Compact Confidential Transactions

in technology •  3 years ago 

An enhancement is suggested to make Bitcoin transaction amounts hidden to all but the sender and receiver.

In each transaction, the output amounts are encrypted with the public keys of the respective receivers.
Only the transaction fee is publicly revealed, to allow miners to prioritise
transactions. A homomorphic commitment for each transaction proves
that the sum of the transaction inputs matches the sum of its outputs.
A short Non-Interactive Zero-Knowledge Proof (NIZKP) for each output
also convinces all verifiers that the sum does not overflow. Address
construction includes an additional public view key to allow senders to
encrypt output values. This approach practically resolves a core privacy
issue in Bitcoin, but without overwhelming implementation complexity.
The required commitments are an order of magnitude smaller than those
proposed for Confidential Transactions, and do not depend on ring signatures.

http://www.voxelsoft.com/dev/cct.html

Does anyone have a link to a working implementation?

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

According to this bitcointalk thread as of Feb. 3rd, 2016:

Unfortunately, Andrew Poelstra was able to break the cryptosystem for this scheme's range-proofs. The author is working on fixing it, and I'm hopeful for progress there. This may take a bit of time, so if you're looking for something to test right now the CT feature in the Elements/Alpha is the best that is out there at the moment.

"Andrew Poelstra was able to break the cryptosystem for this scheme's range-proofs"

  • How can we prove that is true, and not "Poloniex Matthew" (a btctalk newbie) just spreading fud because of his knowledge of a competing tech perhaps..?

Well anything is possible, but the tone of the post seems legitimate. It would be good to verify the statement from multiple sources.

Disappointing to hear that the Compact CT's range-proofs were broken. But even if that is fixed, what I want to know is if Compact CT is compatible with RingCT. I hope so, but if not, I would still prefer the heavier-weight CT that is compatible with RingCT. I think something like RingCT is highly desirable because it could allow for decentralized spontaneous coin-mixing with no trusted third-parties, which would enable a much better stealth implementation than what currently exists in BitShares (even ignoring current GUI limitations).

  ·  3 years ago (edited)

Can you explain how stealth works in BitShares? An issue with RingCT (or any ring signatures) is that it only mixes between a small number of potential senders, limited by the transaction size. In a TXO-based blockchain without address reuse, this is not really an issue because no one knows who owns most of the TXOs, so the effective anonymity set is much larger. In Steem where most account ownership is transparent and tied to public posting/commenting identities, the anonymity set would be very small. But maybe BitShares-style stealth changes this in a manner I don't understand given my lack of familiarity with it.

  ·  3 years ago (edited)

Can you explain how stealth works in BitShares?

That feature is not really even used in practice as far as I know right now. So you might as well think that it basically doesn't exist it. But basically it is just using stealth addresses (in other words the best practices for Bitcoin of using new unique addresses for each transaction automatically) along with blinding the amounts using CT. There are two problems with it. One, it is vulnerable to blockchain analysis (joins of TXOs tell you that those outputs had belonged to the same user) just like Bitcoin. Two, signalling for the existence of received funds needs to occur out-of-band (it isn't scalable to force users to scan the entire blockchain) which means that improper backup after receiving funds could mean the loss of those funds.

An issue with RingCT (or any ring signatures) is that it only mixes between a small number of potential senders, limited by the transaction size.

I don't really view that as a huge problem. Coin mixing services limit the number of inputs too, but they can still be very useful. You can wait longer and do more rounds of mixing if you want greater anonymity.

In a TXO-based blockchain without address reuse, this is not really an issue because no one knows who owns most of the TXOs, so the effective anonymity set is much larger.

Reasoning about the privacy protection with stealth addresses is much harder than coin mixing because of blockchain analysis. All the future transactions one does that are forced to join their previous TXOs in order to have a large enough balance to pay someone can reveal their metadata of transactions of the distant past. The privacy protection against blockchain analysis is also very dependent on who the privacy attacker is and whether they have done a lot of transactions with you and the people you have done transactions with. I find it much easier to reason about privacy with a on-blockchain coin mixing system (using something like RingCT), and therefore have more confidence in using such a system to protect my privacy. And that's before even considering the other practical benefits like not requiring out-of-band signaling of received funds or risking loss of funds if you don't backup after receiving funds.

  ·  3 years ago (edited)

Reasoning about the privacy protection with stealth addresses is much harder than coin mixing because of blockchain analysis.

In case this was not clear I was referring to the use of stealth addresses along with RingCT. Yes, some care is necessary with joining, but you do have mixing, and without the issues of accounts being tied to visible identities as in an account-based system (at least one like Steem).

Can you give a specific example of how RingCT would work in order for you to privately send me funds (for example with multiple rounds of mixing) without that being traceable on the blockchain? And how does the CT part of RingCT work with accounts having visible balances? Are the account balances blinded?