
Fast Lottery-Based Micropayments for Decentralized Currencies

Conference paper. In: Information Security and Privacy (ACISP 2018). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10946).

Abstract

Transactions in the Bitcoin system, which is built atop a novel blockchain technology in which miners run a distributed consensus protocol to ensure security, incur relatively high transaction costs in order to incentivize miners to behave honestly. Besides, a transaction must wait a fairly long time (about 10 min on average) before being confirmed on the blockchain, which makes micropayments not cost-effective. In CCS’15, Pass and Shelat proposed three novel micropayment schemes for any ledger-based transaction system, using the idea of probabilistic payments suggested by Wheeler (1996) and Rivest (1997), which are called “Lottery-based Micropayments”. However, the one of the three schemes that is fully compatible with the current Bitcoin system and only requires an “invisible” verifiable third party needs two on-chain transactions during each execution, even if both the user and the merchant are honest. To reduce the transaction costs and increase efficiency, this paper proposes a fast lottery-based micropayment scheme that improves on their work. By setting up a time-locked deposit, whose secure utilization is assured by the security of a primitive called accountable assertions under the discrete logarithm assumption, our scheme reduces the number of on-chain transactions to one, and yet maintains the original scheme’s advantages.


Change history

  • 09 May 2020

    In the original version of this chapter the second affiliation was missing for both authors. This has now been corrected. The University of Chinese Academy of Sciences has been added as second affiliation.

Notes

  1. In this paper, we use the terms “address” and “account” interchangeably.

References

  1. Barber, S., Boyen, X., Shi, E., Uzun, E.: Bitter to better—how to make bitcoin a better currency. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 399–414. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_29

  2. Bitcoin Wiki: BIP 0010. https://en.bitcoin.it/wiki/Multisignature

  3. Bitcoin Wiki: BIP 0065. https://en.bitcoin.it/wiki/BIP_0065

  4. Bitcoin Wiki: Script. https://en.bitcoin.it/wiki/Script

  5. Bitcoinj Project: Working with micropayment channels. https://bitcoinj.github.io/working-with-micropayments

  6. BLOCKCHAIN: Blockchain Charts. https://blockchain.info/charts

  7. Bonneau, J., Miller, A., Clark, J., Narayanan, A., Kroll, J.A., Felten, E.W.: SoK: research perspectives and challenges for Bitcoin and cryptocurrencies. In: 2015 IEEE Symposium on Security and Privacy, pp. 104–121. IEEE (2015)

  8. Chiesa, A., Green, M., Liu, J., Miao, P., Miers, I., Mishra, P.: Decentralized anonymous micropayments. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017 Part II. LNCS, vol. 10211, pp. 609–642. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_21

  9. Decker, C., Wattenhofer, R.: A fast and scalable payment network with bitcoin duplex micropayment channels. In: Pelc, A., Schwarzmann, A.A. (eds.) SSS 2015. LNCS, vol. 9212, pp. 3–18. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21741-3_1

  10. INVESTOPEDIA: Bitcoin Exchange. https://www.investopedia.com/terms/b/bitcoin-exchange.asp

  11. Krupp, J., Schröder, D., Simkin, M., Fiore, D., Ateniese, G., Nuernberger, S.: Nearly optimal verifiable data streaming. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016 Part I. LNCS, vol. 9614, pp. 417–445. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_16

  12. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008). https://bitcoin.org/bitcoin.pdf

  13. Noether, S.: Ring signature confidential transactions for Monero. Cryptology ePrint Archive, Report 2015/1098 (2015). http://eprint.iacr.org/

  14. Pass, R., Shelat, A.: Micropayments for decentralized currencies. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 207–218. ACM (2015)

  15. Pass, R., Shelat, A.: Micropayments for decentralized currencies (2016). http://eprint.iacr.org/2016/332

  16. Poon, J., Dryja, T.: The Bitcoin lightning network: scalable off-chain instant payments. Technical report, Technical Report Draft v. 0.5.9.2 (2016) https://lightning.network/lightning-network-paper.pdf

  17. Reid, F., Harrigan, M.: An analysis of anonymity in the Bitcoin system. In: 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third International Conference on Social Computing, pp. 1318–1326. IEEE (2011)

  18. Rivest, R.L.: Electronic lottery tickets as micropayments. In: Hirschfeld, R. (ed.) FC 1997. LNCS, vol. 1318, pp. 307–314. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-63594-7_87

  19. Ruffing, T., Kate, A., Schröder, D.: Liar, liar, coins on fire! Penalizing equivocation by loss of Bitcoins. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 219–230. ACM (2015)

  20. Sasson, E.B., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., Virza, M.: Zerocash: decentralized anonymous payments from Bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE (2014)

  21. Schröder, D., Simkin, M.: VeriStream – a framework for verifiable data streaming. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 548–566. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47854-7_34

  22. Schröder, D., Schröder, H.: Verifiable data streaming. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 953–964. ACM (2012)

  23. Sompolinsky, Y., Zohar, A.: Secure high-rate transaction processing in Bitcoin. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 507–527. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47854-7_32

  24. Trillo, M.: Stress Test Prepares VisaNet for the Most Wonderful Time of the Year (2013). http://www.visa.com/blogarchives/us/2013/10/10/stress-test-prepares-visanet-for-the-most-wonderful-time-of-the-year/index.html

  25. Wheeler, D.: Transactions using bets. In: Lomas, M. (ed.) Security Protocols 1996. LNCS, vol. 1189, pp. 89–92. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-62494-5_7

Acknowledgements

We thank the anonymous reviewers for their comments which helped to improve the paper. This work was supported by the National Key R&D Program of China (Nos. 2017YFB0802500, 2017YFB0802000), and the National Natural Science Foundation of China (No. U1536205).

Author information

Correspondence to Kexin Hu.

A Proofs for Theorems

Theorem 1

If \({{\textsf {\textit{COMM}}}}\) is a secure commitment scheme, and the signature scheme \((\mathtt {Gen,Sig,Vrf})\) is existentially unforgeable under adaptively chosen-message attacks (EUF-CMA), then the probability that an execution of the proposed lottery-based micropayment protocol results in a transaction on the blockchain is exactly \(1/\eta \).

Proof

Suppose the user can bias the result and spend less than he ought to, which means that, after receiving a commitment c from the merchant, the user can select an \(r_2\) satisfying \([r_1\bigoplus r_2]=0\). This is equivalent to the user learning \(r_1\), the value committed to in c, before the merchant opens c, which breaks the hiding property of the commitment scheme.

Suppose the merchant can bias the result and earn more money, which means that he can either present a new \(r_1'(\ne r_1)\) satisfying \(([r_1'\bigoplus r_2]=1)\wedge (c=\textsf {COMM}_{s'}{(r_1')})\), which breaks the binding property of the commitment scheme since c is the commitment to \(r_1\), or present a new pair \((r_2',\sigma ')\) satisfying \(([r_1\bigoplus r_2']=1)\wedge (\mathtt {Vrf}_{pk_a}(\sigma ',(c,r_2',a^M))=1)\), which breaks the existential unforgeability of the signature scheme.    \(\square \)

Theorem 2

If accountable assertions \((\mathtt {Setup,KeyGen,Assert,Verify,Extract})\) are extractable, and \(\textsf {COMM}\) is a secure commitment scheme, then the proposed lottery-based micropayment protocol is double-spending deterrable.

Proof

Suppose an adversary \(\mathcal {A}\) can break the double-spending deterrence of our lottery-based micropayment protocol. Then he can produce at least two assertions \(\tau \) and \(\tau '\) with \(\tau \leftarrow \mathtt {Assert}(sk_d,auxsk,k,c)\) and \(\tau '\leftarrow \mathtt {Assert}(sk_d,auxsk,k,c')\), and finish the corresponding payments without being caught, where c and \(c'\) belong to two different payments generated by the corresponding merchants and k denotes a serial number. When \(c\ne c'\), \(\mathcal {A}\) breaks the extractability of the accountable assertions. When \(c=c'\), where \(c=\textsf {COMM}_{s}{(r_1)}\) and \(c=\textsf {COMM}_{s'}{(r_1')}\), the binding property of the commitment scheme implies \((r_1,s)=(r_1',s')\). However, this happens only with negligible probability, namely when two merchants randomly choose the same pair \((r_1,s)\), which is used to ensure the merchants’ asset security.    \(\square \)

Theorem 3

If \(\textsf {COMM}\) is a secure commitment scheme, the signature scheme \((\mathtt {Gen,Sig,Vrf})\) is EUF-CMA, and accountable assertions \((\mathtt {Setup,KeyGen,}\mathtt {Assert,Verify,Extract})\) satisfy extractability and secrecy, then the proposed lottery-based micropayment protocol achieves financial fairness.

Proof

Suppose a malicious merchant can break the financial fairness of the user by receiving more money than the user should pay. This means that the merchant can either (1) bias the result of the lottery ticket, (2) transfer money from a to his account \(a^M\) even though he lost the lottery ticket, by forging a signature \(\sigma =\mathtt {Sig}_{sk_a}(a,a^M)\), (3) collect all published assertions related to the user, extract the private key of \(a^{dep}\) and then generate a valid signature, (4) transfer money from \(a^{dep}\) to his account \(a^M\) by forging a signature \(\sigma =\mathtt {Sig}_{sk_\mathcal {T}}(a^{dep},a^M,V)\) before time T, or (5) publish a signature \(\sigma =\mathtt {Sig}_{sk_d}(a^{dep},a^M,V)\) to withdraw the money in \(a^{dep}\) after time T.

Case (1) is infeasible by the proof of Theorem 1. Each of cases (2), (4) and (5) breaks the existential unforgeability of the signature scheme. Case (3) contradicts the secrecy of the accountable assertions. Besides, a transaction published by the user to transfer money from a and a transaction published by \(\mathcal {T}\) to transfer money from \(a^{dep}\) cannot coexist, because the blockchain is assumed to be available and public, and the discrete clock the blockchain embodies keeps time in the system synchronous.

Suppose a malicious user can break the financial fairness of the merchant by refusing to pay even though the lottery ticket has won. The user may refuse to publish a transaction from a to \(a^M\), and M cannot obtain the money he deserves from the deposit account \(a^{dep}\) by himself. Recall that there exists a verifiable third party \(\mathcal {T}\) whose operations follow the instructions of the scheme. Thus, a merchant facing a malicious user can ask \(\mathcal {T}\) for help in obtaining the money from the deposit account \(a^{dep}\). The user cannot withdraw the money in the locked account \(a^{dep}\) before time T, as that would violate the assumed correctness of the blockchain. Although the deposit is unlocked after time T and the user can then freely withdraw the money, the protocol requires that every request be received by M before time \(T-T'\), which leaves a period \(T'\) for \(\mathcal {T}\) to handle a dispute.

One more case remains to be considered: the money in the deposit account \(a^{dep}\) may be insufficient to compensate M. In this case, the user has conducted multiple (more than d) payments by issuing n assertions \(\{\tau _i\}_{i=1}^n\), where n (\(n>d\)) is the number of payments the user conducts in the hope that the deposit cannot cover all merchants’ compensation requests. As a result, there must be at least two assertions satisfying \((\tau _i\leftarrow \mathtt {Assert}(sk_d,auxsk,k_i,c_i))\wedge (\tau _j\leftarrow \mathtt {Assert}(sk_d,auxsk,k_j,c_j))\wedge (\mathtt {Verify}(pk,k_i,c_i,\tau _i)=1)\wedge (\mathtt {Verify}(pk,k_j,c_j,\tau _j)=1)\wedge (k_i=k_j)\). According to the proof of Theorem 2, this breaks either the extractability of the accountable assertions or the binding property of the commitment scheme.    \(\square \)
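As an added illustration (example code, not from the paper) of what the proofs of Theorems 1 to 3 argue about: a SHA-256 hash commitment stands in for COMM, the win predicate on \(r_1\bigoplus r_2\) and the value of \(\eta \) are assumptions, and the signatures and the accountable-assertion algorithms are left out. An honest round shows the \(1/\eta \) hit rate, a cheating round shows the user's opening check rejecting a substituted \(r_1'\) (binding), and the last function is the serial-number reuse check from the proof of Theorem 3.

```python
import hashlib
import hmac
import secrets

ETA = 100      # a ticket wins with probability 1/ETA (value chosen for this demo)
NBYTES = 32    # length of r1, r2 and the commitment randomness s

def commit(r1: bytes, s: bytes) -> bytes:
    """Hash commitment standing in for COMM_s(r1): hiding and binding if SHA-256 is a random oracle."""
    return hashlib.sha256(s + r1).digest()

def open_ok(c: bytes, r1: bytes, s: bytes) -> bool:
    """User-side check that the merchant's opening (r1, s) matches the commitment c sent earlier."""
    return hmac.compare_digest(c, commit(r1, s))

def ticket_wins(r1: bytes, r2: bytes, eta: int = ETA) -> bool:
    """Assumed predicate [r1 XOR r2] = 1: the XOR, read as an integer, is 0 mod eta."""
    x = int.from_bytes(bytes(a ^ b for a, b in zip(r1, r2)), "big")
    return x % eta == 0

def run_ticket(eta: int = ETA, cheating_merchant: bool = False) -> str:
    """One lottery round (merchant commits r1, user sends r2, merchant opens c).
    Returns 'paid' (winning ticket, one on-chain tx), 'unpaid' or 'rejected'."""
    r1, s = secrets.token_bytes(NBYTES), secrets.token_bytes(NBYTES)
    c = commit(r1, s)                    # merchant -> user: c, with r1 still hidden
    r2 = secrets.token_bytes(NBYTES)     # user -> merchant: r2 (the paper also signs (c, r2, a^M))
    if cheating_merchant:
        # after seeing r2 the merchant swaps in an r1' that makes the ticket win (Theorem 1, case 2)
        r1 = secrets.token_bytes(NBYTES)
        while not ticket_wins(r1, r2, eta):
            r1 = secrets.token_bytes(NBYTES)
    if not open_ok(c, r1, s):            # binding: the substituted r1' does not open c
        return "rejected"
    return "paid" if ticket_wins(r1, r2, eta) else "unpaid"

def win_rate(trials: int, eta: int = ETA) -> float:
    """Empirical fraction of honest rounds that reach the chain; should sit near 1/eta."""
    return sum(run_ticket(eta) == "paid" for _ in range(trials)) / trials

def equivocating_serials(assertions):
    """Serial-number check from the proof of Theorem 3: assertions are (k, c) pairs the user
    published; a serial k reused with two different commitments is the double-spend that
    lets Extract recover the deposit key sk_d."""
    seen, reused = {}, set()
    for k, c in assertions:
        if k in seen and seen[k] != c:
            reused.add(k)
        seen.setdefault(k, c)
    return reused
```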

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature


Cite this paper

Hu, K., Zhang, Z. (2018). Fast Lottery-Based Micropayments for Decentralized Currencies. In: Susilo, W., Yang, G. (eds) Information Security and Privacy. ACISP 2018. Lecture Notes in Computer Science, vol 10946. Springer, Cham. https://doi.org/10.1007/978-3-319-93638-3_38

  • DOI: https://doi.org/10.1007/978-3-319-93638-3_38

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-93637-6

  • Online ISBN: 978-3-319-93638-3
