|Authors||P. Fauzi, S. Meiklejohn, R. Mercer and C. Orlandi|
|Editors||S. D. Galbraith and S. Moriai|
|Title||Quisquis: A New Design for Anonymous Cryptocurrencies|
|Publication Type||Proceedings, refereed|
|Year of Publication||2019|
|Conference Name||Advances in Cryptology – ASIACRYPT 2019|
|Pagination||649 - 678|
|Publisher||Springer International Publishing|
|Keywords||cryptocurrencies, cryptographic protocols / anonymity, Zero knowledge|
Despite their usage of pseudonyms rather than persistent identifiers, most existing cryptocurrencies do not provide users with any meaningful levels of privacy. This has prompted the creation of privacy-enhanced cryptocurrencies such as Monero and Zcash, which are specifically designed to counteract the tracking analysis possible in currencies like Bitcoin. These cryptocurrencies, however, also suffer from some drawbacks: in both Monero and Zcash, the set of potential unspent coins is always growing, which means users cannot store a concise representation of the blockchain. Additionally, Zcash requires a common reference string and the fact that addresses are reused multiple times in Monero has led to attacks to its anonymity.
In this paper we propose a new design for anonymous cryptocurrencies, Quisquis, that achieves provably secure notions of anonymity. Quisquis stores a relatively small amount of data, does not require trusted setup, and in Quisquis each address appears on the blockchain at most twice: once when it is generated as output of a transaction, and once when it is spent as input to a transaction. Our result is achieved by combining a DDH-based tool (that we call updatable keys) with efficient zero-knowledge arguments.