The Dusk Network And Blockchain Architecture Scalable consensus and low-latency data transmissions for privacy-driven cryptosystems Emanuele Francioni Fulvio Venturelli Dusk Foundation Dusk Foundation Amsterdam, The Netherlands Amsterdam, The Netherlands [email protected] [email protected] ABSTRACT (4) Implement efficient payment mechanism for high QoS appli- In order to satisfy a broad set of data transfer scenario, the Dusk cations such as secure and anonymous voice calls network adds an additional layer of security to the IP protocol An important difference with CryptoNote, is that Dusk does suite (used mostly in a peer-to-peer fashion). Through the adop- not make use of proof-of-work mining and therefore drops com- tion of a mix of established strategies and novel techniques, the pletely CryptoNight and deviates substantially from the hashing Dusk network has been conceived specifically to protect the pri- algorithms therein adopted. In particular, Dusk uses what we call vacy of the communicating peers from any form of eavesdropping Segregated Byzantine Agreement (SBA?) protocol which enhances while satisfying a variety of challenging use cases varying from classic BA? by implementing specific measures to protect peer fast communication (e.g. voice calls) to large data transfer (e.g. privacy. SBA? has been developed specifically to power the Dusk file transmission). Dusk circumvents the notorious unreliability of Blockchain and help meeting the aforementioned requirements. crowd-sourced infrastructures by embedding economic incentives These efforts do not solely relate to the application layer but extend into the core mechanism of the network itself. Such incentives to the networking layer as well. This is why the Dusk protocol are designed to encourage peers to partake in the network in a makes use of: permission-less, anonymous and private fashion. • Stealth addresses: to protect transaction recipient anonymity • RingCT signature KEYWORDS : to protect transaction sender’s identity • Anonymous Network Layer: to protect the IP address of Dusk, blockchain, cryptocurrency, privacy, consensus, segregated the network peers; to provide secure data transfer mecha- byzantine agreement nism; to implement off-line data retrieval strategy; to power the anonymous gossip network for transaction propagation 1 INTRODUCTION and verification The Dusk network makes use of a decentralized and privacy-oriented • Non-Interactive Verifiable Secret Sharing Scheme: to digital currency that evolves the CryptoNote protocol[12] through conceal all but highest priority time-locked transactions from the groundbreaking discoveries in the field of Byzantine consensus the participants to the Block Generation sortition and pseudo-random functions of world renown cryptographers • Cryptographically Committed Provisioners: to protect such as Silvio Micali, Michael Rabin, Alexander Yampolskiy and the information about stake; to implement a division of re- Evgeniy Dodis. Dusk radically departs from any other blockchain sponsibilities between Block Generators and the electable by employing an adaptive consensus mechanism, called Segregated Block Voters and Verifiers; to boost network efficiency by Byzantine Agreement (or SBA?), which does not require the com- acting as state channel guarantors; to incentivise participa- putational intensity of proof-of-work and is a fairer alternative to tion to the network; to protect the balance information of proof-of-stake. Built on such consensus algorithm, Dusk is poised transacting nodes; to prepare SBA? for future expansion to be the first to simultaneously achieve previously conflicting with non-balance and non-payment related weights such as goals of guaranteeing transaction untraceability and unlinkability, storage contributed to the network (as in proof-of-storage), safeguarding user privacy, reaching transactional "finality" after a availability expressed in elapsed time since joining the net- bound number of rounds within a single block election and achiev- work (as in proof-of-idle), etc. ing virtually unbounded user scalability without any significant performance degradation. 2 PRELIMINARIES The Dusk network requires a heightened security setup designed 2.1 Diffie-Hellman Hardness Assumption specifically to: In any group, a discrete logarithm loдb a is a number x 2 Z such (1) Obfuscate IP addresses of the communicating peers that bx = a. (2) Prevent linkability and traceability of accounts Most of the cryptographic building blocks related to this work (3) Guarantee network performance are linked to the Diffie-Hellman assumption which uses the hard- ness of discrete logarithms in cyclic groups [13]. Considering a This paper is published under the MIT International license. Authors reserve their rights to disseminate the work on their personal and corporate Web sites with the multiplicative cyclic group G of order p and generator [2] д, we appropriate attribution. can formulate the following assumption: given дa and дb for uni- WEB3 Symposium, April 2018, Amsterdam, The Netherlands 2 Z ab © 2018 Stichting Dusk Foundation, published under MIT License. formly and independently chosen a ,b p then д performs like a random element in G of order p. 1 WEB3 Symposium, April 2018, Amsterdam, The Netherlands E. Francioni and F. Venturelli q : a prime number; q = 2255 − 19 ; This is the number of points in the curve. d : an element of Fq ; d = −121665/121666; Value used in the curve equation below E : an elliptic curve equation; −x2 + y2 = 1 + dx2y2; The Twisted Edwards curve/equation we are using G : a base point; G = ¹x; −4/5º; The**generator** point. This is a base - starting point used for all Elliptic modulo operations. Figure 1: A generic elliptic curve l : a prime order of the base point; l = 2252 + 27742317777372353535851937790883648493 ; The order of the base point G. This defines the maximum size of As a consequence of such assumed randomness, the Decisional scalars and the maximum number of points that can be used. Diffie-Hellman (DDH) Problem relates to distinguishing the follow- ∗ Hs : a cryptographic hash function f0; 1g ! Fq ; ing two probability distributions: Hp : a deterministic hash function E¹Fq º ! E¹Fq º; • (дa;дb ;дab ) a;b 2 Z All private and public keys in Dusk will be using 64 hex charac- 8 // ¹дa;дb ;дab º are defined as a Diffie-Hellman Tuple ters. • (дa;дb ;дc ) a;b;c 2 Z 8 2.2.3 Accounts and Addresses 2.2 Hiding Recipients: Stealth Addresses The following procedure will be used to create an address. Inspired by the CryptoNote white-paper[12], stealth address tech- (1) We pick a random /textitprivate spend key, by generating nology is at the basis of Dusk recipient hiding technique. Already 256 random bits, and reducing mod l. We call this b. widely tested in other privacy-oriented digital currencies, it is the (2) b is hashed with hashing algorithm H(Keccak_256). We inter- proven choice for concealing the true recipient address of a trans- pret the result of the hashing as an integer, reduce it mod l action while keeping uniqueness within the context of the ledger as before. We call this key a. (meaning no other address can be linked to a stealth address). Addi- (3) We generate our public spend and view keys B = bG and tionally, a derivation of an unbound number of receiving addresses A = aG is also possible without any of them allowing traceability back to (4) We hash (network prefix (0xEF) + B + A) with H. the recipient’s main address. As an anonymous key agreement pro- (5) Append the first 4 bytes of this operation to (prefix + B + A), tocol, Dusk uses the Elliptic Curve Diffie-Hellman (ECDH) due to obtaining a 69 bytes value (1 + 32 + 32 + 4) the desired property of allowing two parties to generate a shared (6) Convert this to cnBase58. secret by solely knowing each other’s public key, and the generator We will explain how stealth addresses work by first going trough point of the Elliptic Curve used in the Twisted Edward equation. a brief explanation about key exchanges on an ECC scenario, in the Following is a detailed explanation of how Dusk implements Stealth next section. Address technology. 2.2.4 The Elliptic Curve Diffie-Hellman 2.2.1 Elliptic-Curve Cryptography The Elliptic Curve Diffie-Hellman (ECDH) is an anonymous key The system makes use of Elliptic-Curve Cryptography (ECC), hence agreement protocol, a variant of the Diffie-Hellman protocol adapted approaching public-key cryptography through the algebraic struc- to work with Elliptic-Curve Cryptography. ture of elliptic curves and thus allowing for the creation of smaller Thanks to ECDH, two parties can generate a shared secret over and more efficient cryptographic keys. ECC gives the same security an unsecured connection only by knowing each other’s public levels of, for example, RSA, but using a much smaller security key. keys, and the generator point of the Elliptic Curve used in the ECC The structure of an elliptic curve is a plane curve satisfying the equation. equation y2 = x3 + ax + b, which returns us the graph in Figure 1. To demonstrate this, we will use Alice (with private key a and In ECC, a Galois Field is created by taking the modulo of all public key A=aG) and Bob (with private key b and public key B=bG). points using a large prime number, creating a finite number of (Where G is the generator point) values for the used equation. The following axioms are furthermore As previously stated, points on a curve can be added together, taken into account: and Alice could calculate a point C = A + B, but this could also be (1) A point can’t be multiplied or divided by another point. potentially done by anyone eavesdropping the conversation, since (2) Any point on the curve can be added or subtracted to another A and B are publicly available. point (or itself). Now, let’s remember that A and B are points on the elliptical (3) Adding a point to itself allows for scalar multiplication.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages16 Page
-
File Size-