The GNU Taler system: practical and provably secure electronic payments. (Le système GNU Taler: Paiements électroniques pratiques et sécurisés)

We describe the design and implementation of GNU Taler, an electronic payment system based on an extension of Chaumian online e-cash with efficient change. In addition to anonymity for customers, it provides the novel notion of income transparency, which guarantees that merchants can reliably receive a payment from an untrusted payer only when their income from the payment is visible to tax authorities. Income transparency is achieved by the introduction of a refresh protocol, which gives anonymous change for a partially spent coin without introducing a tax evasion loophole. In addition to income transparency, the refresh protocol can be used to implement Camenisch-style atomic swaps, and to preserve anonymity in the presence of protocol aborts and crash faults with data loss by participants. Furthermore, we show the provable security of our income-transparent anonymous e-cash, which, in addition to the usual anonymity and unforgeability properties of e-cash, also formally models conservation of funds and income transparency. Our implementation of GNU Taler is usable by non-expert users and integrates with the modern Web architecture. Our payment platform addresses a range of practical issues, such as tipping customers, providing refunds, integrating with banks and know-your-customer (KYC) checks, as well as Web platform security and reliability requirements. On a single machine, we achieve transaction rates that rival those of global, commercial credit card processors. We increase the robustness of the exchange—the component that keeps bank money in escrow in exchange for e-cash—by adding an auditor component, which verifies the correct operation of the system and allows early detection of a compromise or misbehavior of the exchange. Just as bank accounts have reason to exist alongside bank notes, e-cash only serves as part of a whole payment system stack.
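The core primitive behind the e-cash described above is a Chaumian blind signature: the exchange signs a coin it never sees, and, because the scheme is online, it keeps a record of deposited coins so that a coin cannot be spent twice. The following Python is an added example written for this page, not code from the thesis or from the GNU Taler project. It uses RSA-FDH blind signatures (as in Chaum's original scheme) with a toy 512-bit key generated at runtime, a constructed random byte string standing in for the coin's public key, and an illustrative `Exchange` class whose withdrawal log and spent-coin set are assumptions made for the demonstration; the refresh protocol for change is not modelled here.

```python
import hashlib
import secrets
from math import gcd

def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def keygen(bits=512):
    """Exchange's RSA denomination key (n, e, d). Toy size for the demo only."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def fdh(message, n):
    """Full-domain hash: expand SHA-512 past the modulus size, then reduce mod n."""
    out, counter = b"", 0
    while len(out) * 8 < n.bit_length() + 64:
        out += hashlib.sha512(message + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(out, "big") % n

def blind(coin_pub, n, e):
    """Customer: hide the coin's public key behind a random blinding factor r."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return fdh(coin_pub, n) * pow(r, e, n) % n, r

def sign_blinded(blinded, n, d):
    """Exchange: sign only the blinded value it receives."""
    return pow(blinded, d, n)

def unblind(blinded_sig, r, n):
    """Customer: remove r to obtain a signature on the unblinded coin."""
    return blinded_sig * pow(r, -1, n) % n

def verify(coin_pub, sig, n, e):
    return pow(sig, e, n) == fdh(coin_pub, n)

class Exchange:
    """Online e-cash: every deposited coin is recorded so a second deposit is refused."""
    def __init__(self):
        self.n, self.e, self.d = keygen()
        self.spent = set()
        self.withdrawal_log = []   # what the exchange actually sees at withdrawal time

    def withdraw(self, blinded):
        self.withdrawal_log.append(blinded)
        return sign_blinded(blinded, self.n, self.d)

    def deposit(self, coin_pub, sig):
        if not verify(coin_pub, sig, self.n, self.e) or coin_pub in self.spent:
            return False
        self.spent.add(coin_pub)
        return True

def demo():
    ex = Exchange()
    coin_pub = secrets.token_bytes(32)  # constructed: stands in for the coin's public key
    blinded, r = blind(coin_pub, ex.n, ex.e)
    sig = unblind(ex.withdraw(blinded), r, ex.n)
    return {
        "valid": verify(coin_pub, sig, ex.n, ex.e),
        "first_deposit": ex.deposit(coin_pub, sig),
        "double_spend": ex.deposit(coin_pub, sig),          # refused: coin already spent
        "forgery": ex.deposit(secrets.token_bytes(32), sig),  # refused: signature mismatch
        "exchange_saw_coin": fdh(coin_pub, ex.n) in ex.withdrawal_log,  # False: unlinkable
    }
```

The `withdrawal_log` check is what makes the anonymity argument concrete: the exchange's record of the withdrawal contains only the blinded value, so the coin presented at deposit cannot be matched to the withdrawal that produced it, while the `spent` set gives the online double-spending check the abstract relies on.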
Distributed ledgers have recently gained immense popularity as a potential replacement for parts of the traditional financial industry. While cryptocurrencies based on proof-of-work such as Bitcoin have yet to scale to be useful as a replacement for established payment systems, other more efficient systems based on Blockchains with more classical consensus algorithms might still have promising applications in the financial industry. We design, implement and analyze the performance of Byzantine Set Union Consensus (BSC), a Byzantine consensus protocol that agrees on a (super-)set of elements at once, instead of sequentially agreeing on the individual elements of a set. While BSC is interesting in itself, it can also be used as a building block for permissioned Blockchains, where—just like in Nakamoto-style consensus—whole blocks of transactions are agreed upon at once, increasing the transaction rate.
