An Anonymous Trust-Marking Scheme on Blockchain Systems

An Anonymous Trust-Marking Scheme on Blockchain Systems

An Anonymous Trust-Marking Scheme on Blockchain Systems Teppei Sato Keita Emura Tomoki Fujitani Kazumasa Omote University of Tsukuba National Institute of University of Tsukuba University of Tsukuba Japan Information and National Institute of National Institute of Communications Technology Information and Information and Japan Communications Technology Communications Technology Japan Japan Abstract—During the Coincheck incident, which recorded During the Coincheck incident, which recorded the largest the largest damages in cryptocurrency history in 2018, it was damages in cryptocurrency history in 2018, some volun- demonstrated that using Mosaic token can have a certain effect. teers tracked leaked New Economy Movement (NEM) cryp- Although it seems attractive to employ tokens as countermea- sures for cryptocurrency leakage, Mosaic is a specific token tocurrencies using Mosaic, which is a NEM-specific fea- for the New Economy Movement (NEM) cryptocurrency and ture allowing a self-made token to be sent on the NEM is not employed for other blockchain systems or cryptocurren- blockchain. These volunteers sent Mosaic to addresses that cies. Moreover, although some volunteers tracked leaked NEM received leaked NEMs from Coincheck addresses and warned using Mosaic in the CoinCheck incident, it would be better the recipients that these should not be exchanged for other to verify that the volunteers can be trusted. Simultaneously, if someone (e.g., who stole cryptocurrencies) can identify the cryptocurrencies or legal currencies. A criminal can discard volunteers, then that person or organization may be targets of such marked addresses, so it can be seen as a cat-and- them. In this paper, we propose an anonymous trust-marking mouse game. It was not recognized that a large amount scheme on blockchain systems that is universally applicable of NEM was exchanged via legally authorized exchanges. to any cryptocurrency. In our scheme, entities called token The criminal finally exchanged stolen NEM via a self-made admitters are allowed to generate tokens adding trustworthiness or untrustworthiness to addresses. Anyone can anonymously exchange established on the dark web (hidden service) until verify whether these tokens were issued by a token admitter. the removal of the system on March 18, 2018 [1]. Thus, the Simultaneously, only the designated auditor and no one else, effectiveness of tokens in preventing the spread of leaked including nondesignated auditors, can identify the token admit- NEMs is admitted. Because theft of cryptocurrencies has ters. Our scheme is based on accountable ring signatures and become a real risk, it seems effective to employ tokens as commitment, and is implemented on an elliptic curve called Curve25519, and we confirm that both cryptographic tools are countermeasures for cryptocurrency leakage. However, there efficient. Moreover, we also confirm that our scheme is applicable are issues to be solved: to Bitcoin, Ethereum, and NEM. • Mosaic is a specific token for NEM, and it is not em- ployed for other blockchain systems or cryptocurrencies. I. INTRODUCTION • There is no way to check whether the volunteers can be trusted. Cryptocurrencies (cryptoassets) such as Bitcoin, Ethereum, • If someone (e.g., who stole cryptocurrencies) can iden- and NEM have attracted attention in various aspects, such arXiv:2010.00206v3 [cs.CR] 25 Feb 2021 tify the volunteers, then that person or organization may as the large market capitalization and the use of smart con- be targets of them. tracts. Because of a cryptocurrency’s decentralized structure, From a functionality standpoint, it seems effective to add there is merit in fault tolerance and anyone can check the trustworthiness to addresses, but the Mosaic token instead content of transactions; thus, a certain level of transparency adds untrustworthiness to addresses. For example, if an ad- is guaranteed. However, cryptocurrencies have been used for dress is authorized by adding a token for trustworthiness, then crimes because of their anonymity and have become a target anyone can recognize it by checking whether the token is of cyberattacks as their value increases. Furthermore, since it included in the corresponding transaction. seems difficult to stop suspicious transactions such as unau- One might think that claims, which are defined in the ERC- thorized withdrawals or exchanges before they happen, it is 725/ERC-735 Ethereum Identity Standard1 could be used to important to consider countermeasures after cryptocurrencies add and remove tokens. When a user wants to deploy smart are stolen. contracts, a claim issuer (who may or may not be the user) ∗ An extended abstract appeared at the 3rd IEEE International Conference 1See https://erc725alliance.org/ or https://github.com/ethereum/EIPs/ on Blockchain and Cryptocurrency, ICBC 2021. This is the full version. issues/735. can add some information relative to the user’s identity, and it ring signatures have been widely employed in blockchain can be verified as a credential. However, anonymity of claim systems. By checking accountable ring signatures, anyone issuers is not a primary subject of the standards; thus, it cannot could anonymously check whether a token admitter generated be directly employed for our usage. One naive solution is to a signature. Moreover, because of anonymity, even if someone employ anonymous signatures such as ring signatures [36], who stole cryptocurrencies wanted to retaliate against the especially linkable ring signatures [4], [27], [29], [39], [40], corresponding token admitter, that person or organization [42], which have been widely used to add anonymity in would not be able to identify the token admitter. If an cryptocurrencies such as Monero [32]. This solution assumes accident happened, only the designated auditor could identify that there are token admitters who are trusted; i.e., they are the signer. In other words, our scheme preserves decen- recognized as entities that can issue tokens but are not allowed tralized structures, because nondesignated auditors cannot further responsibilities. They generate a signature and include break anonymity. We also consider a case in which a token the signature on a transaction. In the signed message, anyone admitter revokes trustworthiness or untrustworthiness tokens. can check whether the address is authorized or unauthorized Subsequently, only the actual token admitter can issue a by verifying the signature. This method is applicable to trustworthiness or untrustworthiness token. The fact that two any blockchain system. Moreover, anyone can anonymously tokens were issued by the same token admitter is revealed but check whether a token admitter generates a signature. This still the token admitter is anonymous. naive solution looks promising, but an issue of anonymity We implemented our scheme using the Bootle et al. arises. For example, if an address will behave maliciously accountable ring signature scheme [13] and the Pedersen using a trustworthiness token, then the trustworthiness of the commitment scheme [34], employed Curve25519 [11]. To corresponding token admitter should be reduced. Moreover, if confirm whether our scheme is universally applicable to any some users who have addresses deny the addition of a token cryptocurrency, we selected Bitcoin, Ethereum, and NEM for for untrustworthiness, then the corresponding token admitter capturing various features.2 needs to be traced. However, there is no way to identify the corresponding token admitter if (linkable) ring signatures are Related Work: The word “Tokens” has been widely used employed. Thus, it seems effective to consider auditors, who in other blockchain systems. Here, for the sake of clarity can identify token admitters from signatures. and for explaining the difference from our work, we intro- Another naive solution is to employ group signatures [17]. duce these works as follows. Basically, a token is a non- In this scenario, a group manager issues signing keys to sensitive surrogate value which is replaced from sensitive el- users. A user generates a signature, and a verifier verifies the ements (this replacement procedure is so-called tokenization), signature anonymously, i.e., checks whether the signer is a and is employed for privacy-preserving payment system. group member. If an accident happens, the group manager Here, token is regarded as cryptocurrency itself. To name a can identify the signer using a secret key. However, this few: Zerocoin [30], Zerocash [8], Confidential Assets [35], centralized structure does not match decentralized blockchain QuisQuis [18], and Zether [14]. systems. If we consider permissioned blockchain systems, For adding auditability (as in our scheme), Androulaki et then there is an additional access control layer and it may al. [3] proposed a privacy-preserving and auditable token allow us to prepare such centralized organizations. However, management system for permissioned blockchain systems it would be better to cover both public and permissioned such as Hyperledger Fabric [2]. The Androulaki et al. system blockchain systems. architecture is somewhat similar to our scheme where users, issuers, and auditors are defined (in their paper a certifier and Our Contribution: In this paper, we propose a trust-marking a registration authority are also defined). Briefly, users own scheme on blockchain systems explained as follows: tokens that represent some real-world assets. They wish to • The trust-marking scheme is universally applicable exchange their tokens with other

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    9 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us