FinTech - Lecture 12 : Other Ledger Technology and Applications (2)

Transcript

1. QIPUP
   CZ
   0MJWFS
   ) FinTech — Financial Innovation and the Internet 2020 Fall

   Lecture 12 : Other Ledger Technology and Applications (2) Kenji Saito Professor, Graduate School of Business and Finance, Waseda University Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.1/25

2. This class is recorded Camera ON is recommended, but not

   required You do need to speak often (we are going to have a lot of dialogue) We will use breakout rooms a lot, but those won’t be recorded unless you do it yourselves (need to be allowed) Keep your Zoom client updated! We might use latest features The recordings could be used for research on online learning Transcribed for use and anonymized Will let you know when the necessity arises Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.2/25

3. The lecture slides can be found at : https://speakerdeck.com/ks91 Recording

   and chat text will be posted at Moodle and Discord Trial automatic transcription of the lecturer’s part will be posted at Discord Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.3/25

4. Schedule (provisional) Lecture 1 9/25 Overview of FinTech (1) •

   Lecture 2 10/2 Overview of FinTech (2) • Lecture 3 10/9 Internet Technology and Governance (1) • Lecture 4 10/16 Internet Technology and Governance (2) • Lecture 5 10/23 The World of Apps (1) • Lecture 6 10/30 The World of Apps (2) • Lecture 7 11/13 Blockchain (1) • Lecture 8 11/20 Blockchain (2) • Lecture 9 11/27 Smart Contracts (1) • Lecture 10 12/4 Smart Contracts (2) • Lecture 11 12/11 Other Ledger Technology and Applications (1) • Lecture 12 12/18 Other Ledger Technology and Applications (2) • Lecture 13 1/8 Cyber-Physical Society and Future of Finance Lecture 14 1/15 FinTech Ideathon Lecture 15 1/22 Presentations and Conclusions Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.4/25

5. Last Week, We Did. . . How to Disappear Re-assignment

   — how to disappear completely More on Anonymity UTXO and anonymity Mixing with or without trust More on Ethereum Applications and demonstrations Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.5/25

6. Today’s Topic Assignment Review Q & A Assignment Lecture 12

   : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.6/25

7. How to Disappear (reprise) Lecture 12 : Other Ledger Technology

   and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.7/25

8. ZoE (Zcash on Ethereum) In Ethereum, too, an “address” is

   a public key digest In Ethereum, which manages account status (balance, etc.) rather than UTXO (coin with destination), it’s difficult to adopt the Bitcoin-like method of changing the receiver’s address from transaction to transaction Which is not a perfect way to hide themselves anyway zk-SNARKs, zero-knowledge proof algorithm used in Zcash, has also been implemented for Ethereum Can conceal transactions (Who sent it to whom ← not straightforward, and) how much? Deployed with Byzantium hardfork in 2017 Gas (transaction cost) is expensive Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.8/25

9. zk-SNARKs Zero Knowledge - Succinct (compact) Non-interactive ARgument of Knowledge

   3 parts G is Generator : G(λ, C) → (pk, vk) where C is a circuit, λ is a secret Circuit (or function) C returns true or false; pk is the prover key, vk is the verifier key P is Prover : P(pk, x, w) → π where x is the public input of C, w (witness) is the secret input of C π is the proof V is Verifier : V (vk, x, π) = true ⇒ ∃w : C(x, w) = true Can perform in Ethereum by executing V inside smart contracts G and P (knows secret) are executed “off-chain” so to speak Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.9/25

10. C’s (circuits) to Conceal Balances and Remittances Use the cryptographic

    hash function H The contract manages H(a’s balance) for all accounts a C s (x, w) for sender : x is [H(pre-tx balance), H(post-tx balance), H(remittance)], w is [pre-tx balance, remittance] Confirm pre-tx balance ≥ remittance Apply H to w to verify that H(pre-tx balance) and H(remittance) in x are correct Verifies that H(post-tx balance) in x equals H(pre-tx balance − remittance) C r (x, w) for receiver : x is [H(pre-tx balance), H(post-tx balance), H(remittance)], w is [pre-tx balance, remittance] Apply H to w to verify that H(pre-tx balance) and H(remittance) in x are correct Verifies that H(post-tx balance) in x equals H(pre-tx balance + remittance) Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.10/25

11. Contract to Conceal Balances and Remittances Accepts the following as

    arguments (sender address is self-evident as the caller of the contract) Receiver address, H(remittance), H(post-tx balance s ), H(post-tx balance r ) π s , π r obtained by applying P in advance Verifies sending by V (vk s , [H(balances ), H(post-tx balances ), H(remittance)], π s ) Verifies receiving by V (vk r , [H(balancer ), H(post-tx balancer ), H(remittance)], π r ) Replaces both H(balance) with their H(post-tx balance) Sender and receiver need to communicate off-chain They cannot tell how much each other had and has now Others cannot tell, in addition to the above, how much was sent But they can tell who sent money to whom Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.11/25

12. In One Picture Fact that Alice sent some money to

    Bob is known To avoid preimage at- tacks, balances and re- mittances should contain many digits below deci- mal point Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.12/25

13. Assignment Review Lecture 12 : Other Ledger Technology and Applications

    (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.13/25

14. Assignment 5. “How to Disappear Completely” Please think of a

    method of remittance using zk-SNARKs that conceals the following, and write the algorithm briefly (in English) Who sends money? ← NEW! To whom? ← NEW! How much? How much were the balances of those before remittance, and how much afterward? Is your solution perfect? What problems are there? Deadline and how to submit December 15, 2020 at 23:59 JST From Moodle (mandatory) Optionally, you can also post to #assignments channel at Discord So that your classmates can read your report, refer to it, and comment on it Just plain text, and be concise, please Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.14/25

15. Trends and Measures Trends . . . of your reports

    Measures . . . how to improve the class 13 out of 16 students submitted (as of Wednesday; always better late than never) Your answers : Fixed third party, like mixing (5) / using digests of addresses (4) / using a ticket (1) / checking transaction history (1) / non zk-SNARKs solution (1) / ring signature (1) / not exactly an answer (1) Nice try! Some referred to techniques used in Zcash and/or Monero Ring signature would be an interesting topic to explore Please note : A cryptographic hash function is not an encryption (as we cannot decrypt the output) Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.15/25

16. F’s Solution (1/2) 1. Carol initiates a transaction with Anna

    to receive amount “$” As Kenji mentioned on Discord, having the receiver initiate the contract is technically possible, so as long as Carol and Anna coordinate properly, this should be feasible 2. Using Kenji’s method (Lecture 11, pg. 10; henceforth K-Method) for hiding the amount sent and balances involved This is entirely necessary because even if Carol is a mediator, it might be easy for an outsider to see Anna pay amount “$” to Carol and Carol pay amount “$” to Bob, making the transaction apparent Also, if we assume Carol is some kind of service (highly likely) some nosey people might be paying attention 3. Carol initiates a transaction with Bob 4. Amount “$” is remitted via the K-method to hide values once again Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.16/25

17. F’s Solution (2/2) The problem with this method, besides the

    reliability of the service, is that I imagine Carol would still need to know Bob and Anna’s public keys Since I have not used the service, I am still not certain whether the following is possible, but I think it could theoretically fix that issue: Register with Carol’s service with H(public_key) and use a transaction process similar to the K-method to hide the public key the same way it hides w ⇒ Pretty good! Although in Ethereum, H(public_key) is like the identifier (the address of an account), and you would need something like H(H(public_key)) Not quite strong against guessing the preimage (Like if you suspect that Anna paid Bob, and know their account addresses) Have to solve how to perform receiver-initiated transaction without revealing the sender’s identity So-called K-Method is well-known, and not mine Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.17/25

18. W’s Solution (1/2) Suppose all the conditions are the same

    as the one on the lecture; Before the transaction, sender and receiver needs to communicate off-chain with receiver’s address In addition, sender needs to find a third party to invoke a contract and pay him in advance (with whatever off-chain) Sender also needs to give the third party hash_receiver_address After the above things are done, the third party starts to invoke a contract with (hash_receiver_address), and the rest things would be the same as the one on the lecture Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.18/25

19. W’s Solution (2/2) Problems get solved: Sender’s address are not

    revealed to public; Receiver’s address are not revealed as well; Remittance and balance would not revealed as it’s stated on lecture Problem: Sender’s information may be known by a third party; A third party needs to accept payment off-chain; It may require trust for a third party (if a third party is authorized, is it contradictious to the concept of decentralization?) ⇒ Pretty good! Perhaps the sender’s address is also hashed Need for a third party is not exactly contradicting to decentralization as long as their behaviors can be verified (instead of trusted) (cf. TumbleBit) Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.19/25

20. Saito’s Solution (second receiver as sender agent) (may be a

    known solution) H′ can be any arbitrary function, but linkability remains a problem Balance’s digits below decimal point is like a private key, protected by H Carole can run verifiers prior to issuing a trans- action to verify if she can really receive the fee Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.20/25

21. Tor (The Onion Router) What is Onion Routing? → technology

    for anonymity Build a circuit that runs through multiple nodes from the user to the terminating node The user shares a shared key with each node that appears on the circuit (the user does not tell who they are) Data encryption is applied for the terminating node, and then for each node appearing in the circuit in reverse order, and finally the data is sent The relay peels off the encryption at each hop, as if it were an onion, and sends it to the next node The relay has no way of knowing what content is being sent from whom to whom Reference Tor : https://www.torproject.org There are concerns about its application to crimes, but it is also a tool for protecting citizens’ privacy and enforcing human rights Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.21/25

22. Q & A We’ve had more than 16.5 hours together

    by now Any questions so far? Any answers? Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.22/25

23. Assignment Lecture 12 : Other Ledger Technology and Applications (2)

    — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.23/25

24. Assignment 6. “Cyber-Physical” Summarize an idea of combining self-driving cars

    and FinTech i.e., please select one or more from “settlement and remittance”, “asset management”, “deposits and loans”, “financing”, “insurance”, and “capital market” Apply FinTech to it with respect to self-driving cars Deadline and how to submit January 5, 2021 at 17:59 JST From Moodle (mandatory) Optionally, you can also post to #assignments channel at Discord So that your classmates can read your report, refer to it, and comment on it Just plain text, and be concise, please Lecture 12 : Other Ledger Technology and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.24/25

25. See You Next Year! Lecture 12 : Other Ledger Technology

    and Applications (2) — FinTech — Financial Innovation and the Internet 2020 Fall — 2020-12-18 – p.25/25