Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

DAO to (Anonymous) DAO Transactions

Minfeng Qi, Lin Zhong, Qin Wang

Abstract

Blockchain assets are increasingly controlled by organizations rather than individuals. DAO treasuries, consortium wallets, and custodial exchanges rely on threshold authorization and multi-party key management, yet existing payment mechanisms still target single-user wallets, leaving no unified solution for organizational transfers. We formalize the problem of \emph{DAO-to-(anonymous)-DAO} transactions and present \textsc{Dao$^2$}, a framework that enables one threshold-controlled organization to pay another, optionally with recipient anonymity, while keeping received funds under distributed control. \textsc{Dao$^2$} combines three components: \emph{distributed key derivation} (DKD) for non-stealth child addresses, \emph{distributed stealth-address generation} (DSAG) for unlinkable one-time destinations, and \emph{threshold signatures} for authorization. For ordinary transfers, the receiver derives a non-stealth address via DKD; for anonymous transfers, it derives a stealth address via DSAG. The sender then threshold-signs the payment, and the receiver redeems the funds without reconstructing any master secret. We formally prove its security and evaluate a prototype. A complete anonymous DAO-to-DAO transaction for a typical-sized (e.g., 7-member) DAO finishes in under 27\,ms with less than 1.2\,KB of communication, and scales linearly with DAO size.

DAO to (Anonymous) DAO Transactions

Abstract

Blockchain assets are increasingly controlled by organizations rather than individuals. DAO treasuries, consortium wallets, and custodial exchanges rely on threshold authorization and multi-party key management, yet existing payment mechanisms still target single-user wallets, leaving no unified solution for organizational transfers. We formalize the problem of \emph{DAO-to-(anonymous)-DAO} transactions and present \textsc{Dao}, a framework that enables one threshold-controlled organization to pay another, optionally with recipient anonymity, while keeping received funds under distributed control. \textsc{Dao} combines three components: \emph{distributed key derivation} (DKD) for non-stealth child addresses, \emph{distributed stealth-address generation} (DSAG) for unlinkable one-time destinations, and \emph{threshold signatures} for authorization. For ordinary transfers, the receiver derives a non-stealth address via DKD; for anonymous transfers, it derives a stealth address via DSAG. The sender then threshold-signs the payment, and the receiver redeems the funds without reconstructing any master secret. We formally prove its security and evaluate a prototype. A complete anonymous DAO-to-DAO transaction for a typical-sized (e.g., 7-member) DAO finishes in under 27\,ms with less than 1.2\,KB of communication, and scales linearly with DAO size.

Paper Structure

This paper contains 49 sections, 19 theorems, 55 equations, 7 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Basic Notation
  4. Stealth Addresses
  5. Threshold Signatures
  6. BIP32-Style Key Derivation
  7. Threat Model & Security Goals
  8. System Model
  9. Adversary Model
  10. Security Goals
  11. Construction
  12. Overview
  13. Distributed Key Derivation
  14. Distributed Stealth Address Generation
  15. Threshold-Signature Instantiation
  16. ...and 34 more sections

Key Result

Theorem 1

For every honestly executed transaction involving qualified subsets $S_1 \subseteq [n_1]$ and $S_2 \subseteq [n_2]$, the one-time destination $D^{(k)}$ produced in Phase I satisfies where $d_j^{(k)} = b_j^{(k)} + \rho^{(k)}$ are the recovered one-time shares in Phase II. Furthermore, any qualified receiver-side subset can produce a valid threshold signature under $D^{(k)}$, and all honest parties

Figures (7)

  • Figure 1: Dao$^2$ framework. ➀ DKG distributes key shares to each DAO. ➁ The receiver derives a child key (DKD); for anonymous transfers the sender also generates a stealth destination (DSAG). ➂ The sender threshold-signs the payment. ➃ Blockchain validates and confirms the transaction. ➄ The receiver detects the output, recovers one-time shares, redeems via threshold signing, and updates its state.
  • Figure 2: End-to-end execution of a Dao$^2$ transaction. The left column covers transaction generation (child-key allocation, stealth-destination generation, threshold authorization); the right column covers receiver-side detection, distributed one-time share recovery, threshold redemption, and state evolution. Cross-phase parameters: chaincode $cc^{(k)}$, shared secret $\Omega^{(k)} \leftrightarrow \Omega'^{(k)}$, and Lagrange-based aggregation throughout.
  • Figure 3: Per-module computation cost versus DAO size $n$ ($t=2$). DKD and threshold signing remain lightweight; DSAG cost grows linearly with $n$ due to per-member EC scalar multiplications.
  • Figure 4: End-to-end transaction latency versus DAO size $n$ ($t=2$). Phase I and Phase II have comparable cost; total latency grows linearly and remains below 75 ms even for $n{=}20$.
  • Figure 5: Per-transaction communication overhead versus DAO size $n$. DKD metadata and the two threshold-signature outputs are constant; DSAG communication scales linearly with $n$ due to per-member commitments, openings, and share verifications.
  • ...and 2 more figures

Theorems & Definitions (37)

  • Definition 1: Transaction correctness
  • Definition 2: Threshold spending security
  • Definition 3: Recipient privacy and unlinkability
  • Definition 4: Robustness and state evolution
  • Theorem 1: Transaction correctness
  • Theorem 2: Threshold spending security
  • Theorem 3: Recipient privacy and unlinkability
  • Theorem 4: Robustness and state evolution
  • Proposition 1: Forward secrecy under key erasure
  • Lemma 1: Distributed key derivation consistency
  • ...and 27 more