The present invention relates to a method, system and computer-readable medium for fast blockchain payments.

Digital currencies implemented as permissionless blockchains such as Ethereum offer a radically different alternative to traditional payment systems. One of the most striking differences is that there is no or only few centralized entities that would control all user account balances or payments. Instead, each transaction is approved by a large and decentralized system where anyone can participate. This provides strong guarantees that prevent entities from censoring payments.

However, such systems are not practical for scenarios such as retail or online payments. In particular, they have high latency and no on-chain privacy, which makes them unusable for small day-to-day payments. There are means to address these shortcomings. The most prominent technique is to leverage smart contracts that provide further functionality. Two types of such systems relevant for retail payments can be identified in addition to standard blockchain payments: those that provide low latency, and those that provide on-chain privacy.

There are multiple techniques to address latency issues through smart contracts. Payment channels enable users to establish a relationship with a single service provider. However, they require separate locked-in collaterals for each such relationship, which is impractical. Payment hubs connect users to multiple service providers, but the locked-in collateral is large and thus not scalable for a higher number of registered users. Sidechains enable payments that are quickly approved by a smaller set of verifying entities, but they introduce additional trust assumptions and high communication complexity. The Snappy payment system (for reference, see V. Mavroudis, K. Wust, A. Dhar, K. Kostiainen, and S. Capkun: “Snappy: Fast On-Chain Payments with Practical Collaterals”, in 27 ^th Annual Network and Distributed System Security (NDSS) Symposium 2020, 23-26 Feb 2020, San Diego, CA, USA. https://www.ndss-symposium.org/wp-content/uploads/2020/02/24 049- paper.pdf), on the other hand, uses small user collaterals, but it violates the strong censorship-resilience guarantees of permissionless blockchains. On the other side, the Zether payment system (for reference, see B. Bunz, S. Agrawal, M. Zamani, and D. Boneh: “Zether: Towards Privacy in a Smart Contract World, 07 2020, pp. 423-443. https://crypto.stanford.edu/~buenz/papers/zether.pdf) addresses on-chain privacy by providing confidential and anonymous transactions. It has much stronger security and privacy guarantees than standard blockchain transactions, however its payments are slow because the system does not provide any mechanism to address latency issues.

It can be observed that most systems only provide very specific additional functionality, while often violating other properties. In the current state of the art, there is no system that provides (a) fast payments, (b) resilience to censoring, (c) small collaterals, (d) on-chain privacy, and (e) no additional trust assumptions.

It is therefore an object of the present invention to improve and further develop a method and a system for fast blockchain payments in such a way that at least some of the above mentioned shortcomings are mitigated or overcome.

In accordance with the invention, the aforementioned object is accomplished by a computer-implemented method for fast blockchain payment, the payment involving a transfer of funds from an account of a user to a private collateral account of a service provider, the method comprising: receiving, by the service provider, a private payment intent from the user, the private payment intent including a payment index, a random payment ID and an address of the service provider’s private collateral account; modifying, by the service provider, the payment intent by replacing the address of the service provider’s collateral account by a commitment and providing the modified payment intent to a majority of a blockchain’s statekeepers; receiving, by the service provider, payment approvals from blockchain’s statekeepers, each payment approval including the modified payment intent signed with a private key of the respective statekeeper; evaluating, by the service provider, the received payment approvals, aggregating the successfully evaluated payment approvals, and transmitting the aggregation result to the user; and receiving, by the service provider, a final transaction created by the user after having verified the aggregation result, verifying that the user correctly constructed the final transaction according to a given protocol, and accepting the payment in case of successful verification of the final transaction.

Furthermore, the above-mentioned object is accomplished by a system for fast blockchain payment and by a non-transitory processor readable medium according to the independent claims.

Embodiments of the present invention provide blockchain payment methods and systems, which take a hybrid approach that provides both fast and private payments with practical collaterals, as well as strong security guarantees including censorshipresilience and no additional trust assumptions.

According to an embodiment of the invention, the random payment ID of the user’s payment intent is generated by computing a verifiable random function, VRF, hash of the payment index. In this regard, it is noted that a verifiable random function (VRF) is a public-key version of a keyed cryptographic hash (for reference, see S. Goldberg, L. Reyzin, D. Papadopoulos, and J. Vcelak, “Verifiable Random Functions (VRFs),” Internet Engineering Task Force, Internet-Draft draft-irtf-cfrg-vrf- 09, May 2021 , work in Progress. [Online], Available: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-vrf-09 ). Anyone in possession of the public key pk can verify the correctness of the hash, but only the holder of the secret key sk can generate the hash. More precisely, given an input value x, the holder of the private key sk can compute the hash y = VRFhash(sk, x) for input x. The holder of the private key can also compute a matching proof n = VRFprove(sk,x). A key property of VRFs is that the hashing algorithm is deterministic in the sense that it always produces the same output y given the same pair of inputs (sk,x). Using the public key and the proof, one can verify that the hash was correctly computed. Given pk, x and TT the hash is valid if VRFverify(pk, x, TT) outputs valid. Anyone can deterministically obtain the VRF output y from the proof TT by computing y = VRFproof2hash(π).

Embodiments of the present invention take advantage of one or more of the following VRFs’ properties: • Trusted uniqueness: Assuming that the keys were generated in a trustworthy manner, i.e. with correct randomness, a computationally bounded adversary cannot find pk, x, two different hash outputs y1 and y2, two proofs TT1 and TT2 such that VRFverify(pk, and VRFverify(pk, x, n2) both output valid.

• Trusted collision resistance: Assuming that the keys were generated in a trustworthy manner, it should be computationally infeasible to find x1 and x2 that have the same hash output even if the adversary knows the secret key.

• Full pseudorandomness: An adversarial verifier cannot distinguish a genuine hash output y from a random one without knowing the proof of the genuine hash. The adversary is allowed at any time to observe the output hash and proof of a variety of chosen inputs.

According to an embodiment of the invention, the service provider’s modification of the payment intent received from the user includes replacing the address of the service provider’s collateral account by the commitment c _m = C(m,r _m ), where m is the address of the service provider’s collateral account, r _m is a random blinding factor, and C is a commitment function. In general, the goal of cryptographic commitments is to commit to a value that remains hidden, and reveal it at a later point in time. Pedersen commitments is one particular variant of such schemes. It provides commitments that are perfectly hiding (a computationally unbounded adversary cannot learn anything about the original message) and computationally binding (a computationally bounded adversary cannot compute two distinct messages for the same commitment). Furthermore, Pedersen commitments are homomorphic, that means two commitments can be combined without requiring the knowledge of neither the original messages nor the blinding factors. Details about Pedersen commitments are describe in T. P. Pedersen, “Non-interactive and information-theoretic secure verifiable secret sharing,” in Advances in Cryptology - CRYPTO ’91 , 1992, pp. 129-140, which is hereby incorporated herein by reference).

According to an embodiment of the invention, it may be provided that the service provider evaluates a private payment intent received from the user by verifying the correctness of a zero-knowledge proof computed by the user to show that the user’s balance is sufficient for executing the payment. According to an embodiment of the invention, it may be provided that the service provider evaluates a private payment intent received from the user by verifying the correctness of a zero-knowledge proof computed by the user over a user’s collateral balance to show that the sum of all pending payments including the current payment is less than the user’s current collateral balance.

According to an embodiment of the invention, the payment approvals from the blockchain’s statekeepers may include a BLS signature computed by the respective statekeeper over the modified payment intent using the secret key of the respective statekeeper. BLS (Boneh-Lynn-Shacham) digital signature (for reference, see D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the Weil pairing,” in Advances in Cryptology - ASIACRYPT 2001 , 2001 , pp. 514-532) is a signature scheme that provides short and secure digital signatures. Furthermore, it allows to aggregate multiple signatures 01, ..., o _n of different signers into one single signature. For simplicity, it can be assumed that the user is given functions Sign(sk, m), Vf(pk, m, a), AggrSig({σ1, ..., σ _n }), AggrPk({pki, ..., pk _n }) which implement signature creation, verification, and signature/public key aggregation, respectively.

According to an embodiment of the invention, the service provider, upon receiving payment approvals from at least half of the statekeepers, verifies the statekeepers’ signatures of the modified payment intent using the respective statekeeper’s public key and aggregates the successfully verified signatures to obtain an aggregated approval signature.

According to an embodiment of the invention, a smart contract running in the blockchain may be used to administer collateral accounts of the user, the service provider and each of the blockchain’s statekeepers, wherein the smart contract stores a dictionary that maps account addresses to EIGamal homomorphic encrypted values. Smart contracts are pieces of software that run on the blockchain and provide an interface via which to interact with the data. In other words, a smart contract is a computer program or transaction protocol that is configured to automatically execute and operate on the blockchain. Specifically, a smart contract is a processor-executable program (code) stored on a non-transitory processor readable medium that, when executed by processing circuitry, causes the processing circuitry to carry out program functions. The code is available (i.e. can be inspected) to all the members present on the network. A person of ordinary skill in the art would recognize that a “smart contract” is a technical aspect of blockchain networks used for, e.g., automation, and not a legal instrument or other means of constraining human activity.

According to an embodiment of the invention, the smart contract running in the blockchain, upon receipt of the payment, the following actions, may finalize the payment which transfers funds from the user to the service provider. Upon success, the smart contract may store the random payment ID, the service provider’s committed address, the aggregated approval signature, and the quorum of the approving statekeepers in a list of the user’s finalized transactions.

According to an embodiment of the invention, it may be provided that the user’s final transaction in the smart contract is executed using encrypted payment amounts on private accounts of the user and the service provider.

According to an embodiment of the invention, it may be provided that the smart contract running in the blockchain is used to process settlement requests initiated by the service provider in case the transaction does not appear on the blockchain after a predefined or configurable time.

According to an embodiment of the invention, it may be provided that the service provider directs a settlement request to the user or to a statekeeper to be refunded through a confidential payment either from the private collateral account of the user or the private collateral account of the respective statekeeper.

There are several ways how to design and further develop the teaching of the present invention in an advantageous way. To this end, it is to be referred to the dependent claims on the one hand and to the following explanation of preferred embodiments of the invention by way of example, illustrated by the figure on the other hand. In connection with the explanation of the preferred embodiments of the invention by the aid of the figure, generally preferred embodiments and further developments of the teaching will be explained. In the drawing

Fig. 1 is a table showing Snappy data structures used in a system according to embodiments of the present invention,

Fig. 2 is a table showing Zether functions used in a system according to embodiments of the present invention,

Fig. 3 is a table showing data structures of a transaction format used in a system according to embodiments of the present invention,

Fig. 4 is a table showing data structures of a smart contract used in a system according to embodiments of the present invention,

Fig. 5 is a schematic view illustrating a payment process between a user and a service provider in accordance with an embodiment of the present invention, and

Fig. 6 is a diagram showing modifications of a payment intent performed in accordance with an embodiment of the present invention.

Figs. 1-4 are illustrative of the notification used in the embodiments of the present invention described hereinafter in detail.

Apart from normal blockchain transactions, there are countless other payment systems that sit on top of a blockchain as smart contracts. These systems introduce arbitrary additional functionality, mainly to provide specific properties that are not provided by normal blockchain transactions. In the current state of the art, one can categorize three major types of payment systems that are primarily relevant to scenarios such as retail or online stores. 1. Standard blockchain payments. In Ethereum, for instance, such a transaction simply contains the sender, receiver, payment amount and a digital signature created by the sender’s account. Once the transaction is mined and finalized on the blockchain, the payment value is transferred from the sender’s account to the receiver’s account.

Due to their simplicity, such payments have low fees but are slow, as it is necessary to wait (usually several minutes) until the transaction is safely finalized on the blockchain. As such, they are not practical for small, fast payments during day-to- day use. However, the main advantage over e.g. credit card providers is that these blockchain payments are decentralized, and hence there is no particular entity that could block the transactions.

2. Fast blockchain payments. To address latency issues, there are systems implemented as smart contracts that allow fast approval of payments. The main idea is for users to deposit a collateral to a smart contract. This collateral is used to provide a guarantee to a receiving service provider, such that they can accept the payment before it is finalized on the blockchain. There are several systems which use such mechanisms.

Payment channels enable to establish a relationship between a particular user and service provider. Such channels allow to create multiple transactions without submitting all transactions to the blockchain network. In particular, it is possible to combine hundreds or thousands of transactions into a single blockchain transaction. However, such channels are not practical for retail payments because users need to set up a payment channel with every service provider individually. This results in high locked-in collaterals, which is not scalable for users.

Payment hubs, on the other hand, allow users to communicate with several service providers. In this case, users register in a single smart contract that connects them with multiple service providers. During registration, they also need to deposit a collateral as a guarantee. The major drawback in such systems is that the size of the collateral that the hub operator needs to place scales with the total amount of registered users in the system, and hence becomes very large. Thus, such a system is not scalable for larger deployment scenarios.

Sidechains are an alternative that rely on a smaller set of transaction validators. These validators collectively track and approve incoming transactions. However, the main problem with such systems are its trust assumptions. In particular, at least 2/3 of the validators must be trusted. Furthermore, these systems usually communicate through a BFT (Byzantine fault tolerance) protocol, which has high complexity and is therefore expensive in terms of latency and computational effort.

The Snappy payment system (as already mentioned above), which builds a point of reference for embodiments of the present invention, allows fast approval of payments with small user collaterals. This is achieved through a mechanism where each transaction is approved by a statekeeping entity. Statekeepers act as untrusted entities who collectively track and approve Snappy transactions. It can be assumed that most merchants also act as statekeepers, as this ensures them a fixed transaction fee (in contrast to value-based fees e.g. from credit-card providers). Statekeepers are also required to deposit a collateral during a one-time registration process.

The major benefit of Snappy is that user collaterals only need to cover a specific user’s expenditure, i.e. they do not depend on any other factors. Statekeeper collaterals, on the other hand, scale with the total amount of sales in the system. This is acceptable, because service providers benefit from low, fixed payment fees if they act as statekeepers. These fees are much lower compared to credit card providers.

3. Private blockchain payments. It is possible to achieve on-chain privacy through smart contracts as well. Embodiments of the present invention use the private payment system Zether (as already mentioned above) as point of reference. By using the zero-knowledge proof system Z-Bullets, it manages custom accounts that store and transfer encrypted amounts. Hence, it provides confidential (and optionally anonymous) payments on top of permissionless blockchains. Such systems have strong security and privacy guarantees as opposed to standard blockchain payments.

The payment systems mentioned above provide each interesting properties. However, they still have noteworthy limitations and drawbacks.

Vulnerability to censorship. Resilience to censoring is one major motivation to use permissionless blockchains for payments. However, in fast payment systems like payment hubs, sidechains and Snappy, these guarantees are violated. This is because a transaction can be safely accepted only if a majority approval of the statekeeping entities is received. It is recalled that the statekeeping entities are usually other competing service providers. Since statekeepers receive approval requests with the details of the payment intents in plain text, they can perform arbitrary censoring against particular service providers or users. This is a realistic threat in a competitive environment such as retail or online stores. As such, the security properties provided by fast blockchain payment systems that leverage a majority approval are weak and do not provide benefits over other existing systems such as credit card providers - in particular with regards to censoring.

Lack of confidentiality and anonymity. Another particular limitation of fast payment systems is weak privacy. In Snappy, for instance, users register to the system with their main blockchain accounts. Therefore, every transaction is traceable to their identity. All data in such a system is publicly available, and thus allows anyone to perform profiling of all users. This can be abused for example for marketing or political purposes. Such profiling can raise even stronger privacy concerns than for example payments by credit card.

Apart from user profiling, current fast payment systems also disclose essential business information of service providers to the public. In particular, all transaction details are stored publicly in plain text in the smart contract’s state. Therefore, it is possible to track each service provider’s transactions and thus retrieve information about their sales. In a competitive scenario of retail or online businesses, this is a realistic disadvantage of using such a system. Security instead of practicality. There are payment systems that do not suffer from the above problems. In particular, private payment systems introduce strong security and privacy guarantees as opposed to fast payment systems. By design, they are resilient to any censorship and do not enable any profiling of its userbase. However, such systems are impractical in real world scenarios such as retail and online payments. In particular, they do not provide any mechanism to reduce approval latency, and hence they suffer from the same latency problems as normal blockchain payments.

In view of the above, the system and the method proposed in accordance with embodiments of the present invention takes a hybrid approach that provides both fast and private payments. According to embodiments, the proposed payment method/system has a further property of being is flexible by design - it is possible to deploy it in different scenarios depending on whether public, confidential or anonymous payments are desired. In particular, it is designed to be resilient to any censoring - no matter whether the public, confidential or anonymous deployment scenario is chosen.

According to an embodiment of the present invention, the payment method/system accepts payments fast similar to Snappy. That is, it provides both payment and settlement protocols, wherein these protocols, as compared to Snappy, are particularly designed around stronger security and privacy guarantees. Furthermore, the processes are compatible with improved, Zether-style private accounts for payments and for collaterals.

In contrast to Snappy, the payment method/system according to embodiments of the present invention provides and administers its own (private) accounts. This allows easier integration of both private payments and private settlements. The administration may be performed by a dedicated smart contract. In addition to Zether-style accounts, the payment method/system according to embodiments of the present invention also introduces a new type of private collateral account. To allow settlement claims to be transferred confidentially, these collateral accounts are administered completely differently compared to general Zether-style accounts. The exact details of the individual steps in the payment process according to embodiments of the invention are completely changed with respect to Zether. In particular, service providers and users create a new type of payment intent that hides all details and guarantees resilience to any censoring from the statekeepers. Additionally, since all accounts contain encrypted balances, service providers verify zero-knowledge proofs created by users to ensure that the private collateral balance is sufficient to cover the pending payments. Finally, the finalized transaction in the payment system’s smart contract is executed using encrypted payment amounts on the private accounts. All of these mechanisms provide fast payments that are secure (censorship-resilient) and private (confidential and anonymous).

According to embodiments of the invention, the settlement process, in contrast to Snappy, may be split into two separate functions for claiming different entities. In particular, a process for claiming users and a process for claiming statekeepers may be provided. In both cases, the processes are completely redesigned to allow service providers to be refunded through confidential payments from the newly introduced private collateral accounts.

All of the mentioned mechanisms contribute to a new, unique payment system with properties that have not been achieved in any previous system. In conclusion, the solution according to embodiments of the invention leads to a system that is fast, censorship-resilient, confidential, anonymous, has small user collaterals, and does not require any additional trust assumptions.

The main technical challenges that need to be solved to build such a new system are as follows:

Censoring:

Service providers require a majority approval for each payment. In particular, statekeepers need to ensure that they have not signed a conflicting transaction for a particular user. Hence, they require some notion of the user’s identity. In previous designs of fast payment systems (Snappy), statekeepers approve payment intents that contain the user’s identity, the service provider’s identity, and the payment value all in plaintext. This automatically introduces a link of failure, because statekeepers can purposefully censor particular users or service providers. It is recalled that if a service provider does not receive signature from the majority of the statekeepers, they cannot safely accept the payment. This is considered to be a realistic threat in a typical retail payment scenario, where service providers take the role of statekeepers. A set of colluding service providers (statekeepers) could decide to not process any payments of another competing victim service provider. In order to prevent censorship in decentralized payment systems like Snappy, the payment method/system according to embodiments of the present invention is designed to meet the following three high-level goals (a.-c.). a. Payment value based censoring. The first goal towards censorship-resilience is to hide the payment price. The main problem is that malicious statekeepers may be able to guess the recipient’s identity based on the payment price. Certain goods are almost uniquely identifiable according to their price. Therefore, malicious statekeepers could still discriminate against a particular service provider in specific cases. Similarly, in certain scenarios, malicious statekeepers could discriminate against particular users. They could prevent a targeted user from buying some goods if they manage to guess what is purchased. The goal of this mitigation is that statekeepers cannot discriminate against service providers (or users) based on the transaction amount. b. Service provider identity based censoring. In a simple design like in Snappy, statekeepers receive the service provider’s identity in plain text. This is to ensure that nobody can create a second transaction for a different transaction that would conflict with the approved transaction. Therefore, in such a design, the statekeepers can still see who the recipient of the payment in plain text. Hence, they could perform censorship based on the service provider’s identity (recall that statekeepers are usually other competing service providers). Thus, one wants all service providers to be treated equally. More precisely, the goal is to hide the service provider’s identity from the statekeepers during the payment approval process. The rationale is that if the statekeepers do not know who the payment recipient (service provider) is, they cannot discriminate against a particular service provider by selectively blocking its payments. It is noted that a blanket DoS attack, where statekeepers do not approve any payment, is of course possible. c. User identity based censoring. Statekeepers need to ensure whether they have already signed a transaction for a particular user and payment index. In a simple design as in previous systems the payment intent would simply contain the user’s identity. Therefore, the statekeepers can discriminate against a particular user because their address is available in plaintext in a payment intent. This is arguably the most difficult problem to solve, because the statekeepers need to know some connection to the user’s identity.

Privacy:

Embodiments of the present invention leverage techniques introduced in private payment systems and combine it with a design of a system like Snappy that supports fast payments. In this regard, one of the problems is to devise a system that provides the same security guarantees as in fast payment systems, but does not compromise any privacy guarantees provided by private payment systems. The main challenges throughout a private payment and private settlement process are as follows:

Private payment process. In a naive design, one could devise a payment process identically to e.g. the Snappy payment system, with the only difference that the final step in the smart contract simply triggers a payment in an existing private payment system like Zether. Such a design has several flaws. First of all, it would violate the privacy guarantees of private payment systems, because Snappy discloses user’s details. Furthermore, it would also violate the Snappy security guarantees. In particular, a service provider needs to check whether a user’s or statekeeper’s collateral is sufficient to cover the current and all pending transactions. Since all payments contain encrypted amounts, the payment process needs to provide additional mechanisms to enable such checks.

Private settlement process. Most problems arise with respect to correct processing of settlement claims. In particular, statekeepers need to verify whether there are conflicting transactions in the system, i.e. whether a particular user has created two different transaction for the same payment index.

According to embodiments, the present invention provides a payment method/system that supports fast, confidential and anonymous payments, as well as confidential settlements.

In order to account for censorship-resilience, embodiments of the invention implement at least one of payment value obfuscation, service provider identity obfuscation and user identity obfuscation.

Payment value obfuscation. One of the inventors’ main observation is that statekeepers do not need to know the value of each approved payment. Previously, a Snappy transaction was uniquely identified given all four values, i.e. the Snappy index, the user’s address, the service provider’s address, and the payment value. However, it is sufficient to consider a transaction unique if the triplet containing only the payment index, the user’s address, and the service provider’s address is unique.

Service provider identity obfuscation. Further, it has been recognized that the Snappy protocol can be modified such that service provider addresses remain hidden from statekeepers during the payment approval, which prevents censorship against service providers. The main technical challenge is to hide the address such that it is still securely bound to the payment approval and can be later revealed for settlement if needed. In this context, embodiments of the present invention leverage Pedersen commitments where the service provider can blind the address for the duration of the payment approval, and evaluate the additional cost.

The idea is that once the service provider receives the initial payment intent INT _C from the user, the service provider replaces their address in the payment intent by a Pedersen commitment c = C(r _m , r), where r is a random blinding value. The statekeepers will sign the payment intent that contains the blinded service provider identity. The commitment will be only opened if the service provider needs to request a settlement, in which case an entity acting as an arbiter will verify it. User identity obfuscation. According to embodiments of the invention, censorship is prevented by replacing the address of the user payment Intent with a randomized payment ID (RPID) that is generated using a verifiable random function (VRF) for each payment separately.

More precisely, at enrollment, the user may generate a VRF key-pair. The VRF public key is registered to the payment system’s smart contract together with the user’s deposit and the user keeps the secret key to themselves. For each new payment, the user uses the private key to generate a new RPID as VRF output using the current (monotonically increasing) payment index as the VRF input. The user also creates a VRF proof that allows the service provider to verify that the RPID was created correctly for the current payment index. Statekeepers approve only one payment per RPID.

The security and privacy guarantees of such mitigation rely on two properties of VRFs. The first property is uniqueness, which ensures that for the same VRF input (payment index, in the present case) only one correct VRF output (RPID, in the present case) can be generated. Because malicious users cannot create multiple RPIDs for the same index, and because statekeepers track double-spending per payment index, a malicious user cannot double-spend. The second property is pseudorandomness, which ensures that every RPID is unlinkable to the address of the user or any previous RPID used by the same user. This prevents statekeepers from censoring payments based on the identity of the user.

In order to account for the privacy of payments, i.e. to provide strong privacy guarantees during payment, embodiments of the invention leverage Zether-style transactions that confidentially (or potentially anonymously) transfer funds from the user to the service provider. These payments can be processed the same way as in Zether (i.e. encrypted payment values are transferred using zero-knowledge proofs). However, according to embodiments further improvements to the payment process may be introduced such that it provides a guarantee to the service provider. This consists of a user’s additional zero-knowledge proof and a signature signing a settlement request which can be used later during settlement to show that the collateral is sufficient to cover the payment value. As such, embodiments of the present invention provide a payment method/system realizing the following aspects:

1. Hiding the payments values using commitment schemes and using VRF to hide the user identity.

2. Using range proofs to prove balance at time of payments.

3. Combining the above with payment collateral systems to reach privacypreserving and censorship resistant fast payments in the blockchain.

Embodiments of the present invention employ two types of accounts - user accounts and collateral accounts. User accounts can be used to freely transfer funds to other user accounts. Collateral accounts, on the other hand, are administered solely by a smart contract and are used during settlement claims. The main idea is for users to deposit a collateral to the smart contract. This collateral is used to provide a guarantee to a receiving service provider, such that they can accept the payment before it is finalized on the blockchain.

For both types of accounts, the balances are stored as ciphertexts. In this regard, it may be provided that the smart contract stores a dictionary that maps account addresses (i.e. EIGamal public keys) to EIGamal homomorphic encrypted values.

For user accounts, embodiments of the present invention assume the same model as in existing private payment systems, such as Zether (as disclosed in B. Bunz, S. Agrawal, M. Zamani, and D. Boneh: “Zether: Towards Privacy in a Smart Contract World, 07 2020, pp. 423-443. https://crypto.stanford.edu/~buenz/papers/zether.pdf, which is hereby incorporated herein by reference). In particular, accounts may be managed in epochs. A receiving account stores incoming transactions in a pending list and rolls them over into the account balance only at the end of each epoch. This prevents front-running of transactions. Furthermore, embodiment of the invention may leverage the same type of zero-knowledge proofs for user accounts as described in the above Zether reference. Collateral accounts are similar to user accounts, however, they are administered differently. In particular, transfers apart from registration and deregistration can be only triggered internally by the smart contract during settlement. Furthermore, the statements of the zero-knowledge proofs are slightly different to the ones required for user accounts. Specific details are described more in-depth further below.

According to embodiments, in order to use the system according to the present invention, users should ensure to meet the following conditions:

• Own a VRF (Verifiable Random Function) key pair used to create Random Payment IDs (RPID).

• Own an EIGamal key pair for a system user account which holds the user’s main funds for payments.

• Own an EIGamal key pair for a system collateral account which is used during settlement.

To register the details in the system, it may be provided that the users trigger a registration process by initiating a blockchain transaction which contains the following details:

• Register the corresponding VRF public key to the system.

• Register the collateral account address which will be linked to the VRF public key.

Finally, upon registration the system’s smart contract may create a new user entry C[c] in its state, which may contain the following details (as in the table shown in Fig. 4):

• The address corresponding to the user’s collateral account.

• A new dictionary D of finalized transactions.

• A new dictionary O of observed transaction hashes.

• A new dictionary T (trace) of past settlement claims. Its first entry is initialised as and where c _b is the ciphertext corresponding to the initial balance of the user’s collateral account. With regard to service provider registration, before using the system, service providers need to ensure they meet the following conditions:

• Own a valid keypair for one main user account where the payments will be transferred to.

• Own a valid keypair for one secondary user account where settlements will be transferred to.

• The service provider has received a value v _t from each statekeeper. This value is a fraction of each statekeeper’s collateral that they have allocated to the service provider.

As will be appreciated by those skilled in the art, in the case where only confidential payments are required and used, the main user account and the secondary user account can be the same.

To register the details in the system, service providers may trigger a service provider registration process by initiating a blockchain transaction that contains the following details:

• Register the secondary user account address.

Finally, upon registration the system’s smart contract creates a new user entryMfm] in its state containing (as in the Table shown in Fig. 4):

• The secondary user account address that the service provider has submitted.

With regard to statekeeper registration, before using the system, statekeepers need to ensure they meet the following conditions:

• Own a valid BLS (Boneh-Lynn-Shacham) keypair.

• Own an EIGamal key-pair for a collateral account that is used during settlement.

• Allocate a fraction of the total collateral to each service provider, i.e. create k values for each service provider, all values should add up to the total collateral amount.

• Encrypt each value v _t into a ciphertext c _i with the EIGamal public key of the collateral account.

• Send each allocated value v _t to the corresponding service provider. • Create a zero-knowledge proof n _reg that shows that the sum of all ciphertexts is equal to the total collateral.

To register the details in the system, statekeepers may trigger a statekeeper registration process by initiating a blockchain transaction that contains the following details:

• The BLS public key.

• A proof of knowledge of the BLS private key to prevent rogue key attacks (as described in T. Ristenpart and S. Yilek, “The power of proofs-of-possession: Securing multiparty signatures against rogue-key attacks,” in Advances in Cryptology - EUROCRYPT 2007, M. Naor, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2007, pp. 228-245)

• All ciphertexts c _i , ..., c _k .

• The zero-knowledge proof n _reg .

Finally, upon registration the system’s smart contract may perform the following actions: (as in the Table shown in Fig. 4):

• Verifies the proof of knowledge of the BLS secret key.

• Verifies the zero-knowledge proof π _reg .

• Creates a new entry S[s] in its state (according to the Table shown in Fig. 4) which contains:

- The BLS public key.

- The statekeeper’s collateral account address.

- A list of k ciphertexts corresponding to the allocated fraction to each service provider.

The most important function in the system is the payment process. This process, which may be triggered by a transaction signed by a user, transfers funds confidentially (or anonymously) to a particular service provider. This is the intended use case according to embodiments of the present invention, and in general this payment process should be successful - unless either a user or a statekeeper acts maliciously. Next, the exact process and steps involved in creating and processing a fast transaction according to embodiments of the present invention will be described with reference to Fig. 5, in which method steps 1-8 are indicated. The notation follows the Tables shown in Figs. 1-4, in particular Fig. 4, which provides a list of transaction details.

1. Payment initialization

As shown at step 1 in Fig. 5, the user 110 creates a private payment intent PINT _C which includes:

• a payment index i,

• a random payment ID RPID = VRFhash(

• the address of the service provider’s private collateral account m.

Next, the user 110 may create details for a confidential (or optionally anonymous) transaction:

Confidential payment. In this case, the user 110 may execute a Zether function, namley CreateTransferTx, with the inputs being the user’s 110 EIGamal public key y, the service provider’s 120 EIGamal public key y, the user’s 110 EIGamal secret key x, the user’s110 user account balance bf, and the payment amount v. This method returns ci phertexts (c*, c"*), a zero-knowledge proof ir _trans (showing that the user’s 110 balance is sufficient and that c* = ?, and a signature a _trans .

Anonymous payment. In the case of anonymous payments, the user 110 may execute another Zether function, namley CreateAnonTransferTx with inputs being an anonymity set U which contains both the user’s 110 and the service provider’s 120 accounts, the index if of the user’s 110 user account, the index i _t0 of the service provider’s user account, the user’s 110 EIGamal secret key x, the balance bf of the user’s 110 user account, the payment amount v, and the current state of the system’s smart contract 150. This method returns a set of ciphertexts {cj, a nonce u, and a zero-knowledge proof ir _trans . Additionally, the user 110 may create a second zero-knowledge proof TT _CO1 . This proof is over the user private collateral’s balance. In particular, it must show that the sum of all pending payments including the current payment is less than the user’s 110 current private collateral balance. The current collateral balance can be found in the trace C[c]. T. More formally, it must hold that where n denotes the final index of the list C[c]. T. Such a proof can be created and verified efficiently using Z-Bullets, which denotes a hybrid system based on Z- Protocols combined with Bulletproofs (for reference, see B. Bunz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and G. Maxwell, “Bulletproofs: Short proofs for confidential transactions and more,” Cryptology ePrint Archive, Report 2017/1066, 2017, https://eprint.iacr.org/2017/1066, which is hereby incorporated herein by reference).

According to embodiments of the present invention, the user 110 may send to the service provider 120 the following details:

• the payment intent PINT _C ,

• the VRF public key pk _vr p

• the VRF proof n _vr f = VRFprove(sk _vr p i),

• the encrypted payment amounts,

• the zero-knowledge proof TT _CO1 ,

• the list S _c of pending transactions.

2 User evaluation

After payment initialization, as shown in Fig. 5, at step 2 the service provider 120 may perform the following checks:

• For each index j e {1, ..., PINT _c [i]}, there exists an approved transaction T' with index j such that either T e BC[c] or i e S[c],

• the received pk _vr/ is registered on the system’s smart contract 150,

• VRFverify

• VRFproof2 • verifies the details of the confidential/anonymous payment, in particular the correctness of the zero-knowledge proof ir _trans and the signature a _trans ,

• verifies the additional zero-knowledge proof TT _COI to ensure that the user’s 110 private collateral is sufficient to cover all pending transactions and the current transaction.

3 Service provider address obfuscation

According to embodiments of the present invention, it may be provided that the service provider 120 modifies the payment intent PINT _C to hide their collateral address. That is, the service provider 120 replaces their collateral address by the commitment c _m = C^m. r^ , where r _m is a random blinding factor.

The service provider 120 may then transmit (e.g. via broadcasting) the modified payment intent PINT _C to a majority of statekeepers 130.

Modifications payment intent PINT _C performed by the service provider 120 and by the user 110 are exemplary illustrated in Fig. 6.

4 Payment approval

According to embodiments of the present invention, each statekeeper 130 may evaluate the payment intent received from the service provider 120 as follows:

They check from their local list that they have not already approved a payment with the same RPID. If a matching RPID is found, they abort and notify the service provider 120 accordingly.

On the other hand, if a statekeeper 130 has not seen the respective RPID value for the same index before, they approve the payment and send it back to the service provider 120. According to embodiments of the invention, approving a payment may be performed by computing a BLS signature The statekeeper 130 may append the approved RPID value to their local list.

5 Statekeeper evaluation

If a majority of statekeepers 130 rejects the payment intent, the service provider 120 notifies the user 110 and aborts the payment process.

Upon success, i.e. at least half of the statekeepers 130 approved the payment intent, the service provider 120 checks succeeds for all signatures and upon success, aggregates them into

In addition to the verification of the signatures and their aggregation, the service provider 120 may check that each statekeeper 130 who has approved the intent allocated enough collateral to the service provider 120. This can be done easily because the service provider 120 knows the corresponding fraction of each statekeeper’s 130 collateral in plaintext.

According to an embodiment of the invention, the service provider 120 stores the payment intent PINT _C together with the blinding factor r _m , the VRF proof n _vrf , and the zero-knowledge proof TT _COI in their long-term state. This is to be able to claim settlement later.

Furthermore, the service provider 120 may send the aggregated BLS signature A and the blinding factor r _m to the user 110.

6 Check commitment

According to an embodiment of the invention, as shown at step 6 in Fig. 5, the user 110 verifies the aggregated BLS signature A. Furthermore, the user 110 may check that the service provider’s 120 commitment contained in the payment intent is equal to C(m, r _m ).

7 Transaction finalization

According to an embodiment of the invention, as shown at step 7 in Fig. 5, the user 110 creates a final transaction containing one or more of the following details:

• Ta. system’s smart contract address,

• From, arbitrary blockchain address,

• payment index,

• RPID-. RPID,

• committed address c _m ,

• confidential payment, payment data anonymous payment, payment data

• aggregated BLS signature A,

• approving quorum q,

• operation,

• zero-knowledge proof n _trans >

• user’s system signature c _tra ns,

• skipped index.

The user 110 sends to the service provider 120 the created transaction (signed through a _trans ). According to an embodiment, the user 110 may additionally send a signature a _ciaim that signs the details of a (potential) settlement request, as will be described in more detail further below.

8 Payment acceptance

Upon receipt of the final transaction from the user 110, as shown at step 8 in Fig. 5, the service provider 120 verifies that the user 110 correctly constructed the transaction and correctly signed all details, namely in accordance with a predefined payment protocol. They check that the user has not replaced, omitted, or modified any of the values. Once the user’s 110 transaction is verified, the service provider 120 can safely hand over the goods (for which the funds are intended) to the user 110.

Finally, the service provider 120 broadcasts the transaction to the blockchain 140.

9 Payment logging

According to an embodiment of the invention, upon receipt of the payment, the system’s smart contract 150 finalizes the confidential (or anonymous) payment which transfers funds from the user 110 to the service provider 120.

Furthermore, upon success, the smart contract 150 may store the following details in a list C[c]. £)[i] of the user’s 110 finalized transactions, where i is the current transaction’s index:

• the RPID,

• the service provider’s committed addres c _m ,

• the aggregated approval signature A,

• the quorum q of the approving statekeepers.

As will be appreciated by those skilled in the art, because RPIDs are members of a group Z _n , there is a finite number of them. Therefore, there is a non-zero, but very low probability that the user 110 generates an RPID value that already exists. If this occurs, the statekeepers 130 reject the payment intent and the service provider 120 can notify the user 110 according! 1y. The user 110 can restart the payment procedure from the beginning but this time with payment index i + 1. According to an embodiment of the invention, in the final transaction, an additional field is added to notify that one index has been skipped because of a collision.

In a simple implementation of the payment process as described above, the statekeepers 130 would maintain an ever-increasing list of already approved RPID values. According to an embodiment of the present invention, it may be provided that the statekeepers 130, to reduce their storage requirement, could prune their local list and periodically delete sufficiently old RPID values (e.g. older than 24h). Such pruning is safe to perform because service providers 120 could detect reuse of sufficiently old payment index values from the blockchain 140.

Embodiments of the present invention address the case, in which a transaction does not appear on the blockchain 140 after a reasonable (e.g. predefined or configurable) time. It may be provided that in such case, the service provider 120 can initiate a settlement process. It is possible that the payment fails due to a malicious user 110 double-spending their funds or due to an equivocating statekeeper 130 signing conflicting transactions. In both cases, it may be provided that the service provider 120 is eligible to be refunded by the system’s smart contract 150, given that the service provider 120 has followed to payment protocol.

According to embodiments of the invention, it may be provided that a service provider 120 can claim settlement from either the statekeeper’s 130 collateral or the user’s 110 collateral. Hereinafter, both cases will be described, wherein T denotes the transaction that is being claimed, and T denotes another approved transaction that conflicts with T.

Claim Statekeeper

In the case where there exist conflicting transactions signed by the same statekeeper 130, the service provider 120 can initiate a claim from the equivocating statekeeper’s 130 collateral. To initiate the settlement request, the service provider 120 may submit a transaction to the system, wherein the request may include one or more of the following details:

• The details of the payment intent PINT _C that the service provider 120 wants to settle,

• the aggregated BLS signature A that signs the payment intent PINT _C ,

• the quorum q of signers that signed the payment intent,

• the blinding factor r _m ,

• the VRF proof n _vrf ,

• a signature a _m that signs the details of the settlement request with the public key y' corresponding to the service provider’s 120 secondary account that is registered in the system, • two ciphertexts that encrypt the payment amount with public keys y _sk and y^, respectively (wherein public key y _sk corresponds to the equivocating statekeeper’s 130 collateral account, and public key ^corresponds to the service provider’s 120 secondary user account),

• the address m of the service provider’s 120 secondary user account,

• the address of the equivocating statekeeper’s 130 collateral account,

• a list of conflicting transactions T _cnfl (for efficiency, it may be assumed that |TT _C nfil = 1) containing the details of T' ,

• a zero-knowledge proof ir _claim which shows that both c* and c* encrypt the same value and that the equivocating statekeeper’s 130 collateral is sufficient to cover the current transaction that is being claimed (for efficiency, it is assumed that at most one statekeeper 130 is claimed and hence the service provider 120 needs to submit only one such zero-knowledge proof for a particular equivocating statekeeper 130).

According to an embodiment of the present invention, the settlement request may be processed as follows: Once the payment system’s smart contract 150 receives the above details in a blockchain 140 transaction, it performs the following actions:

• Verifies that the transaction being settled is not yet contained in its state,

• verifies that the service provider’s 120 collateral account is registered in the payment system’s smart contract 150,

• verifies that the equivocating statekeeper’s 130 collateral account is registered in the payment system’s smart contract 150,

• verifies the service provider’s 120 signature a _m ,

• verifies that the statekeeper 130 being claimed is indeed contained in both quora Tq and x _q ' ,

• verifies the aggregated BLS signatures T _A and T' _A given the quora and r' _q , respectively,

• verifies the commitment by checking that z _cm = C(m, r _m ),

• verifies the correctness of the VRF proof ir _vrf by checking that • verifies the correctness of the zero-knowledge proof n _claim , based on the (encrypted) fraction of the collateral balance that the statekeeper 130 has allocated to the service provider 120,

• once all checks succeed, the payment system’s smart contract 150 subtracts the encrypted amount c* from the statekeeper’s 130 collateral account, and adds c* to the service provider’s 120 secondary user account (this can be done in line with the usual transfer process),

• once the corresponding amounts are transferred, the payment system’s smart contract 150 stores the details of the transaction that was claimed in the list C[c]. £) of the user’s 110 finalized transactions,

• returns successfully.

Claim User

In the case where there exist no conflicting transactions, the service provider 120 can initiate a claim from the user’s 110 collateral. To initiate the settlement request, the service provider 120 may create a transaction with one or more of the following details:

• The details of the payment intent PINT _C that the service provider 120 wants to settle,

• the aggregated BLS signature A that signs the payment intent PINT _C ,

• the quorum q of signers that signed the payment intent,

• the blinding factor r _m ,

• the VRF proof ir _vrf ,

• a signature a _c that signs the details of the settlement request with the public key y _c corresponding to the user’s 110 collateral account,

• a signature <j _m that signs the details of the settlement request with the public key y^ corresponding to the service provider’s 120 secondary account that is registered in the system,

• two ciphertexts (c*,-? ⁷ ) that encrypt the payment amount with the public keys y _c and y^, respectively,

• the address m of the service provider’s 120 collateral account,

• a list T _p of transactions that were pending during approval, • the zero-knowledge proof TT _COI which shows that both c* and "c ⁷ encrypt the same value and that the user’s 110 collateral is sufficient to cover all transactions in T _p together with the current transaction that is being claimed.

According to an embodiment of the present invention, the settlement request may be processed as follows: Once the payment system’s smart contract 150 receives the above details in a blockchain 140 transaction, it performs the following actions:

• Verifies that the transaction being settled is not yet contained in its state,

• verifies that the service provider’s 120 collateral account is registered in the payment system’s smart contract 150,

• verifies that the equivocating statekeeper’s 130 collateral account is registered in the payment system’s smart contract 150,

• verifies the service provider’s 120 signature a _m ,

• verifies the user’s 110 signature for transaction T,

• verifies that there is no transaction in its state that conflicts with T or any of the pending transactions. According to embodiments, this may happen in two steps:

- the payment system’s smart contract 150 looks up the list of finalized transactions, i.e. for T and all T' e T _P , it checks that C[T _C ]. £) [T _£ ] and do not conflict with T,

- the payment system’s smart contract 150 looks up the list of observed transactions, i.e. for T and all T' e T _p , it checks that C[T _C ]. 0 [T _£ ]. /I

• verifies the user’s 110 signature for each of the transactions in T _P ,

• verifies the aggregated BLS signature T _A given the quorum z _q ,

• verifies the aggregated BLS signatures T' _A given the quorum x' _q for all T' e T _p ,

• verifies the commitment by checking that z _cm = C(m, r _m ),

• verifies the correctness of the VRF proof ir _vrf by checking that

• looks for the past collateral balance stored in where j is the highest index such that the conditions and are met - in other words, the entry must satisfy that its corresponding system index is smaller than the index T _£ of the settled transaction, and that no transaction with the same system index idx is contained in the set of pending transactions provided by the service provider 120,

• verifies the zero-knowledge proof TT _CO1 , i.e. that the past collateral balance found in the previous step is sufficient to cover the settled transaction and all transactions in T _P and that (c*,-? ⁷ ) encrypt the same value,

• once all checks succeed, the payment system’s smart contract 150 subtracts the encrypted amount c* from the statekeeper’s 130 collateral account, and adds "c ⁷ to the service provider’s 120 secondary user account (this can be done in line with the usual transfer process),

• once the corresponding amounts are transferred, the payment system’s smart contract 150 appends a new entry and where n is the length of the list T and pcol* is the user’s 110 updated collateral balance,

• the payment system’s smart contract 150 stores the details of the settled transaction in the list C[c]. £) of the user’s 110 finalized transactions,

• finally, for each pending transaction T' e T _P that is not yet finalized in C[c].£) such that C[C]. O [T-]. /I = 1, the payment system’s smart contract 150 sets where H is a collision-resistant hash function (in other words, the smart contract logs the hash of the payment intent if it has not yet been finalized and only observed now),

• returns successfully.

The fast payment method/system according to embodiments as disclosed herein provides the advantage of censorship-resilience. During approval, the only way for statekeepers to learn additional information about the transaction is by inspecting the payment intent. In this case, they are unable to perform censoring on the payment amount as it is completely removed from the intent. Furthermore, they cannot learn the service provider’s identity, as Pedersen commitments are perfectly hiding and the blinding value is never disclosed to the statekeepers. It can be observed that a dictionary attack on the RPID is impossible, as the statekeepers would need to learn the VRF proof which is not provided to them at any point. It is recalled that the service providers have an economic incentive to protect privacy. Therefore, also the user’s identity remains hidden.

The fast payment method/system according to embodiments as disclosed herein provides the further advantage of guaranteed funds. Once a service provider’s payment intent is approved and they followed the protocol, they must be guaranteed to receive the funds, even if the payment fails. This guarantee is trivially satisfied if the payment succeeds. If the payment fails, it has to be shown that the payment system’s smart contract will always accept a service provider’s settlement request if the service provider has followed the protocol.

In the statekeeper settlement, the only difference to the prior art designs of fast payment systems such as Snappy is that the final transaction while claiming a statekeeper is performed through the confidentially. As a benign service provider creates a correct zero-knowledge proof on the collateral account balance, such a transaction is thus guaranteed to succeed.

In the case where a user is claimed, it has to be shown that the provided zeroknowledge proof π _CO1 always succeeds. The main idea here is that for a correct proof to not succeed, the payment system’s smart contract would need to find a different past collateral entry. By design, this entry would be corresponding to a transaction T with a lower index and which was settled later (after the creation of the zeroknowledge proof). If T was pending during the creation of the zero-knowledge proof, then it is the service provider’s own fault, because they did not account for this transaction in the proof. On the other hand, if T was not pending (i.e. finalized), the service provider did not follow the protocol, because they should have created the zero-knowledge proof on the more recent collateral balance. It can be seen that in any case, if the proof fails, the service provider did not follow the protocol.

The fast payment method/system according to embodiments as disclosed herein provides the further advantage of correct settlement. For the statekeeper settlement, the payment system’s smart contract verifies the zero-knowledge proof which shows that the private statekeeper collateral suffices to cover the current transaction and all pending transactions. Therefore, it is guaranteed that the statekeeper’s collateral is not overspent, given that an adversary is not able to create false proofs.

The argument for correct user settlement is a bit more involved, and we will only describe a high-level intuition. The main idea is that the user creates a zeroknowledge proof on the current collateral during payment. During settlement, the payment system’s smart contract backtraces its state to find the corresponding past collateral. One knows that if the state Sc (see Table in Fig. 1) is compatible with the transaction (i.e. the service provider did its due diligence) and there are no conflicting transactions in the system, then the user’s collateral is sufficient to cover the costs. Hence, the payment system’s smart contract checks that there are no conflicting transactions and finds a past collateral that is compatible with the information the service provider provided. Proof of compatibility provides the attached zero-knowledge proof.

The fast payment method/system according to embodiments as disclosed herein provides the further advantage of payment privacy. During payment, no benign service provider nor the user reveals their identity or the payment amount at any point during payment. Thus, the same guarantees with regards to confidentiality and anonymity as in Zether apply to the payment process according to embodiments of the present invention. The fast payment method/system according to embodiments as disclosed herein provides the further advantage of settlement privacy. The settlements do not support anonymity. However, they support confidentiality of both the user’s and statekeeper’s collateral. For statekeepers, the total balance of their collateral remains private if not all service providers disclose every allocated fraction of the total collateral. If only one service provider keeps their allocation private, the exact total amount remains private. The only information that could be learned from revealing the fractional allocations is a lower bound on the statekeeper’s collateral. This is due to the fact that the statekeeper does not share the disclosed total value with any other party - only a fraction to each service provider. Furthermore, all operations on the collateral can be performed either through zero-knowledge proofs or through encrypted homomorphic operations.

Furthermore, the user’s collateral remains completely private. Neither the user nor the service provider disclose their identities and the payment amount at any point, and all operations on user collaterals are performed through zero-knowledge proofs. Hence, it can be concluded that the same privacy guarantees apply as in Zether. As will be appreciated by those skilled in the art this holds under the assumption that neither the user nor the service provider disclose the payment amount publicly in plaintext. This is a fair assumption because both parties have an economic incentive to protect each other’s privacy.

Many modifications and other embodiments of the invention set forth herein will come to mind to the one skilled in the art to which the invention pertains having the benefit of the teachings presented in the foregoing description and the associated drawings. Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.