First Monday

A trusted cryptocurrency scheme for secure and verifiable digital transactions by Marco Baldi and Franco Chiaraluce

Decentralized digital currency systems known as cryptocurrencies are a breakthrough in electronic payments: the absence of a central authority can avoid the risk that a not fully reliable government seizes assets or causes hyperinflation, very small transactions can be made without incurring high costs and transactions can be traced, thus providing a tool to counter laundering and tax evasion. Furthermore, decentralization provides robustness against many attacks. Despite these advantages, cryptocurrencies have still not become mainstream solutions, because of scarce users’ inclination to adopt them as a privileged payment tool. This is mostly due to the absence of a structured form of control, which also prevents from having some credit insurance. Moreover, some present and future attacks, like quantum computer-based attacks, may threaten their security. In this paper we define new technical solutions to allow cryptocurrencies to become trusted tools for secure and verifiable digital transactions, and also for deposits, while preserving decentralization and users’ privacy. Based on a thorough security analysis, a new cryptocurrency model is first defined, exploiting a set of secure and post-quantum cryptographic primitives. Then, a secure supervision and authentication network is designed, which allows to control transactions, while guaranteeing users’ privacy. A robust reputation system for this context is also proposed, which helps to increase users’ trust and to reduce misconduct.


1. Introduction
2. Secure post-quantum cryptocurrency
3. Supervision and authentication network
4. Robust reputation system
5. Conclusion



1. Introduction

The concept of cryptocurrency was first introduced in 1998 (Dai, 1998) and, more recently, has become real through a number of schemes, Bitcoin being one of the most widespread (Nakamoto, 2008; Peck, 2013).

Current cryptocurrency schemes exploit decentralized networks, making them immune to risks arising from the presence of a centralized issuing authority, like a national bank. Some of these risks include the possibility to seize assets and to cause hyperinflation by controlling the money supply. Furthermore, the use of a decentralized system reduces the cost of transactions, thus making these tools suitable for very small money transfers. At the same time, being digitally transmitted and embodied within peer-to-peer infrastructures, cryptocurrencies may mediate new forms of peer-driven interactions and collaborations among Internet users (Kow, 2017). Another very important advantage of cryptocurrencies is that every network node (user) may have access to all transactions. In principle, this provides a tool to trace the movements of money and to counter laundering and tax evasion. In practice, however, this is very difficult to implement.

The rationale of these schemes is in the use of a public virtual ledger, where all transactions are registered in sequential order and are made publicly available. However, only those transactions which have been registered in the public ledger for not less than some time are considered officially valid. An asymmetric encryption scheme is used to generate a public-private key pair for each user, who then retains his private key. The public key is instead used as the starting point to generate a unique public address which is associated with the user and allows him to receive money through public transactions. When a transaction has a user’s public address as the destination address, only that user (holding the corresponding private key) can spend that money through a subsequent transaction. Each transaction needs to be verified in order to be appended to the transactions chain in the public ledger, and such a verification can be made by any other user in the network. However, performing such a verification has significant computational cost, since it must be performed through a proof-of-work scheme (Back, 2002), which requires to solve some computationally difficult puzzle. Therefore, it is not easy for a user to self-verify transactions, unless he controls a great deal of the network computing power. The users who offer their computing power to provide the proof-of-work are called miners (Taylor, 2013), and they receive a reward per each verified transactions block. Rewards can be generated in two ways: as newly coined money or as transactions fees. For many (but not all) cryptocurrencies the amount of newly coined money is progressively reduced over time, in order to put a limit on the total amount of money in circulation. Therefore, in this case, transaction fees represent the only rewarding mechanism over the long term.

From a theoretical standpoint, these protocols are not completely anonymous, since the virtual ledger is public and each address is uniquely associated to one user. However, each user can generate his address autonomously, and is free to change an address as many times as he wants, even one per transaction. This, together with suitable network anonymization techniques, makes it possible for a user to become anonymous, in such a way that his transactions cannot be traced.

The fully decentralized nature of cryptocurrency protocols represents a breakthrough in the context of electronic payments, where a central issuing authority normally controls the account of an individual and his transactions. However, the lack of visibility over transactions by law enforcement agencies in these networks raises several problems which strongly limit the level of trust, and have relegated their use to relatively small (and sometimes misbehaving) communities. More recently, the use of some cryptocurrencies has come to the attention of the public, and the number of online sellers (and also real shops) accepting them has increased. However, there is still no serious involvement of a large part of electronic cash users, and the scarce inclination to the use of cryptocurrencies remains. As a matter of fact, the scenario is highly unpredictable and is reflected in the high volatility of these currencies — wide fluctuations of their market value — which in turn makes deposits and investments in cryptocurrencies risky. In addition, the number of successful cyber-attacks against cryptocurrency protocols and networks has significantly increased over time (Khandelwal, 2017; Schroeder, 2017) [1]. Moreover, the absence of control makes it impossible to provide some form of insurance on assets, compared to classical bank accounts. For these reasons, the number of countries which accept cryptocurrencies as official financial instruments is still very small, and also some political concerns have been expressed about their official use (European Youth Parliament, 2014). Other concerns treat cryptocurrencies from legal and regulatory perspectives (Guadamuz and Marsden, 2015).

These issues push the need to search for new decentralized virtual currency algorithms and protocols that will gain the trust of users, by providing privacy but, at the same time, allowing for some form of control on transactions and assets. This need is confirmed by the existence of some early experiments in this direction (Ripple, 2016; NxtCoin, 2016; Monetas, 2016). However, none fulfill the requirements of a new secure, post-quantum [2], decentralized and trustworthy cryptocurrency. Some, like Ripple, are operated by a unique private entity having control of the whole money supply, but the decentralized nature is lost. Moreover, these solutions are often built on top of existing cryptocurrencies, thus inheriting some of their vulnerabilities, and making options even more fragmented.

In this paper, we present a new cryptocurrency model built upon three pillars: a new secure and post-quantum cryptocurrency, a supervision and authentication network able to control all transactions and to protect users’ privacy while preventing anonymity, and a robust reputation system which helps to detect and isolate misbehaving users.

A scheme of these three systems is reported in Figure 1. They will be designed to work together in such a way as to overcome the main limitations and the scarce inclination to use which characterize current cryptocurrencies. These three main components of the proposed solution are described in detail in the next sections.


Scheme of the proposed cryptocurrency model
Figure 1: Scheme of the proposed cryptocurrency model.
Note: Larger version of figure available here.




2. Secure post-quantum cryptocurrency

Current cryptocurrencies exploit an innovative decentralized paradigm which allows a public verification of transactions without the need of any central issuing authority. This breakthrough is at the basis of many potential and practical advantages of cryptocurrencies. However, there are some characteristics which strongly limit the trust of users in current cryptocurrencies. Most are due to the chance of performing transactions in an almost completely anonymous way. Furthermore, several vulnerabilities of current cryptocurrencies have recently emerged, allowing malicious attackers to divert significant amounts of digital money.

A crucial point in current cryptocurrencies is the use of asymmetric cryptographic primitives and the generation of users’ public addresses through them. Current cryptocurrencies use a classical digital signature algorithm for this purpose. For example, Bitcoin and many other cryptocurrencies exploit the Elliptic Curve Digital Signature Algorithm (ECDSA). A private-public key pair is generated through ECDSA and it is used to put a unique digital signature on each outgoing transaction. Then, any user in the network is able to check the authenticity of that signature through an associated public key. The public key is also used as each user’s public address, which is obtained from the public key by performing some hashing. This way of managing users’ identities causes two orders of problems, as specified in the following two parts.

2.1. Anonymity of users

In current cryptocurrencies, each user is able to generate as many private-public key pairs as he wishes, and the association between his identity and such a pool of addresses exists only in his private wallet, which is stored somewhere, usually in non-encrypted form. This makes users potentially anonymous.

In classical digital payment systems, instead, users are not completely anonymous. Concerning credit cards, for example, there is an issuing bank which knows the association between each credit card number and its owner identity. Furthermore, a user trusts some legal entity, like his bank, to store his data and trace all his transactions. In case of law enforcement for investigations, the bank can provide a user’s identity and a list of all transactions.

A similar behavior should also become possible with cryptocurrencies, in order to increase trust, but without endangering privacy. Furthermore, in order to preserve the decentralized nature of the network, such a controlling authority must be unable to interfere with money supply, that is, with the mining activity of the cryptocurrency. Technical details on the issues and implementation of such a supervision network will be provided in Section 3.

2.2. Susceptibility to attacks against cryptographic primitives

It has been shown that many currently used cryptographic primitives will succumb to attacks exploiting quantum computers. This is due to the fact that there exist algorithms able to exploit the intrinsic features of this new generation of computers to easily solve otherwise hard problems. In particular, Shor’s algorithm (Shor, 1997) is a quantum algorithm for the solution of the integer factorization problem, which can be exploited to attack cryptosystems based on the hardness of factorizing large integers. After the introduction of quantum computers, many of today’s most popular public-key cryptographic systems are insecure, including Rivest-Shamir-Adleman (RSA), Digital Signature Algorithm (DSA), and ECDSA (Bernstein, et al., 2009). While the threat represented by quantum computers was rather unrealistic until a few years ago, some quantum computers now exist (Jones, 2013). Even if these first quantum computing machines have an experimental nature and are not ready to perform cryptographic attacks based on Shor’s algorithm, they represent a first important step. They point to the need to consolidate some post-quantum cryptographic primitives and use them in the place of quantum-vulnerable ones. One of the first objectives of the proposed solution is to exploit post-quantum cryptographic primitives.

The most important step in this direction is to define a new algorithm for the verification of transactions and generation of public addresses based on a post-quantum digital signature scheme. A first solution of this type is the Lamport One-Time Signature Scheme (LOTSS) (Lamport, 1979), which only exploits hash functions to generate digital signatures. However, in LOTSS, each time a new signature is generated, it discloses half of the private key, therefore the private key must be used only once. In the context of cryptocurrency, each public address would be used only once, which is a strong limitation. Other one-time post-quantum signature schemes exist, and all suffer from the same problem. This one-time nature can be overcome by using the Merkle Signature Scheme (MSS) (Merkle, 1990), which starts from a one-time signature scheme and exploits a Merkle tree to allow the generation of more signatures with the same key pair. However, in order to use the same key pair for a reasonably large number of times, very large signatures are needed, which makes this scheme rather unpractical for cryptocurrency. Nevertheless, improved and generalized versions of MSS exist (Buchmann, et al.., 2006; Buchmann, et al., 2007), which are promising solutions for cryptocurrency, despite a slow signing process.

Another solution is to exploit trapdoors based on lattices in order to build a post-quantum digital signature scheme. However, finding robust and efficient lattice-based signature schemes is not a simple task: in fact, the first proposals based on lattices were broken (Nguyen and Regev, 2009). Recently, this line of research has been revitalized by the appearance of new solutions (Bansarkhani and Buchmann, 2014), which seem promising for cryptocurrency. However, they may require longer signing and verification times.

Another approach is to exploit trapdoors based on coding theory. This leads to the definition of code-based digital signature schemes basically derived from the well-known McEliece (1978) and Niederreiter (1986) cryptosystems, which are post-quantum public-key cryptosystems based on the difficulty of decoding a large linear block code having no visible structure. In order to build the trapdoor, these schemes rely on the classical family of Goppa codes, which are a class of algebraic error correcting codes well suited for cryptographic applications. However their use yields a large size of the public keys. The same issue affects the sole digital signature scheme which has been derived from the classical McEliece and Niederreiter schemes, that is the Courtois-Finiasz-Sendrier (CFS) signature scheme (Courtois, et al., 2001). Furthermore, it has been recently shown that the CFS scheme may be vulnerable to new attacks based on Goppa code distinguishers (Faugere, et al., 2013), due to the high code rates needed to make this scheme practically usable. A reduction in the public key size can be achieved by adopting Goppa codes in quasi-dyadic form (Barreto, et al., 2011). However, some of the main drawbacks of this scheme remain, like the high complexity of generating signatures, introducing new vulnerabilities (Niebuhr, et al., 2011). Research has reduced the public key size of these schemes. The most promising approach seems to be the replacement of Goppa codes with other families of codes, which allow for a more compact representation of the public keys. Concerning the McEliece and Niederreiter cryptosystems, it has been shown that a promising solution to this problem consists in replacing Goppa codes with low-density parity-check (LDPC) codes, which are able to achieve reductions of the public key size by one or two orders of magnitude (Baldi, et al., 2008; Baldi, et al., 2013a; Baldi, 2014). Concerning code-based digital signature schemes, replacing Goppa codes with LDPC codes is a difficult challenge, but achieves great reductions in public key size. A first proposal (Baldi, et al., 2013b) was able to achieve compact keys and efficient signing and verification procedures.

2.3. Susceptibility to other attacks

Even when all the used cryptographic primitives are secure and do not expose weaknesses, there are several other ways to attack the system. A first example is the theft of private keys, allowing diversion of digital money. When a user’s wallet is not encrypted, it may expose its owner to this kind of attack. To prevent these attacks, wallets must be encrypted with strong authentication methods.

Some attacks, like denial-of-service and Sybil attacks, exploit the potential anonymity of users in current cryptocurrency networks. In fact, by using a high number of pseudonym identities which cannot be traced, an attacker may be able to influence network behavior for malicious purposes. These attacks can be prevented by exploiting the supervision and authentication network, working in strict cooperation with a robust reputation system. These tools prevent any user from being anonymous, while, at the same time, preserving his privacy, and allow to keep control over the pools of public addresses associated to each user.



3. Supervision and authentication network

The rationale of the proposed network is to exploit a peer-to-peer network for building a system able to supervise cryptocurrency users’ identities and monitor their transactions, while preserving privacy.

There are a number of private and public entities that we trust our identities while using online services. For example, most individuals have one or more e-mail addresses, one or more social network accounts, one or more traditional bank accounts and one or more accounts for public administration services. These service providers know users’ identities while protecting privacy.

The main idea behind the proposed supervision and authentication network is to involve these entities in the process of generating and signing public addresses to be used in transactions, without requiring them to take part in actual transaction verification activities. In fact, the mining network will remain substantially unchanged, decentralized and based on proof-of-work or proof-of-stake schemes, so that no central authority will be able to take control. Any node of the supervision and authentication network will play the role of identity directory and key generation server only for the subset of users and miners choosing that node as their authentication and supervision reference. It is also important to observe that authentication nodes do not take part in mining activities as well as, symmetrically, users and miners are not involved in authentication, supervision and “law enforcement” activities.

There are many advantages for several players to take part in the supervision and authentication network. For example, government bodies will be able to control citizens’ transactions for public administration and fiscal purposes, like tax payments and prevention of laundering. Online service providers will be able to attract more users, and also implement easy forms of payments through cryptocurrency. Traditional and online banks will be able to offer new services utilizing cryptocurrency, like account management, exchange and investment services, but without the ability to gain full control over transactions. On the other hand, users will be free to choose the server to which they want to authenticate and from which they will be supervised, thus inducing competition.

The authentication and supervision server to which each user is associated will be publicly known, and will digitally sign public addresses associated to that user. Only public addresses signed by some node of the supervision and authentication network will be accepted for transactions. Each supervision and authentication server will be somehow “responsible” for the behavior of its users. This means that, for example, a query to a server with a user’s public address will retrieve reputation data associated to that user, independently of the number of public addresses he is using or has used in the past. The details of the reputation system will be discussed in the next part.

In order to define and implement the algorithms and protocols which allow this network, two main tools can be used: identity-based encryption and blind authentication. Their use are explained next.

3.1. Identity-based encryption

In classical public-key cryptography, the public key is publicly known and is used to encrypt a plaintext or verify a digital signature, whereas the private key must be retained by its owner and is used to decrypt a ciphertext or create a digital signature. Therefore, a public key distribution infrastructure is needed to make the public key of each user publicly available and to to prevent it from being associated with another user.

The concept of Identity-Based Encryption (IBE), introduced by Shamir (1984), allows the use of public-key encryption without the need for any public key distribution infrastructure. In IBE, the public key of a user is derived from his own identity — it can be formed by an e-mail address, his name on the network, phone number, network address, or some combination of them. The association between the user and his public key is straightforward, so there is no need for a distribution infrastructure. A trusted third party is needed to issue a private key. This task is carried out by the Key Generation Center (KGC), which computes the private key for each user from his identity and sends it to him. The KGC has a master public key and a corresponding master private key. The public key of each user can be computed by any other user starting from that user’s identity and the master public key. The corresponding private key is obtained by the authorized user from the KGC. For this purpose, a secure transmission channel must exist between that user and the KGC, and public-key cryptography is commonly used for this purpose.

In the proposed supervision and authentication network, each node acts as a KGC, and provides private keys for all its users. Each user has one or more public keys obtained from one or more features associated to his identity, or from a combination of them. One-way functions — like hash functions — are used to compute a public address from each public key, as it occurs in current cryptocurrencies. Therefore it is not possible to identify a user’s identity from his public address. Even guessing the public address can be difficult by combining identity-related and biometric features. Using IBE makes each node of the supervision and authentication network become a key escrow server, since it controls all the private keys of its users. Nevertheless, users are able to choose the node which they prefer to authenticate and from which they are supervised. Therefore they choose a node managed by an entity which they trust to act as their key escrow server.

Concerning practical IBE schemes, two solutions were originally proposed. The first method is based on elliptic curves and Weil pairing and was proposed by Boneh and Franklin (2001), while the second solution is based on the quadratic residues and was introduced by Cocks (2001). The latter, however, has a very large message expansion. After the appearance of Boneh and Franklin (2001) solution, instead, a number of variants based on elliptic curves and bilinear pairing have been proposed (Hess, 2003; Yi, 2003; Yoon, et al., 2005). A framework for obtaining Identity-Based Identification (IBI) or Identity-Based Signatures (IBS) has been proposed in Bellare, et al. (2004), based on number theory problems. All these solutions, however, are not secure against attacks based on quantum computers. Therefore, suitable post-quantum IBE schemes must be selected for the use in this paper’s context. A solution to this problem comes from the use of the decoding problem, which is a difficult problem even for quantum computers. The chance to use the decoding problem for identity-based cryptography has been investigated in Alaoui, et al. (2011), by exploiting quasi-dyadic Goppa codes. The rationale of the method is to combine the quasi-dyadic version of the CFS scheme (Barreto, et al., 2011) with Stern’s zero-knowledge authentication scheme in order to associate a secret to a random and public value obtained from the user’s identity. This achieves smaller keys when classic Goppa codes are used.

3.2. Blind authentication

In cryptocurrency schemes exploiting a public ledger, it is necessary to generate multiple public addresses for each user and to change them periodically to preserve privacy. The limit condition which guarantees maximum privacy is to generate a new public address for any user each time he authenticates into the network to perform a new transaction. Therefore, the public keys must not only depend on a static identity feature, but also on some other variable permitting computation of a different public key each time.

One solution is to perform authentication by exploiting some biometric feature which slightly changes each time that it is acquired. Concepts from coding theory can be exploited to build schemes, like the fuzzy commitment scheme (Baldi, et al., 2011), which allows authentication even when the chosen biometric feature slightly alters from one reading to another, by avoiding the transmission of any sensitive biometric data through a public channel. Other blind authentication algorithms (Upmanyu, et al., 2010) exist which allow biometrics-based authentication while avoiding any disclosure of sensitive data.

In blind authentication, a user’s public key is created, by embedding some of the user’s physical features in the key generation procedure. As in other public-key cryptosystems, a trusted third party must exist to obtain the user’s private key from his public key, and it plays the role of the KGC in IBE schemes. In Upmanyu, et al. (2010), a provable blind authentication solution was proposed, in which the biometric authentication protocol does not divulge any information about the biometric samples to the authenticating KGC. This method allows for a non-repudiable identity verification, keys’ revocability and protection against replay and client-side attacks. This way, by exploiting one or more biometric features of any user, or a combination of them, it is possible to generate multiple keys associated with the same user. Each of these public keys will then be used as the starting point to compute a public address for the cryptocurrency network, through one or more applications of a one-way function.



4. Robust reputation system

A robust reputation allows measures of the reputation of cryptocurrency users, based on their behavior. This helps to reduce frauds, limiting their effect. In addition, the reputation system assigns reputation scores to the supervision and authentication network nodes, to prevent some malicious entity from creating fraudulent supervision and authentication nodes. The rationale of this reputation system is that each node of the supervision and authentication network (as described in the previous section) maintains and updates a reputation score for each user it supervises, while keeping track of the pool of public addresses associated with that user. This way, the reputation score of a user may be retrieved by querying his supervising server with one of his public addresses.

A reputation system is a set of functions which compute reputation or trust scores for a member of some community, and store such scores somewhere to make them available to other members. These scores are based on a collection of opinions that other members of the same community have about the behavior of that member, and accept to share with the community (Resnick, et al., 2000). The main idea behind reputation systems is to let users rate each other, for example, after each transaction between them, and use these ratings to compute a score, which helps other users to decide whether or not to interact with that user in the future. A basic element which reputation systems rely on is the history of past interactions with a given user. For this reason, when a reputation system is implemented, users have incentives to maintain good behavior, such that their history helps them to achieve good reputation scores.

There are several attacks which can be mounted against a reputation system in order to artificially alter reputation scores of one or more users. To prevent this, it is important to build robust reputation systems (Jøsang, 2012). Some typical attacks and misconducts concerning reputation systems are: i) unfair ratings assigned by malicious users; ii) collusion and bad mouthing within a group of users against some other users to alter their reputation scores; iii) exploitation of a reputation lag between the misbehavior and its effects on the reputation ratings; iv) discrimination among users based on reputation scores; v) change of identity to reset one’s reputation ratings; and vi) Sybil attacks based on the exploitation of multiple identities to affect reputation scores.

The reputation system must be designed in such a way as to adhere to its purposes, that is, providing a tool for quick detection of misconduct and not for ranking honest users. For this purpose, it is extremely important to define properly the metrics and algorithms that will be used in rating. As an example, assuming users as merchants and consumers, probably they would like rate other users by promptness of payment and so forth, which creates a reputation system conducive for trade but not law enforcement. Similarly, if we let banking institutions rate users, probably they would use criteria like whether a user pays debts promptly or not, so this would function like a credit rating system, which is not the purpose of this system. For these reasons, the design of the reputation computation algorithms and relevant metrics to be used in this context must be carried out carefully, and this is out of the scope of this paper. In the following, we provide a brief (not exhaustive) overview of some approaches that can be followed for this purpose.

4.1. Reputation computation engines

The Reputation Computation Engine (RCE) is responsible for the computation of reputation scores, starting from raw reputation data. The design of a robust RCE, based on suitable algorithms and statistical tools, is fundamental to prevent attacks against the reputation system. The main characteristics of a robust RCE are (Dingledine, et al., 2000): i) accuracy for long-term performance: the system must reflect the confidence of each score and distinguish between new users with non-consolidated reputation and those with poor long-term performance; ii) weighting toward current behavior: the system must take into account recent trends, like sudden changes in the behavior of a user; iii) robustness against attacks: the system should be robust against malicious attempts to alter reputation scores; and iv) smoothness: single ratings and good or bad reputation peaks should not affect scores significantly.

In a scale of ascending complexity of the underlying mathematical methods, we can classify existing RCEs in the following three groups:

From this classification, belief models provide the most accurate tools to compute and update reputation ratings and build a robust reputation system. However, computations using belief model-based RCEs may yield more complex results than simpler systems. Recently, it has been shown that some concepts borrowed from coding theory may also be used in this context. In fact, there is a family of iterative algorithms, known as belief propagation algorithms, which have been used to achieve very good decoding algorithms for certain classes of error correcting codes (Richardson and Urbanke, 2001). It has been shown that these algorithms can also be used for the management of trust and reputation scores (Ayday, et al., 2009; Ayday and Fekri, 2012a; Ayday and Fekri, 2012b). These algorithms work on sparse graphs and have a low complexity.

According to this approach, suitable graph models can be developed in order to model both the cryptocurrency and supervision and authentication networks, and belief propagation algorithms can be used to compute and update reputation scores. For this purpose, feedback provided by users must be taken into account, but also some automatically generated data, collected by the supervision network nodes, can be exploited, like statistics about the amounts and time distributions of transactions. Current cryptocurrencies do not offer any facility of this kind. However, the importance of this topic is confirmed by the existence of a limited experiment, like the “web of trust” of the Bitcoin-OTC Project (2016), which is a marketplace for over-the-counter trading with Bitcoin. In this case, some elementary arithmetic reputation computation is performed concerning investors. Moreover, this tool is limited to the context of a marketplace, and does not involve the money supply and verification of transactions.



5. Conclusion

We have proposed a new cryptocurrency model that exploits and integrates suitable technical solutions to attract trust from users and become a safe and reliable decentralized digital currency system. The three main components of the proposed scheme are a secure post-quantum cryptocurrency, a supervision and authentication network and a robust reputation system.

The same conceptual model can be used for other applications exploiting the same architecture. It has been shown that the concepts behind cryptocurrency can be exploited, for example, in new decentralized domain name systems resistant to censorship (Wachs, et al., 2013) and anonymous credential systems (Garman, et al., 2013), but many other applications (e.g., new decentralized electronic voting systems) can be envisaged. End of article


About the authors

Marco Baldi is an assistant professor at the Università Politecnica delle Marche (Polytechnic University of Marche) in Ancona, Italy, working on information processing, encoding and encryption techniques for data and communications security and reliability. He is coauthor of more than 100 scientific papers, a book and two patents. He serves as an Associate Editor for the IEEE Communications Letters and the EURASIP Journal on Wireless Communications and Networking.
E-mail: m [dot] baldi [at] univpm [dot] it

Franco Chiaraluce is an associate professor at the Department of Information Engineering of the Università Politecnica delle Marche (Polytechnic University of Marche) in Ancona, Italy. His research interests are currently focused on error correcting codes, physical layer security and cryptography. He is co-author of about 280 scientific papers, two books and co-inventor of two patents on code-based cryptography.
E-mail: f [dot] chiaraluce [at] univpm [dot] it



1. In many cases they were “local attacks” which means that cyber criminals exploited vulnerabilities that were subsequently solved and did not compromise the security of the cryptocurrency itself. Moreover, in some cases, (part of) the stolen money were retrieved by means of hard forks. This occured, for example, with DAO and Steemit.

2. “Post-quantum” is explained in Section 2.2.



S. M. Y. Alaoui, P.-L. Cayrel and M. Mohammed, 2011. “Improved identity-based identification and signature schemes using quasi-dyadic Goppa codes,” In: T.-H. Kim, H. Adeli, R. J. Robles and M. Balitanas (editors). Information security and assurance. Communications in Computer and Information Science, volume 200. Berlin: Springer, pp. 146–155.
doi:, accessed 10 October 2017.

E. Ayday and F. Fekri, 2012a. “Iterative trust and reputation management using belief propagation,” IEEE Transaction on Dependable and Secure Computing, volume 9, number 3, pp. 375–386.
doi:, accessed 10 October 2017.

E. Ayday and F. Fekri, 2012b. “An iterative algorithm for trust management and adversary detection for delay tolerant networks,” IEEE Transaction on Mobile Computing, volume 11, number 9, pp. 1,514–1,531.
doi:, accessed 10 October 2017.

E. Ayday, H. Lee and F. Fekri, 2009. “An iterative algorithm for trust and reputation management,” ISIT ’09: Proceedings of the 2009 IEEE International Conference on Symposium on Information Theory, volume 3, pp. 2,051–2,055.
doi:, accessed 10 October 2017.

A. Back, 2002. “Hashcash — A denial of service counter-measure” (1 August), at, accessed 16 September 2016.

M. Baldi, 2014. QC-LDPC code-based cryptography. New York: Springer.
doi:, accessed 10 October 2017.

M. Baldi, M. Bianchi and F. Chiaraluce, 2013a. “Security and complexity of the McEliece cryptosystem based on QC-LDPC codes,” IET Information Security, volume 7, number 3, pp. 212–220.
doi:, accessed 10 October 2017.

M. Baldi, M. Bianchi, F. Chiaraluce, J. Rosenthal and D. Schipani, 2013b. “Using LDGM codes and sparse syndromes to achieve digital signatures,” In: P. Gaborit (editor). Post-quantum cryptography. Lecture Notes in Computer Science, volume 7932. Berlin: Springer, pp. 1–15.
doi:, accessed 10 October 2017.

M. Baldi, M. Bianchi, F. Chiaraluce, J. Rosenthal and D. Schipani, 2011. “On fuzzy syndrome hashing with LDPC coding,” ISABEL ’11: Proceedings of the Fourth International Symposium on Applied Sciences in Biomedical and Communication Technologies, article number 24.
doi:, accessed 10 October 2017.

M. Baldi, M. Bodrato and F. Chiaraluce, 2008. “A new analysis of the McEliece cryptosystem based on QC-LDPC codes,” In: R. Ostrovsky, R. De Prisco and I. Visconti (editors). Security and cryptography for networks. Lecture Notes in Computer Science, volume 5229. Berlin: Springer, pp. 246–262.
doi:, accessed 10 October 2017.

R. Bansarkhani and J. Buchmann, 2014. “Improvement and efficient implementation of a lattice-based signature scheme,” In: T. Lange, K. Lauter and P. Lisonek (editors). Selected Areas in Cryptography — SAC 2013. Lecture Notes in Computer Science, volume 8282. Berlin: Springer, pp. 48–67.
doi:, accessed 10 October 2017.

P. S. L. M. Barreto, P. L. Cayrel, R. Misoczki and R. Niebuhr, 2011. “Quasi-dyadic CFS signatures,” In: X. Lai, M. Yung and D. Lin (editors). Information security and cryptology. Lecture Notes in Computer Science, volume 6584. Berlin: Springer, pp. 336–349.
doi:, accessed 10 October 2017.

M. Bellare, C. Namprempre and G. Neven, 2004. “Security proofs for identity-based authentication and signature schemes,” In: C. Cachin and J. Camensich (editors). Advances in cryptology — Eurocrypt 2004. Lecture Notes in Computer Science, volume 3027. Berlin: Springer, pp. 268–286.
doi:, accessed 10 October 2017.

D. J. Bernstein, J. Buchmann and E. Dahmen (editors), 2009. Post-quantum cryptography. New York: Springer.
doi:, accessed 10 October 2017.

Bitcoin-OTC Project, 2016. “#bitcoin-otc marketplace,” at, accessed 16 September 2016.

D. Boneh and M. Franklin, 2001. “Identity-based encryption from the Weil pairing,” In: J. Kilian (editor). Advances in cryptology — Crypto 2001. Lecture Notes in Computer Science, volume 2139. Berlin: Springer, pp. 213–229.
doi:, accessed 10 October 2017.

J. Buchmann, E. Dahmen, E. Klintsevich, K. Okeya and C. Vuillaume, 2007. “Merkle signatures with virtually unlimited signature capacity,” In: J. Katz and M. Yung (editors). Applied cryptography and network security. Lecture Notes in Computer Science, volume 4521. Berlin: Springer, pp. 31–45.
doi:, accessed 10 October 2017.

J. Buchmann, L. C. Coronado García, E. Dahmen, M. Döring and E. Klintsevich, 2006. “CMSS — An improved Merkle signature scheme,” In: R. Barua and T. Lange (editors). Progress in cryptology — INDOCRYPT 2006. Lecture Notes in Computer Science, volume 4329. Berlin: Springer, pp. 349–363.
doi:, accessed 10 October 2017.

C. Cocks, 2001. “An identity based encryption scheme based on quadratic residues,” In: B. Honary (editor). Cryptography and coding. Lecture Notes in Computer Science, volume 2260. Berlin: Springer, pp. 360–363.
doi:, accessed 10 October 2017.

N. Courtois, M. Finiasz and N. Sendrier, 2001. “How to achieve a McEliece-based digital signature scheme,” In: C. Boyd (editor). Advances in cryptology — ASIACRYPT 2001. Lecture Notes in Computer Science, volume 2248. Berlin: Springer, pp. 157–174.
doi:, accessed 10 October 2017.

W. Dai, 1998. “B-money proposal,” at, accessed 16 September 2016.

R. Dingledine, M. J. Freedman and D. Molnar, 2000. “Accountability,” In: A. Oram (editor). Peer-to-peer: Harnessing the power of disruptive technologies. Sebastopol, Calif.: O’Reilly, pp. 271–340.

European Youth Parliament, 2014. “Motion for a resolution by the Committee on Economic and Monetary Affairs (ECON),” Resolution booklet of the 14th National Selection Conference of EYP, Delft, Netherlands, pp. 19–20, and at, accessed 10 October 2017.

J.-C. Faugere, V. Gauthier-Umana, A. Otmani, L. Perret and J.-P. Tillich, 2013. “A distinguisher for high-rate McEliece cryptosystems,” IEEE Transactions on Information Theory, volume 59, number 10, pp. 6,830–6,844.
doi:, accessed 10 October 2017.

C. Garman, M. Green and I. Miers, 2013. “Decentralized anonymous credentials,” Cryptology eprint archive, report 2013/622, at, accessed 10 October 2017.

A. Guadamuz and C. Marsden, 2015. “Blockchains and Bitcoin: Regulatory responses to cryptocurrencies,” First Monday, volume 20, number 12, at, accessed 10 October 2017.
doi:, accessed 10 October 2017.

F. Hess, 2003, “Efficient identity based signature schemes based on pairings,” In: K. Nyberg and H. Heys (editors). Selected areas in cryptography. Lecture Notes in Computer Science, volume 2595. Berlin: Springer, pp. 310–324.
doi:, accessed 10 October 2017.

N. Jones, 2013. “Google and NASA snap up quantum computer,” Nature, volume 497, number 7449 (16 May), at, accessed 16 September 2016.
doi:, accessed 10 October 2017.

A. Jøsang, 2012. “Robustness of trust and reputation systems: Does it matter?” In: T. Dimitrakos, R. Moona, D. Patel and D. H. McKnight (editors). Trust management VI. IFIP Advances in Information and Communication Technology, volume 374. Berlin: Springer, pp. 253–262.
doi:, accessed 10 October 2017.

S. Khandelwal, 2017. “Largest cryptocurrency exchange hacked! Over $1 million worth Bitcoin and Ether stolen,” Hacker News (4 July), at, accessed 17 September 2017.

Y. M. Kow, 2017. “Cryptocurrencies and their potential for large crowd, cost-effective transactions in peer production,” First Monday, volume 22, number 8, at, accessed 10 October 2017.
doi:, accessed 10 October 2017.

L. Lamport, 1979. “Constructing digital signatures from a one-way function,” SRI International Computer Science Laboratory, Technical Report, SRI-CSL-98 (18 October); version at, accessed 10 October 2017.

R. J. McEliece, 1978. “A public-key cryptosystem based on algebraic coding theory,” Deep Space Network Progress Report, DSN PR 42–44, pp. 114–116, at, accessed 10 October 2017.

R. C. Merkle, 1990. “A certified digital signature,” In: G. Brassard (editor). Advances in cryptology — CRYPTO ’89 proceedings. Lecture Notes in Computer Science, volume 435. Berlin: Springer, pp. 218–238.
doi:, accessed 10 October 2017.

Monetas, 2016. “The world’s most advanced transaction platform,” at, accessed 16 September 2016.

L. Mui, M. Mohtashemi, C. Ang, P. Szolovits and A. Halberstadt, 2001. “Ratings in distributed systems: A Bayesian approach,” Proceedings of the 2001 Workshop on Information Technologies and Systems; version at, accessed 10 October 2017.

S. Nakamoto, 2008. “Bitcoin: A peer-to-peer electronic cash system,” at, accessed 16 September 2016.

P. Q. Nguyen and O. Regev, 2009. “Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures,” Journal of Cryptology, volume 22, number 2, pp. 139–160.
doi:, accessed 10 October 2017.

R. Niebuhr, P.-L. Cayrel and J. Buchmann, 2011. “Improving the efficiency of generalized birthday attacks against certain structured cryptosystems,” WCC 2011 — Proceedings of the Seventh International Workshop on Coding and Cryptography, pp. 163–172; version at, accessed 10 October 2017.

H. Niederreiter, 1986. “Knapsack-type cryptosystems and algebraic coding theory,” Problems of Control and Information Theory, volume 15, number 2, pp. 159–166.

NxtCoin, 2016. “Nxt — It’s forged,” at, accessed 16 September 2016.

M. E. Peck, 2013. “The bitcoin arms race is on!” IEEE Spectrum, volume 50, number 6, pp. 11–13.
doi:, accessed 10 October 2017.

P. Resnick and R. Zeckhauser, 2002. “Trust among strangers in Internet transactions: Empirical analysis of eBay’s reputation system,” In: M. R. Baye (editor). Advances in applied microeconomics: The economics of the Internet and e-commerce, volume 11. Amsterdam: JAI, pp. 127–157.

P. Resnick, K. Kuwabara, R. Zeckhauser and E. Friedman, 2000. “Reputation systems,” Communications of the ACM, volume 43, number 12, pp. 45–48.
doi:, accessed 10 October 2017.

T. J. Richardson and R. L. Urbanke, 2001. “The capacity of low-density parity-check codes under message-passing decoding,” IEEE Transactions on Information Theory, volume 47, number 2, pp. 599–618.
doi:, accessed 10 October 2017.

Ripple, 2016. “Join RippleNet,” at, accessed 16 September 2016.

A. Shamir, 1984. “Identity-based cryptosystems and signature schemes,” In: G. R. Blakley and D. Chaum (editors). Advances in cryptology: Proceedings of CRYPTO 84, Lecture Notes in Computer Science, volume 196. Berlin: Springer, pp. 47–53.
doi:, accessed 10 October 2017.

S. Schroeder, 2017. “Not again: Hackers steal $32 million worth of Ethereum,” Mashable (20 July), at, accessed 17 September 2017.

P. W. Shor, 1997. “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM Journal on Computing, volume 26, number 5, pp. 1,484–1,509.
doi:, accessed 10 October 2017.

M. B. Taylor, 2013. “Bitcoin and the age of bespoke silicon,” CASES ’13: Proceedings of the 2013 International Conference on Compilers, Architectures and Synthesis for Embedded Systems, article number 16.
doi:, accessed 10 October 2017.

M. Upmanyu, A. M. Namboodiri, K. Srinathan and C. V. Jawahar, 2010. “Blind authentication: A secure crypto-biometric verification protocol,” IEEE Transactions on Information Forensics and Security, volume 5, number 2, pp. 255–268.
doi:, accessed 10 October 2017.

M. Wachs, M. Schanzenbach and C. Grotho, 2013. “On the feasibility of a censorship resistant decentralized name system,” FPS 2013: Revised Selected Papers of the Sixth International Symposium on Foundations and Practice of Security, volume 8352, pp. 19–30.
doi:, accessed 10 October 2017.

A. Withby, A. Jøsang and J. Indulska, 2004. “Filtering out unfair ratings in Bayesian reputation systems,” Proceedings of the Workshop on Trust in Agent Societies, at the Autonomous Agents and Multi Agent Systems Conference (AAMAS2004).

X. Yi, 2003. “An identity-based signature scheme from the Weil pairing,” IEEE Communications Letters, volume 7, number 2, pp. 76–78.
doi:, accessed 10 October 2017.

H. J. Yoon, J. H. Cheon and Y. Kim, 2005. “Batch verifications with ID-based signatures,” In: C. Park and S. Chee (editors). Information security and cryptology — ICISC 2004. Lecture Notes in Computer Science, volume 3506. Berlin: Springer, pp. 233–248.
doi:, accessed 10 October 2017.

B. Yu and M. P. Singh, 2002. “An evidential model of distributed reputation management,” AAMAS ’02: Proceedings of the First International Joint Conference on Autonomous Agents and Multiagent Systems, Part 1, pp. 294–301.
doi:, accessed 10 October 2017.


Editorial history

Received 21 September 2016; revised 27 September 2017; accepted 5 October 2017.

Creative Commons License
This paper is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

A trusted cryptocurrency scheme for secure and verifiable digital transactions
by Marco Baldi and Franco Chiaraluce.
First Monday, Volume 22, Number 11 - 6 November 2017