1 Introduction

There are two main techniques for handling small-value transactions. \(Payment \ channel\) [1] is emerging in the bitcoin community [15, 16]; it needs two transactions to be confirmed in the blockchain network: the channel-creating transaction and the channel-closing transaction. \(Probabilistic \ payment\) [5, 20] lets the payee receive a macro-value with a given probability, so that each transaction carries a micro-value in expectation.

Decentralized Micropayments. In a decentralized system, all participants reach agreement via a consensus mechanism, i.e., proof-of-work. Realizing micropayments in a decentralized system brings the new challenge of balancing efficiency and security.

Double Spending. A micropayments scheme, which requires the payee to respond to the payer in a short time with only local confirmation, is prone to a double-spending attack in which the payer reuses a valid voucher (cert) with different unsynchronized payees repeatedly before being detected.

User Privacy. User privacy is not only concealment of identity, such as the pseudonyms in the bitcoin system. In this work, we also consider protecting the user's transaction messages among the unsynchronized points of sale.

We here ask the following question:

Is it possible to strengthen a micropayments scheme for a decentralized blockchain-based payment system so that it remains secure even when the adversary reuses a voucher repeatedly before being detected, and to enhance user privacy among the unsynchronized points of sale?

1.1 Our Contributions

We give an affirmative answer to the above question. Most existing micropayments schemes [5, 14, 16, 20] focus on the general setting, where the payee is a single entity. In the real world, it is common that a merchant consists of several geographically distributed and unsynchronized points of sale. We mainly focus on the security of a micropayments scheme in this complex setting.

General Setting. In the first step, we assume that payee B is a single entity that accepts small payments, as shown in \(micropayment \ 1\) (Fig. 1).

Complex Setting. Based on step one, we go further to explore a complex setting [19], as shown in \(micropayment \ 2\) (Fig. 2), where B consists of several geographically distributed and unsynchronized points of sale. We then propose our construction \(micropayment \ 3\) (Fig. 3), which solves the security problems of \(micropayment \ 2\).

Robustness Requirements for Achieving Micropayments:

1. Basic requirements in the general setting:

   (1) Instant Confirmation. A micropayment requires a quick response, i.e., the payer receives the service as soon as he sends valid messages (the voucher).

   (2) Small Transaction Fees. A payer is unwilling to use a payments system that charges high transaction fees for small transactions, since the fees may exceed the value of the transaction.

2. Additional requirements in the complex setting:

   (1) Preventing Double-Spending. Security in the presence of voucher (cert) reuse, i.e., a payer who spends a cert at different points of sale runs the risk of being detected and losing coins.

   (2) Protecting User Privacy. Security when the voucher provided by the last transaction is used in the current transaction, i.e., the payer spends a voucher cert signed by the last payee at the current payee without disclosing the identity of the last payee.

Expiry Time. To solve the above problems, we propose the notion of \(expiry \ time\): each voucher is valid only during a given time.

Upper Bound of Penalty. We give a proper value of the penalty: one that puts a malicious payer at a disadvantage for his dishonesty yet is reasonable for an honest payer. Moreover, we derive the upper bound of the penalty as \(p \le (\hat{T}/\tilde{T}) \cdot u_2\) (more details are in Sect. 3.3).

For user privacy, we utilize a \(ring \ signature\) during the process of \(paying \ through \ channel\) to break the linkage between signer and signature.

1.2 Related Work

Many off-line micropayments schemes have been proposed [8, 14, 18] with a trusted third party that signs vouchers for the payer and punishes cheaters. The bitcoin system is a peer-to-peer, fully decentralized payment system introduced in [13]. Unlike a traditional e-cash system [2, 4], where a central bank handles transactions and detects cheaters, a decentralized system utilizes a distributed public ledger, the blockchain, to record all transactions.

Probabilistic payment was proposed in [12, 17]; it allows the payer to execute a series of small transactions. Rivest [17] and Micali [12] proposed \(lottery{-}based \ payment\) to overcome the relatively high fees of small transactions; [12, 20] are implementations of this idea. [5] presents a decentralized micropayment scheme following the probabilistic payment approach.

Creating a payment channel was introduced in [1, 9]. [21] discusses two major questions about why micropayments are needed; further studies are [6, 16]. Constructing an anonymity set [11] enhances privacy in certain situations. [10] uses TumbleBit, a new unidirectional unlinkable payment hub, to allow the payer to execute payments via an untrusted intermediary. These schemes are secure if the size of the set is big enough and the majority of participants are alive. [19] proposed a micropayment scheme in the complex setting, but this scheme has two obvious problems: double-spending and user privacy leakage. More details are in Sect. 3.2.

1.3 Outline of the Paper

The rest of the paper is organized as follows. In Sect. 2, we give the preliminaries for our construction. In Sect. 3, we show our detailed construction. In Sect. 4, security proofs are presented. The conclusion is in Sect. 5.

2 Preliminaries

In this section, we give the main techniques behind our construction, and the definitions of the security properties are presented in game-based fashion.

2.1 Techniques

Definition 1

(Ring Signature). A ring signature scheme is a triple of p.p.t. algorithms \(\mathcal {RS}=(Gen,Sign, Vrfy)\) [3]. Formally:

  • \(Gen(1^\lambda )\). Takes as input the security parameter \(\lambda \), outputs a public key pk and a secret key sk.

  • \(Sign_{sk}(R,M)\). Outputs a signature \(\sigma \) on message M with respect to ring \(R=(pk_1,...,pk_n)\).

  • \(Vrfy_R(M,\sigma )\). Takes as input a ring R, a message M, and a signature \(\sigma \) for M, and returns a single bit \(b=1/0\).

Definition 2

(Accountable Assertion). We recall the definition in [19], which consists of four algorithms \(\Pi = (Gen, Assert, Verify, Extract)\):

  • \((pk, sk, auxsk)\leftarrow Gen(1^\lambda )\): Outputs a key pair consisting of a public key pk and a secret key sk, and auxiliary secret information auxsk.

  • \(\tau /\perp \leftarrow Assert(sk, auxsk, ct, st)\): Takes as input a secret key sk, auxiliary secret information auxsk, a context ct, and a statement st and returns either an assertion \(\tau \) or \(\perp \) to indicate failure.

  • \(b \leftarrow Verify(pk, ct, st, \tau )\): Outputs 1 if \(\tau \) is a valid assertion of a statement st in the context ct under the public key pk.

  • \(sk/\perp \leftarrow Extract(pk, ct, st_0, st_1, \tau _0, \tau _1)\): Takes as input a public key pk, a context ct, two statements \(st_0, st_1\), two assertions \(\tau _0, \tau _1\) and returns either the secret key sk or \(\perp \) to indicate failure.
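To make Definitions 1 and 2 concrete, the following Python example (added here; it is neither the paper's code nor the constructions of [3] or [19]) instantiates both interfaces over secp256k1: a Schnorr/AOS-style ring signature \((Gen, Sign, Vrfy)\), and a toy accountable assertion \((Gen, Assert, Verify, Extract)\) in which the nonce is derived from \((auxsk, ct)\), so that two assertions on different statements in the same context share a nonce and \(Extract\) recovers sk. That is exactly the extractability that the double-spending detection proof in Sect. 4 relies on. The function names, the hash-to-scalar encoding and the curve arithmetic are my own choices; the curve constants are the standard secp256k1 values.

```python
import hashlib
import secrets

# secp256k1 parameters (standard constants). Affine arithmetic for illustration only.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def _mul(k, pt):
    acc, k = None, k % N          # double-and-add scalar multiplication
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def _h(*parts):
    """Hash byte strings to a scalar modulo the group order."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % N

def _rand():
    return secrets.randbelow(N - 1) + 1

# ---- Definition 1: ring signature (Schnorr/AOS-style ring; hypothetical instantiation) ----
def rs_gen():
    sk = _rand()
    return _mul(sk, G), sk

def rs_sign(sk, j, ring, msg):
    """Member j of ring (a list of public keys) signs msg; j is not recoverable from the output."""
    n = len(ring)
    tag = b"".join(_enc(pk) for pk in ring) + b"|" + msg
    s, c, alpha = [0] * n, [0] * n, _rand()
    c[(j + 1) % n] = _h(tag, _enc(_mul(alpha, G)))
    i = (j + 1) % n
    while i != j:  # walk the ring, using a random s_i for every non-signer
        s[i] = _rand()
        c[(i + 1) % n] = _h(tag, _enc(_add(_mul(s[i], G), _mul(c[i], ring[i]))))
        i = (i + 1) % n
    s[j] = (alpha - c[j] * sk) % N  # close the ring with the signer's secret key
    return c[0], s

def rs_verify(ring, msg, sig):
    c0, s = sig
    tag = b"".join(_enc(pk) for pk in ring) + b"|" + msg
    c = c0
    for i, pk in enumerate(ring):
        c = _h(tag, _enc(_add(_mul(s[i], G), _mul(c, pk))))
    return c == c0

# ---- Definition 2: accountable assertion (toy instantiation, NOT the construction of [19]) ----
# Assert is a Schnorr signature whose nonce is derived from (auxsk, ct): asserting two
# different statements in the same context reuses the nonce, so Extract recovers sk.
def aa_gen():
    sk = _rand()
    return _mul(sk, G), sk, secrets.token_bytes(32)

def aa_assert(sk, auxsk, ct, st):
    r = _h(auxsk, ct)
    if r == 0:
        return None  # bottom: degenerate nonce (negligible probability)
    R = _mul(r, G)
    return R, (r + _h(_enc(R), ct, st) * sk) % N

def aa_verify(pk, ct, st, tau):
    R, s = tau
    return _mul(s, G) == _add(R, _mul(_h(_enc(R), ct, st), pk))

def aa_extract(pk, ct, st0, st1, tau0, tau1):
    """Returns sk when tau0, tau1 are valid assertions of distinct statements in context ct."""
    if st0 == st1 or tau0[0] != tau1[0]:
        return None
    if not (aa_verify(pk, ct, st0, tau0) and aa_verify(pk, ct, st1, tau1)):
        return None
    e0, e1 = _h(_enc(tau0[0]), ct, st0), _h(_enc(tau1[0]), ct, st1)
    if e0 == e1:
        return None
    sk = (tau0[1] - tau1[1]) * pow((e0 - e1) % N, -1, N) % N
    return sk if _mul(sk, G) == pk else None
```

In the paper's use, the context ct would be the escrow transaction and the statement st the payment state, so spending one cert at two points of sale produces two assertions that \(Extract\) turns into the payer's key, while the ring signature lets \(B_i\) verify a cert against the whole ring without learning which \(B_j\) signed it.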

2.2 Security Properties

According to our goals, the micropayments scheme should satisfy three security properties: \(unforgeability\), \(unlinkability\) and double-spending detection. We define these security properties via the following three experiments Exp\(_{\varPi ^m,\mathcal {A}}^{uf}(\lambda )\), Exp\(_{\varPi ^m,\mathcal {A}}^{ul}(\lambda )\) and Exp\(_{\varPi ^m,\mathcal {A}}^{ds}(\lambda )\).

Definition 3

(Unforgeability, Unlinkability, Double-Spending Detection). Given a micropayments scheme \(\varPi ^m\) in a blockchain-based system, a p.p.t. adversary \(\mathcal {A}\) and a security parameter \(\lambda \), consider the following experiments:

[Figures a–c: definitions of the experiments Exp\(_{\varPi ^m,\mathcal {A}}^{uf}(\lambda )\), Exp\(_{\varPi ^m,\mathcal {A}}^{ul}(\lambda )\) and Exp\(_{\varPi ^m,\mathcal {A}}^{ds}(\lambda )\); images not included.]

We define the advantage of \(\mathcal {A}\) in the above experiments as:

[Figure d: the advantage of \(\mathcal {A}\) in the three experiments; image not included.]

3 Micropayments System

In this section, we propose a scheme for achieving micropayments in a decentralized blockchain-based system, in three steps.

3.1 Micropay 1

Before describing \(micropay \ 1\), we assume that A has a bitcoin address \(pk_1\) with value v and an unforgeable digital signature scheme with algorithms (Gen, Sign, Vrfy). We show this scheme in Fig. 1.

Security Analysis. In \(micropay \ 1\), A succeeds in micropaying to B, with one security problem: B obtains full knowledge of \(A's\) purchase messages, which breaks \(A's\) privacy.

3.2 Micropay 2

Now we show a scheme in which B is a distributed entity, recalling the construction in [19]. We give a simple description in Fig. 2.

Security Analysis. In \(micropay \ 2\), A succeeds in micropaying to a distributed B, but with the following security problems:

(1) During Stage 1, the size of p is not specified, so A can easily spend more than \(d+p\). For example, A reuses a cert signed by B many times and spends \(\{\{b_i\}^n_1|b_i<d\}\) at \(\{B_i\}^n_1\) within time \(T'\). Consequently \(\sum _{1}^{n}b_i>d+p\), which makes the penalty useless.

(2) During Stage 2, A sends a cert signed by \(B_j\) to \(B_i\). \(B_i\) verifies the cert by checking \(Vrfy(pk_{B_j}, cert^*) = 1\), and thereby learns that A has bought service from \(B_j\), which breaks \(A's\) privacy.

Fig. 1. A micropays to a single B

3.3 Micropay 3

To overcome the problems in \(micropay \ 2\), we present \(micropay \ 3\). In this scheme, we employ \(expiry \ time\) to control the number of times a cert can be reused, and we use a \(ring \ signature\) scheme to hide \(A's\) former purchase messages from the current payee.

Notations. d and p denote the amount of the deposit and of the penalty, respectively. T is the time for which the escrow transaction is locked and \(T'\) is the expiry time of a voucher cert. The price of the service provided by \(B_i\) is \(v_i\), and we let \(u_1=\min\{v_1,...,v_n\}\), \(u_2=\max\{v_1,...,v_n\}\). The average time of each transaction is denoted by \(\tilde{T}\), is the time slot in which B collects all transactions recorded by each point \(B_i\), and \(\hat{T}\) is the working time of each point \(B_i\) within time . Let to ensure that B can close the payment channel before A revokes the escrow transaction, and \(T_{conf}\) is a safety margin guaranteeing that transactions broadcast by B are confirmed on the blockchain. The number of transactions that A can have satisfies \(\lfloor \frac{d}{u_2}\rfloor \le k \le \lfloor \frac{d}{u_1} \rfloor \), and \(g(d,u_2)\) is a function specifying the remaining number of transactions that A can have. The function \(f(d,u_2)\) denotes the total number of transactions that A can double-spend in the worst case.

Assumptions. (1) \(k=\lfloor \frac{d}{u_2}\rfloor >1\). (2) A can have only one transaction at a time.

Upper Bound of Penalty: Preventing Double-Spending

Case 1

(1) A broadcasts an escrow transaction with value \(d+p\).

(2) B computes and signs a cert with expiry time \(T'=\)k for A.

(3) A sends \(cert^*=(state^*, \sigma ^*)\) to \(B_i\) and gets an updated \(cert'\) signed by \(B_i\) with expiry time \(T'=\)\(\,*\,(k^*-1)\).

We let \(g(d,u_2)\leftarrow g(d,u_2)-1\). In the worst case, the number of times a cert signed by \(B_i\) can be double-spent is \((k^*-1-1)\), so \(f(d,u_2)=\frac{d(d\,-\,u_2)}{2u_2^2}\), and we set \(p=f(d,u_2)\cdot u_2\) if \(f(d,u_2)*\)\(\le \hat{T}\), or \(p=(\hat{T}/\tilde{T})\cdot u_2\) otherwise.

Case 2

(1) A broadcasts an escrow transaction with value \(d+p\).

(2) B computes and signs \(cert_0\) with expiry time \(T'=\)\(\lceil P_0k_0 \rceil \) \((0<P_0 \le 1, k_0=k)\) for A.

(3) A sends \(cert_{i-1}=(state_{i-1}, \sigma _{i-1})\) to \(B_i\) and gets \(cert_{i}\) signed by \(B_i\) with expiry time \(T'=\)\(\lceil P_ik_{i} \rceil \) \((k_{i}=k_{i-1}-1, 0<P_i \le 1)\).

In Case 2, we let \(g_{i}(d,u_2)\leftarrow \lceil P_i(k_{i-1}-1)\rceil \). So \(f(d,u_2)=\sum _{i=0}^{n}(P_ik_i-1)\), and we set \(p=f(d,u_2)\cdot u_2\) if \(f(d,u_2)\,*\,\)\(\le \hat{T}\), or \(p=(\hat{T}/\tilde{T})\cdot u_2\) otherwise. In this case, the double-spending attack can be prevented drastically when \(P_i=\frac{1}{k_i}\), i.e., when the expiry time of each cert is \(\tilde{T}\). But \(\tilde{T}\) is short in a micropayments scheme, so A would be required to keep transacting lest the voucher expire. \(B_i\) can therefore select a suitable \(P_i\) \((P_i>\frac{1}{k_i})\) according to demand.
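The two cases above fix the penalty p from the worst-case number of double-spends \(f(d,u_2)\) and cap it at \((\hat{T}/\tilde{T})\cdot u_2\). The Python example below (added here; it is not from the paper) computes \(f\) for both cases and the resulting penalty. It assumes that expiry times and the condition \(f(d,u_2)\cdot\tilde{T}\le \hat{T}\) are measured in units of the average transaction time \(\tilde{T}\), which is my reading of the text above, and the sample values for d, \(u_1\), \(u_2\), \(\hat{T}\) and \(\tilde{T}\) are constructed. It also checks that Case 2 with \(P_i=1\) reproduces the Case 1 closed form and that \(P_i=1/k_i\) leaves no room for double-spending.

```python
import math
from fractions import Fraction

def transaction_bounds(d, u1, u2):
    """Range of the number k of transactions that deposit d allows: floor(d/u2) <= k <= floor(d/u1)."""
    return d // u2, d // u1

def f_case1(d, u2):
    """Case 1 worst case: f(d,u2) = d(d-u2)/(2 u2^2), the paper's closed form."""
    return Fraction(d * (d - u2), 2 * u2 * u2)

def f_case2(k, p_of):
    """Case 2 worst case: f = sum_i (P_i k_i - 1) with k_0 = k, k_i = k_{i-1} - 1 and P_i = p_of(k_i)."""
    total, k_i = Fraction(0), k
    while k_i >= 1:
        p_i = Fraction(p_of(k_i))
        if not 0 < p_i <= 1:
            raise ValueError("P_i must lie in (0, 1]")
        total += p_i * k_i - 1
        k_i -= 1
    return total

def expiry_case2(k, p_of):
    """Expiry time of each successive cert, in units of T_tilde (assumed): ceil(P_i k_i)."""
    return [math.ceil(Fraction(p_of(k_i)) * k_i) for k_i in range(k, 0, -1)]

def p_inverse(k_i):
    """The choice P_i = 1/k_i, under which every cert expires after one transaction time."""
    return Fraction(1, k_i)

def penalty(f, u2, t_hat, t_tilde):
    """p = f*u2 while the worst-case attack fits into the working time T_hat (assumed to be
    measured in the same unit as T_tilde); otherwise the cap (T_hat/T_tilde)*u2.
    Either way p <= (T_hat/T_tilde)*u2, the upper bound stated in Sect. 1.1."""
    cap = Fraction(t_hat, t_tilde) * u2
    return f * u2 if f * t_tilde <= t_hat else cap

if __name__ == "__main__":
    # constructed sample values: deposit 50, prices between 5 and 10, T_hat = 300, T_tilde = 30
    d, u1, u2 = 50, 5, 10
    k = transaction_bounds(d, u1, u2)[0]  # k = 5 > 1, as Assumption (1) requires
    print("k in", transaction_bounds(d, u1, u2))
    print("Case 1: f =", f_case1(d, u2), " p =", penalty(f_case1(d, u2), u2, 300, 30))
    print("Case 2, P_i = 1:   f =", f_case2(k, lambda _: 1), expiry_case2(k, lambda _: 1))
    print("Case 2, P_i = 1/k: f =", f_case2(k, p_inverse), expiry_case2(k, p_inverse))
    print("capped penalty when T_hat = 150:", penalty(f_case1(d, u2), u2, 150, 30))
```

With d = 50 and \(u_2\) = 10 both cases give f = 10 for \(P_i=1\), so the penalty is 100 when \(\hat{T}/\tilde{T}\) = 10 and is capped at 50 when \(\hat{T}/\tilde{T}\) = 5; choosing \(P_i = 1/k_i\) drives f to 0 at the cost of a one-transaction expiry.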

Ring Signature: Protecting User Privacy

The main idea of applying the ring signature scheme [3] in our scheme is as follows. A payee in ring R generates a ring signature \(\sigma \) on the state, which consists of n ciphertexts and a proof \(\pi \). The proof \(\pi \) is produced by a ZAP (see [7] for the definition) to prove that one of the ciphertexts is an encryption of a signature on the state under one of the ring members' keys, corresponding to \(\sigma \). Finally, the payee sends the cert to the payer without actually exposing the signature. The formal construction is given in Appendix A.

Full Protocol \(\varPi ^m\). Based on the above analysis, we give our construction with higher security in Fig. 3.

Fig. 2. A micropays to a distributed B

Fig. 3. A micropays to a distributed B with high security

4 Security Proofs

Theorem 1

If the ring signature scheme \(\mathcal {RS}=(Gen,Sign,Vrfy)\) is unforgeable and anonymous, and the accountable assertion is efficiently extractable, then for any p.p.t. adversary \(\mathcal {A}\) and security parameter \(\lambda \), the micropayments scheme \(\varPi ^m\) is secure as defined in Sect. 3.3.

Proof

(Unforgeability). Suppose that \(\varPi ^m\) does not achieve unforgeability; then there is a p.p.t. adversary \(\mathcal {A}\) that succeeds in experiment \(Exp_{\varPi ^m,\mathcal {A}}^{uf}(\lambda )\) with non-negligible probability. So there exists a polynomial \(p(\cdot )\) such that for security parameter \(\lambda \) it holds that \(Pr[Exp_{\varPi ^m,\mathcal {A}}^{uf}(\lambda )=1]\ge 1-\frac{1}{p(\lambda )}\). Using \(\mathcal {A}\) as a subroutine, we construct a p.p.t. adversary \(\mathcal {A'}\) with input \((R, state)\): (1) invoke \(\mathcal {A}\) with \((R, state)\); \(\mathcal {A}\) outputs \(cert=(state,\sigma )\); (2) if \(\mathcal {RS}.Vrfy_R(cert)=1\), then halt and output cert, otherwise output a uniformly selected number \(r \in _R \left\{ 0,1 \right\} ^{\lambda }\).

When \(\mathcal {A}\) outputs a valid forgery cert, \(\mathcal {A'}\) outputs the same forgery. Note that \(\mathcal {A'}\) outputs a valid signature whenever \(\mathcal {A}\) does, since \(cert=(state, \sigma )=(state, \mathcal {RS}.Sign_{sk}(R,state))\) implies \(\mathcal {RS}.Vrfy_R(state, \sigma )=1\).

So \(\mathcal {A}'\) can forge a valid signature with respect to the \(ring \ signature \ scheme\) (in Appendix A) with non-negligible probability, which contradicts the unforgeability property of the ring signature scheme. This completes the proof.

Proof

(Unlinkability). Suppose that \(\varPi ^m\) does not achieve unlinkability; then there is a p.p.t. adversary \(\mathcal {A}\) that succeeds in experiment \(Exp_{\varPi ^m,\mathcal {A}}^{ul}(\lambda )\) with non-negligible probability. So there exists a polynomial \(p(\cdot )\) such that for security parameter \(\lambda \) it holds that \(Pr[Exp_{\varPi ^m,\mathcal {A}}^{ul}(\lambda )=1]\ge \frac{1}{n}+\frac{1}{p(\lambda )} \). Using \(\mathcal {A}\) as a subroutine, we construct a p.p.t. adversary \(\mathcal {A'}\): (1) \(\mathcal {A'}\) selects two public keys \(pk_0,pk_1\) and a valid state; (2) \(\mathcal {A'}\) is given \(cert_b\), \(b \in \left\{ 0,1 \right\} \), and invokes \(\mathcal {A}\) with \((cert_b,R)\); (3) \(\mathcal {A}\) outputs \((cert_b, R, b')\), and \(\mathcal {A'}\) halts with output \(b'\).

Note that \(\mathcal {A'}\) outputs \(b'\) whenever \(\mathcal {A}\) does. By assumption we have that \(Pr[\mathcal {A'}(cert_b, state, pk_0,pk_1)=b':b=b']\ge \frac{1}{2}+\frac{1}{p(\lambda )}\). So \(\mathcal {A'}\) can distinguish signatures produced by different members of a ring with non-negligible probability, which contradicts the anonymity property of the ring signature scheme (in Appendix A). This completes the proof.

Proof

(Double-Spending Detection). By the extractability of the accountable assertion, for any p.p.t. adversary \(\mathcal {A}\) there exists a negligible function \(negl(\cdot )\) such that for security parameter \(\lambda \) it holds that:

\(Pr[Extract(pk,ct,st_0,st_1,\tau _0,\tau _1)\ne sk \wedge \forall b \in \left\{ 0,1 \right\} ,Verify(pk,ct,st_b,\tau _b) =1 \wedge st_0 \ne st_1:\tau _b \leftarrow Assert(sk, auxsk, ct, st_b)]<negl(\lambda ).\)

Suppose there is a p.p.t. adversary \(\mathcal {A'}\) which spends a cert twice, in the form \((tx_0,\tau _0,cert)\) and \((tx_1,\tau _1,cert)\), without being detected. It follows that \(\mathcal {A'}\) succeeds in experiment \(Exp_{\varPi ^m,\mathcal {A'}}^{ds}(\lambda )\) with non-negligible probability. So for some polynomial \(p(\cdot )\) and security parameter \(\lambda \) we have \(Pr[Exp_{\varPi ^m,\mathcal {A'}}^{ds}(\lambda )=1]\ge 1-\frac{1}{p(\lambda )}\). That implies: \(Pr[sk_{\mathcal {A'}} \leftarrow Extract(pk_{\mathcal {A'}},Q)\!\!:(pk_{\mathcal {A'}},sk_{\mathcal {A'}})\notin \Pi .Gen(1^{\lambda })|(tx_0,\tau _0,cert) \in Q \wedge (tx_1,\tau _1,cert)\in Q]\ge 1-negl(\lambda )\).

This contradicts the extraction property of the accountable assertion. This completes the proof.

5 Conclusion

In this paper, we analysed previous works, extracted the robustness requirements for achieving micropayments in a decentralized blockchain-based system and explored efficient solutions to meet these requirements.