Zef: Low-latency, Scalable, Private Payments

We introduce Zef, the first Byzantine-Fault Tolerant (BFT) protocol to support payments in anonymous digital coins at arbitrary scale. Zef follows the communication and security model of FastPay [5]: both protocols are asynchronous, low-latency, linearly scalable, and powered by partially trusted sharded authorities. In contrast with FastPay, user accounts in Zef are uniquely identified and safely removable. Zef coins are bound to an account by a digital certificate and otherwise stored off-chain by their owners. To create and redeem coins, users interact with the protocol via privacy-preserving operations: Zef uses randomized commitments and NIZK proofs to hide coin values, and created coins are made unlinkable using the blind and randomizable threshold anonymous credentials of Coconut [30]. Besides the detailed specifications and our analysis of the protocol, we are making available an open-source implementation of Zef in Rust. Our extensive benchmarks on AWS confirm textbook linear scalability and demonstrate a confirmation time under one second at nominal capacity. Compared to existing anonymous payment systems based on a blockchain [23, 36], this represents a latency speedup of three orders of magnitude, with no theoretical limit on throughput.

[1] Nancy A. Lynch, et al. Consensus in the presence of partial synchrony, 1988, JACM.

[2] Marc Shapiro, et al. A comprehensive study of Convergent and Commutative Replicated Data Types, 2011.

[3] Daniel Davis Wood, et al. ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER, 2014.

[4] Victor Shoup, et al. Random Oracles in Constantinople: Practical Asynchronous Byzantine Agreement Using Cryptography, 2000, Journal of Cryptology.

[5] Matthew Green, et al. Zerocoin: Anonymous Distributed E-Cash from Bitcoin, 2013, 2013 IEEE Symposium on Security and Privacy.

[6] Amos Fiat, et al. How to Prove Yourself: Practical Solutions to Identification and Signature Problems, 1986, CRYPTO.

[7] Sarah Meiklejohn, et al. An Empirical Analysis of Anonymity in Zcash, 2018, USENIX Security Symposium.

[8] S. Bano, et al. Twins: BFT Systems Made Robust, 2020, OPODIS.

[9] Dan Boneh, et al. Bulletproofs: Short Proofs for Confidential Transactions and More, 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[10] Eli Ben-Sasson, et al. Zerocash: Decentralized Anonymous Payments from Bitcoin, 2014, 2014 IEEE Symposium on Security and Privacy.

[11] Hovav Shacham, et al. Short Signatures from the Weil Pairing, 2001, J. Cryptol.

[12] George Danezis, et al. Narwhal and Tusk: A DAG-based Mempool and Efficient BFT Consensus, 2021, ArXiv.

[13] Morten L. Bech, et al. Federal Reserve Bank of New York Staff Reports Technology Diffusion within Central Banking: the Case of Real-time Gross Settlement, 2022.

[14] Ittai Abraham, et al. HotStuff: BFT Consensus with Linearity and Responsiveness, 2019, PODC.

[15] A. Sonnino, et al. FastPay: High-Performance Byzantine Fault Tolerant Settlement, 2020, AFT.

[16] Cristina Nita-Rotaru, et al. Turret: A Platform for Automated Attack Finding in Unmodified Distributed System Implementations, 2014, 2014 IEEE 34th International Conference on Distributed Computing Systems.

[17] Ethan Heilman, et al. An Empirical Analysis of Traceability in the Monero Blockchain, 2017, Proc. Priv. Enhancing Technol.

[18] Jing Xu, et al. Dumbo: Faster Asynchronous BFT Protocols, 2020, IACR Cryptol. ePrint Arch.

[19] David Pointcheval, et al. Short Randomizable Signatures, 2016, CT-RSA.

[20] Rachid Guerraoui, et al. Introduction to Reliable and Secure Distributed Programming, 2011.

[21] Amit Sahai, et al. Pseudonym Systems, 1999, Selected Areas in Cryptography.

[22] Brent Waters, et al. Efficient Identity-Based Encryption Without Random Oracles, 2005, EUROCRYPT.

[23] George Danezis, et al. Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers, 2018, NDSS.

[24] Pieter Wuille, et al. Enabling Blockchain Innovations with Pegged Sidechains, 2014.

[25] Alfredo Rial, et al. Security Analysis of Coconut, an Attribute-Based Credential Scheme with Threshold Issuance, 2022, IACR Cryptol. ePrint Arch.