
Confidential Transactions from Basic Principles - baby
http://cryptoservices.github.io/cryptography/2017/07/21/Sigs.html
======
kanzure
Strange to not cite the origin of the confidential transactions scheme.

an early writeup:
[https://people.xiph.org/~greg/confidential_values.txt](https://people.xiph.org/~greg/confidential_values.txt)

[http://diyhpl.us/wiki/transcripts/gmaxwell-confidential-tran...](http://diyhpl.us/wiki/transcripts/gmaxwell-confidential-transactions/) which is a transcript of
[https://www.youtube.com/watch?v=LHPYNZ8i1cU](https://www.youtube.com/watch?v=LHPYNZ8i1cU)

The actual borromean ring signature paper (compiled into pdf):
[http://diyhpl.us/~bryan/papers2/bitcoin/Borromean%20ring%20s...](http://diyhpl.us/~bryan/papers2/bitcoin/Borromean%20ring%20signatures.pdf)

Confidential transactions was later extended to confidential assets:
[https://blockstream.com/bitcoin17-final41.pdf](https://blockstream.com/bitcoin17-final41.pdf)
and [https://blog.chain.com/hidden-in-plain-sight-transacting-pri...](https://blog.chain.com/hidden-in-plain-sight-transacting-privately-on-a-blockchain-835ab75c01cb)

~~~
doomrobo
You're right. I should have at least included this reference:
[https://elementsproject.org/elements/confidential-transactio...](https://elementsproject.org/elements/confidential-transactions/)

~~~
nullc
FWIW, I've found it much easier when explaining to people to first explain a
Pedersen commitment. Then explain how a Pedersen commitment can be forged if
you know the discrete log relating the two generators.

Then I explain a chameleon hash function as a hash function where you can
generate collisions if you know a trapdoor, which is just a Pedersen
forgery... then you feed the output of the chameleon into its input, and...
and the result is a Schnorr signature.

So each idea builds on the last.

------
red_admiral
The version of non-interactive Schnorr presented here is called "weak
Fiat-Shamir" and it has led to things getting broken. While there are edge
cases when it's ok to use, I would strongly discourage it.

In step 2, e = H(Q || M) should be e = H(Q || M || P). That binds the
signature to the public key, if you don't have that then the scheme is not
sound in the usual models (UF-CMA +ROM etc.).

EDIT: see "How not to prove yourself", Asiacrypt 2012, eprint 2016/771.
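
As an added example (not code from the blog post or from any of the commenters), the build-up nullc describes and the challenge red_admiral asks for, in Python over a small group constructed here: a Pedersen commitment, its forgery once the discrete log between the two generators (the trapdoor) is known, and a Schnorr signature whose challenge is e = H(Q || M || P). All parameters and values are toy assumptions for illustration.

```python
import hashlib

# Toy group constructed for this example: safe prime p = 2q + 1, with g of
# prime order q. Far too small for real use; it only makes the algebra visible.
PRIME, ORDER, GEN = 2039, 1019, 4


def challenge(*parts: bytes) -> int:
    """Fiat-Shamir challenge: hash the transcript pieces to a scalar mod q."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % ORDER


def pedersen_commit(value: int, blinding: int, h: int) -> int:
    """C = g^value * h^blinding. Hiding always; binding only if log_g(h) is unknown."""
    return (pow(GEN, value, PRIME) * pow(h, blinding, PRIME)) % PRIME


def forge_opening(value: int, blinding: int, new_value: int, trapdoor: int) -> int:
    """With h = g^trapdoor, C = g^(value + t*blinding), so any new_value can be
    opened by solving value + t*blinding = new_value + t*r' (mod q) for r'."""
    return ((value - new_value) * pow(trapdoor, -1, ORDER) + blinding) % ORDER


def enc(x: int) -> bytes:
    """Fixed-width encoding of a group element for hashing (2 bytes suffice here)."""
    return x.to_bytes(2, "big")


def schnorr_sign(x: int, msg: bytes, k: int) -> tuple[int, int]:
    """Strong Fiat-Shamir: e = H(Q || M || P) binds the nonce commitment Q,
    the message and the public key P = g^x. k is the one-time nonce."""
    pub, nonce_pt = pow(GEN, x, PRIME), pow(GEN, k, PRIME)
    e = challenge(enc(nonce_pt), msg, enc(pub))
    s = (k - e * x) % ORDER
    return e, s


def schnorr_verify(pub: int, msg: bytes, sig: tuple[int, int]) -> bool:
    """Recompute Q = g^s * P^e and check it reproduces the challenge."""
    e, s = sig
    nonce_pt = (pow(GEN, s, PRIME) * pow(pub, e, PRIME)) % PRIME
    return e == challenge(enc(nonce_pt), msg, enc(pub))


if __name__ == "__main__":
    t = 5                                   # trapdoor: h = g^t, known only here
    h = pow(GEN, t, PRIME)
    c = pedersen_commit(7, 11, h)
    r2 = forge_opening(7, 11, 100, t)       # open the same C to value 100
    print("forged opening valid:", pedersen_commit(100, r2, h) == c)
    sig = schnorr_sign(123, b"pay 5", 77)
    print("signature valid:", schnorr_verify(pow(GEN, 123, PRIME), b"pay 5", sig))
```

In a real deployment h is derived so that nobody knows log_g(h) (e.g. by hashing to the group); the trapdoor is only known here to show why that matters.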

~~~
doomrobo
Reading through the linked paper, it seems that as long as P is fixed before
the proof is attempted, wFS is secure. I probably could have made it more
explicit, but that is indeed my assumption in the setup of the blog post.

------
MichaelBurge
One thing that worried me a bit about confidential transactions: Bitcoin seems
fairly securely-designed, but even it had an integer overflow bug:
[https://en.bitcoin.it/wiki/Value_overflow_incident](https://en.bitcoin.it/wiki/Value_overflow_incident)

That particular bug seems explicitly covered by this cryptography, using the
rangeproofs. But if there were ever some other subtle bug that created money
out of thin air, would you be ever able to detect it? The schemes mentioned
all seem to sanity-check individual transactions, and not accounts or the
money supply as a whole.

The article mentions Monero and CryptoNote, for example:
[https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-i...](https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html)

And that page says: "This effectively allows someone to create an infinite
amount of coins in a way that is impossible to detect without knowing about
the exploit and explicitly writing code to check for it."

It seems like a formal correctness proof would be very important for
cryptocurrencies with such strong privacy guarantees.

~~~
kobeya
There's a trade off you have to make where you can choose either absolute
privacy and computational inflation guarantees, or vice versa. Strangely
confidential transactions chooses strong privacy over inflation guarantees.

~~~
Ar-Curunir
It's not a strange tradeoff though.

~~~
kobeya
Are you sure? If you lose privacy, that sucks but it reverts back to bitcoin
of today. If you lose inflation guarantees, then it doesn't matter if you have
privacy because the whole system becomes worthless.

~~~
ewillbefull
Some people (myself included) would rather the system become worthless than
anyone's privacy being at risk.

~~~
runeks
So you’d rather lose your savings than have anyone reveal your holdings? This
seems to me like a rather extreme point of view.

I mean, you have to keep your savings somewhere, right? You need savings for
when you retire. And no alternative offers 100% anonymity, so in that case you
_would_ risk your anonymity for the security of your savings, right?

I’m not saying cryptocurrency will comprise even a minor part of your
retirement savings any time soon, but perhaps in 10/20/30 years?

~~~
ewillbefull
It depends entirely on what you're doing. There are people who "save"
cryptocurrency and depend on its long-term value, but there are also people
who are more worried about going to prison (or being murdered/extorted) than
whether their coins will be worth anything in a few years.

The problem is that non-private cryptocurrencies are permanent records of
financial activity. I would rather risk soundness now than privacy forever,
especially when there are post-quantum paths forward and our current
assumptions are reasonable.

