From 5ab1257b0bbdb7994677bd6146e107fa47cddd0b Mon Sep 17 00:00:00 2001 From: christophersanborn <23085117+christophersanborn@users.noreply.github.com> Date: Mon, 16 Jul 2018 22:58:59 -0400 Subject: [PATCH] range proof blurb --- bsip-1201.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/bsip-1201.md b/bsip-1201.md index 82d3738..d25ad83 100644 --- a/bsip-1201.md +++ b/bsip-1201.md @@ -27,7 +27,7 @@ By allowing commitments of differing assets to be mixed together, we achieve two ### _Asset Tags_ and _Asset Commitments_ -The existing value-blinded CT transaction capability includes an explicit **asset ID** in the transaction format, and unspent commitments are associated with an explicit clear-text asset ID in the database. For example, querrying the blockchain for commitment "024449...8073" returns a structure containing three defining fields: +The existing value-blinded CT transaction capability includes an explicit **asset ID** in the transaction format, and unspent commitments are associated with an explicit clear-text asset ID in the database. For example, querying the blockchain for commitment "024449...8073" returns a structure containing three defining fields: Field: | Data (Meaning) :----------:|---------- @@ -43,13 +43,13 @@ commitment: | "0244492ceafc9c3d6fab34b4e2912b360a3276560651451580325f754705758 asset_commit: | "022b607af588386028a97d6bc4be5caddb432340329bc808ba587c0b92ffb1087c" owner: | (Authority struct specifying public key that must sign) -As can be seen, casual inspection of the blockchain does not reveal the unerlying asset, nor even asset tag, since it is comingled with a blinding factor. The only way to know the asset id would be if the commitment were a direct descendent of an asset-issuance transcation (where a public balance was blinded into a value-asset blind CA commitment). However, once a commitment is involved in a transaction involving inputs of multiple asset types, then uncertainty is introduced in the descendent commitments: the asset type will be _one_ of the parent asset types, but which one is unknowable except to parties that know the blinding factors. +As can be seen, casual inspection of the blockchain does not reveal the underlying asset, nor even asset tag, since it is commingled with a blinding factor. The only way to know the asset id would be if the commitment were a direct descendent of an asset-issuance transaction (where a public balance was blinded into a value-asset blind CA commitment). However, once a commitment is involved in a transaction involving inputs of multiple asset types, then uncertainty is introduced in the descendent commitments: the asset type will be _one_ of the parent asset types, but which one is unknowable except to parties that know the blinding factors. _(TODO: QUESTION: How is it ensured that HA is a valid curve point? There must be some kind of nonce increment in the hash procedure to reject non-curve points. Find out.)_ ### _Range Proofs_ and _Surjection Proofs_ -(describe) +Since the committed values in the Pedersen commitments are unknowable to parties not privy to the blinding factors, there exists the possibility for a transaction resulting in two or more outputs to encode a negative value in one output and an excess positive value in the others, resulting in inflated (i.e., counterfeit) asset supply. To prevent this, transactions with more than a single output are required to provide a **range proof** for each output, which is a zero-knowledge proof that the committed value is in a finite range between zero and an upper bound that won't risk overflow into negative values. (Values are encoded as 256-bit unsigned integers such that very-large integers "wrap around" and behave as negatives. Range proofs typically prove that a committed amount can be represented in 64-bits or less, affording no risk of overflow.) Under CA, the requirement to provide a range proof remains the same as under CT. ## Specifications @@ -62,7 +62,7 @@ Op-Code | Description | Op-Code | Description 41 | transfer_from_blind_operation | 51 (placeholder) | transfer_from_ca_blind_operation | | | 52 (placeholder) | ct_to_ca_blind_transfer_operation -On the left are CT operations, whose outputs are value-blinded commitments. On the right are the corresponding CA operations, whose outputs are value-and-asset-blinded commitments. Of special note is op 52, which takes value-blinded CT inputs and outputs value-and-asset-blinded outputs. (As an alternative, op 50 could be made flexible enough to accept either CT or CA inputs, if this proves feasible.) As CA is seen as an upgrade to CT, no op-code is here proposed for transfering from CA back to CT, however in the event of market demand such an operation could be coded. +On the left are CT operations, whose outputs are value-blinded commitments. On the right are the corresponding CA operations, whose outputs are value-and-asset-blinded commitments. Of special note is op 52, which takes value-blinded CT inputs and outputs value-and-asset-blinded outputs. (As an alternative, op 50 could be made flexible enough to accept either CT or CA inputs, if this proves feasible.) As CA is seen as an upgrade to CT, no op-code is here proposed for transferring from CA back to CT, however in the event of market demand such an operation could be coded. #### Proposed operation: transfer_to_ca_blind_operation (Public to Blind) @@ -92,3 +92,5 @@ This document is placed in the public domain. [1] Confidential Transactions (Greg Maxwell) - https://people.xiph.org/~greg/confidential_values.txt [2] Confidential Assets (Poelstra, et. al.) - https://blockstream.com/bitcoin17-final41.pdf + +