On Tue, Nov 14, 2017 at 01:21:14AM +0000, Gregory Maxwell via bitcoin-dev wrote: > Jump to "New things here" if you're already up to speed on CT and just > want the big news. > This work also allows arbitrarily complex conditions to be proven in > the values, not just simple ranges, with proofs logarithmic in the > size of the arithmetic circuit representing the conditions being > proved--and still with no trusted setup. As a result it potentially > opens up many other interesting applications as well. > > The pre-print on this new work is available at https://eprint.iacr.org/2017/1066 Re: section 4.6, "For cryptocurrencies, the binding property is more important than the hiding property. An adversary that can break the binding property of the commitment scheme or the soundness of the proof system can generate coins out of thin air and thus create uncontrolled but undetectable inflation rendering the currency useless. Giving up the privacy of a transaction is much less harmful as the sender of the transaction or the owner of an account is harmed at worst." I _strongly_ disagree with this statement and urge you to remove it from the paper. The worst-case risk of undetected inflation leading to the destruction of a currency is an easily quantified risk: at worst any given participant loses whatever they have invested in that currency. While unfortunate, this isn't a unique or unexpected risk: cryptocurrencies regularly lose 50% - or even 90% - of their value due to fickle markets alone. But cryptocurrency owners shrug these risks off. After all, it's just money, and diversification is an easy way to mitigate that risk. But a privacy break? For many users _that_ threatens their very freedom, something that's difficult to even put a price on. Furthermore, the risk of inflation is a risk that's easily avoided: at a personal level, sell your holdings in exchange for a less risky system; at a system-wide level, upgrade the crypto. But a privacy leak? Once I publish a transaction to the world, there's no easy way to undo that act. I've committed myself to trusting the crypto indefinitely, without even a sure knowledge of what kind of world I'll live in ten years down the road. Sure, my donation to Planned Parenthood or the NRA might be legal now, but will it come back to haunt me in ten years? Fortunately, as section 4.6 goes on to note, Bulletproofs *are* perfectly hiding. But that's a feature we should celebrate! The fact that quantum computing may force us to give up that essential privacy is just another example of quantum computing ruining everything, nothing more. -- https://petertodd.org 'peter'[:-1]@petertodd.org