Abstract
Bitcoin is built atop a blockchain in which miners run a distributed consensus protocol to secure the ledger, and its transactions therefore carry relatively high fees that incentivize miners to behave honestly. Besides, a transaction must wait a fairly long time (about 10 min on average) to be confirmed on the blockchain, which makes micropayments not cost-effective. In CCS'15, Pass and Shelat proposed three micropayment schemes for any ledger-based transaction system, building on the probabilistic payments suggested by Wheeler (1996) and Rivest (1997); these are called "lottery-based micropayments". However, the one among the three that is fully compatible with the current Bitcoin system and requires only an "invisible" verifiable third party needs two on-chain transactions per execution, even when both the user and the merchant are honest. To reduce transaction costs and increase efficiency, this paper proposes a fast lottery-based micropayment scheme that improves on their work. By setting up a time-locked deposit, whose secure use is guaranteed by a primitive called accountable assertions under the discrete logarithm assumption, our scheme reduces the number of on-chain transactions to one while preserving the advantages of the original scheme.
Change history
09 May 2020
In the original version of this chapter the second affiliation was missing for both authors. This has now been corrected. The University of Chinese Academy of Sciences has been added as second affiliation.
Notes
1. In this paper, we use the terms "address" and "account" interchangeably.
References
Barber, S., Boyen, X., Shi, E., Uzun, E.: Bitter to better—how to make bitcoin a better currency. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 399–414. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_29
Bitcoin Wiki: BIP 0010. https://en.bitcoin.it/wiki/Multisignature
Bitcoin Wiki: BIP 0065. https://en.bitcoin.it/wiki/BIP_0065
Bitcoin Wiki: Script. https://en.bitcoin.it/wiki/Script
Bitcoinj Project: Working with micropayment channels. https://bitcoinj.github.io/working-with-micropayments
BLOCKCHAIN: Blockchain Charts. https://blockchain.info/charts
Bonneau, J., Miller, A., Clark, J., Narayanan, A., Kroll, J.A., Felten, E.W.: SoK: research perspectives and challenges for Bitcoin and cryptocurrencies. In: 2015 IEEE Symposium on Security and Privacy, pp. 104–121. IEEE (2015)
Chiesa, A., Green, M., Liu, J., Miao, P., Miers, I., Mishra, P.: Decentralized anonymous micropayments. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017 Part II. LNCS, vol. 10211, pp. 609–642. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_21
Decker, C., Wattenhofer, R.: A fast and scalable payment network with bitcoin duplex micropayment channels. In: Pelc, A., Schwarzmann, A.A. (eds.) SSS 2015. LNCS, vol. 9212, pp. 3–18. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21741-3_1
INVESTOPEDIA: Bitcoin Exchange. https://www.investopedia.com/terms/b/bitcoin-exchange.asp
Krupp, J., Schröder, D., Simkin, M., Fiore, D., Ateniese, G., Nuernberger, S.: Nearly optimal verifiable data streaming. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016 Part I. LNCS, vol. 9614, pp. 417–445. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_16
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008). https://bitcoin.org/bitcoin.pdf
Noether, S.: Ring signature confidential transactions for Monero. Cryptology ePrint Archive, Report 2015/1098 (2015). http://eprint.iacr.org/
Pass, R., Shelat, A.: Micropayments for decentralized currencies. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 207–218. ACM (2015)
Pass, R., Shelat, A.: Micropayments for decentralized currencies (2016). http://eprint.iacr.org/2016/332
Poon, J., Dryja, T.: The Bitcoin lightning network: scalable off-chain instant payments. Technical report, draft v0.5.9.2 (2016). https://lightning.network/lightning-network-paper.pdf
Reid, F., Harrigan, M.: An analysis of anonymity in the Bitcoin system. In: 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third International Conference on Social Computing, pp. 1318–1326. IEEE (2011)
Rivest, R.L.: Electronic lottery tickets as micropayments. In: Hirschfeld, R. (ed.) FC 1997. LNCS, vol. 1318, pp. 307–314. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-63594-7_87
Ruffing, T., Kate, A., Schröder, D.: Liar, liar, coins on fire! Penalizing equivocation by loss of Bitcoins. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 219–230. ACM (2015)
Sasson, E.B., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., Virza, M.: Zerocash: decentralized anonymous payments from Bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE (2014)
Schröder, D., Simkin, M.: VeriStream – a framework for verifiable data streaming. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 548–566. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47854-7_34
Schröder, D., Schröder, H.: Verifiable data streaming. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 953–964. ACM (2012)
Sompolinsky, Y., Zohar, A.: Secure high-rate transaction processing in Bitcoin. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 507–527. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47854-7_32
Trillo, M.: Stress Test Prepares VisaNet for the Most Wonderful Time of the Year (2013). http://www.visa.com/blogarchives/us/2013/10/10/stress-test-prepares-visanet-for-the-most-wonderful-time-of-the-year/index.html
Wheeler, D.: Transactions using bets. In: Lomas, M. (ed.) Security Protocols 1996. LNCS, vol. 1189, pp. 89–92. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-62494-5_7
Acknowledgements
We thank the anonymous reviewers for their comments which helped to improve the paper. This work was supported by the National Key R&D Program of China (Nos. 2017YFB0802500, 2017YFB0802000), and the National Natural Science Foundation of China (No. U1536205).
A Proofs for Theorems
Theorem 1
If \(\textsf {COMM}\) is a secure commitment scheme, and the signature scheme \((\mathtt {Gen,Sig,Vrf})\) is existentially unforgeable under adaptively chosen-message attacks (EUF-CMA), then the probability that an execution of the proposed lottery-based micropayment protocol results in a transaction on the blockchain is exactly \(1/\eta \).
Proof
Suppose the user can bias the result and spend less than he ought to, i.e., after receiving a commitment c from the merchant, the user can select an \(r_2\) satisfying \([r_1\oplus r_2]=0\). This is equivalent to the user learning \(r_1\), the value committed in c, before the merchant opens c, which breaks the hiding property of the commitment scheme.
Suppose the merchant can bias the result and earn more money. Then he can either present a new \(r_1'(\ne r_1)\) satisfying \(([r_1'\oplus r_2]=1)\wedge (c=\textsf {COMM}_{s'}{(r_1')})\), which breaks the binding property of the commitment scheme since c is the commitment of \(r_1\), or present a new pair \((r_2',\sigma ')\) satisfying \(([r_1\oplus r_2']=1)\wedge (\mathtt {Vrf}_{pk_a}(\sigma ',(c,r_2',a^M))=1)\), which breaks the existential unforgeability of the signature scheme. \(\square \)
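As an added illustration of the exchange analysed in Theorem 1, not code from the paper, the following Go program plays one lottery ticket between a merchant and a user: the merchant commits to \(r_1\), the user signs \((c, r_2, a^M)\), the merchant verifies the ticket and opens the commitment, and the user checks the opening before paying. The page fixes neither the commitment scheme, nor the signature scheme, nor the bracket predicate \([r_1\oplus r_2]\), so the example assumes SHA-256 hash commitments, ECDSA over P-256 and the rule that a ticket wins iff \((r_1 + r_2) \bmod \eta = 0\); the address string "a^M" and all function names are likewise the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Assumed here, since the page fixes none of it: COMM_s(r1) = SHA-256(s || r1), tickets
// are ECDSA/P-256 signatures, and [r1 (+) r2] = 1 is read as (r1 + r2) mod eta == 0.

// must panics on an error from crypto/rand or ecdsa; such failures are fatal here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Commit computes c = COMM_s(r1); OpenCommit is the user's check of an opening (s, r1).
func Commit(s [32]byte, r1 uint64) [32]byte {
	return sha256.Sum256(binary.BigEndian.AppendUint64(s[:], r1))
}
func OpenCommit(c, s [32]byte, r1 uint64) bool { return Commit(s, r1) == c }

// Wins is the assumed predicate: for each r1 exactly one r2 in [0, eta) wins, so a
// uniformly random r2 wins with probability exactly 1/eta.
func Wins(r1, r2, eta uint64) bool { return (r1%eta+r2%eta)%eta == 0 }

// ticketDigest hashes the tuple (c, r2, a^M) that the user signs.
func ticketDigest(c [32]byte, r2 uint64, merchantAddr string) []byte {
	d := sha256.Sum256(append(binary.BigEndian.AppendUint64(c[:], r2), merchantAddr...))
	return d[:]
}

// randBelow draws a uniform value in [0, eta).
func randBelow(eta uint64) uint64 {
	return must(rand.Int(rand.Reader, new(big.Int).SetUint64(eta))).Uint64()
}

// Merchant holds its address a^M and the opening (s, r1) of its commitment c.
type Merchant struct {
	Addr string
	s, c [32]byte
	r1   uint64
}

// Step 1: the merchant draws (s, r1) and sends c to the user.
func NewMerchant(addr string, eta uint64) (*Merchant, [32]byte) {
	m := &Merchant{Addr: addr, r1: randBelow(eta)}
	must(rand.Read(m.s[:]))
	m.c = Commit(m.s, m.r1)
	return m, m.c
}

// NewUserKey generates sk_a, the signing key of the user's funding address a.
func NewUserKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// Step 2: the user draws r2 and signs (c, r2, a^M) with sk_a.
func SignTicket(sk *ecdsa.PrivateKey, c [32]byte, r2 uint64, merchantAddr string) []byte {
	return must(ecdsa.SignASN1(rand.Reader, sk, ticketDigest(c, r2, merchantAddr)))
}

// Step 3: the merchant verifies the ticket, then opens; a substituted (r2', sigma') fails unless sigma' is forged.
func (m *Merchant) Resolve(pk *ecdsa.PublicKey, c [32]byte, r2 uint64, sig []byte, eta uint64) (won bool, s [32]byte, r1 uint64, err error) {
	if c != m.c || !ecdsa.VerifyASN1(pk, ticketDigest(c, r2, m.Addr), sig) {
		return false, s, 0, errors.New("unknown commitment or invalid ticket signature")
	}
	return Wins(m.r1, r2, eta), m.s, m.r1, nil
}

// RunTicket plays one ticket between honest parties; only a winning ticket makes the
// user broadcast the on-chain payment from a to a^M.
func RunTicket(eta uint64) bool {
	sk, r2 := NewUserKey(), randBelow(eta)
	m, c := NewMerchant("a^M", eta)
	won, s, r1, err := m.Resolve(&sk.PublicKey, c, r2, SignTicket(sk, c, r2, m.Addr), eta)
	// Step 4: the user checks the opening and recomputes the outcome; a merchant claiming r1' != r1 must break binding.
	if err != nil || !OpenCommit(c, s, r1) || won != Wins(r1, r2, eta) {
		panic(fmt.Sprint("honest run rejected: ", err))
	}
	return won
}

func main() {
	wins := 0
	for i := 0; i < 5000; i++ {
		if RunTicket(100) {
			wins++
		}
	}
	fmt.Printf("%d wins in 5000 tickets (expected about 50)\n", wins)
}
```

Running the program with \(\eta = 100\) yields about 50 winning tickets in 5000 trials. Resolve rejects a ticket whose \(r_2\) was changed after signing and a ticket that refers to a different commitment, and the user's check in RunTicket rejects an opening that does not match c; these are exactly the two cheating routes the proof rules out via unforgeability and binding.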
Theorem 2
If the accountable assertion scheme \((\mathtt {Setup,KeyGen,Assert,Verify,Extract})\) is extractable and \(\textsf {COMM}\) is a secure commitment scheme, then the proposed lottery-based micropayment protocol is double-spending deterrable.
Proof
Suppose an adversary \(\mathcal {A}\) can break the double-spending deterrence of our lottery-based micropayment protocol. Then he can produce at least two assertions \(\tau \) and \(\tau '\) with \(\tau \leftarrow \mathtt {Assert}(sk_d,auxsk,k,c)\) and \(\tau '\leftarrow \mathtt {Assert}(sk_d,auxsk,k,c')\), and finish the corresponding payments without being caught, where c and \(c'\) belong to two different payments generated by the corresponding merchants and k denotes a serial number. If \(c\ne c'\), \(\mathcal {A}\) breaks the extractability of the accountable assertions. If \(c=c'\), where \(c=\textsf {COMM}_{s}{(r_1)}\) and \(c=\textsf {COMM}_{s'}{(r_1')}\), the binding property of the commitment scheme implies \((r_1,s)=(r_1',s')\); but two merchants independently choose the same pair \((r_1,s)\), which is what protects the merchants' assets, only with negligible probability. \(\square \)
Theorem 3
If \(\textsf {COMM}\) is a secure commitment scheme, the signature scheme \((\mathtt {Gen,Sig,Vrf})\) is EUF-CMA, and the accountable assertion scheme \((\mathtt {Setup,KeyGen,Assert,Verify,Extract})\) satisfies extractability and secrecy, then the proposed lottery-based micropayment protocol achieves financial fairness.
Proof
Suppose a malicious merchant can break the financial fairness of the user by receiving more money than the user should pay. This means that the merchant can either (1) bias the result of the lottery ticket, or (2) transfer money from a to his account \(a^M\) even though the lottery ticket loses, by forging a signature \(\sigma =\mathtt {Sig}_{sk_a}(a,a^M)\), or (3) collect all published assertions related to the user, extract the private key of \(a^{dep}\) and then generate a valid signature, or (4) transfer money from \(a^{dep}\) to his account \(a^M\) before time T by forging a signature \(\sigma =\mathtt {Sig}_{sk_\mathcal {T}}(a^{dep},a^M,V)\), or (5) publish a signature \(\sigma =\mathtt {Sig}_{sk_d}(a^{dep},a^M,V)\) to withdraw the money in \(a^{dep}\) after time T.
Case (1) is infeasible by the proof of Theorem 1. Each of cases (2), (4) and (5) breaks the existential unforgeability of the signature scheme. Case (3) contradicts the secrecy of the accountable assertions. Besides, a transaction published by the user to transfer money from a and a transaction published by \(\mathcal {T}\) to transfer money from \(a^{dep}\) cannot coexist, because the blockchain is assumed to be available and public, and the discrete clock it embodies keeps time in the system synchronous.
Suppose a malicious user can break the financial fairness of the merchant by refusing to pay even though the lottery ticket has won. The user may refuse to publish a transaction from a to \(a^M\), and M cannot obtain the money he deserves from the deposit account \(a^{dep}\) by himself. Recall that there is a verifiable third party \(\mathcal {T}\) whose operations follow the instructions of the scheme, so a merchant facing a malicious user can ask \(\mathcal {T}\) for help in obtaining the money from \(a^{dep}\). The user cannot withdraw the money in the locked account \(a^{dep}\) before time T, as that would violate the assumed correctness of the blockchain. Although the deposit is unlocked after time T and the user can then withdraw it freely, the protocol requires every request received by M to arrive before time \(T-T'\), which leaves a period \(T'\) for \(\mathcal {T}\) to handle a dispute.
One more case remains: the money in the deposit account \(a^{dep}\) may be insufficient to compensate M. In this case the user has conducted more than d payments by issuing n assertions \(\{\tau _i\}_{i=1}^n\) with \(n>d\), hoping that the deposit cannot cover all merchants' compensation requests. Then there must be at least two assertions satisfying \((\tau _i\leftarrow \mathtt {Assert}(sk_d,auxsk,k_i,c_i))\wedge (\tau _j\leftarrow \mathtt {Assert}(sk_d,auxsk,k_j,c_j))\wedge (\mathtt {Verify}(pk,k_i,c_i,\tau _i)=1)\wedge (\mathtt {Verify}(pk,k_j,c_j,\tau _j)=1)\wedge (k_i=k_j)\). By the proof of Theorem 2, this breaks either the extractability of the accountable assertions or the binding property of the commitment scheme. \(\square \)
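The proofs of Theorems 2 and 3 rely on two properties of accountable assertions: secrecy (assertions under distinct serials reveal nothing about \(sk_d\)) and extractability (two assertions under one serial k on different statements \(c\ne c'\) yield \(sk_d\), and with it control of the deposit \(a^{dep}\)). The following Go program is an added example, not the paper's scheme and not the construction of Ruffing et al.: it models an assertion as a Schnorr signature over P-256 whose nonce is derived deterministically from \((sk_d, k)\), so that equivocating under one serial reuses the nonce and leaks the key. The names KeyGen, Assert, Verify and Extract follow the page's interface; Setup and auxsk are omitted, and the hash-to-scalar encoding is the example's own.

```go
package main

import (
	"bytes"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Stand-in construction (an assumption of this example, not the paper's primitive):
// a Schnorr signature over P-256 whose nonce is derived from (sk_d, serial k).

var curve = elliptic.P256()
var order = curve.Params().N

// Point is an affine point; Assertion is tau = (R, s) for serial k and statement c.
type Point struct{ X, Y *big.Int }
type Assertion struct {
	R Point
	S *big.Int
}

func hashToScalar(parts ...[]byte) *big.Int {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return new(big.Int).Mod(new(big.Int).SetBytes(h.Sum(nil)), order)
}

func serial(k uint64) []byte { return binary.BigEndian.AppendUint64(nil, k) }

// KeyGen returns (sk_d, pk_d); whoever holds sk_d can spend the deposit a^dep.
func KeyGen() (*big.Int, Point) {
	sk, err := rand.Int(rand.Reader, new(big.Int).Sub(order, big.NewInt(1)))
	if err != nil {
		panic(err)
	}
	sk.Add(sk, big.NewInt(1))
	x, y := curve.ScalarBaseMult(sk.Bytes())
	return sk, Point{x, y}
}

// challenge binds (R, k, c) into the Schnorr challenge e.
func challenge(R Point, k uint64, c []byte) *big.Int {
	return hashToScalar(R.X.Bytes(), R.Y.Bytes(), serial(k), c)
}

// Assert produces tau for (k, c). The nonce depends only on (sk_d, k), so two
// statements under one serial reuse it: that is what makes equivocation extractable.
func Assert(sk *big.Int, k uint64, c []byte) Assertion {
	r := hashToScalar([]byte("nonce"), sk.Bytes(), serial(k))
	rx, ry := curve.ScalarBaseMult(r.Bytes())
	R := Point{rx, ry}
	s := new(big.Int).Mul(challenge(R, k, c), sk)
	return Assertion{R, s.Add(s, r).Mod(s, order)}
}

// Verify checks s*G == R + e*pk_d, the usual Schnorr verification equation.
func Verify(pk Point, k uint64, c []byte, a Assertion) bool {
	if a.R.X == nil || !curve.IsOnCurve(a.R.X, a.R.Y) || a.S.Sign() < 0 || a.S.Cmp(order) >= 0 {
		return false
	}
	lx, ly := curve.ScalarBaseMult(a.S.Bytes())
	ex, ey := curve.ScalarMult(pk.X, pk.Y, challenge(a.R, k, c).Bytes())
	rx, ry := curve.Add(a.R.X, a.R.Y, ex, ey)
	return lx.Cmp(rx) == 0 && ly.Cmp(ry) == 0
}

// Extract recovers sk_d from two assertions under the same serial on different
// statements: s1 - s2 = (e1 - e2) * sk_d, so sk_d = (s1 - s2) / (e1 - e2) mod n.
func Extract(k uint64, c1 []byte, a1 Assertion, c2 []byte, a2 Assertion) (*big.Int, error) {
	if bytes.Equal(c1, c2) || a1.R.X.Cmp(a2.R.X) != 0 || a1.R.Y.Cmp(a2.R.Y) != 0 {
		return nil, errors.New("not an equivocation: need one serial, one nonce, two statements")
	}
	den := new(big.Int).Sub(challenge(a1.R, k, c1), challenge(a2.R, k, c2))
	if den.Mod(den, order).Sign() == 0 {
		return nil, errors.New("challenge collision")
	}
	sk := new(big.Int).Sub(a1.S, a2.S)
	return sk.Mul(sk, den.ModInverse(den, order)).Mod(sk, order), nil
}

func main() {
	sk, pk := KeyGen()
	c1, c2 := []byte("commitment c from merchant 1"), []byte("commitment c' from merchant 2")
	a1, a2 := Assert(sk, 42, c1), Assert(sk, 42, c2) // same serial k = 42: a double spend
	fmt.Println("both assertions verify:", Verify(pk, 42, c1, a1) && Verify(pk, 42, c2, a2))
	got, err := Extract(42, c1, a1, c2, a2)
	fmt.Println("extracted sk_d matches:", err == nil && got.Cmp(sk) == 0)
}
```

Extract refuses two assertions issued under different serials (their nonces differ) and a single repeated assertion, so only genuine double spending, the case analysed at the end of the proof of Theorem 3, releases \(sk_d\); a single assertion per serial is an ordinary Schnorr signature and leaks nothing about the key under the discrete logarithm assumption, which is the secrecy property used in case (3).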
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Hu, K., Zhang, Z. (2018). Fast Lottery-Based Micropayments for Decentralized Currencies. In: Susilo, W., Yang, G. (eds) Information Security and Privacy. ACISP 2018. Lecture Notes in Computer Science(), vol 10946. Springer, Cham. https://doi.org/10.1007/978-3-319-93638-3_38
DOI: https://doi.org/10.1007/978-3-319-93638-3_38
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93637-6
Online ISBN: 978-3-319-93638-3
eBook Packages: Computer Science, Computer Science (R0)