-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure that vpub_in and vpub_out are not both nonzero #466
Comments
As with many other possible restrictions to transaction semantics, we have these choices: consensus rule, soft-fork later to a consensus rule, define a default policy, don't do anything. In discussion, we agree to postpone this to post-1.0 (although I'm not certain it's a problem yet). |
It's a potential distinguisher between clients, so a client should only generate Pours with either voldpub = 0 or vnewpub = 0 or both, to maximise indistinguishability. If there is such an implicit rule, then Pours that don't follow it will stick out, so I think we should reconsider enforcing it as a consensus rule for 1.0. I can't see any harm in doing so, and it is very simple. |
Note that the Mint/Pour unification could alternatively have been expressed in terms of allowing negative vnewpub. I think the only reasons we didn't do that were avoiding signed arithmetic in the circuit (this was when we weren't as confident about circuit changes; it would actually have been quite simple), and some aesthetic symmetry between Pour inputs and outputs. |
You're right @daira. I wish we could go back and fix that. I do think analysis of the code surrounding pours was simpler when all the values were positive, though. |
This is in the current spec. |
Oh wait, is this ticket supposed to be for implementing the restriction, not just specifying it? Note that it doesn't need to be enforced in the circuit, because voldpub and vnewpub are public. |
Closed by #897 |
Pour A values:
Pour B values:
Do these pours have the same semantics? They both validate and both affect the "value pool" in the exact same way. One of them just requires the value pool has more value in it than is really necessary.
Perhaps this should be a well-formedness check on pours if it has anonymity implications? If not, we can add this constraint later in a softfork.
The text was updated successfully, but these errors were encountered: