Cryptography for the Blockchain

Summary: The main themes of this research project are privacy and decentralization, more specifically means of privacy-preserving authentication, such as electronic currencies, and other applications of blockchain and distributed transparency mechanisms.


Background: Bitcoin and other cryptocurrencies propose a new approach to currency which removes the need for a central bank and instead distributes control of the currency across all the parties in the system. Both creation and validation of coins are decentralized using a blockchain, which is a decentralized data structure that keeps a record of all transactions ever performed and to which valid transactions get added. To guarantee security, bitcoin uses proofs of work: any user can contribute computing power, and the amount contributed determines the user’s probability of adding a new block to the chain, for which the user is rewarded with newly created coins.

This allows anyone to check transactions and to extend the blockchain without having first been invited by someone to join the system. At the same time this solves the problem of Sybil attacks, as splitting one’s identity entails also splitting one’s computation power.

Bitcoin is an open system and its security is guaranteed if the majority of computing power is honest. The advantage is that because the system is no longer controlled by a single entity, it can be more reliable, and because it is controlled and managed digitally, it potentially allows for lower fees and faster transactions. This digital model also allows for more flexibility; in particular it allows for smart contracts, which in turn lead to a whole host of applications, as implemented by ethereum [1]. However, this is a very young field, and there is still much work to be done. Here we propose the following directions:


Privacy and accountability: The open nature of bitcoin and ethereum has led to abuses such as ransomware and the attack on the DAO [2].

At the same time, the public nature of the blockchain means that ordinary users do not have a strong expectation of privacy. Existing proposals for addressing the latter, such as ZCash [3], do not distinguish between low-value transactions that should be fully private and high-value or high-frequency transactions for which accountability, anti-corruption measures and governance are paramount. One direction we will consider is to devise accountability mechanisms that punish abuse while at the same time promoting privacy for legitimate uses.


Addressing computational costs: While the blockchain concept as described above has many advantages, the approach of using proof of work has led to an enormous consumption of electricity. As a response to this issue, there have been several alternative suggestions such as proof of stake and proof of space, which all come with their own disadvantages, making proof of work the prevailing technique. We will aim to investigate further ways of basing the security of blockchains on greener technologies. One possible avenue would be studying solutions available in closed systems, which combine blockchains with centrally determined participants. Although blockchains based on proof of stake are somewhat closed, as only owners of the cryptocurrency can extend the blockchain and one can only participate in the system by investing in the currency, other restricted models may provide more options and stronger security.

Another direction is to consider systems in which the work required in a proof of work is applied to useful computation; one could for example envisage a payment system that is combined with an outsourced computation system. Users could pay for computation using the currency whose security is maintained by that computation, and the system could potentially be implemented in a decentralized manner by using smart contracts.


Allowing offline transactions: A drawback of all cryptocurrencies is that transactions have to be broadcast and validated by the network before they are confirmed. Our aim is to add to cryptocurrencies the feature of letting users do (low-value) transactions offline, a feature provided by transferable e-cash. E-cash was invented in the 1980s and allows users to anonymously spend electronic coins after withdrawing them from a bank. A shortcoming of traditional e-cash is that after a coin is spent, it must be returned to the bank by the receiver.

Transferable e-cash mimics physical cash more faithfully by enabling transfers of coins between users, without involving the bank or any communication beyond the sender and receiver of the coins. In prior work, we presented such a scheme [4], which achieves the strongest guarantees in terms of security and in particular user anonymity.

Unfortunately, existing implementations of transferable e-cash are still purely theoretical in terms of efficiency; thus, our challenge here is to devise more practical schemes. We believe that although (centralized) e-cash has never been deployed on a large scale, the success of bitcoin shows the demand for means of electronic payments that offer some form of privacy. With the decline of physical cash, this demand will only increase and e-cash could become an alternative to decentralized (and less regulated) cryptocurrencies.

A further research direction we envisage is the design of hybrid constructions which are situated between traditional (transferable) e-cash and (blockchain-based) cryptocurrencies and can combine the advantages of both. One potential combination would result in a decentralized scheme which allows offline transfers; in this case immediately detecting double-spending would be impossible, but smart contracts could force users to first freeze some amount as collateral and thus deter double-spending.


Transparency applications: Another natural application of decentralization via blockchains is to transparency systems. These are systems that are only partially decentralized, in that an append-only log may be stored by only one (or a few) parties, while verification of that log is distributed among everyone in the system. An advantage of this restricted approach is that it avoids the expensive proofs of work; a disadvantage is that it still relies on a few parties for liveness and reliability. Several recent examples include certificate transparency, which was proposed to decentralize the verification of web certificates, and CONIKS [5], which considers decentralized verification of a public-key infrastructure system. These techniques seem applicable to a wide variety of areas.

One promising direction would be to consider using them to allow users to monitor uses of their credentials, and potentially detect when their credentials have been compromised. This would involve additional privacy constraints, and so would likely need to combine transparency ideas with techniques from more traditional privacy-preserving schemes.
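The following sketch is an added example, not code from the project: a single operator stores an append-only log of credential uses, and a user acting as monitor checks that each published head extends the last one verified while flagging uses of their credential that they did not make. The hash chain (a simple stand-in for the Merkle trees used by certificate transparency), the `credential|host|time` entry format and all names are assumptions, and the privacy layer the text calls for is not modelled.

```python
import hashlib

GENESIS = b"\x00" * 32  # constructed starting head shared by everyone

def extend(head, entry):
    """New head commits to the previous head and to the appended entry."""
    return hashlib.sha256(head + hashlib.sha256(entry.encode()).digest()).digest()

class Log:
    """Hypothetical log operator: stores all entries, publishes (size, head)."""
    def __init__(self, entries=()):
        self.entries, self.head = [], GENESIS
        for e in entries:
            self.append(e)
    def append(self, entry):
        self.entries.append(entry)
        self.head = extend(self.head, entry)
    def checkpoint(self):
        return len(self.entries), self.head

class Monitor:
    """A user who audits the log and watches for uses of one credential."""
    def __init__(self, credential, own_uses):
        self.credential, self.own_uses = credential, set(own_uses)
        self.size, self.head = 0, GENESIS
    def update(self, checkpoint, new_entries):
        size, head = checkpoint
        h = self.head
        for e in new_entries:  # replay only what was appended since last check
            h = extend(h, e)
        if size != self.size + len(new_entries) or h != head:
            raise ValueError("head does not extend the last verified head")
        self.size, self.head = size, head
        # Uses of our credential that we did not perform ourselves.
        return [e for e in new_entries
                if e.split("|")[0] == self.credential and e not in self.own_uses]

def demo():
    # All entries below are constructed sample data.
    log = Log(["alice-key|laptop|t1", "bob-key|phone|t2"])
    alice = Monitor("alice-key", own_uses={"alice-key|laptop|t1"})
    first = alice.update(log.checkpoint(), log.entries[alice.size:])
    log.append("alice-key|unknown-host|t3")
    second = alice.update(log.checkpoint(), log.entries[alice.size:])
    # The operator now presents a history with the third entry rewritten.
    forked = Log(log.entries[:2] + ["carol-key|tablet|t3", "bob-key|phone|t4"])
    try:
        alice.update(forked.checkpoint(), forked.entries[alice.size:])
        detected = False
    except ValueError:
        detected = True
    return first, second, detected
```

A monitor that only ever sees the forked history from the start would not notice the rewrite on its own, which is why such systems also have participants compare the heads they have seen.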


Formal analysis: In order to analyze cryptographic schemes and give rigorous security guarantees, formal models are required (such as the one for transferable e-cash in [4]). Many of the recent concepts emerging around bitcoin and blockchains still lack such models and we will pursue the formalization of such concepts. Another area where formal analysis is desirable is the analysis of smart contracts; for instance, we would like to identify which properties one would have to prove about a contract in order to avoid disasters such as the DAO attack. This would allow for more rigorous analysis of smart-contract-based systems before they are deployed.


Conclusion: Improvements in the privacy and accountability and the computational costs of decentralized blockchains would make them more attractive for a wider range of applications. These features, together with their formal analysis, are what is needed to turn blockchain technology from an exciting and risky innovation into a reliable mainstream infrastructure.





[4] Baldimtsi, Chase, Fuchsbauer, Kohlweiss: Anonymous transferable e-cash (PKC’15)


  • Melissa Chase
    I am a researcher in the Cryptography group at Microsoft Research Redmond. My research focuses on defining and constructing ...
  • Georg Fuchsbauer
    I am an Inria research scientist (chargé de recherche) in the Crypto team at École Normale Supérieure, Paris. I am the PI of the ANR ...