Minor edits for style and clarity
This commit is contained in:
parent
d1f7fbdbe4
commit
59507c2ea3
1 changed files with 7 additions and 7 deletions
14
bsip-1201.md
14
bsip-1201.md
|
@ -13,13 +13,13 @@ Confidential Assets (CA) [[2]](#see-also) extends Confidential Transactions (CT)
|
||||||
|
|
||||||
## Motivation
|
## Motivation
|
||||||
|
|
||||||
A user maintains value-blinded balances on the BitShares blockchain as a collection of Pedersen commitments, which are EC curve points that obscure their committed values by adding a secret blinding factor. By keeping the blinding factor secret, the user keeps their balance secret. Meanwhile, balances can be transferred, subdivided, or combined, provided the sum of blinding factors for all inputs to a transaction are equal to the sum of blinding factors of all outputs of a transaction. A user wishing to un-blind and "claim" a balance contained in a Pedersen commitment may do so by revealing the blinding factor for that commitment, which then allows the network to verify the committed amount.
|
A user maintains value-blinded balances on the BitShares blockchain as a collection of Pedersen commitments, which are EC curve points that obscure their committed values by adding a secret blinding factor times a generator point. By keeping the blinding factor secret, the user keeps their balance secret. Meanwhile, balances can be transferred, subdivided, or combined, provided the sum of blinding factors for all inputs to a transaction are equal to the sum of blinding factors of all outputs of a transaction. A user wishing to un-blind and "claim" a balance contained in a Pedersen commitment may do so by revealing the blinding factor for that commitment, which then allows the network to verify the committed amount and credit it to a public balance.
|
||||||
|
|
||||||
A commitment C is given mathematically by *C = value * G + blinding_factor * H*, where G and H are separate curve point generators with no known divisor between them.
|
A commitment C is given mathematically by _C = value * H + blinding_factor * G_, where H and G are separate curve point generators with no known divisor between them. Because there is no known multiple _m_ solving _H = m*G_, the _value_ and _blinding_factor_ quantities are effectively independent, which makes _C_ a firm commitment to _value_.
|
||||||
|
|
||||||
BitShares is a multi-asset chain. The Pedersen commitments implemented in Stealth Phase I commit only to a value amount, and nothing more. For the network to understand *which* asset is represented by a commitment, a plaintext metadata field is associated with the Graphene object for the commitment, containing the asset ID of the blinded asset. This means that the asset type of an individual blinded balance is publicly knowable.
|
BitShares is a multi-asset chain. The Pedersen commitments implemented in _Stealth Phase I_ commit only to a value amount, and nothing more. For the network to understand *which* asset is represented by a commitment, a plaintext metadata field is associated with the Graphene object for the commitment, containing the asset ID of the blinded asset. This means that the asset type of an individual blinded balance is publicly knowable.
|
||||||
|
|
||||||
Confidential Assets (CA) introduces a method for using a hash of the object ID as a confounding factor similar to the blinding factor, such that, unless one already knows the asset represented by a particular Pedersen commitment, one cannot determine the asset from inspection alone. Furthermore, amounts of differing assets can be combined into a single commitment, so that even by tracing the history of a given commitment, one cannot simply divine the asset type by back-tracing to the point where a public asset was blinded. When a user wishes to un-blind an asset, he may do so by providing both the blinding and asset factors for the commitment, so that the network can confirm the contents thereof.
|
Confidential Assets (CA) introduces a method for using a commitment to a hash of the asset description as a confounding factor similar to the blinding factor, such that, unless one already knows the asset represented by a particular Pedersen commitment, one cannot determine the asset from inspection alone. Furthermore, amounts of differing assets can be combined in a single transaction, so that the asset IDs of the outputs are not individually knowable. Thus, even by tracing the history of a given commitment, one cannot simply divine the asset type by back-tracing to the point where a public asset was blinded, as the history may implicate multiple asset types. When a user wishes to un-blind an asset, he may do so by providing both the value blinding factors and the asset blinding factors for the commitment, so that the network can confirm the contents thereof.
|
||||||
|
|
||||||
By allowing commitments of differing assets to be mixed together, we achieve two points for privacy: (1) we increase the available mix-in set for diffusion of transaction history, and (2) we make it more difficult for blockchain analysis to determine which assets are being operated on in any given transaction (the more assets involved in the history of a particular commitment, the greater the uncertainty of what the commitment contains).
|
By allowing commitments of differing assets to be mixed together, we achieve two points for privacy: (1) we increase the available mix-in set for diffusion of transaction history, and (2) we make it more difficult for blockchain analysis to determine which assets are being operated on in any given transaction (the more assets involved in the history of a particular commitment, the greater the uncertainty of what the commitment contains).
|
||||||
|
|
||||||
|
@ -64,11 +64,11 @@ Op-Code | Description | Op-Code | Description
|
||||||
|
|
||||||
On the left are CT operations, whose outputs are value-blinded commitments. On the right are the corresponding CA operations, whose outputs are value-and-asset-blinded commitments. Of special note is op 52, which takes value-blinded CT inputs and outputs value-and-asset-blinded outputs. (As an alternative, op 50 could be made flexible enough to accept either CT or CA inputs, if this proves feasible.) As CA is seen as an upgrade to CT, no op-code is here proposed for transfering from CA back to CT, however in the event of market demand such an operation could be coded.
|
On the left are CT operations, whose outputs are value-blinded commitments. On the right are the corresponding CA operations, whose outputs are value-and-asset-blinded commitments. Of special note is op 52, which takes value-blinded CT inputs and outputs value-and-asset-blinded outputs. (As an alternative, op 50 could be made flexible enough to accept either CT or CA inputs, if this proves feasible.) As CA is seen as an upgrade to CT, no op-code is here proposed for transfering from CA back to CT, however in the event of market demand such an operation could be coded.
|
||||||
|
|
||||||
### Proposed operation: transfer_to_ca_blind_operation (Public to Blind)
|
#### Proposed operation: transfer_to_ca_blind_operation (Public to Blind)
|
||||||
|
|
||||||
### Proposed operation: ca_blind_transfer_operation (Blinded to Blind)
|
#### Proposed operation: ca_blind_transfer_operation (Blinded to Blind)
|
||||||
|
|
||||||
### Proposed operation: transfer_from_ca_blind_operation (Blind to Public)
|
#### Proposed operation: transfer_from_ca_blind_operation (Blind to Public)
|
||||||
|
|
||||||
## Discussion
|
## Discussion
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue