Re: [bitcoin-dev] Create a BIP to implement Confidential Transactions in Bitcoin Core

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: ZmnSCPxj <ZmnSCPxj@protonmail•com>
To: "Kenshiro \\[\\]" <tensiam@hotmail•com>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>
Cc: SomberNight <somber.night@protonmail•com>
Subject: Re: [bitcoin-dev] Create a BIP to implement Confidential Transactions in Bitcoin Core
Date: Wed, 02 Jan 2019 13:39:57 +0000	[thread overview]
Message-ID: <knV3VcCBvchmrBDvcYs8I2mImVR7_fbYmtWPY1GOxHkhKlYsMjFCReM1d3_me13YekyI4NZYRovD8s103Yj6wLWBMir6SOBYlrCdS1tLqgo=@protonmail.com> (raw)
In-Reply-To: <DB6PR10MB1832A1A6EB2628CAB0035192A6B00@DB6PR10MB1832.EURPRD10.PROD.OUTLOOK.COM>

Good morning SomberNight,

> "Bulletproofs ... are computationally binding. An adversary that could
> break the discrete logarithm assumption could generate acceptable range
> proofs for a value outside the correct range. ... An adversary that can
> break the binding property of the commitment scheme or the soundness of
> the proof system can generate coins out of thin air and thus create
> uncontrolled but undetectable inflation rendering the currency useless"
>
> I don't have the domain knowledge to debate whether quantum computers will
> ever exist but AFAICT their emergence would easily kill a currency that
> uses these kind of range proofs for confidential transactions.

This can be mitigated by splitting the blockchain into a public part and a confidential-transactions part (i.e. extension block).
This may be necessary for softforking of CT onto the blockchain anyway; existing pre-CT coins remain in the public part.

When moving from public to CT, you send to some special "lockbox address" on the public part, then they will now be put in a coinbase-like transaction on the CT part.
You then do some mixing and splitting in the CT part to obscure which of your UTXOs have what value.
Then to move from CT to public, you can claim any of the lockboxes on the public part, by revealing the values of your CT UTXOs (and destroying them) and showing that they are equal or less than the lockboxes you are claiming on the public part, and putting back any remainder between the lockboxes total and your own CT UTXOs into another lockbox UTXO.

This is essentially the same concept as sidechains, but with the "side" chain here being part of the consensus, and thus an extension block instead of a true sidechain.

In this way, the amount of total money in the CT part is the sum of all the lockboxes.
In case of a cryptographic break in the CT rangeproof protocol, then the first owner of a quantum computer can claim all the lockboxes, but at least the damage is bounded to only those UTXOs in the CT part.
UTXOs in the public part retain their money.
In addition, since creation of new coins remains in the public part, coin supply is protected, which I believe is the most important property.

The weakness in this scheme is that there is incentive not to put your money for long in the CT part.

Note that CT only hides transaction values.
Structure of transactions from payers to payees remains visible onchain.
I would suggest rather to use MimbleWimble, since at least under MimbleWimble transaction structure will need to be stored by the monitors of the blockchain rather than by the blockchain itself, which would help reduce their ability to see into historical data (they would only be able to see data they recorded themselves, and MimbleWimble allows third-party trustless CoinJoin so they might not even record accurate transaction structure).
Drawback is lack of SCRIPT, but Scriptless Script should be sufficient for e.g. LN.

Regards,
ZmnSCPxj

next prev parent reply	other threads:[~2019-01-02 13:40 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-28 21:41 SomberNight
2018-12-29 11:56 ` Kenshiro []
2019-01-02 13:39   ` ZmnSCPxj [this message]
  -- strict thread matches above, loose matches on Subject: below --
2018-12-27 20:15 Kenshiro []

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='knV3VcCBvchmrBDvcYs8I2mImVR7_fbYmtWPY1GOxHkhKlYsMjFCReM1d3_me13YekyI4NZYRovD8s103Yj6wLWBMir6SOBYlrCdS1tLqgo=@protonmail.com' \
    --to=zmnscpxj@protonmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=somber.night@protonmail$(echo .)com \
    --cc=tensiam@hotmail$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox