Privacy meets accountability in token payment systems


Token management systems have been a central application of blockchain technology ever since its early days. Despite their popularity, though, the scope of their adoption has been limited by their lack of privacy protection. This is for instance the case in systems like Bitcoin and Ethereum where transactions are submitted in plaintext to the blockchain, making them linkable and traceable.

While the privacy of transactions is important, it should not come at the cost of transparency and auditability, two especially important features in permissioned networks. These networks derive some of their advantages from a strong identity management and the promise to ensure accountability and non-deniability.

To meet these requirements, we introduce a new token management based on the unspent transaction model (UTXO) pioneered by Bitcoin and that leverages the properties of permissioned networks to allow for authorization and auditing of transactions. We believe that this work adds to the toolsets of the PRIVILEDGE project, which aims, among other things, at building more privacy-friendly and accountable blockchains.


The story so far

Let us review some of the most relevant previous work aimed at improving privacy in this context.  

Zerocoin allows users to anonymize their bitcoins by converting them into zerocoins that rely on Pedersen commitments and zero-knowledge proofs. Zerocoins can be changed back to bitcoins without leaking their origin. Zerocoin however does not offer any transacting or auditing capabilites. 

Confidential Assets protect privacy (in a limited form) by hiding the types and the values of the traded assets. The idea, similarly to Zerocoin, is to use Pedersen commitments to encode the amount and types of traded assets, and zero-knowledge proofs to show the validity of a transaction.

This scheme however does not hide the transaction graph or the public keys of the transactors. While this allows for some form of public auditability it compromises the privacy of the parties involved in transactions.  

Zerocash is the first fully anonymous decentralized payment scheme. It offers unconditional anonymity, to the extent that users can repudiate their participation in a transaction. Thanks to a combination of hash-based commitments and zkSNARKs, Zerocash validates payments and prevents double-spending in a relatively efficient manner.

On the downside, Zerocash requires a trusted setup and an expensive transaction generation and its security relies on non-falsifiable assumptions. 

There is a proposal to extend Zerocash by supporting expressive validity rules to provide accountability. Notably, the proposed solution ensures regulatory closure (i.e. allowing exchanges of assets of the same type only) and enforcing spending limits.

In terms of accountability, the proposed scheme allows the tracing of certain tainted coins, but it doesn’t really allow extensive and consistent auditing of transactions.

By building on Zerocash, the proposed scheme inherits the same limitations regarding computational assumptions and trusted setup. 

QuisQuis and Zether propose solutions that provide partial anonymity. Here, the sender obfuscates the identity of the participants in a transaction by adding accounts of other users not involved in it, who act as an anonymity set. Both schemes couple ElGamal encryption with Schnorr zero-knowledge proofs to ensure that obfuscated user accounts reflect the correct payment flows. Unlike Zerocash, QuisQuis and Zether rely on falsifiable assumptions and do not require any trusted setup. 

Solidus is a privacy-preserving protocol for asset transfer that is suitable for intermediated bilateral transactions, where banks act as mediators. Solidus conceals the transaction graph and values by using banks as proxies. The authors leverage ORAMs to allow banks to update the accounts of their clients without revealing which accounts are being updated. The novelty of Solidus is PVORM, which is an ORAM that comes with zero-knowledge proofs that show that the ORAM updates are correct with respect to the transaction triggering them. In Solidus there is no dedicated auditing functionality; however, banks could open the content of relevant transactions at the behest of authorized auditors. 

HAWK is a framework for privacy-preserving smart contracts that enables execution of  smart contracts in a verifiable way without revealing any transactional data to the blockchain.  HAWK relies on a minimally trusted and potentially distributed manager that facilitates the execution of a smart contract by collecting users' inputs to that smart contracts. The manager cannot affect the execution of the smart contract and she is only trusted not to disclose users' inputs.  HAWK was shown to protect users' privacy against the blockchain and parties involved in the smart contract, and to ensure financial fairness by establishing refund mechanisms.

In order to enable privacy-preserving refunds and payments, HAWK builds upon the Zerocash machinery, and therefore, as for now it does not support any auditability.  

The zkLedger protocol is a permissioned asset transfer scheme that hides transaction amounts as well as the payer-payee relationship and supports auditing. One main difference with our approach is the end user: zkLedger aims at a setting where the transacting parties are banks, whereas our solution considers the end user to be the client of “a bank”. This is why zkLedger enjoys relatively more efficient proofs and could afford a transaction size that grows linearly with the number of total transactors in the platform (i.e. banks), which is inherently small. (In our scheme, transaction sizes do not grow with the number of overall parties.)

Similarly when it comes to auditability, zkLedger offers richer and more flexible semantics but at the expense of audit granularity. Auditing in zkLedger is limited to banks and does not cover cases where auditors are required to monitor the transaction flow of the clients (of the banks).


Combining Privacy, authorization and auditability in one system


In contrast to previous systems that offer some sort trade-off between privacy and auditability, our token management system for permissioned networks features the following properties:


•   Privacy: Transactions written on the blockchain conceal both the values that are transferred and the payer-payee relationship. The transaction leaks no information about the tokens spent in this transaction beyond the fact that they are valid and unspent.


•   Authorization: Users authorize transactions via credentials; i.e., the authorization for spending a token is bound to the user's identity instead of a pseudonym (or address). The authorization makes use of anonymous credentials and is privacy-preserving.


•   Auditability: Each user has an assigned auditor that is allowed to see the transaction information related to that particular user.


Satisfying these three requirements is crucial for implementing a payment system that protects the users' privacy but at the same time complies with regulation. 

The system we propose inherits several ideas from prior work, such as the use of Pedersen commitments from Confidential Assets and the use of serial numbers to prevent double-spending from Zerocash. These are combined with a blind certification mechanism that guarantees the validity of tokens via threshold signatures, and with an auditing mechanism that allows flexible and fine-grained assignment of users to auditors.  

Another goal we pursue with this system is to move away from complex and non-falsifiable computational assumptions that underpin zkSNARK-based schemes and instead work with more conservative assumptions. Restricting ourselves to the permissioned setting allows us to leverage a combination of signatures and standard ZK-proofs to achieve these goals.  

We use a selection of cryptographic schemes that are based in the discrete-logarithm or pairing settings and are structure-preserving, such as Dodis-Yampolskiy VRF, ElGamal encryption, Groth signatures, Pedersen commitments, and Pointcheval-Sanders signatures. This allows us to use the relatively efficient Groth-Sahai proofs and achieve security under standard assumptions, in the random-oracle model.


Written by Kaoutar Elkhiyaoui, IBM Research Zurich
Photo by Pixabay.

For more details, a research paper is available at or contact us at