đź“… Original date posted:2016-08-08
đź“ť Original message:Hi Henning,
1. The fees are paid by the enclosing BTC transaction.
2. The hash is encoded into an OP_RETURN.
> Regarding the blinding factor, I think you could just use HMAC.
How exactly?
Tony
2016-08-08 18:47 GMT+03:00 Henning Kopp <henning.kopp at uni-ulm.de>:
> Hi Tony,
>
> I see some issues in your protocol.
>
> 1. How are mining fees handled?
>
> 2. Assume Alice sends Bob some Coins together with their history and
> Bob checks that the history is correct. How does the hash of the txout
> find its way into the blockchain?
>
> Regarding the blinding factor, I think you could just use HMAC.
>
> All the best
> Henning
>
>
> On Mon, Aug 08, 2016 at 06:30:21PM +0300, Tony Churyumoff via bitcoin-dev
> wrote:
> > This is a proposal about hiding the entire content of bitcoin
> > transactions. It goes farther than CoinJoin and ring signatures, which
> > only obfuscate the transaction graph, and Confidential Transactions,
> which
> > only hide the amounts.
> >
> > The central idea of the proposed design is to hide the entire inputs and
> > outputs, and publish only the hash of inputs and outputs in the
> > blockchain. The hash can be published as OP_RETURN. The plaintext of
> > inputs and outputs is sent directly to the payee via a private message,
> and
> > never goes into the blockchain. The payee then calculates the hash and
> > looks it up in the blockchain to verify that the hash was indeed
> published
> > by the payer.
> >
> > Since the plaintext of the transaction is not published to the public
> > blockchain, all validation work has to be done only by the user who
> > receives the payment.
> >
> > To protect against double-spends, the payer also has to publish another
> > hash, which is the hash of the output being spent. We’ll call this hash
> *spend
> > proof*. Since the spend proof depends solely on the output being spent,
> > any attempt to spend the same output again will produce exactly the same
> > spend proof, and the payee will be able to see that, and will reject the
> > payment. If there are several outputs consumed by the same transaction,
> > the payer has to publish several spend proofs.
> >
> > To prove that the outputs being spent are valid, the payer also has to
> send
> > the plaintexts of the earlier transaction(s) that produced them, then the
> > plaintexts of even earlier transactions that produced the outputs spent
> in
> > those transactions, and so on, up until the issue (similar to coinbase)
> > transactions that created the initial private coins. Each new owner of
> the
> > coin will have to store its entire history, and when he spends the coin,
> he
> > forwards the entire history to the next owner and extends it with his own
> > transaction.
> >
> > If we apply the existing bitcoin design that allows multiple inputs and
> > multiple outputs per transaction, the history of ownership transfers
> would
> > grow exponentially. Indeed, if we take any regular bitcoin output and
> try
> > to track its history back to coinbase, our history will branch every time
> > we see a transaction that has more than one input (which is not
> uncommon).
> > After such a transaction (remember, we are traveling back in time), we’ll
> > have to track two or more histories, for each respective input. Those
> > histories will branch again, and the total number of history entries
> grows
> > exponentially. For example, if every transaction had exactly two inputs,
> > the size of history would grow as 2^N where N is the number of steps back
> > in history.
> >
> > To avoid such rapid growth of ownership history (which is not only
> > inconvenient to move, but also exposes too much private information about
> > previous owners of all the contributing coins), we will require each
> > private transaction to have exactly one input (i.e. to consume exactly
> one
> > previous output). This means that when we track a coin’s history back in
> > time, it will no longer branch. It will grow linearly with the number of
> > transfers of ownership. If a user wants to combine several inputs, he
> will
> > have to send them as separate private transactions (technically, several
> > OP_RETURNs, which can be included in a single regular bitcoin
> transaction).
> >
> > Thus, we are now forbidding any coin merges but still allowing coin
> > splits. To avoid ultimate splitting into the dust, we will also require
> > that all private coins be issued in one of a small number of
> > denominations. Only integer number of “banknotes” can be transferred,
> the
> > input and output amounts must therefore be divisible by the denomination.
> > For example, an input of amount 700, denomination 100, can be split into
> > outputs 400 and 300, but not into 450 and 250. To send a payment, the
> > payer has to pick the unspent outputs of the highest denomination first,
> > then the second highest, and so on, like we already do when we pay in
> cash.
> >
> > With fixed denominations and one input per transaction, coin histories
> > still grow, but only linearly, which should not be a concern in regard to
> > scalability given that all relevant computing resources still grow
> > exponentially. The histories need to be stored only by the current owner
> > of the coin, not every bitcoin node. This is a fairer allocation of
> > costs. Regarding privacy, coin histories do expose private transactions
> > (or rather parts thereof, since a typical payment will likely consist of
> > several transactions due to one-input-per-transaction rule) of past coin
> > owners to the future ones, and that exposure grows linearly with time,
> but
> > it is still much much better than having every transaction immediately on
> > the public blockchain. Also, the value of this information for potential
> > adversaries arguably decreases with time.
> >
> > There is one technical nuance that I omitted above to avoid distraction.
> > Unlike regular bitcoin transactions, every output in a private payment
> > must also include a blinding factor, which is just a random string. When
> > the output is spent, the corresponding spend proof will therefore depend
> on
> > this blinding factor (remember that spend proof is just a hash of the
> > output). Without a blinding factor, it would be feasible to pre-image
> the
> > spend proof and reveal the output being spent as the search space of all
> > possible outputs is rather small.
> >
> > To issue the new private coin, one can burn regular BTC by sending it to
> > one of several unspendable bitcoin addresses, one address per
> denomination.
> > Burning BTC would entitle one to an equal amount of the new private
> coin,
> > let’s call it *black bitcoin*, or *BBC*.
> >
> > Then BBC would be transferred from user to user by:
> > 1. creating a private transaction, which consists of one input and
> several
> > outputs;
> > 2. storing the hash of the transaction and the spend proof of the
> consumed
> > output into the blockchain in an OP_RETURN (the sender pays the
> > corresponding fees in regular BTC)
> > 3. sending the transaction, together with the history leading to its
> input,
> > directly to the payee over a private communication channel. The first
> > entry of the history must be a bitcoin transaction that burned BTC to
> issue
> > an equal amount of BCC.
> >
> > To verify the payment, the payee:
> > 1. makes sure that the amount of the input matches the sum of outputs,
> and
> > all are divisible by the denomination
> > 2. calculates the hash of the private transaction
> > 3. looks up an OP_RETURN that includes this hash and is signed by the
> > payee. If there is more than one, the one that comes in the earlier
> block
> > prevails.
> > 4. calculates the spend proof and makes sure that it is included in the
> > same OP_RETURN
> > 5. makes sure the same spend proof is not included anywhere in the same
> or
> > earlier blocks (that is, the coin was not spent before). Only
> transactions
> > by the same author are searched.
> > 6. repeats the same steps for every entry in the history, except the
> first
> > entry, which should be a valid burning transaction.
> >
> > To facilitate exchange of private transaction data, the bitcoin network
> > protocol can be extended with a new message type. Unfortunately, it
> lacks
> > encryption, hence private payments are really private only when bitcoin
> is
> > used over tor.
> >
> > There are a few limitations that ought to be mentioned:
> > 1. After user A sends a private payment to user B, user A will know what
> > the spend proof is going to be when B decides to spend the coin.
> > Therefore, A will know when the coin was spent by B, but nothing more.
> > Neither the new owner of the coin, nor its future movements will be
> known
> > to A.
> > 2. Over time, larger outputs will likely be split into many smaller
> > outputs, whose amounts are not much greater than their denominations.
> > You’ll have to combine more inputs to send the same amount. When you
> want
> > to send a very large amount that is much greater than the highest
> available
> > denomination, you’ll have to send a lot of private transactions, your
> > bitcoin transaction with so many OP_RETURNs will stand out, and their
> > number will roughly indicate the total amount. This kind of privacy
> > leakage, however it applies to a small number of users, is easy to avoid
> by
> > using multiple addresses and storing a relatively small amount on each
> > address.
> > 3. Exchanges and large merchants will likely accumulate large coin
> > histories. Although fragmented, far from complete, and likely outdated,
> it
> > is still something to bear in mind.
> >
> > No hard or soft fork is required, BBC is just a separate privacy
> preserving
> > currency on top of bitcoin blockchain, and the same private keys and
> > addresses are used for both BBC and the base currency BTC. Every BCC
> > transaction must be enclosed into by a small BTC transaction that stores
> > the OP_RETURNs and pays for the fees.
> >
> > Are there any flaws in this design?
> >
> > Originally posted to BCT https://bitcointalk.org/index.
> php?topic=1574508.0,
> > but got no feedback so far, apparently everybody was consumed with
> bitfinex
> > drama and now mimblewimble.
> >
> > Tony
>
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev at lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
> --
> Henning Kopp
> Institute of Distributed Systems
> Ulm University, Germany
>
> Office: O27 - 3402
> Phone: +49 731 50-24138
> Web: http://www.uni-ulm.de/in/vs/~kopp
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160808/1ce6b828/attachment.html>;
Tony Churyumoff [ARCHIVE] /
npub1nk…pugay
2023-06-07 19:52:24
in reply to nevent1q…c95n
Author Public Key
npub1nk74067d6t4s9rxlad2ldmpr5wfe3uaquafs8hgklwlmh35y97gqrpugayPublished at
2023-06-07 19:52:24Event JSON
{
"id": "8825afadfd68a58eb094cc66e37ba9e13ecb0cca6bab53b92ff885c0c1f7e2ab",
"pubkey": "9dbd57ebcdd2eb028cdfeb55f6ec23a39398f3a0e75303dd16fbbfbbc6842f90",
"created_at": 1686160344,
"kind": 1,
"tags": [
[
"e",
"ae333d0f17a38f0d93813c9365e2b4c52ff978cb9edb0ac873b1bbe342d91c71",
"",
"root"
],
[
"e",
"d5f5cae5c8c15c44dac61f545781360739e255f861ef972695ded6e893821deb",
"",
"reply"
],
[
"p",
"5f0a91713bf7b0eac4f3af9f2a7714d917168ae44ba350b1b95c1d4b32c3ce35"
]
],
"content": "📅 Original date posted:2016-08-08\n📝 Original message:Hi Henning,\n\n1. The fees are paid by the enclosing BTC transaction.\n2. The hash is encoded into an OP_RETURN.\n\n\u003e Regarding the blinding factor, I think you could just use HMAC.\nHow exactly?\n\nTony\n\n\n2016-08-08 18:47 GMT+03:00 Henning Kopp \u003chenning.kopp at uni-ulm.de\u003e:\n\n\u003e Hi Tony,\n\u003e\n\u003e I see some issues in your protocol.\n\u003e\n\u003e 1. How are mining fees handled?\n\u003e\n\u003e 2. Assume Alice sends Bob some Coins together with their history and\n\u003e Bob checks that the history is correct. How does the hash of the txout\n\u003e find its way into the blockchain?\n\u003e\n\u003e Regarding the blinding factor, I think you could just use HMAC.\n\u003e\n\u003e All the best\n\u003e Henning\n\u003e\n\u003e\n\u003e On Mon, Aug 08, 2016 at 06:30:21PM +0300, Tony Churyumoff via bitcoin-dev\n\u003e wrote:\n\u003e \u003e This is a proposal about hiding the entire content of bitcoin\n\u003e \u003e transactions. It goes farther than CoinJoin and ring signatures, which\n\u003e \u003e only obfuscate the transaction graph, and Confidential Transactions,\n\u003e which\n\u003e \u003e only hide the amounts.\n\u003e \u003e\n\u003e \u003e The central idea of the proposed design is to hide the entire inputs and\n\u003e \u003e outputs, and publish only the hash of inputs and outputs in the\n\u003e \u003e blockchain. The hash can be published as OP_RETURN. The plaintext of\n\u003e \u003e inputs and outputs is sent directly to the payee via a private message,\n\u003e and\n\u003e \u003e never goes into the blockchain. The payee then calculates the hash and\n\u003e \u003e looks it up in the blockchain to verify that the hash was indeed\n\u003e published\n\u003e \u003e by the payer.\n\u003e \u003e\n\u003e \u003e Since the plaintext of the transaction is not published to the public\n\u003e \u003e blockchain, all validation work has to be done only by the user who\n\u003e \u003e receives the payment.\n\u003e \u003e\n\u003e \u003e To protect against double-spends, the payer also has to publish another\n\u003e \u003e hash, which is the hash of the output being spent. We’ll call this hash\n\u003e *spend\n\u003e \u003e proof*. Since the spend proof depends solely on the output being spent,\n\u003e \u003e any attempt to spend the same output again will produce exactly the same\n\u003e \u003e spend proof, and the payee will be able to see that, and will reject the\n\u003e \u003e payment. If there are several outputs consumed by the same transaction,\n\u003e \u003e the payer has to publish several spend proofs.\n\u003e \u003e\n\u003e \u003e To prove that the outputs being spent are valid, the payer also has to\n\u003e send\n\u003e \u003e the plaintexts of the earlier transaction(s) that produced them, then the\n\u003e \u003e plaintexts of even earlier transactions that produced the outputs spent\n\u003e in\n\u003e \u003e those transactions, and so on, up until the issue (similar to coinbase)\n\u003e \u003e transactions that created the initial private coins. Each new owner of\n\u003e the\n\u003e \u003e coin will have to store its entire history, and when he spends the coin,\n\u003e he\n\u003e \u003e forwards the entire history to the next owner and extends it with his own\n\u003e \u003e transaction.\n\u003e \u003e\n\u003e \u003e If we apply the existing bitcoin design that allows multiple inputs and\n\u003e \u003e multiple outputs per transaction, the history of ownership transfers\n\u003e would\n\u003e \u003e grow exponentially. Indeed, if we take any regular bitcoin output and\n\u003e try\n\u003e \u003e to track its history back to coinbase, our history will branch every time\n\u003e \u003e we see a transaction that has more than one input (which is not\n\u003e uncommon).\n\u003e \u003e After such a transaction (remember, we are traveling back in time), we’ll\n\u003e \u003e have to track two or more histories, for each respective input. Those\n\u003e \u003e histories will branch again, and the total number of history entries\n\u003e grows\n\u003e \u003e exponentially. For example, if every transaction had exactly two inputs,\n\u003e \u003e the size of history would grow as 2^N where N is the number of steps back\n\u003e \u003e in history.\n\u003e \u003e\n\u003e \u003e To avoid such rapid growth of ownership history (which is not only\n\u003e \u003e inconvenient to move, but also exposes too much private information about\n\u003e \u003e previous owners of all the contributing coins), we will require each\n\u003e \u003e private transaction to have exactly one input (i.e. to consume exactly\n\u003e one\n\u003e \u003e previous output). This means that when we track a coin’s history back in\n\u003e \u003e time, it will no longer branch. It will grow linearly with the number of\n\u003e \u003e transfers of ownership. If a user wants to combine several inputs, he\n\u003e will\n\u003e \u003e have to send them as separate private transactions (technically, several\n\u003e \u003e OP_RETURNs, which can be included in a single regular bitcoin\n\u003e transaction).\n\u003e \u003e\n\u003e \u003e Thus, we are now forbidding any coin merges but still allowing coin\n\u003e \u003e splits. To avoid ultimate splitting into the dust, we will also require\n\u003e \u003e that all private coins be issued in one of a small number of\n\u003e \u003e denominations. Only integer number of “banknotes” can be transferred,\n\u003e the\n\u003e \u003e input and output amounts must therefore be divisible by the denomination.\n\u003e \u003e For example, an input of amount 700, denomination 100, can be split into\n\u003e \u003e outputs 400 and 300, but not into 450 and 250. To send a payment, the\n\u003e \u003e payer has to pick the unspent outputs of the highest denomination first,\n\u003e \u003e then the second highest, and so on, like we already do when we pay in\n\u003e cash.\n\u003e \u003e\n\u003e \u003e With fixed denominations and one input per transaction, coin histories\n\u003e \u003e still grow, but only linearly, which should not be a concern in regard to\n\u003e \u003e scalability given that all relevant computing resources still grow\n\u003e \u003e exponentially. The histories need to be stored only by the current owner\n\u003e \u003e of the coin, not every bitcoin node. This is a fairer allocation of\n\u003e \u003e costs. Regarding privacy, coin histories do expose private transactions\n\u003e \u003e (or rather parts thereof, since a typical payment will likely consist of\n\u003e \u003e several transactions due to one-input-per-transaction rule) of past coin\n\u003e \u003e owners to the future ones, and that exposure grows linearly with time,\n\u003e but\n\u003e \u003e it is still much much better than having every transaction immediately on\n\u003e \u003e the public blockchain. Also, the value of this information for potential\n\u003e \u003e adversaries arguably decreases with time.\n\u003e \u003e\n\u003e \u003e There is one technical nuance that I omitted above to avoid distraction.\n\u003e \u003e Unlike regular bitcoin transactions, every output in a private payment\n\u003e \u003e must also include a blinding factor, which is just a random string. When\n\u003e \u003e the output is spent, the corresponding spend proof will therefore depend\n\u003e on\n\u003e \u003e this blinding factor (remember that spend proof is just a hash of the\n\u003e \u003e output). Without a blinding factor, it would be feasible to pre-image\n\u003e the\n\u003e \u003e spend proof and reveal the output being spent as the search space of all\n\u003e \u003e possible outputs is rather small.\n\u003e \u003e\n\u003e \u003e To issue the new private coin, one can burn regular BTC by sending it to\n\u003e \u003e one of several unspendable bitcoin addresses, one address per\n\u003e denomination.\n\u003e \u003e Burning BTC would entitle one to an equal amount of the new private\n\u003e coin,\n\u003e \u003e let’s call it *black bitcoin*, or *BBC*.\n\u003e \u003e\n\u003e \u003e Then BBC would be transferred from user to user by:\n\u003e \u003e 1. creating a private transaction, which consists of one input and\n\u003e several\n\u003e \u003e outputs;\n\u003e \u003e 2. storing the hash of the transaction and the spend proof of the\n\u003e consumed\n\u003e \u003e output into the blockchain in an OP_RETURN (the sender pays the\n\u003e \u003e corresponding fees in regular BTC)\n\u003e \u003e 3. sending the transaction, together with the history leading to its\n\u003e input,\n\u003e \u003e directly to the payee over a private communication channel. The first\n\u003e \u003e entry of the history must be a bitcoin transaction that burned BTC to\n\u003e issue\n\u003e \u003e an equal amount of BCC.\n\u003e \u003e\n\u003e \u003e To verify the payment, the payee:\n\u003e \u003e 1. makes sure that the amount of the input matches the sum of outputs,\n\u003e and\n\u003e \u003e all are divisible by the denomination\n\u003e \u003e 2. calculates the hash of the private transaction\n\u003e \u003e 3. looks up an OP_RETURN that includes this hash and is signed by the\n\u003e \u003e payee. If there is more than one, the one that comes in the earlier\n\u003e block\n\u003e \u003e prevails.\n\u003e \u003e 4. calculates the spend proof and makes sure that it is included in the\n\u003e \u003e same OP_RETURN\n\u003e \u003e 5. makes sure the same spend proof is not included anywhere in the same\n\u003e or\n\u003e \u003e earlier blocks (that is, the coin was not spent before). Only\n\u003e transactions\n\u003e \u003e by the same author are searched.\n\u003e \u003e 6. repeats the same steps for every entry in the history, except the\n\u003e first\n\u003e \u003e entry, which should be a valid burning transaction.\n\u003e \u003e\n\u003e \u003e To facilitate exchange of private transaction data, the bitcoin network\n\u003e \u003e protocol can be extended with a new message type. Unfortunately, it\n\u003e lacks\n\u003e \u003e encryption, hence private payments are really private only when bitcoin\n\u003e is\n\u003e \u003e used over tor.\n\u003e \u003e\n\u003e \u003e There are a few limitations that ought to be mentioned:\n\u003e \u003e 1. After user A sends a private payment to user B, user A will know what\n\u003e \u003e the spend proof is going to be when B decides to spend the coin.\n\u003e \u003e Therefore, A will know when the coin was spent by B, but nothing more.\n\u003e \u003e Neither the new owner of the coin, nor its future movements will be\n\u003e known\n\u003e \u003e to A.\n\u003e \u003e 2. Over time, larger outputs will likely be split into many smaller\n\u003e \u003e outputs, whose amounts are not much greater than their denominations.\n\u003e \u003e You’ll have to combine more inputs to send the same amount. When you\n\u003e want\n\u003e \u003e to send a very large amount that is much greater than the highest\n\u003e available\n\u003e \u003e denomination, you’ll have to send a lot of private transactions, your\n\u003e \u003e bitcoin transaction with so many OP_RETURNs will stand out, and their\n\u003e \u003e number will roughly indicate the total amount. This kind of privacy\n\u003e \u003e leakage, however it applies to a small number of users, is easy to avoid\n\u003e by\n\u003e \u003e using multiple addresses and storing a relatively small amount on each\n\u003e \u003e address.\n\u003e \u003e 3. Exchanges and large merchants will likely accumulate large coin\n\u003e \u003e histories. Although fragmented, far from complete, and likely outdated,\n\u003e it\n\u003e \u003e is still something to bear in mind.\n\u003e \u003e\n\u003e \u003e No hard or soft fork is required, BBC is just a separate privacy\n\u003e preserving\n\u003e \u003e currency on top of bitcoin blockchain, and the same private keys and\n\u003e \u003e addresses are used for both BBC and the base currency BTC. Every BCC\n\u003e \u003e transaction must be enclosed into by a small BTC transaction that stores\n\u003e \u003e the OP_RETURNs and pays for the fees.\n\u003e \u003e\n\u003e \u003e Are there any flaws in this design?\n\u003e \u003e\n\u003e \u003e Originally posted to BCT https://bitcointalk.org/index.\n\u003e php?topic=1574508.0,\n\u003e \u003e but got no feedback so far, apparently everybody was consumed with\n\u003e bitfinex\n\u003e \u003e drama and now mimblewimble.\n\u003e \u003e\n\u003e \u003e Tony\n\u003e\n\u003e \u003e _______________________________________________\n\u003e \u003e bitcoin-dev mailing list\n\u003e \u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e \u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e\n\u003e\n\u003e --\n\u003e Henning Kopp\n\u003e Institute of Distributed Systems\n\u003e Ulm University, Germany\n\u003e\n\u003e Office: O27 - 3402\n\u003e Phone: +49 731 50-24138\n\u003e Web: http://www.uni-ulm.de/in/vs/~kopp\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160808/1ce6b828/attachment.html\u003e",
"sig": "031b9c1c04839b75b4e34646b910adee3ef6a45df70cb626979345338dabdee0a5805e6d34b64f3b46344e0922323cab0e2bb81bc4e88e3397f6f13305952714"
}