pith. sign in

arxiv: 2409.01958 · v3 · submitted 2024-09-03 · 💻 cs.CR · cs.CY

Private Electronic Payments with Self-Custody and Zero-Knowledge Verified Reissuance

Daniele Friolo , Geoffrey Goodell , Dann Toliver , Hazem Danny Nakib This is my paper

Pith reviewed 2026-05-23 20:48 UTC · model grok-4.3

classification 💻 cs.CR cs.CY
keywords private electronic paymentszero-knowledge proofsaudit logself-custodyanonymityreissuancedigital assetscompliance
0
0 comments X

The pith

Zero-knowledge proofs on an audit log let consumers reissue private digital assets without revealing their identity or prior transactions.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper extends an earlier protocol for private electronic payments that already gives consumers privacy by design and recipients compliance checks, plus self-validating assets. The extension adds an audit log paired with zero-knowledge proofs so that a payer spending an asset can prove it was created according to issuer rules without naming the log entry or exposing any details that could identify the payer or past activity. This change lets assets be reissued inside the system without needing operators controlled by the original issuer. The authors also argue that payers should never have to keep transaction secrets from one payment to the next, because retaining those secrets creates blackmail and coercion risks. If the design works, payer anonymity stays strong while no party except the issuer can create net new assets.

Core claim

The modified protocol combines an audit log with zero-knowledge proofs so that a consumer spending an asset can demonstrate that there exists a valid entry on the audit log associated with the asset without specifying which entry it is. This property allows money to be reissued within the system without the involvement of system operators within the zone of control of the original issuer. The design strongly protects the anonymity of payers with respect to their payment transactions while preventing the creation of assets by any party other than the original issuer without destroying assets of equal value. Payers are not required to retain secrets arising from one transaction until the next,

What carries the argument

Audit log combined with zero-knowledge proofs that prove existence of a valid associated entry without revealing which entry or any identifying information.

If this is right

  • Reissuance of assets can proceed without any action by operators under the original issuer's control.
  • Payer anonymity holds even after assets move through reissuance steps.
  • No party can create net new assets except the original issuer.
  • Digital wallets need not store transaction secrets across payments, lowering coercion exposure.
  • Recipient compliance checks remain enforceable while payer privacy is preserved.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same audit-log-plus-ZK pattern could support other self-custodial systems that must enforce global rules without central oversight.
  • Wallet software could be designed around the no-secret-retention property to reduce long-term data-at-rest risks.
  • A simulation that injects malformed reissuance attempts would directly test whether the proof system blocks unauthorized creation.

Load-bearing premise

The zero-knowledge proof system can show that a spent asset has a matching valid audit-log entry without revealing which entry or any details about the payer or earlier transactions.

What would settle it

A concrete test in which a reissued asset appears on the ledger without a matching destruction of an equal-value asset elsewhere, or in which the proof system leaks enough information to link a specific payer to a transaction.

Figures

Figures reproduced from arXiv: 2409.01958 by Daniele Friolo, Dann Toliver, Geoffrey Goodell, Hazem Danny Nakib.

Figure 1
Figure 1. Figure 1: Bulletin Board BB 23 [PITH_FULL_IMAGE:figures/full_fig_p023_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Central Bank Setup Protocol C Proofs C.1 Proof of Claim 1 Recall that the common random string is generated honestly by the challenger (acting as a central bank) during setup. Also, recall that the honest players signing keys as well as the secrets of the genesis tokens V KCB are generated by the challenger/oracle but kept oblivious to the adversary. The adversary, to forge a new token maliciously, shall b… view at source ↗
read the original abstract

This article builds upon the protocol for digital transfers described by Goodell, Toliver, and Nakib, which combines privacy by design for consumers with strong compliance enforcement for recipients of payments and self-validating assets that carry their own verifiable provenance information. We extend the protocol to allow for the verification that reissued assets were created in accordance with rules prohibiting the creation of new assets by anyone but the issuer, without exposing information about the circumstances in which the assets were created that could be used to identify the payer. The modified protocol combines an audit log with zero-knowledge proofs, so that a consumer spending an asset can demonstrate that there exists a valid entry on the audit log that is associated with the asset, without specifying which entry it is. This property is important as a means to allow money to be reissued within the system without the involvement of system operators within the zone of control of the original issuer. Additionally, we identify a key property of privacy-respecting electronic payments, wherein the payer is not required to retain secrets arising from one transaction until the following transaction, and argue that this property is essential to framing security requirements for storage of digital assets and the risk of blackmail or coercion as a way to exfiltrate information about payment history. We claim that the design of our protocol strongly protects the anonymity of payers with respect to their payment transactions, while preventing the creation of assets by any party other than the original issuer without destroying assets of equal value.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript extends the authors' prior protocol for private electronic payments by integrating an audit log with zero-knowledge proofs. This allows verification that reissued assets were created according to rules (only issuer can create, without destroying equal value) without revealing identifying information about the payer or prior transactions. The paper also discusses a property of privacy-respecting payments where payers do not retain transaction secrets across payments, arguing its importance for security against coercion.

Significance. If the construction holds, it provides a mechanism for self-custody payments with reissuance that maintains both privacy and asset conservation, potentially useful for compliant private digital cash systems. The emphasis on non-retention of secrets is a useful framing for threat models involving blackmail. However, the result depends heavily on the correctness of the base protocol and the soundness of the ZK extension.

major comments (2)
  1. [Abstract] Abstract (paragraph on modified protocol): The description states that a consumer can 'demonstrate that there exists a valid entry on the audit log that is associated with the asset, without specifying which entry it is.' An existence proof alone does not prevent reuse of the same entry for multiple independent spends. No mechanism (nullifier, serial number, or consumption proof) is indicated to bind each log entry to at most one spend, which is load-bearing for the central non-creation claim.
  2. [Abstract] Abstract: The anonymity and conservation claims rest directly on the base protocol from the self-cited prior work. No independent security definitions, proof sketches, or concrete ZK statement are supplied to allow assessment of the extension without relying on the earlier construction.
minor comments (1)
  1. The abstract would benefit from explicit mention of the security model or assumptions under which the ZK proofs are claimed to hold.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the careful reading and constructive comments. We address each major point below. Where the abstract is insufficiently precise, we will revise the manuscript to improve clarity and self-containment while preserving the core technical contribution.

read point-by-point responses

  1. Referee: [Abstract] Abstract (paragraph on modified protocol): The description states that a consumer can 'demonstrate that there exists a valid entry on the audit log that is associated with the asset, without specifying which entry it is.' An existence proof alone does not prevent reuse of the same entry for multiple independent spends. No mechanism (nullifier, serial number, or consumption proof) is indicated to bind each log entry to at most one spend, which is load-bearing for the central non-creation claim.

    Authors: The referee correctly identifies that a bare existence statement would be insufficient. The full protocol (Section 4) inherits from the base construction a per-asset nullifier that is revealed in the clear upon spend and checked against the audit log; the ZK statement proves both membership of a valid reissuance record and that the supplied nullifier matches the spent asset. This binding is present in the prior work but was omitted from the abstract for brevity. We will revise the abstract and add an explicit sentence in the protocol overview clarifying the nullifier mechanism and its role in preventing double-spending of log entries. revision: yes

  2. Referee: [Abstract] Abstract: The anonymity and conservation claims rest directly on the base protocol from the self-cited prior work. No independent security definitions, proof sketches, or concrete ZK statement are supplied to allow assessment of the extension without relying on the earlier construction.

    Authors: We agree that the current abstract and introduction make the dependence on the base protocol too implicit. While the extension re-uses the same security model and ZK relation, we will add a short subsection (new Section 3.2) that restates the relevant security properties, gives the concrete ZK statement used for reissuance verification, and sketches why the new audit-log membership proof preserves the original anonymity and conservation invariants. This will allow readers to evaluate the extension without first consulting the prior paper in full. revision: yes

Circularity Check

1 steps flagged

Central conservation claim rests on self-cited base protocol

specific steps
  1. self citation load bearing [Abstract, first paragraph]
    "This article builds upon the protocol for digital transfers described by Goodell, Toliver, and Nakib, which combines privacy by design for consumers with strong compliance enforcement for recipients of payments and self-validating assets that carry their own verifiable provenance information. We extend the protocol to allow for the verification that reissued assets were created in accordance with rules prohibiting the creation of new assets by anyone but the issuer... We claim that the design of our protocol strongly protects the anonymity of payers with respect to their payment transactions, "

    The central premise that the protocol prevents creation of assets by non-issuers without destroying equal value is justified by building upon the self-cited prior protocol whose authors overlap with the present paper; the new ZK mechanism is described only as proving existence of a log entry, inheriting the conservation property from the cited base construction without independent verification.

full rationale

The paper's strongest claim (preventing non-issuer asset creation without equal-value destruction) is presented as following from the modified protocol's audit-log + ZK construction. However, the enabling properties (self-validating assets, provenance, compliance enforcement) are imported wholesale from the cited prior work by overlapping authors (Goodell, Toliver, Nakib). No independent derivation, machine-checked proof, or external benchmark is supplied here to decouple the result. This matches the self_citation_load_bearing pattern at a moderate level; the ZK extension adds content but does not remove dependence on the self-cited foundation.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The protocol depends on standard cryptographic assumptions for zero-knowledge soundness and on the security properties of the authors' earlier protocol; no new free parameters or invented entities are introduced in the abstract.

axioms (2)
  • domain assumption Zero-knowledge proofs exist that can prove membership of an asset in the audit log without revealing the specific entry or payer identity.
    Invoked in the description of the modified protocol that combines the audit log with zero-knowledge proofs.
  • domain assumption The base protocol from Goodell, Toliver, and Nakib already provides privacy by design and self-validating assets.
    The extension is explicitly built upon this prior construction.

pith-pipeline@v0.9.0 · 5800 in / 1479 out tokens · 31413 ms · 2026-05-23T20:48:40.911015+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

26 extracted references · 26 canonical work pages

  1. [1]

    Privacy-preserving auditable token payments in a permissioned blockchain system

    Elli Androulaki, Jan Camenisch, Angelo De Caro, Maria Dub ovitskaya, Kaoutar Elkhiyaoui, and Bj¨ orn Tackmann. Privacy-preserving auditable token payments in a permissioned blockchain system. In AFT ’20: 2nd ACM Conference on Advances in Financial Technologies, New York, NY, USA, October 21-23 , 2020 , pages 255–

    work page 2020

  2. [2]

    Compressin g proofs of k-out- of-n partial knowledge

    Thomas Attema, Ronald Cramer, and Serge Fehr. Compressin g proofs of k-out- of-n partial knowledge. In Tal Malkin and Chris Peikert, edi tors, Advances in Cryptology - CRYPTO 2021 - 41st Annual International Crypto logy Conference, CRYPTO 2021, Virtual Event, August 16-20, 2021, Proceeding s, Part IV , volume 12828 of Lecture Notes in Computer Science , p...

    work page 2021

  3. [3]

    Zerocash: Decentralized ano nymous payments from bitcoin

    Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Ma tthew Green, Ian Miers, Eran Tromer, and Madars Virza. Zerocash: Decentralized ano nymous payments from bitcoin. In 2014 IEEE Symposium on Security and Privacy, SP 2014, Berke- ley, CA, USA, May 18-21, 2014 , pages 459–474. IEEE Computer Society, 2014

    work page 2014

  4. [4]

    Erratum: Succinct non-interactive arguments via linear in teractive proofs

    Nir Bitansky, Alessandro Chiesa, Yuval Ishai, Rafail Ost rovsky, and Omer Paneth. Erratum: Succinct non-interactive arguments via linear in teractive proofs. In Amit Sahai, editor, Theory of Cryptography - 10th Theory of Cryptography Confer ence, TCC 2013, Tokyo, Japan, March 3-6, 2013. Proceedings , volume 7785 of Lecture Notes in Computer Science . Spri...

    work page 2013

  5. [5]

    Blind signatures for untraceable payments

    David Chaum. Blind signatures for untraceable payments. In David Chaum, Ronald L. Rivest, and Alan T. Sherman, editors, Advances in Cryptology: Proceed- ings of CRYPTO ’82, Santa Barbara, California, USA, August 2 3-25, 1982 , pages 199–203. Plenum Press, New York, 1982

    work page 1982

  6. [6]

    KAIME: central bank digital c urrency with realistic and modular privacy

    Ali Dogan and Kemal Bicakci. KAIME: central bank digital c urrency with realistic and modular privacy. In Gabriele Lenzini, Paolo Mori, and St even Furnell, editors, Proceedings of the 10th International Conference on Inform ation Systems Security and Privacy, ICISSP 2024, Rome, Italy, February 26-28, 2024 , pages 672–681. SCITEPRESS, 2024

    work page 2024

  7. [7]

    Mina protocol

    MINA Foundation. Mina protocol. https://minaprotocol.com/

    work page

  8. [8]

    Monero protocol

    Monero Foundation. Monero protocol. https://www.getmonero.org/

    work page

  9. [9]

    Zcash protocol

    ZCash Foundation. Zcash protocol. https://z.cash/

    work page

  10. [10]

    Snarkp ack: Practical SNARK aggregation

    Nicolas Gailly, Mary Maller, and Anca Nitulescu. Snarkp ack: Practical SNARK aggregation. In Ittay Eyal and Juan A. Garay, editors, Financial Cryptography and Data Security - 26th International Conference, FC 2022, Grenada, May 2-6, 2022, Revised Selected Papers, volume 13411 of Lecture Notes in Computer Science , pages 203–229. Springer, 2022

    work page 2022

  11. [11]

    zksaas: Zero-knowledge snarks as a service

    Sanjam Garg, Aarushi Goel, Abhishek Jain, Guru-Vamsi Po licharla, and Sruthi Sekar. zksaas: Zero-knowledge snarks as a service. In Josep h A. Calandrino and Carmela Troncoso, editors, 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023 , pages 4427–4444. USENIX Associ- ation, 2023

    work page 2023

  12. [12]

    Stacking sigmas: A framework to compose $\varsigma $-protocols for disjunctions

    Aarushi Goel, Matthew Green, Mathias Hall-Andersen, an d Gabriel Kaptchuk. Stacking sigmas: A framework to compose $\varsigma $-protocols for disjunctions. In Orr Dunkelman and Stefan Dziembowski, editors, Advances in Cryptology - EUROCRYPT 2022 - 41st Annual International Conference on th e Theory and Applications of Cryptographic Techniques, Trondheim, ...

    work page 2022

  13. [13]

    Geoffrey Goodell, D. R. Toliver, and Hazem Danny Al-Nakib . A scalable archi- tecture for electronic payments. In Shin’ichiro Matsuo, Le wis Gudgeon, Ariah Klages-Mundt, Daniel Perez Hernandez, Sam Werner, Thomas H aines, Aleksander Essex, Andrea Bracciali, and Massimiliano Sala, editors, Financial Cryptography and Data Security. FC 2022 International Work...

    work page 2022

  14. [14]

    On the size of pairing-based non-interactiv e arguments

    Jens Groth. On the size of pairing-based non-interactiv e arguments. In Marc Fis- chlin and Jean-S´ ebastien Coron, editors, Advances in Cryptology - EUROCRYPT 2016 - 35th Annual International Conference on the Theory an d Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016 , Proceedings, Part II , volume 9666 of Lecture Notes in Com...

    work page 2016

  15. [15]

    Peredi: Privacy- enhanced, regulated and distributed central bank digital c urrencies

    Aggelos Kiayias, Markulf Kohlweiss, and Amirreza Saren cheh. Peredi: Privacy- enhanced, regulated and distributed central bank digital c urrencies. In Heng Yin, Angelos Stavrou, Cas Cremers, and Elaine Shi, editors, Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Secur ity, CCS 2022, Los Angeles, CA, USA, November 7-11, 2022 ,...

    work page 2022

  16. [16]

    Pedersen

    Torben P. Pedersen. Non-interactive and information-t heoretic secure verifiable secret sharing. In Joan Feigenbaum, editor, Advances in Cryptology - CRYPTO ’91, 11th Annual International Cryptology Conference, San ta Barbara, California, USA, August 11-15, 1991, Proceedings , volume 576 of Lecture Notes in Computer Science, pages 129–140. Springer, 1991. 17

    work page 1991

  17. [17]

    UTT: decentralized ecash w ith accountable privacy

    Alin Tomescu, Adithya Bhat, Benny Applebaum, Ittai Abra ham, Guy Gueta, Benny Pinkas, and Avishay Yanai. UTT: decentralized ecash w ith accountable privacy. IACR Cryptol. ePrint Arch. , page 452, 2022

    work page 2022

  18. [18]

    Cryptonote v2

    Nicolas van Saberhagen. Cryptonote v2. https://github.com/monero-project/research-lab/blob/master/whitepape

    work page

  19. [19]

    Prcash: Fast, private and regulated transactions for digital currencies

    Karl W¨ ust, Kari Kostiainen, Vedran Capkun, and Srdjan C apkun. Prcash: Fast, private and regulated transactions for digital currencies . In Ian Goldberg and Tyler Moore, editors, Financial Cryptography and Data Security - 23rd Internatio nal Conference, FC 2019, Frigate Bay, St. Kitts and Nevis, Febru ary 18-22, 2019, Revised Selected Papers, volume 115...

    work page 2019

  20. [20]

    Platypus: A cen- tral bank digital currency with unlinkable transactions an d privacy-preserving reg- ulation

    Karl W¨ ust, Kari Kostiainen, Noah Delius, and Srdjan Cap kun. Platypus: A cen- tral bank digital currency with unlinkable transactions an d privacy-preserving reg- ulation. In Heng Yin, Angelos Stavrou, Cas Cremers, and Elai ne Shi, editors, Proceedings of the 2022 ACM SIGSAC Conference on Computer an d Communi- cations Security, CCS 2022, Los Angeles, C...

    work page 2022

  21. [21]

    Prove(crs,x,w ): Take as input the crs, a statement x and a witness w such that (x,w )∈R and returns a proof π

    A non-interactive proof system NIZK is composed of a tuple of algorithms described as follows: Setup(R): On input the NP-relation R returns a common reference string crs and a trapdoor td. Prove(crs,x,w ): Take as input the crs, a statement x and a witness w such that (x,w )∈R and returns a proof π . Vrfy(crs,x,π ): Takes as input the crs, a statement x a...

    work page

  22. [22]

    Sign(skS1, vkR1 ) and choose a ran- dom set of indexes I of cardinality n between the indexes of the tokens in Mvalid, including the index k of the token burned using βS1

    Compute a signature σS1← $ SIG. Sign(skS1, vkR1 ) and choose a ran- dom set of indexes I of cardinality n between the indexes of the tokens in Mvalid, including the index k of the token burned using βS1

    work page

  23. [23]

    denied”,F S1,R 1) to S1, who forwards it to R1. Else, send (“ post

    Compute π← $ NIZK. Prove((crs,β 1,...,β n, vkS1), (r,k )) where βi is the burning factor of M I⌉ burnt[i]. Finally, send (σS1,π, I) to R1, which sends FS1,R 1= ( vkS1, vkR1,σ S1,π, I) to BS1. Token Post: BS1 , on input FS1,R 1, if CheckRegulation(FS1,R 1,M ) = 0 (i.e., the asset is not regulation compliant) send (“ denied”,F S1,R 1) to S1, who forwards it...

    work page

  24. [24]

    for which he does not know the signing key related to the receiver verification key

    Generate new proof for a token the adversary does not own, i.e . for which he does not know the signing key related to the receiver verification key

    work page

  25. [25]

    Re-use the same proof of another token (could be an adversar ial or an honest one)

    work page

  26. [26]

    Regarding case 1, we distinguish three sub-cases

    Generate a new proof related to a token that has been already b urnt and then redeemed by the adversary (double-spending). Regarding case 1, we distinguish three sub-cases. First, the adversary might try to burn a live token for which he does not know the signing key corresponding to the receiver verification key and t hen use the 24 commitment randomness ...

    work page