Private Electronic Payments with Self-Custody and Zero-Knowledge Verified Reissuance

TL;DR

This paper extends a privacy-preserving digital payment protocol with zero-knowledge proofs to enable secure reissuance and verification of assets without revealing sensitive transaction details.

Contribution

It introduces a protocol that combines audit logs and zero-knowledge proofs to verify asset reissuance compliance while maintaining payer anonymity.

Findings

Enhanced privacy by not requiring payers to retain secrets across transactions.

Achieved verification of asset creation rules without exposing transaction details.

Ensured only the issuer can create new assets, preventing unauthorized issuance.

Abstract

This article builds upon the protocol for digital transfers described by Goodell, Toliver, and Nakib, which combines privacy by design for consumers with strong compliance enforcement for recipients of payments and self-validating assets that carry their own verifiable provenance information. We extend the protocol to allow for the verification that reissued assets were created in accordance with rules prohibiting the creation of new assets by anyone but the issuer, without exposing information about the circumstances in which the assets were created that could be used to identify the payer. The modified protocol combines an audit log with zero-knowledge proofs, so that a consumer spending an asset can demonstrate that there exists a valid entry on the audit log that is associated with the asset, without specifying which entry it is. This property is important as a means to allow money to be reissued within the system without the involvement of system operators within the zone of control of the original issuer. Additionally, we identify a key property of privacy-respecting electronic payments, wherein the payer is not required to retain secrets arising from one transaction until the following transaction, and argue that this property is essential to framing security requirements for storage of digital assets and the risk of blackmail or coercion as a way to exfiltrate information about payment history. We claim that the design of our protocol strongly protects the anonymity of payers with respect to their payment transactions, while preventing the creation of assets by any party other than the original issuer without destroying assets of equal value.