Protocol: Double Blinded Pedersen Commitments #15
Comments
mostly nitpicking:
- at input registration, multiple rangeproofs are needed, one for each
- why is a range proof required at output registration?
- why does the sum need to be a commitment? the total amount will be known anyway so it might as well be a public parameter, are the two separate
edit: that's not correct, the double blinding described in the Lelantus paper uses a different generator for the 2nd blinding term
I fixed your first two suggestions. Not sure I can say anything about your 3rd suggestion, as I'm not even sure the second random should be another
I think the key improvement compared to #10 is that signatures are on the commitments instead of the values themselves. I arrived at essentially the same approach by necessity in trying to work out how #10 can be realized using the ACL signature scheme (where the amount is an attribute on the credential), so I think this all makes sense
There are 3 key cryptographic questions to settle here:
Yes, this is the major insight, let's keep this in mind.
Closing in favor of #16
Caution. I don't know if there is crypto for this, but I strongly suspect there is and conceptually it could be the ideal scheme we are looking for.

Amount Splitting

User has a UTXO with value `v` and wants to split it into outputs with values `v1` and `v2` such that `v = v1 + v2`.

Input Registration

User creates `n` double blinded Pedersen Commitments: `C(v1, r10, r11), C(v2, r20, r21), C(v3, r30, r31), C(v4, r40, r41), ... C(vn, rn0, rn1)` where `v3, v4, ... vn` are equal to `0`. User also creates a Pedersen commitment for their sums: `C(v1+v2+...vn, r10+r20...+rn0, r11+r21+...+rn1)`. User tells the coordinator the double blinded Pedersen commitments, the commitment to their sums, `v1+v2+...vn`, `r10+r20...+rn0` and `r11+r21+...+rn1`, and rangeproofs, preferably Bulletproofs. The coordinator signs the double blinded commitments one by one and the user unblinds these signatures such that they are valid for the single blinded commitments: `C(v1, r10), C(v2, r20), ... C(vn, rn0)`.

Output Registration

User can register a desired output for `v1` by sending the coordinator `C(v1, r10)`, some 0 commitments (but for simplicity let's say it only sends `C(v3, r30)`), valid signatures for those commitments, and their sums: `v1 + v3 = v3`, `r10 + r30`.

Amount Merging
The protocol is the same, except instead of only registering signed zero commitments at output registration, some of those commitments aren't zero, but maybe they were coming from different inputs.
Unlinkability
Since the coordinator cannot recognize the unblinded signatures at output registration and can only tell that they are valid, unlinkability is guaranteed.
Double Spend
Since the unblinded signatures are valid for single blinded commitments only, the coordinator can make sure one signature can only be used once.
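The arithmetic the proposal relies on, as an added example that is not the issue author's or the project's code: double blinded commitments with a separate generator for the second blinding term, the homomorphic sum check at input registration, stripping the second blinding to obtain the single blinded commitment, and the once-only check at output registration. The group parameters are constructed toy values, and signatures and range proofs are left out.

```python
import hashlib, math, secrets

# Constructed toy group, NOT secure: p = 2q + 1 is a 10-bit safe prime, so every square
# mod p lies in the prime-order-q subgroup. A real deployment uses a curve group.
P = 1019
Q = (P - 1) // 2
G = 4  # a square other than 1, hence a generator of the order-q subgroup

def nums_generator(label: bytes) -> int:
    """Hash a label and square it into the subgroup: a generator whose discrete log
    relative to G (and to any other such generator) nobody knows."""
    x, ctr = 1, 0
    while x in (0, 1):
        x = pow(int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P, 2, P)
        ctr += 1
    return x

H0 = nums_generator(b"first blinding term")
H1 = nums_generator(b"second blinding term")  # separate generator for the 2nd blinding

def commit(v: int, r0: int, r1: int = 0) -> int:
    """C(v, r0, r1) = G^v * H0^r0 * H1^r1 mod p; with r1 = 0 it is the single blinded C(v, r0)."""
    return pow(G, v, P) * pow(H0, r0, P) * pow(H1, r1, P) % P

def strip_second_blinding(c: int, r1: int) -> int:
    """Whoever knows r1 turns C(v, r0, r1) into C(v, r0) by dividing out H1^r1."""
    return c * pow(H1, (-r1) % Q, P) % P

def register_inputs(values):
    """Input registration: a double blinded commitment per value plus the opened sums
    (amount, r0, r1) the user hands to the coordinator."""
    blinds = [(secrets.randbelow(Q), secrets.randbelow(Q)) for _ in values]
    coms = [commit(v, r0, r1) for v, (r0, r1) in zip(values, blinds)]
    sums = (sum(values) % Q, sum(b[0] for b in blinds) % Q, sum(b[1] for b in blinds) % Q)
    return coms, blinds, sums

def coordinator_checks_inputs(coms, sums) -> bool:
    """Homomorphism check: the product of the commitments must open to the claimed sums
    (signatures and range proofs are not modelled here)."""
    return math.prod(coms) % P == commit(*sums)

def output_registration_ok(single_coms, v_sum: int, r0_sum: int, spent: set) -> bool:
    """Single blinded commitments must open to the claimed sums; a commitment already
    presented is rejected (the double-spend check)."""
    if any(c in spent for c in single_coms) or math.prod(single_coms) % P != commit(v_sum, r0_sum):
        return False
    spent.update(single_coms)
    return True
```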