1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
|
Return-Path: <charlesblee@gmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])
by lists.linuxfoundation.org (Postfix) with ESMTP id 8CC99C000E;
Tue, 10 Aug 2021 18:39:55 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp1.osuosl.org (Postfix) with ESMTP id 68A1A81DCA;
Tue, 10 Aug 2021 18:39:55 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.402
X-Spam-Level:
X-Spam-Status: No, score=-1.402 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001,
HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001,
RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
autolearn=no autolearn_force=no
Authentication-Results: smtp1.osuosl.org (amavisd-new);
dkim=pass (2048-bit key) header.d=litecoin-org.20150623.gappssmtp.com
Received: from smtp1.osuosl.org ([127.0.0.1])
by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id nqrw58oeCdPC; Tue, 10 Aug 2021 18:39:51 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-ot1-x32e.google.com (mail-ot1-x32e.google.com
[IPv6:2607:f8b0:4864:20::32e])
by smtp1.osuosl.org (Postfix) with ESMTPS id 50E4E81D34;
Tue, 10 Aug 2021 18:39:51 +0000 (UTC)
Received: by mail-ot1-x32e.google.com with SMTP id
d10-20020a9d4f0a0000b02904f51c5004e3so190993otl.9;
Tue, 10 Aug 2021 11:39:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=litecoin-org.20150623.gappssmtp.com; s=20150623;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=xUvVXKVBYt/M5Y9Ry1oYUGNDRziAI8XsgMz6YWyamzk=;
b=jBMcoIW/6MbD4z2KAAOqOnxuh5u12VtplyHeEkuGD/YIsFQ8UkEfyQNSFX71skmTQh
oCNKeoNPHw716/Xu1oTBUSxYjyvF/MReIPPxK+xhCUzDU0wBfWLeiq7HoEPfocHW3duS
n3VbXiMraE5Ak3jZ6qAkw+fN53mqV+w+YPe63znywtQVlKQzdqrzdKenlQL//WVSZ1/7
qUnjTPEkmWnHamcdOmSTf6P9OO3YBt6DXBZPpnhGkaykbKbgwwI7beWCwdnR0r7Iy/Hd
fLufBT3Cs4tQD0+Nvdybzn2WhfHF34nNRqpk5gunTLy0foTo1OvBTpiTudYPChf79Zn6
DjkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=xUvVXKVBYt/M5Y9Ry1oYUGNDRziAI8XsgMz6YWyamzk=;
b=Udm259mnjCETDLy7e/qMNjzpBiioT+Gd98z96u5WKFcCtgC7jiT+4l+0z2WtXKuz8N
5WrISli8j+TMH5FVeC8rfgEuED3D8HSzv9DxwUjyPmFg4w3ALgqxAXd1ryTqptIAiIDL
Xb0fXD6+U4bMLJrdIYc9oLpV8r3xlKkY5etl5c2faCS8D4nY1bIKIKX8idxAiYVVdiY4
RdJOuA/yed37FPmqzoxWS/Gv6LTOLHQNXDqB+NrtU8us7nhcZOJUivPwveLPMYiBNbXk
/GoNkGZY9GJTCyhnV44VRqfe12jiMvlSI66TB4SGtZbM14+T1y614s+Nu+wnR7OnAhof
KvSw==
X-Gm-Message-State: AOAM533j+tfbfVCKfEt2FxA4Yrb9tQcZ9VEsNCR/eeDkrs+JYUQuNJW5
9a9Vx1HIwvab043DhQIfkUp/l+3Kb0EFhFEH9is=
X-Google-Smtp-Source: ABdhPJziGljWkOHmWHPeNQeLtnX/mgvlDd5FfHwDQUvc5985eNvZ2wGCGRESb14u3imMCm1dbGg3y/QUFWkNvNq6O2E=
X-Received: by 2002:a05:6830:2102:: with SMTP id
i2mr8320477otc.51.1628620790193;
Tue, 10 Aug 2021 11:39:50 -0700 (PDT)
MIME-Version: 1.0
References: <CAD5xwhjFBjvkMKev_6HFRuRGcZUi7WjO5d963GNXWN4n-06Pqg@mail.gmail.com>
<CALZpt+F9FScaLsvXUozdBL4Ss8r71-gtUS_Fh9i53cK_rSGBeA@mail.gmail.com>
<CAGpPWDZn6dcuEJXRjUP4VYvJbL9u4mmVoS9xTVzBrGWOM5CeZw@mail.gmail.com>
<CAD5xwhi_Sf1NRPBSAcWWFiAjyFsnmWbtowBF96j=EM4NXxfOKw@mail.gmail.com>
<CAGpPWDYsRSv0Teiq5JD1iHJnAbRdCmr+e6UGvV5JDpoXL-7M0w@mail.gmail.com>
<JaAZipQkFFuBwE0ZQoFpmBe3K2WAOEUSNiGqQTx8ak5FqCPXSOZzjvjFAhaUX9e5i-TLnT8LmdzrUsLXi_RE3R3WsFEhybXiCJrg2YEyHdM=@protonmail.com>
In-Reply-To: <JaAZipQkFFuBwE0ZQoFpmBe3K2WAOEUSNiGqQTx8ak5FqCPXSOZzjvjFAhaUX9e5i-TLnT8LmdzrUsLXi_RE3R3WsFEhybXiCJrg2YEyHdM=@protonmail.com>
From: Charlie Lee <coblee@litecoin.org>
Date: Tue, 10 Aug 2021 12:39:39 -0600
Message-ID: <CA+Xj7Rxi2ouGk=qxB2nrEem58wutdoQ+aL=Z8egpSwotMMKHKg@mail.gmail.com>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000acaff405c938d359"
X-Mailman-Approved-At: Wed, 11 Aug 2021 20:26:36 +0000
Cc: lightning-dev <lightning-dev@lists.linuxfoundation.org>,
Billy Tetrud <billy.tetrud@gmail.com>
Subject: Re: [bitcoin-dev] [Lightning-dev] Removing the Dust Limit
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Aug 2021 18:39:55 -0000
--000000000000acaff405c938d359
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
ZmnSCPxj, what you are describing is pretty much what Litecoin is doing
with MWEB. Basically MimbleWimble (which has CT) with extension blocks. If
you are interested:
https://github.com/litecoin-project/lips/blob/master/lip-0002.mediawiki
https://github.com/litecoin-project/lips/blob/master/lip-0003.mediawiki
Sorry to derail the conversation with non-Bitcoin stuff. =F0=9F=98=80
- Charlie
On Tue, Aug 10, 2021 at 5:38 AM ZmnSCPxj via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Good morning Billy, et al.,
>
> > For sure, CT can be done with computational soundness. The advantage of
> unhidden amounts (as with current bitcoin) is that you get unconditional
> soundness.
>
> My understanding is that it should be possible to have unconditional
> soundness with the use of El-Gamal commitment scheme, am I wrong?
>
> Alternately, one possible softforkable design would be for Bitcoin to
> maintain a non-CT block (the current scheme) and a separately-committed C=
T
> block (i.e. similar to how SegWit has a "separate" "block"/Merkle tree th=
at
> includes witnesses).
> When transferring funds from the legacy non-CT block, on the legacy block
> you put it into a "burn" transaction that magically causes the same amoun=
t
> to be created (with a trivial/publicly known salt) in the CT block.
> Then to move from the CT block back to legacy non-CT you would match one
> of those "burn" TXOs and spend it, with a proof that the amount you are
> removing from the CT block is exactly the same value as the "burn" TXO yo=
u
> are now spending.
>
> (for additional privacy, the values of the "burn" TXOs might be made into
> some fixed single allowed value, so that transfers passing through the CT
> portion would have fewer identifying features)
>
> The "burn" TXOs would be some trivial anyone-can-spend, such as
> `<saltpoint> <0> OP_EQUAL OP_NOT` with `<saltpoint>` being what is used i=
n
> the CT to cover the value, and knowledge of the scalar behind this point
> would allow the CT output to be spent (assuming something very much like
> MimbleWimble is used; otherwise it could be the hash of some P2WSH or
> similar analogue on the CT side).
>
> Basically, this is "CT as a 'sidechainlike' that every fullnode runs".
>
> In the legacy non-CT block, the total amount of funds that are in all CT
> outputs is known (it would be the sum total of all the "burn" TXOs) and
> will have a known upper limit, that cannot be higher than the supply limi=
t
> of the legacy non-CT block, i.e. 21 million BTC.
> At the same time, *individual* CT-block TXOs cannot have their values
> known; what is learnable is only how many BTC are in all CT block TXOs,
> which should be sufficient privacy if there are a large enough number of
> users of the CT block.
>
> This allows the CT block to use an unconditional privacy and computationa=
l
> soundness scheme, and if somehow the computational soundness is broken th=
en
> the first one to break it would be able to steal all the CT coins, but no=
t
> *all* Bitcoin coins, as there would not be enough "burn" TXOs on the lega=
cy
> non-CT blockchain.
>
> This may be sufficient for practical privacy.
>
>
> On the other hand, I think the dust limit still makes sense to keep for
> now, though.
>
> Regards,
> ZmnSCPxj
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--000000000000acaff405c938d359
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">ZmnSCPxj, what you are describing is pretty much what Lite=
coin is doing with MWEB. Basically MimbleWimble (which has CT) with extensi=
on blocks. If you are interested:<div><a href=3D"https://github.com/litecoi=
n-project/lips/blob/master/lip-0002.mediawiki">https://github.com/litecoin-=
project/lips/blob/master/lip-0002.mediawiki</a><br></div><div><a href=3D"ht=
tps://github.com/litecoin-project/lips/blob/master/lip-0003.mediawiki">http=
s://github.com/litecoin-project/lips/blob/master/lip-0003.mediawiki</a><br>=
</div><div><br></div><div>Sorry to derail the conversation with non-Bitcoin=
stuff.=C2=A0=F0=9F=98=80</div><div><br clear=3D"all"><div><div dir=3D"ltr"=
class=3D"gmail_signature" data-smartmail=3D"gmail_signature"><div dir=3D"l=
tr">- Charlie<br></div></div></div><br></div></div><br><div class=3D"gmail_=
quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Aug 10, 2021 at 5:38 A=
M ZmnSCPxj via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@lists.linuxfou=
ndation.org">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br></div>=
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left:1px solid rgb(204,204,204);padding-left:1ex">Good morning Billy, et al=
.,<br>
<br>
> For sure, CT can be done with computational soundness. The advantage o=
f unhidden amounts (as with current bitcoin) is that you get unconditional =
soundness.<br>
<br>
My understanding is that it should be possible to have unconditional soundn=
ess with the use of El-Gamal commitment scheme, am I wrong?<br>
<br>
Alternately, one possible softforkable design would be for Bitcoin to maint=
ain a non-CT block (the current scheme) and a separately-committed CT block=
(i.e. similar to how SegWit has a "separate" "block"/M=
erkle tree that includes witnesses).<br>
When transferring funds from the legacy non-CT block, on the legacy block y=
ou put it into a "burn" transaction that magically causes the sam=
e amount to be created (with a trivial/publicly known salt) in the CT block=
.<br>
Then to move from the CT block back to legacy non-CT you would match one of=
those "burn" TXOs and spend it, with a proof that the amount you=
are removing from the CT block is exactly the same value as the "burn=
" TXO you are now spending.<br>
<br>
(for additional privacy, the values of the "burn" TXOs might be m=
ade into some fixed single allowed value, so that transfers passing through=
the CT portion would have fewer identifying features)<br>
<br>
The "burn" TXOs would be some trivial anyone-can-spend, such as `=
<saltpoint> <0> OP_EQUAL OP_NOT` with `<saltpoint>` being=
what is used in the CT to cover the value, and knowledge of the scalar beh=
ind this point would allow the CT output to be spent (assuming something ve=
ry much like MimbleWimble is used; otherwise it could be the hash of some P=
2WSH or similar analogue on the CT side).<br>
<br>
Basically, this is "CT as a 'sidechainlike' that every fullnod=
e runs".<br>
<br>
In the legacy non-CT block, the total amount of funds that are in all CT ou=
tputs is known (it would be the sum total of all the "burn" TXOs)=
and will have a known upper limit, that cannot be higher than the supply l=
imit of the legacy non-CT block, i.e. 21 million BTC.<br>
At the same time, *individual* CT-block TXOs cannot have their values known=
; what is learnable is only how many BTC are in all CT block TXOs, which sh=
ould be sufficient privacy if there are a large enough number of users of t=
he CT block.<br>
<br>
This allows the CT block to use an unconditional privacy and computational =
soundness scheme, and if somehow the computational soundness is broken then=
the first one to break it would be able to steal all the CT coins, but not=
*all* Bitcoin coins, as there would not be enough "burn" TXOs on=
the legacy non-CT blockchain.<br>
<br>
This may be sufficient for practical privacy.<br>
<br>
<br>
On the other hand, I think the dust limit still makes sense to keep for now=
, though.<br>
<br>
Regards,<br>
ZmnSCPxj<br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
--000000000000acaff405c938d359--
|
