Towards fully privacy-preserving payment channel hubs

Abstract

Payment channel hubs (PCH) support off-chain payments between a sender and receiver through an intermediary known as the tumbler. The thesis presents the first Bitcoin-compatible PCH that achieves relationship anonymity and supports variable payment amounts. The contribution is achieved through three key developments: In Chapter 4, the thesis proposes a generalized adaptor signature based on the Type-T canonical identification. This construction can combine with various privacy- preserving cryptosystems and serves as a general framework. Additionally, a linkable ring adaptor signature is introduced, which has various applications in blockchain. Chapter 5 provides the first formal security analysis of the one-more unforgeability of blind ECDSA. Firstly, a general attack on blind ECDSA is discussed, and the ECDSA-ROS problem is formulated to capture this attack. Secondly, a new generic construction of blind ECDSA is proposed, which is significantly more bandwidth-efficient than previous constructions. Thirdly, the first formal proof of one-more unforgeability for blind ECDSA is presented under a new model called algebraic bijective random oracle. Fourthly, the hardness of the ECDSA-ROS problem in the algebraic bijective random oracle model is analyzed. Finally, an impossibility result is provided to rule out any algebraic reductions from one-more discrete logarithm assumption to break- ing the one-more unforgeability of a certain class of blind ECDSA signature schemes, assuming the hardness of one-more discrete logarithm assumption. Chapter 6 proposes the first Bitcoin-compatible PCH that achieves relationship anonymity and supports variable amounts for payment. The construction involves several layers of technical constructions, each of which could be of independent interest to the community. Firstly, the thesis introduces BlindChannel, a bi-directional payment channel protocol for privacy-preserving payments. Secondly, a three-party protocol for private conditional payments is proposed, called BlindHub, where the tumbler pays to the receiver only if the sender pays to the tumbler. The tumbler cannot link the sender and the receiver while supporting a variable payment amount. To construct Blind- Hub, two new cryptographic primitives are introduced as building blocks, namely Blind Adaptor Signature (BAS) and Flexible Blind Conditional Signature (FBCS). Finally, the practicality of both BlindChannel and BlindHub protocols is demonstrated through their instantiation and implementation results.