payments with Refunds for Transportation Systems. In A.-R. Sadeghi, editor, Financial Cryptography and Data Security, pages 205–212. Springer Berlin Heidelberg, 2013.

  • [33] E. B. Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, and M. Virza. Zerocash: Decentralized Anonymous Payments from Bitcoin. In 2014 IEEE Symposium on Security and Privacy, pages 459–474, May 2014. 10.1109/SP.2014.36.

  • [34] J. T. Schwartz. Fast Probabilistic Algorithms for Verification of Polynomial Identities. J. ACM, 27(4):701–717, Oct. 1980. ISSN 0004-5411. 10.1145/322217.322225.

  • [35] V. Shoup. Lower Bounds for Discrete Logarithms and Related Problems. In W. Fumy, editor, Advances in Cryptology — EUROCRYPT ‘97, pages 256–266. Springer Berlin Heidelberg, 1997.

  • [36] T. Unterluggauer and E. Wenger. Efficient Pairings and ECC for Embedded Systems. In L. Batina and M. Robshaw, editors, Cryptographic Hardware and Embedded Systems – CHES 2014, pages 298–315. Springer Berlin Heidelberg, 2014.

