papers
As innovation in electronic payments accelerates, privacy considerations are becoming ever more important. While the generation and use of data is an intrinsic part of electronic payments and can benefit consumers and businesses, it may also present privacy concerns, particularly if there are not sufficient safeguards.
To study how emerging technology might safeguard consumers’ private information when making payments with a central bank digital currency, we conducted research with staff from the Bank of England over the past year. Our findings, published today, identify options for “Enhancing the Privacy of a Digital Pound.”
James Lovejoy, of the Federal Reserve Bank of Boston, presented "Hamilton: A High-Performance Transaction Processor for Central Bank Digital Currencies" at NSDI '23. This paper was co-authored by Madars Virza, Cory Fields, and Neha Narula of the DCI and James Lovejoy, Kevin Karwaski, and Anders Brownworth of the FRBB, and it proposes the Hamilton transaction processor, one of the primary results of this collaboration.
The featured image on this post is by Thomas Hawk, and used under a Creative Commons license.
The Massachusetts Institute of Technology (MIT) Digital Currency Initiative (DCI) and associated organizations marshaled a sizable team of researchers in four low- and middle-income countries — India, Indonesia, Nigeria and Mexico — to study inclusion issues related to retail central bank digital currency (CBDC) design. They released the results of their 15-month research project on Jan. 13.
In spite of a growing body of work related to CBDCs, “few if any proponents have offered practical insight into how CBDC will promote greater access to financial services,” the DCI, along with the MIT Media Lab and Maiden Labs, claimed.
The DCI’s Nicolas Xuan-Yi Zhang coauthored a paper at IMF on multi-currency exchange.
Cross-border payments can be slow, expensive, and risky. They are intermediated by counterparties in different jurisdictions which rely on costly trusted relationships to offset the lack of a common settlement asset as well as common rules and governance. In this paper, we present a vision for a multilateral platform that could improve cross-border payments, as well as related foreign exchange transactions, risk sharing, and more generally, financial contracting. The approach is to leverage technological innovations for public policy objectives. A common ledger, smart contracts, and encryption offer significant gains to market efficiency, completeness, and access, as well as to transparency, transaction and compliance costs, and safety. This paper is a first step aiming to stimulate further work in this space.
Read the technical paper, A High Performance Payment Processing System Designed for Central Bank Digital Currencies, and executive summary here.
The goal of Utreexo is to make running a full node easier, faster, and smaller, and while that’s more of an asymptote than a point on any curve, we’re getting there. Today we’ve released Utreexo demonstration 0.2, which pairs the Utreexo accumulator with a modified version of btcd (temporarily called utcd). Most of the utcd work was done by Calvin Kim, as Niklas Gögge and I have been working on improving the accumulator and how it interacts with the bitcoin data structures. Calvin has written a post about the work as well.
This new release works more like a normal bitcoin node: it starts up, finds peers, and verifies the blockchain. There are still things it doesn’t have, like a mempool, or a way to deal with reorgs. (It currently deals with reorgs by crashing.)
Re: Comments to the Financial Crimes Enforcement Network on Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets
FinCEN Docket No. FINCEN-2020-0020, RIN 1506-AB47
January 4, 2021
DCI Director, Neha Narula and Patrick Murck (@virtuallylaw) submitted this comment on FinCEN's latest proposed rule. They explain this might limit policy choices for a future digital dollar, reduce market competition, and most importantly, that's not how addresses actually work.
“Despite the focus on operating in adversarial environments, cryptocurrencies have suffered a litany of security and privacy problems. Sometimes, these issues are resolved without much fanfare following a disclosure by the individual who found the hole. In other cases, they result in costly losses due to theft, exploits, unauthorized coin creation, and destruction. These experiences provide regular fodder for outrageous news headlines. In this article, we focus on the disclosure process itself, which presents unique challenges compared to other software projects. To illustrate, we examine some recent disclosures and discuss difficulties that have arisen…”
The Bank of England released a Central Bank Digital Currency (CBDC) Discussion Paper on March 12th, 2020. The DCI curated a response, led by Rob Ali, which explored topics in the paper (June 12th, 2020).
Abstract:
Large scale cryptocurrencies require the participation of millions of participants and support economic activity of billions of dollars, which has led to new lines of work in binary Byzantine Agreement (BBA) and consensus. The new work aims to achieve communication-efficiency---given such a large n, not everyone can speak during the protocol. Several protocols have achieved consensus with communication-efficiency, even under an adaptive adversary, but they require additional strong assumptions---proof-of-work, memory-erasure, etc. All of these protocols use multicast: every honest replica multicasts messages to all other replicas. Under this model, we provide a new communication-efficient consensus protocol using Verifiable Delay Functions (VDFs) that is secure against adaptive adversaries and does not require the same strong assumptions present in other protocols.
A natural question is whether we can extend the synchronous protocols to the partially synchronous setting---in this work, we show that using multicast, we cannot. Furthermore, we cannot achieve always safe communication-efficient protocols (that maintain safety with probability 1) even in the synchronous setting against a static adversary when honest replicas only choose to multicast their messages. Considering these impossibility results, we describe a new communication-efficient BBA protocol in a modified partially synchronous network model which is secure against adaptive adversaries with high probability.
Abstract:
Exchanges are critical for providing liquidity and price transparency to markets, but electronic exchanges sometimes front run their users: because the exchange is in a privileged position, it can observe incoming orders and insert its own orders or alter execution to profit, if undetected, risk-free. There are cryptographic schemes to address front-running, but they either require an assumption of non-collusion or do not definitively prevent it, and none can provide the exchange with useful evidence of good behavior: a transcript the exchange can show to an offline entity, like a potential new customer or a regulator, to prove that it is not front running.
We present ClockWork, a practical exchange protocol which gives an exchange the ability to prove to a user that it did not front-run their order. In ClockWork, users commit to and encrypt orders inside a timelock puzzle. By assuming a lower bound on the time it takes to solve the puzzle, we ensure that no one, including the exchange, can submit new orders or selectively drop orders after the batch is fixed, and that users cannot repudiate committed orders. Users interacting with the exchange are convinced that the exchange did not front-run, and the protocol creates a transcript between the exchange and the users that serves as evidence orders were matched correctly and has attestations from users who agree they were not front-run. We implement ClockWork and show that despite using computationally expensive timelock puzzles, it provides reasonable performance for batch auctions. This is a useful tradeoff to provide a verifiably correct exchange.
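The mechanism that does the work in the ClockWork abstract above is the timelock puzzle: an order is encrypted under a key that can only be recovered by a fixed number of sequential modular squarings, so the exchange cannot read any order until after the batch has closed, while the user, who holds the trapdoor, can build the puzzle cheaply. The following is an added example, not ClockWork's own code, using the Rivest–Shamir–Wagner repeated-squaring puzzle with a commitment to the plaintext so a tampered or mis-solved puzzle is detected. It assumes a single toy modulus built from two known Mersenne primes with the trapdoor known to the puzzle creator; a real deployment would use a per-user or ceremony-generated modulus of proper size. The same sequential-squaring assumption underlies repeated-squaring VDFs such as those used by the consensus paper above, though a VDF additionally needs a short proof of correct evaluation, which this example does not build.

```python
import hashlib
import math
import secrets

# Assumed toy parameters (illustration only, not a production modulus):
# two known Mersenne primes; the creator knows phi(N), the solver does not.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)


def _keystream(key: int, length: int) -> bytes:
    # Derive a one-time pad of the needed length from the puzzle solution.
    return hashlib.shake_256(key.to_bytes(16, "big")).digest(length)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def lock_order(order: bytes, t: int) -> dict:
    """User side: wrap `order` so that opening it needs t sequential squarings mod N.
    With the trapdoor phi(N) the creator computes x^(2^t) mod N in one exponentiation."""
    while True:
        x = secrets.randbelow(N - 3) + 2
        if math.gcd(x, N) == 1:          # Euler's theorem needs gcd(x, N) = 1
            break
    e = pow(2, t, PHI)
    key = pow(x, e, N)                   # == x^(2^t) mod N, cheap via the trapdoor
    ciphertext = _xor(order, _keystream(key, len(order)))
    commitment = hashlib.sha256(order).digest()   # binds the user to this order
    return {"x": x, "t": t, "ct": ciphertext, "commit": commitment}


def open_puzzle(puzzle: dict) -> bytes:
    """Exchange side: no trapdoor, so t squarings have to be done one after another
    (this loop is inherently sequential). Then decrypt and check the commitment."""
    y = puzzle["x"]
    for _ in range(puzzle["t"]):
        y = pow(y, 2, N)
    order = _xor(puzzle["ct"], _keystream(y, len(puzzle["ct"])))
    if hashlib.sha256(order).digest() != puzzle["commit"]:
        raise ValueError("decrypted order does not match its commitment")
    return order


def run_batch(orders: list, t: int) -> list:
    """Collect every puzzle before the batch closes, only then start solving them,
    so no party (the exchange included) sees an order while submissions are open."""
    puzzles = [lock_order(o, t) for o in orders]
    return [open_puzzle(p) for p in puzzles]


if __name__ == "__main__":
    # Constructed sample orders.
    print(run_batch([b"BUY 10 XYZ @ 100", b"SELL 4 XYZ @ 101"], t=20000))
```

The solving loop is the security argument: its cost grows linearly in `t` and cannot be parallelised, so `t` is chosen from the assumed lower bound on squaring speed and the batch length. The commitment does not add secrecy; it is what stops a user repudiating an order after the fact and lets the solver reject a puzzle whose ciphertext was altered in transit.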
Dan Cline worked with the DCI via the Co-op program from the University of Massachusetts Amherst. His mentors were Neha Narula and Tadge Dryja.
Abstract
The United States financial system can be restructured by giving universal direct access to credit risk-free central bank money. In the 10 years since the financial crisis, technological advancements and regulatory tools have laid the foundation for Central Bank Digital Currencies to emerge as this economic resolution. Our paper analyzes similar economic cases and contends that introducing Central Bank Digital Currencies (CBDCs) can improve financial stability without degrading credit availability in the long term. We illustrate this by focusing on similar market shifts, namely in the U.S. student loan market and the New Zealand agribusiness sector. Our analysis showcases that by introducing CBDCs, market participants can subsequently remove certain market subsidies that promote poor risk practices and improper pricing. This subsidy to financial institutions is both explicit in the form of FDIC deposit insurance and implicit in the stipulation of taxpayer funded bailouts that materialized in 2008. We calculate the effect of introducing CBDCs by focusing on historical market examples when similar fundamental market shifts happened. Our conclusion is that CBDCs may diminish credit availability, but this effect is ameliorated as financial stability improves in subsequent years. Accordingly, we recommend a roadmap for rolling out CBDCs in the least disruptive fashion.
Member Company: Boston Consulting Group (BCG)
Project Group: Healthcare Applications
Executive Summary
Over the past decade, significant breakthroughs in DNA sequencing have accelerated our capacity for genetic research and created new disciplines of precision medicine, promising a generation of novel therapies for previously incurable ailments. However, with an influx of vast amounts of genetic data, another challenge arose: the problem of data stewardship and governance. As of today, an individual who has their DNA analyzed through consumer-focused products like 23andMe or Ancestry.com, or through their personal healthcare provider, has no promise of knowing where the genetic data goes or how it will be used. This historical lack of transparency has had cascading consequences across the industry, from disincentivizing participation in programs that would benefit from sharing genetic or health data, to driving a profound lack of genetic diversity in clinical trials. We believe that a blockchain tool, leveraging non-fungible tokens, can enable a degree of transparency and traceability to allow individuals to become informed stewards of their own genetic data. By doing so, we strive to build guardrails for privacy and security around the exchange of genetic data, thereby regaining the trust of participants, and encouraging our community to drive a thriving genetic data marketplace for the greater good of society.
Abstract
This work addresses the ongoing lack of legal clarity and inconsistent pronouncements regarding the regulatory status of cryptographic assets by introducing a novel series of classification approaches employing non-binary scoring systems. Novel taxonomies have been constructed based upon multi-level categorical and numerical discrimination methods following design science of information systems best practices. The aim is to provide greater explanatory insight with respect to the nuanced and complex ensemble of attributes which may be exhibited within this sui generis type of objects. The notions of Securityness (S), Moneyness (M) and Commodityness (C) are proposed as candidate meta-characteristics for “TokenSpace”: a three-dimensional visual construction of subjective classification approaches towards a coherent and customisable conceptual framework. TokenSpace can be used to make reasoned qualitative and / or quantitative comparisons of asset properties. TokenSpace has more in common with successful prior classification frameworks in other domains and greater development potential using axiomatic, empirical and qualitative approaches than the sorting, clustering, intuitive or naïve categorisation approaches previously employed for cryptographic assets. TokenSpace provides a basis upon which real-time information feeds and predictive analytical tools may be developed in future.
Abstract:
We design, implement, and evaluate a zero knowledge succinct non-interactive argument (SNARG) for Rank-1 Constraint Satisfaction (R1CS), a widely-deployed NP language undergoing standardization. Our SNARG has a transparent setup, is plausibly post-quantum secure, and uses lightweight cryptography. A proof attesting to the satisfiability of n constraints has size O(log² n); it can be produced with O(n log n) field operations and verified with O(n). At 128 bits of security, proofs are less than 250 kB even for several million constraints, more than 10× shorter than prior SNARGs with similar features.
A key ingredient of our construction is a new Interactive Oracle Proof (IOP) for solving a univariate analogue of the classical sumcheck problem [LFKN92], originally studied for multivariate polynomials. Our protocol verifies the sum of entries of a Reed–Solomon codeword over any subgroup of a field.
We also provide libiop, a library for writing IOP-based arguments, in which a toolchain of transformations enables programmers to write new arguments by writing simple IOP sub-components. We have used this library to specify our construction and prior ones, and plan to open-source it.
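The univariate sumcheck mentioned in the abstract above rests on one algebraic fact: over a multiplicative subgroup H of a field, every power sum Σ_{a∈H} a^k vanishes unless |H| divides k, so for a polynomial r of degree below |H| the sum of r over H is simply |H|·r(0). A prover therefore reduces f to r = f mod Z_H (where Z_H(x) = x^|H| − 1 vanishes on H), and the verifier only has to spot-check the polynomial identity f = h·Z_H + x·g + μ/|H| at random points instead of summing |H| evaluations. The block below is an added example illustrating that lemma over a constructed toy field F_17 with the order-8 subgroup generated by 2; it is not libiop code, and it treats f, h and g as explicit polynomials where the real protocol would query them as Reed–Solomon codeword oracles.

```python
P = 17                                    # constructed toy prime field F_17
H = [pow(2, i, P) for i in range(8)]      # multiplicative subgroup of order 8 (2^8 = 256 = 1 mod 17)


def poly_eval(f, x):
    """Horner evaluation mod P; f is a coefficient list, lowest degree first."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % P
    return acc


def poly_divmod(f, g):
    """Long division over F_P: returns (q, r) with f = q*g + r and deg r < deg g."""
    f = list(f)
    if len(f) < len(g):
        return [0], f + [0] * (len(g) - 1 - len(f))
    q = [0] * (len(f) - len(g) + 1)
    inv_lead = pow(g[-1], -1, P)
    for i in range(len(f) - len(g), -1, -1):
        coef = (f[i + len(g) - 1] * inv_lead) % P
        q[i] = coef
        for j, gj in enumerate(g):
            f[i + j] = (f[i + j] - coef * gj) % P
    return q, f[:len(g) - 1]


def vanishing_poly(H):
    """Z_H(x) = x^|H| - 1 is zero exactly on a multiplicative subgroup H."""
    return [P - 1] + [0] * (len(H) - 1) + [1]


def direct_sum(f, H):
    """What the verifier would otherwise have to compute: |H| evaluations of f."""
    return sum(poly_eval(f, a) for a in H) % P


def prove_sum(f, H):
    """Prover: write f = h*Z_H + r with deg r < |H|. On a multiplicative subgroup
    sum_{a in H} r(a) = |H| * r(0), so mu = |H| * r(0), and r(x) = r(0) + x*g(x)."""
    h, r = poly_divmod(f, vanishing_poly(H))
    mu = (len(H) * r[0]) % P
    g = r[1:]                              # deg g < |H| - 1 is what the verifier relies on
    return h, g, mu


def verify_sum(f, h, g, mu, H, z):
    """Verifier: check f(z) == h(z)*Z_H(z) + z*g(z) + mu/|H| at one point z.
    A false mu shifts the right-hand side by a nonzero constant, so the check
    fails at every z; a wrong h or g fails except at a few roots."""
    lhs = poly_eval(f, z)
    rhs = (poly_eval(h, z) * poly_eval(vanishing_poly(H), z)
           + z * poly_eval(g, z)
           + mu * pow(len(H), -1, P)) % P
    return lhs == rhs


if __name__ == "__main__":
    f = [3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8]      # constructed degree-11 polynomial
    h, g, mu = prove_sum(f, H)
    print(direct_sum(f, H), mu, all(verify_sum(f, h, g, mu, H, z) for z in range(P)))
```

For the constructed f only the x^0 and x^8 coefficients survive the power-sum cancellation, so the sum is 8·(3 + 5) mod 17 = 13, which is exactly the μ the prover derives from r(0). In the IOP the degree bound on g is enforced by a low-degree test rather than by inspecting the list, which is where the Reed–Solomon proximity machinery of the paper comes in.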
Abstract
This paper shows several connections between data structure problems and cryptography against preprocessing attacks. Our results span data structure upper bounds, cryptographic applications, and data structure lower bounds, as summarized next.
First, we apply Fiat–Naor inversion, a technique with cryptographic origins, to obtain a data structure upper bound. In particular, our technique yields a suite of algorithms with space S and (online) time T for a preprocessing version of the N-input 3SUM problem where S^3 · T = O(N^6). This disproves a strong conjecture (Goldstein et al., WADS 2017) that there is no data structure that solves this problem for S = N^{2−δ} and T = N^{1−δ} for any constant δ > 0.
Secondly, we show equivalence between lower bounds for a broad class of (static) data structure problems and one-way functions in the random oracle model that resist a very strong form of preprocessing attack. Concretely, given a random function F : [N] → [N] (accessed as an oracle) we show how to compile it into a function G^F : [N^2] → [N^2] which resists S-bit preprocessing attacks that run in query time T where ST = O(N^{2−ε}) (assuming a corresponding data structure lower bound on 3SUM). In contrast, a classical result of Hellman tells us that F itself can be more easily inverted, say with N^{2/3}-bit preprocessing in N^{2/3} time. We also show that much stronger lower bounds follow from the hardness of kSUM. Our results can be equivalently interpreted as security against adversaries that are very non-uniform, or have large auxiliary input, or as security in the face of a powerfully backdoored random oracle.
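The Hellman result the paragraph above contrasts against is the classic time-memory trade-off: spend a one-off preprocessing pass on the random function F, keep only the endpoints of m chains of length t, and later invert a fresh image with about t oracle queries. The block below is an added example of that attack on a constructed random function over a 16-bit domain, not code from the paper; the table and chain sizes are chosen near Hellman's m·t² ≈ N rule of thumb, and every preimage it reports is re-checked against F before being counted.

```python
import random

N = 1 << 16   # constructed domain size; F : [N] -> [N] stands in for the random oracle


def make_random_function(seed: int):
    """Constructed stand-in for the random oracle: a fixed random table queried by index."""
    rng = random.Random(seed)
    table = [rng.randrange(N) for _ in range(N)]
    return lambda x: table[x]


def build_hellman_table(F, m: int, t: int, seed: int) -> dict:
    """Preprocessing phase: m chains of t applications of F, keeping only
    (endpoint -> start point). Space is m entries, far below the N-entry inverse table."""
    rng = random.Random(seed)
    table = {}
    for _ in range(m):
        start = rng.randrange(N)
        x = start
        for _ in range(t):
            x = F(x)
        table.setdefault(x, start)      # a merged chain keeps the first start point
    return table


def invert(F, table: dict, y: int, t: int):
    """Online phase: walk forward from y for at most t steps; when a stored endpoint is
    hit, replay that chain from its start point looking for a preimage of y.
    Returns None if no chain covers y (or only false alarms from merged chains occur)."""
    z = y
    for _ in range(t):
        if z in table:
            x = table[z]
            for _ in range(t):
                if F(x) == y:
                    return x
                x = F(x)
        z = F(z)
    return None


def measure(F, table: dict, t: int, n_targets: int):
    """Attempt inversion on n_targets images F(0..n_targets-1); every hit is verified.
    Returns (hits, n_targets): roughly m*t/N of a random function is covered by one table."""
    hits = 0
    for x0 in range(n_targets):
        y = F(x0)
        x = invert(F, table, y, t)
        if x is not None:
            assert F(x) == y            # never report an unverified preimage
            hits += 1
    return hits, n_targets


if __name__ == "__main__":
    F = make_random_function(seed=1)
    tbl = build_hellman_table(F, m=256, t=16, seed=2)   # m*t^2 = N
    print(measure(F, tbl, t=16, n_targets=1000))
```

With m·t = 4096 chain positions out of N = 65536 a single table recovers a preimage for roughly six percent of random targets; the full Hellman construction reaches high success probability by keeping many such tables built from independently rerandomised variants of F, which is what pushes the trade-off to the N^{2/3} space and time the abstract cites.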
Thirdly, we give lower bounds for 3SUM which match the best known lower bounds for static data structure problems (Larsen, FOCS 2012). Moreover, we show that our lower bound generalizes to a range of geometric problems, such as three points on a line, polygon containment, and others.
Abstract
A zero-knowledge proof or protocol is a cryptographic technique for verifying private data without revealing it in its clear form. In this paper, we evaluate the potential for zero-knowledge distributed ledger technology to alleviate asymmetry of information in the asset-backed securitization market. To frame this inquiry, we conducted market data analyses, a review of prior literature, stakeholder interviews with investors, originators and security issuers and collaboration with blockchain engineers and researchers. We introduce a new system which could enable all market participants in the securitization lifecycle (e.g. investors, rating agencies, regulators and security issuers) to interact on a unique decentralized platform while maintaining the privacy of loan-level data, therefore providing the industry with timely analytics and performance data. Our platform is powered by zkLedger (Narula et al. 2018), a zero-knowledge protocol developed by the MIT Media Lab and the first system that enables participants of a distributed ledger to run publicly verifiable analytics on masked data
Introduction
In a 2019 speech, Bank of England governor Mark Carney said that “Technology has the potential to disrupt the network externalities that prevent the incumbent global reserve currency from being displaced.” Certainly one of the most interesting places where technology is disrupting payments and finance is in cryptocurrencies. Cryptocurrencies have emerged from open source development communities in large part because electronic transaction systems are too expensive and they have not evolved fast enough to keep pace with the demand for retail online digital payments and more sophisticated types of financial transactions. The wide variety of experimentation in cryptocurrencies is causing technologists and central bankers to rethink the interface to money and explore a digital form which can be held by users and companies directly. This could lead to a financial system with a simplified institutional structure, capable of serving the public at a much lower cost. Though there has been much discussion about the policy design for central bank-issued digital currency (CBDC), there are important technical points missing from the conversation: CBDC should not be a direct copy of existing cryptocurrencies with exactly the same design and features but there are things we can learn from their emergence - the usefulness of programmability in money and the importance of preserving user privacy.
Cryptocurrency technology, in some instances, can provide an important feature: Anyone can participate and build applications with financial transactions to a standard, which creates a free-entry market that enables competition. These rules are set and maintained by users of the system, not by a coalition of companies or other large market participants. This is due in large part to the fact that many participate in observing, auditing, and validating the creation of money and the legitimacy of payments by observing a highly replicated audit trail of activities.
The cryptocurrency ecosystem should be viewed as a laboratory where developers are inventing different technologies, monetary policies, governance strategies, and reward systems which are competing. The space is still in its infancy, but make no mistake -- successful ideas from this area will eventually find their way into the more conservative world of fiat digital payments. Libra and other stablecoins are the latest prominent example of these ideas breaking through. There will be more.
DCI Senior Advisor Gary Gensler’s Final Testimony on ‘Examining Facebook’s Proposed Cryptocurrency and Its Impact on Consumers, Investors, and the American Financial System’. Presented during the ‘Financial Services Committee’ at the United States House of Representatives on July 17, 2019.
Read Here
by Thaddeus Dryja (MIT’s Digital Currency Initiative)
Abstract: In the Bitcoin consensus network, all nodes come to agreement on the set of Unspent Transaction Outputs (The “UTXO” set). The size of this shared state is a scalability constraint for the network, as the size of the set expands as more users join the system, increasing resource requirements of all nodes. Decoupling the network’s state size from the storage requirements of individual machines would reduce hardware requirements of validating nodes. We introduce a hash based accumulator to locally represent the UTXO set, which is logarithmic in the size of the full set. Nodes attach and propagate inclusion proofs to the inputs of transactions, which along with the accumulator state, give all the information needed to validate a transaction. While the size of the inclusion proofs results in an increase in network traffic, these proofs can be discarded after verification, and aggregation methods can reduce their size to a manageable level of overhead. In our simulations of downloading Bitcoin’s blockchain up to early 2019 with 500MB of RAM allocated for caching, the proofs only add approximately 25% to the amount otherwise downloaded.
by Sunoo Park (MIT Media Lab) and Adam Sealfon (MIT CSAIL)
To appear in the International Cryptology Conference (CRYPTO 2019).
By Ethan Heilman (Boston University), Neha Narula (MIT Media Lab), Garrett Tanzer (Harvard), James Lovejoy (MIT Media Lab), Michael Colavita (Harvard), Madars Virza (MIT Media Lab), and Tadge Dryja (MIT Media Lab)
We present attacks on the cryptography formerly used in the IOTA blockchain, including under certain conditions the ability to forge signatures. We developed practical attacks on IOTA’s cryptographic hash function Curl-P-27, allowing us to quickly generate short colliding messages. These collisions work even for messages of the same length. Exploiting these weaknesses in Curl-P-27, we broke the EU-CMA security of the former IOTA Signature Scheme (ISS). Finally, we show that in a chosen-message setting we could forge signatures and multi-signatures of valid spending transactions (called bundles in IOTA).
by Jiri Chod (BU), Nikolaos Trikakis (MIT), Gerry Tsoukalas (Upenn Wharton), Henry Aspegren (MIT), and Mark Weber (MIT). Nominated for an award in the Journal of Management Science. Sept 15th, 2018
In this paper, we develop a new theory that shows signaling a firm's fundamental quality (e.g., its operational capabilities) to lenders through inventory transactions to be more efficient --- it leads to less costly operational distortions --- than signaling through loan requests, and we characterize how the efficiency gains depend on firm operational characteristics such as operating costs, market size, inventory salvage value and failure probability.
By Thibaut Horel, Sunoo Park, Silas Richelson, and Vinod Vaikuntanathan. Published in the Innovations in Theoretical Computer Science conference (ITCS 2019).
By Aloni Cohen and Sunoo Park. Published in the Harvard Journal of Law and Technology (JOLT), Fall 2018 issue.
By Jonathan Frankle, Sunoo Park, Daniel Shaar, Shafi Goldwasser, and Daniel J. Weitzner. Published in the 27th USENIX Security Symposium (USENIX Security 2018).
By Sunoo Park, Albert Kwon, Georg Fuchsbauer, Peter Gaži, Joël Alwen, and Krzysztof Pietrzak. Published in the 22nd International Conference on Financial Cryptography and Data Security (Financial Crypto 2018)
One of the earliest-seen and most persistent problems with Bitcoin has been scalability. Bitcoin takes the idea of "be your own bank" quite literally, with every computer on the bitcoin network storing every account of every user who owns money in the system. In Bitcoin, this is stored as a collection of "Unspent transaction outputs", or "utxo"s, which are somewhat unintuitive, but provide privacy and efficiency benefits over the alternative "account" based model used in traditional finance.
By Thaddeus Dryja, Quanquan C. Liu and Sunoo Park
Static-Memory-Hard Functions, and Modeling the Cost of Space vs. Time was presented at the Cryptography Conference 2019, which is organized by the International Association for Cryptologic Research (IACR).
This paper by DCI Research Scientist Robleh Ali sets out a structure for a digital fiat currency system. The primary benefit of the cellular structure is that it lowers barriers to entry for payments by using trustless intermediation between cells in the system. The larger purpose of this structure is to create an open foundation for a decentralized financial system in which competition can thrive but which cannot be captured by private interests.