分布式账本环境中平衡保密性和可审核性（英文版）.pdf

STELLA joint research project of the European Central Bank and the Bank of Japan February 2020 Balancing confidentiality and auditability in a distributed ledger environmentThe analysis and results presented in this report are not geared towards replacing or complementing existing arrangements, which include central bank-operated payment systems. Legal and regulatory aspects are outside the scope of the project.Project Stella Balancing confidentiality and auditability in a distributed ledger environment Executive summary Over the past years a number of solutions have been developed to cater for the privacy and confidentiality aspects which arise as a result of the sharing of transaction information in distributed ledgers. These solutions focus, for example, on limiting access to information by unauthorised parties and are generally known as privacy-enhancing technologies/techniques (PETs). The use of PETs may pose challenges, however, when third parties need to view and interpret the transaction for auditing purposes. To ensure accountability, the level of auditability aimed for in payment and settlement systems based on distributed ledger technologies (DLT) should be similar to that in centralised systems. This is applicable regardless of the different types of settlement assets, including stablecoins, central bank digital currency (CBDC) and others. Against this background, Stella phase 4 explores through conceptual studies and practical experimentation how confidentiality and auditability could be balanced in a distributed ledger environment. Specifically, it assesses the way in which PETs would ensure confidentiality as well as the arrangements that accommodate effective auditing for transactions in a financial market infrastructure (FMI) based on DLT. Stella phase 4 divides PETs into three categories based on the underlying concepts for making transaction information confidential to unauthorised third parties. Segregating PETs ensure that each participant only has visibility into a subset of all transactions conducted in the network. Hiding PETs make use of cryptographic techniques to prevent third parties from interpreting transaction details. Unlinking PETs make it difficult to determine transacting relationships from the information recorded on the shared ledger. Stella phase 4 proposes that the auditability of transactions in a DLT-based FMI using PETs can be assessed from the following key perspectives: accessibility to necessary information, reliability of the obtained information and efficiency of the auditing process. Accessibility refers to whether the auditor can access the information it needs to conduct auditing activities. Accessibility may be ensured if the auditor receives the information either from trusted sources (i.e. central components of the DLT system or credible third parties which provide particular functions for enabling PETs and possess necessary information) or from identifiable participants.Reliability indicates whether the auditor can be certain that the original transaction information can be acquired using the obtained information. Reliability may be ensured if the auditor receives the necessary information from trusted sources or if it can use information recorded on the ledger to verify the correctness of the obtained information. The efficiency of the auditing process, which could be measured by the consumption of resources, is also considered since it would affect the feasibility of the process. The assessment of the auditability of each PET setup based on the above perspectives finds that the following arrangements would contribute to effective auditing: (i) the auditor obtains the necessary information from trusted sources or (ii) the auditor obtains the necessary information from identifiable participants and has the means of verifying the correctness of the obtained information using information recorded on the ledger, and the entire process could be conducted without consuming excessive resources. Stella phase 4 raises points to be considered further when expanding the discussion on balancing confidentiality and the auditability of transactions for practical application. First, it notes that the reliance on a trusted source could pose single point of failure risks for the network. Second, when multiple PETs are used in combination, there could be a trade-off between enhancing confidentiality and effective auditability. Third, when the model accommodates multiple payment and settlement systems as well as multi-tiered payment systems, it would be necessary to coordinate different standards and processes between systems. Last but not least, the inclusion of end-users may increase the complexity of managing the confidentiality of end-user information and necessitate the creation of appropriate standards to determine the transactions to be audited.Contents 1 Introduction 1 2 Abstract FMI model based on DLT 2 3 Privacy-enhancing technologies/techniques on DLT 5 3.1 Segregating PETs 6 3.2 Hiding PETs 8 3.3 Unlinking PETs 11 3.4 Summary 14 4 Auditability of confidential transaction information 15 4.1 Three perspectives for assessing auditability 15 4.2 Assessment based on the perspectives 18 4.3 Further consideration for practical application 22 4.4 Summary 23 5 Experiments on selected PETs 24 5.1 Pedersen commitment 25 5.2 Hierarchical deterministic wallet 27 Annex 30 A.1 Pedersen commitment 30 A.2 Hierarchical deterministic wallet 34European Central Bank and Bank of Japan: Project Stella 1 1 Introduction Over the last few years, the European Central Bank (ECB) and the Bank of Japan (BOJ) have jointly explored the opportunities and challenges of distributed ledger technologies (DLT) for financial market infrastructures (FMI) in Project Stella. Launched in December 2016, Project Stella aims to contribute to the wider debate on the possible usage of DLT in the field of payments and financial market infrastructures via experimental work and conceptual studies. Previous phases of Project Stella 1 arrived at quantitative results on performance and resilience testing around DLT-based market infrastructures (September 2017) and explored the synchronisation mechanisms between different ledgers including those between DLT-based and centralised ledgers and asset classes (March 2018 and June 2019). Progress has been made by the blockchain community in improving DLT for implementation in various use cases. There are also learnings from initiatives by various entities to create DLT-based platforms for payments and securities settlements. In this context, a number of solutions have been developed to cater for the privacy and confidentiality aspects which arise as a result of sharing transaction information on distributed ledgers. These solutions focus, for example, on limiting access to information by unauthorised parties and are generally known as privacy- enhancing technologies/techniques (PETs). 2 To ensure accountability on DLT-based FMIs, it is necessary to have an arrangement in place in which authorised third parties can understand details of transactions to the same extent as in existing FMIs. This becomes a challenge, however, when PETs are applied to transactions since they could prevent third parties from viewing and interpreting transaction information. This report uses the term “auditability” to refer to the understanding of transaction information by the authorised third parties, or the degree to which a given environment allows an authorised entity to audit confidential transaction information by viewing and interpreting the information. Explorations of privacy and confidentiality of transaction information in a distributed ledger environment have been made publicly available by the central bank 1 See Payment systems: liquidity saving mechanisms in a distributed ledger environment, ECB and BOJ, September 2017; Securities settlement systems: delivery-versus-payment in a distributed ledger environment, ECB and BOJ, March 2018; Synchronised cross-border payments, ECB and BOJ, June 2019. 2 There are wide-ranging definitions of PETs. See Readiness analysis for the adoption and evolution of privacy enhancing technologies, European Union Agency for Network and Information Security (ENISA), March 2016.European Central Bank and Bank of Japan: Project Stella 2 community. 3 It appears, however, that only limited research and experimentation is available with regards to the auditability of transaction information to which PETs have been applied (hereafter referred to as confidential transaction information). Against this background, Stella phase 4 aims to offer insight into striking a balance between confidentiality and auditability of transaction information. More specifically, it introduces and systematically groups several PETs used in a DLT environment and assesses whether confidential transaction information can be effectively audited by an authorised entity in the DLT network. 4 Chapter 2 outlines an abstract and hypothetical FMI model in a DLT environment on which the analysis is based. Chapter 3 introduces a selection of PETs used in the DLT context, explains the basic nature of PETs which attempt to enhance confidentiality and offers a categorisation. Chapter 4 proposes perspectives for assessing auditability and then assesses whether confidential transaction information could be audited effectively. Experiments which supported the analysis are outlined in Chapter 5. 2 Abstract FMI model based on DLT This chapter introduces an abstract FMI model based on DLT on which PETs are applied. The DLT-based FMI model assumes that a group of entities form a network in which transaction information is recorded and shared in a decentralised manner (Figure 1). This model is in contrast to the existing approach where transaction information is recorded, stored and shared based on a centralised FMI model (Figure 2). Under the DLT-based model, each participating entity operates its own DLT node, through which transactions are processed and transaction information is stored and viewed. For the purpose of the report, it is assumed that there also exists an entity or a group of entities which are authorised to audit transactions by viewing and interpreting the 3 See Distributed ledger technical research in Central Bank of Brazil, Central Bank of Brazil, August 2017; Project Jasper: a Canadian experiment with distributed ledger technology for domestic interbank payments settlement, Bank of Canada, Payments Canada and R3, September 2017; Project Ubin Phase 2: re-imagining interbank real-time gross settlement system using distributed ledger technologies, Monetary Authority of Singapore and the Association of Banks in Singapore, November 2017; Chain fintech proof of concept, Bank of England, April 2018; Project Khokha: exploring the use of distributed ledger technology for interbank payments settlement in South Africa, South African Reserve Bank, June 2018; and Beyond theory: getting practical with blockchain, Federal Reserve Bank of Boston, February 2019. 4 The joint research was conducted by Dirk Bullmann (ECB team leader), Andrej Bachmann, Diego Castejn Molina, Cedric Humbert, Austeja Sostakaite and Naisa Tussi from the ECB, with contributions from Giuseppe Galano (Banca dItalia), Kurt Alonso (Directorate General Information Systems, ECB); and by Michinobu Kishi (BOJ team leader), Takeshi Yamada, Tetsuro Matsushima, Masashi Hojo and Amika Matsui from the BOJ, with contributions from Shuji Kobayakawa (Professor at Meiji University and Advisor to the BOJ Stella team).European Central Bank and Bank of Japan: Project Stella 3 transaction information recorded on the ledger 5 (“auditors”) 6 . The focus of the report is on back-end arrangements and thus only covers transactions between participants. Accordingly, end-users (e.g. each participants clients) do not appear in the model. The DLT-based model is a permissioned network 7 , also referred to as a private or restricted network, where all participants with granted access are expected to follow the terms and conditions (rules) of the network and fulfil their responsibilities. Participants are required to implement and use basic functions on their nodes that are compliant with the rules, and use a designated transaction format to process transactions. If the participants do not comply with the rules, they may be subject to sanctions, including losing access to the network, as well as face reputational risks. It should be noted that the DLT-based model, for reasons of simplicity, does not cover system administrator roles such as gatekeeping and governance since these 5 It is theoretically possible to incorporate auditing into the transaction validation process. For example, see Exploring anonymity in central bank digital currencies, ECB, December 2019. However, this approach is not within the scope of this report. 6 If there are multiple auditors in the DLT network, there would need to be mechanisms in place to ensure that effective auditing is conducted. These can include: a) a mechanism to ensure that every piece of transaction information is auditable by at least one auditor; b) a mechanism that enables auditors to know which auditor is responsible for a given transaction; and c) a mechanism that enables auditors or other entities to share relevant information amongst themselves as necessary, for example, through a shared database between auditors. 7 A permissioned network is a type of DLT network where an entity cannot participate without authorisation by other participants or a system administrator, if there is one. Figure 2 Centralised FMI model Note: The central operator owns a centralised ledger in which transaction information is stored. A participants access to the centralised ledger is controlled by the central operator. Figure 1 DLT-based FMI model Note: Each participant stores relevant transaction information in its own ledger and shares the information with other participants.European Central Bank and Bank of Japan: Project Stella 4 are not the primary focus of this report. The role of a transaction validator could be assumed by participants or other authorised entities and is addressed in the report where relevant. Moreover, for the sake of simplicity, transaction information only contains the transacting parties (participant identifiers, or addresses of the sender and receiver) and the transaction amount. While information on end-users or that related to smart contracts 8 could have enriched the DLT-based model, it is disregarded because its inclusion would not have materially impacted the main findings in Chapter 4. Figure 3 illustrates the transaction information on the ledger for a transaction where Entity A (sender) transfers 100 to Entity B (receiver). Figure 3 Illustrative example of transaction information Note: The dashed line denotes the relationship between addresses (a, b) and transacting parties (A, B) who use them. Confide