PrivPay: Privacy Preserving Payments in Credit Networks

PrivPay Logo

A credit network models trust between agents in a distributed environment and enables payments between arbitrary pairs of agents. With their flexible design and robustness against intrusion, credit networks form the basis of several Sybil-tolerant social networks, spam-resistant communication protocols, and payment systems. Existing systems, however, expose agents’ trust links as well as the existence and volumes of payment transactions, which is considered sensitive information in social environments or in the financial world. This raises a challenging privacy concern, which has largely been ignored by the research on credit networks so far.

In this work, we present the first available formal definitions of privacy for credit networks. Morever, we present PrivPay, the first provably secure privacy preserving payment protocol for credit networks. The distinguishing feature of PrivPay is the obliviousness of transactions, which entails strong privacy guarantees for the network links. PrivPay does not require any trusted third party, maintains a high accuracy of the transactions, and provides an economical solution to network service providers. It is also general-purpose and applicable to all credit network-based systems. We implemented PrivPay and demonstrated its practicality by privately emulating transactions performed in the Ripple payment system over a period of four months.

PrivPay Overview

PrivPay Overview

The functionality at the client is kept as simple as possible. In particular, Privpay only requires the client to be able to create a secure communication channel (e.g., TLS channel) with the service provider. On the other hand, the functionality at the service provider is divided into two modules: universe creator module and transaction module. PrivPay does not introduce significant computational or financial overhead to either the credit network service provider or the users. In particular, we avoid computationally burdensome cryptography at the user ends, which paves the way for deploying PrivPay on mobile devices such as smartphones.

PrivPay's achieves the following system goals:

  • Performance. The response time of PrivPay to a transaction request is on the order of a few seconds.
  • Accuracy. PrivPay maintains the same level of accuracy as non-privacy preserving credit networks.
  • Rate limiting. Privpay restricts the number of queries that a (malicious) user issues aiming at reducing the usability for the rest of users.
  • Generality. Our privacy-preserving credit network is applicable to many credit network-based systems.
  • Scalability. PrivPay is able to cater to a growing user base without significantly decreasing the performance.

The details of our system can be found in our research paper.

Privacy Definitions

This work presents for first time formal definitions for privacy properties within credit networks. In particular, we characterize two fundamental privacy properties for transactions in a credit network, namely, value privacy and receiver privacy.

Transaction value privacy We say that a credit network maintains value privacy if the adversary cannot determine the value of a transaction between two non-compromised users.

Transaction receiver privacy We say that a credit network maintains receiver privacy if the adversary cannot determine the receiver of a transaction, as long as this is issued by a non-compromised sender.

Our research paper contains the full details of the corresponding crytographic definitions.


We have developed a prototypical C++ implementation to demonstrate the feasibility of our construction. The implementation encompasses both the universe creator module and the transaction module. For symmetric encryption, we have used the Intel AES-NI library to interact with the AES hardware implementation available on our test machine. We conducted our experiments on a machine with an Intel Xeon E5-4650L 2.60 GHz processor and 790 GB RAM.

We have extracted the full Ripple credit network (i.e., its full ledger) at two different points in time: ledger 2830040 in October 2013 and ledger 4547183 in January 2014, along with all the transactions carried out in this period of time. The obtained raw dataset has been filtered according to a criteria detailed in our research paper. Our final experiment dataset contains a graph with a set of 14,317 nodes and 14,176 links along with a transaction set composed of 8,124 payment transactions and 14,922 modify link transactions.

Adapted Canal PrivPay
payment time (ms) 0.078 1510
create/modify link time (ms) 0.005 95
Accuracy 97% 95%

Viswanath et al. gave us access to their Canal prototype code. We have adapted it to support directed graphs; thus we are able to simulate our Ripple credit network dataset. This experiment has allowed us to study the impact of adding privacy into a payment system.