Jump to content
pedrorechez

CreditMix: a decentralized mixing protocol for Ripple

Recommended Posts

Hello,

We are a security and privacy research group, with members in Germany and USA, interested in payment networks and cryptocurrencies.

Recently, we have written a research paper in which we propose CreditMix, a decentralized protocol that allows to mix Ripple transactions  without requiring any change to the current Ripple network. In a nutshell, CreditMix allows a set of Ripple users to solve the following contract:

    1. Assume that every user has x IOU on her input wallet.
    2. Assume that every user has created a fresh output wallet and thus it does not have any IOU.
    3. If every user correctly follows CreditMix, IOU on each user’s input wallet is decreased by x. Moreover, each user can send x IOU from her output wallet.
    4. If at least one user misbehaves, IOU in all wallets is maintained as defined in steps 1 and 2.

CreditMix is a decentralized protocol that realizes this contract and ensures that nobody can determine the input and output wallets belonging to the same user (i.e., unlinkability of wallets is preserved). Moreover, CreditMix does not require any change to the Ripple definition and thus can be seamlessly deployed in the current Ripple network. In fact, we have successfully tested our proof-of-concept implementation of CreditMix in the current Ripple network.  We have simulated a successful run of CreditMix for 5 users: each user wants to send 10 IOU from her input to her output wallet. The details of this test can be observed in the following Ripple tools:
    * Involved wallets: https://www.ripplecharts.com/#/graph/rMDvFAhSPYEaUNxqrqo88xCwiZXG9P3LNK (You can click on the nodes to expand the network)
    * Payment to perform the mixing of the IOU: https://www.ripplecharts.com/#/graph/21BCE61D6843F23D9A02D745AB788CFF679C6E99ECF70D56C141ACB8560AA370

A preliminary version of the paper is available at http://crypsys.mmci.uni-saarland.de/projects/FastDC. There, we provide a detailed description of the protocol (including the full pseudocode) and the illustrative example that we have tested in the Ripple network.

We would be happy to hear your feedback and critique about our proposal.

Edited by pedrorechez

Share this post


Link to post
Share on other sites
27 minutes ago, pedrorechez said:

A preliminary version of the paper is available at http://crypsys.mmci.uni-saarland.de/projects/FastDC. There, we provide a detailed description of the protocol (including the full pseudocode) and the illustrative example that we have tested in the Ripple network.

Hi Pedro,

FYI, the link to the paper directs to this thread.

Share this post


Link to post
Share on other sites
1 hour ago, pedrorechez said:

    * Involved wallets: https://www.ripplecharts.com/#/graph/rMDvFAhSPYEaUNxqrqo88xCwiZXG9P3LNK (You can click on the nodes to expand the network)
    * Payment to perform the mixing of the IOU: https://www.ripplecharts.com/#/graph/21BCE61D6843F23D9A02D745AB788CFF679C6E99ECF70D56C141ACB8560AA370

Can you explain how is this transaction mixing funds?

According to RippleCharts it just sent funds from one account to another:

Quote

The payment is from rM3U73YQWd4ewijyEsieDWaLf2ektvMmoK to r3AJt7VUhK8e9BaBemKydfmHuLPZx2ibZd.
It was instructed to deliver 50 PSH.rPBCgQXeXvcPhUzto8YhGoDYG9n9V6owRR by spending up to 50PSH.rM3U73YQWd4ewijyEsieDWaLf2ektvMmoK.

 

Share this post


Link to post
Share on other sites

Let me explain more in detail the example that we used to test the CreditMix protocol in the Ripple network. I hope that this clarifies how the CreditMix protocol works and what is the goal of the CreditMix protocol. Please, refer to the paper for the figures and protocol details. If you still have any doubt, please do not hesitate to ask.

I include in the end the list of Ripple wallets used in the test as shown in the Ripple graph tool here

Setup:

Assume that there are five users: Alice, Bob, Carol, Dave and Eve.
Further assume that each user has a pair of Ripple wallets. For example, Alice has A_input and A_output ripple wallets. Input wallets are known to every other user in the protocol, while each output wallet is only known to its owner.
Finally, assume that each user wants to send a fixed amount of IOU (e.g., 10 PSH) from her input to her output wallet.

Goals:

Each user wants to send 10 IOU from her input wallet to her (private) output wallet making sure that anybody is able to link together her input and output wallets after the transaction (i.e., unlinkability is preserved). For instance, Alice wants to transfer 10 IOU from A_input to A_output in a manner that nobody is able to successfully associate the fact that  A_input wanted to transfer 10 IOU to A_output. This effectively provides private transactions in Ripple. 
Moreover, CreditMix must not require any change to the Ripple definition and thus must be seamlessly deployable in the current Ripple network.

Protocol:

1. Users run a P2P mixing protocol to create a shuffle list of their (private) output wallets. In practice, they use the Fast-DC protocol that we present in the paper. Fast-DC ensures unlinkability between each user and her private output wallet. At this point, each user knows the input and output wallets from every other user and thus can continue with the CreditMix protocol.

2. Users jointly create two shared wallets (i.e., shared input and shared output). A transaction with a shared wallet set as sender is only valid if all users agree with the transaction. In practice, this can be done setting a shared wallet as a MultiSig Ripple wallet and only if all users sign the transaction, it becomes valid.

3. Users create a link from each input wallet to the shared input wallet and issue 10 IOU on each link. Moreover, users create a link from the gateway to the shared output wallet with no credit on it. Finally, users create a link from the each output wallet to the shared output wallet and they create an upper limit of 10 IOU in these links. After these steps, the network is as depicted in Figure 4.a in the paper.

4. Users create a transaction from shared input wallet to shared output wallet for a value of 50 IOU. This transaction is the one referred in my previous post (mixing tx). After this transaction,  the resulting network is depicted in Figure 4.b in the paper. The key ideas here are:
* Because the sender of the transaction is a shared wallet, the transaction must be signed by all users. Thus, each user can ensure that every other user correctly follows the protocol or otherwise can just refuse to sign the transaction.
* This transaction uses the 5 paths available from shared input wallet to shared output wallet  to set 50 IOU in the link between the gateway and the shared output wallet. However, it does not reveal the link between the specific input and output wallets of a given user.

At the end of the protocol, the credit on each user's input wallet has been decreased by 10, while each user's output wallet can later create a transaction for 10 IOU. This effectively means that 10 IOU have been transferred from each input to each output wallet in a privacy-preserving manner.

 

List of Ripple wallets in the test:

Shared input = 'rM3U73YQWd4ewijyEsieDWaLf2ektvMmoK';

Shared output = 'r3AJt7VUhK8e9BaBemKydfmHuLPZx2ibZd';

Gateway = 'rPBCgQXeXvcPhUzto8YhGoDYG9n9V6owRR';

Alice_input = 'rMDvFAhSPYEaUNxqrqo88xCwiZXG9P3LNK'
Bob_input = 'rBnkLfFPvabAhEXnBH76UMoyygGUQeYZA3'
Carol_input = 'rhgJUmYMAwQjq5mtnRyFE74fu8sKPf1Nmn'
Dave_input = 'rs6MgypVJgpdDuFk5X8mwoywHezN1gh91Y'
Eve_input = 'rDWuswR94qHuFD6GsGWxtujpZkSg3sNZnX'

Alice_output = 'rK2ByNQvPQBEe1r2WHasY53Z7Tj9ZJrjr8'
Bob_output = 'r9euchAFnRqYJDBngmKD4tXhuLEAcHtCRK'
Carol_output = 'rz2TRTy1Y7b4t1ZEaG98s7brwwTXmi97f'
Dave_output = 'rE6sMibroiWdZADCUqPmEemFeaohVJYWuR'
Eve_output = 'rhjY2JshgYCgkhDVK3jSfZhiqQ3ZKsWUU8'
 

Share this post


Link to post
Share on other sites
2 hours ago, pedrorechez said:

List of Ripple wallets in the test:

Shared input = 'rM3U73YQWd4ewijyEsieDWaLf2ektvMmoK';

Shared output = 'r3AJt7VUhK8e9BaBemKydfmHuLPZx2ibZd';

Gateway = 'rPBCgQXeXvcPhUzto8YhGoDYG9n9V6owRR';

Alice_input = 'rMDvFAhSPYEaUNxqrqo88xCwiZXG9P3LNK'
Bob_input = 'rBnkLfFPvabAhEXnBH76UMoyygGUQeYZA3'
Carol_input = 'rhgJUmYMAwQjq5mtnRyFE74fu8sKPf1Nmn'
Dave_input = 'rs6MgypVJgpdDuFk5X8mwoywHezN1gh91Y'
Eve_input = 'rDWuswR94qHuFD6GsGWxtujpZkSg3sNZnX'

Alice_output = 'rK2ByNQvPQBEe1r2WHasY53Z7Tj9ZJrjr8'
Bob_output = 'r9euchAFnRqYJDBngmKD4tXhuLEAcHtCRK'
Carol_output = 'rz2TRTy1Y7b4t1ZEaG98s7brwwTXmi97f'
Dave_output = 'rE6sMibroiWdZADCUqPmEemFeaohVJYWuR'
Eve_output = 'rhjY2JshgYCgkhDVK3jSfZhiqQ3ZKsWUU8'
 

Why did rK2ByNQvPQBEe1r2WHasY53Z7Tj9ZJrjr8 receive 10 PSH issued by  r3AJt7VUhK8e9BaBemKydfmHuLPZx2ibZd  and not 10 PSH issued by rPBCgQXeXvcPhUzto8YhGoDYG9n9V6owRR?

 

Quote

Each user wants to send 10 IOU from her input wallet to her (private) output wallet making sure that anybody is able to link together her input and output wallets after the transaction (i.e., unlinkability is preserved). For instance, Alice wants to transfer 10 IOU from A_input to A_output in a manner that nobody is able to successfully associate the fact that  A_input wanted to transfer 10 IOU to A_output. This effectively provides private transactions in Ripple. 

Is it possible to send XRP and not just IOUs? If each user has to create and activate new Ripple account then XRPs that are needed for activation can be tracked and possibly associated with one of the users.

 

Edited by T8493

Share this post


Link to post
Share on other sites
Quote

Why did rK2ByNQvPQBEe1r2WHasY53Z7Tj9ZJrjr8 receive 10 PSH issued by  r3AJt7VUhK8e9BaBemKydfmHuLPZx2ibZd  and not 10 PSH issued by rPBCgQXeXvcPhUzto8YhGoDYG9n9V6owRR?

Could you point me to the corresponding transaction?

Quote

Is ti possible to send XRP and not just IOUs? If each user has to create and activate new Ripple account then XRPs that are needed for activation can be tracked and possibly associated with one of the users.

This is indeed a great observation!. We did observe that too and we designed a mixing protocol to send XRP instead of IOUs. You can find the details in Appendix B of the paper. The core idea is similar, but a few modifications have been necessary to handle the fact that XRP are directly exchanged between wallets that might not have a path between them in the credit network.

Share this post


Link to post
Share on other sites

So to me it seems it boils down to:

  1. Each user sends 10 IOU to a shared account.
  2. The shared account "distributes" the 50 IOUs to the 5 output wallets.
  3. None can link single input and output wallets because IOUs went through the shared account.

But it seems to me that this has some limitation for privacy:

  • What happens if only one user want to send IOUs?
  • What happens if users want to send different amount of IOUs? Let's say Alice sends 35, Bob 10 and Carl 45. At the end you'll see which output wallet will receive the different amount, so an external person can link input-output wallets? Isn't it?

Maybe I'm oversimplifying your solution and I should read the paper :)

Share this post


Link to post
Share on other sites
1 minute ago, tulo said:
  • What happens if only one user want to send IOUs?
  • What happens if users want to send different amount of IOUs? Let's say Alice sends 35, Bob 10 and Carl 45. At the end you'll see which output wallet will receive the different amount, so an external person can link input-output wallets? Isn't it?

You're correct, mixing can't work in these two cases. 

Second case can be somewhat mitigated if you split amounts so that in every mixing round all inputs have the same size.

 

 

Share this post


Link to post
Share on other sites

I think it's "the goal is to transform XRP into the equivalent of an anonymous medium of exchange for irreversible transactions?" 

Even if a service offers this, what's to stop a government from issuing an order to see all client records for that company or service? 

Share this post


Link to post
Share on other sites

×