Summary: | We explore privacy-preserving payments in a centralized setting, such as CBDCs. Specifically, we focus on two classes of designs that hide the transaction graph: Chaumian e-cash and Merkle tree-based systems (e.g., Tornado Cash), which differ both in their security assumptions and scalability. In our work we highlight scalability limitations in Merkle tree-based privacy systems that would be encountered in a network as large as a CBDC, and propose a sharded Merkle tree design to improve scalability while maintaining strong privacy. However, as we analyze, conventional sharding methods pose privacy risks, prompting introduction of a ’tree of sharded trees’ design that preserves privacy at a modest increase of latency. We describe, implement and evaluate all three designs, and find that unmodified Tornado Cash indeed suffers from resource-contention induced scalability bottlenecks. In contrast, our new design is achieves throughput that is less than an order of magnitude away from e-cash, despite providing auditability.
|