From: Felix Weis <mail@felixweis.com>
Date: Wed, 06 Jan 2016 15:18:56 +0000
Message-ID: <CAMnWzuVi2qK6FhML=R5M1r95i1346J5YpUuOd1=StSdAZXfG3g@mail.gmail.com>
To: bitcoin-dev@lists.linuxfoundation.org
Subject: [bitcoin-dev] Confidential Transactions as a soft fork (using
	segwit)

Since the release of sidechains alpha, confidential transactions[1] by Greg
Maxwell have shown how they could greatly improve transaction privacy and
fungibility of bitcoin. Unfortunately, without a hardfork or pegged
sidechain it was not easy to enable them in bitcoin.

The segregated witness[2] proposal by Pieter Wuille makes it possible to reduce the
blockchain to a mere utxo changeset while putting all cryptographic proofs
(redeemscript/pubkeys/signatures) for the inputs into a witness part.
Segwit also allows an upgradable scripting language. All can be done with a
soft fork.

We propose an upgrade to segwit to allow transactions to have both
witnessIns and witnessOuts.

We also propose 3 new transaction types: blinding, unblinding and
confidential. Valid blocks containing any of these new transactions MUST
also include a mandatory special output in their coinbase transaction and a
new special confidential base transaction.

The basic idea for confidential transactions is to use 0-value inputs and
outputs while having the encrypted amounts (Pedersen commitment +
range-proof) in the witnessOut part. These transactions are valid under old
rules (but currently non-standard). For blinding, unblinding and miner fees
we use a single anyone-can-spend output (GCTXO) which will be updated in
every block containing confidential transactions.

Blinding transaction:
  Ins:
    All non-confidential inputs are valid
  Outs:
  - 0..N: (new confidential outputs)
    amount: 0
    scriptPubkey: OP_2 <0x{32-byte-hash-value}>
    witnessOut: <0x{Pedersen-commitment}> <0x{range-proof}>
  - last:
    amount: 0
    scriptPubkey: OP_RETURN OP_2 {blinding-fee-amount}
  Fee: Sum of all the inputs' value

The last output's script is also a marker of the transaction being a
blinding tx. After the soft fork, a block is invalid if the miner claims
the fees for himself instead of putting them into a special coinbase output.


Coinbase transaction:
If the block contains blinding transactions, it MUST send the sum of all
their fees to a new output: GCTXO[coinbase]
The scriptPubkey does not really matter since it will be only spendable
under strict rules in the same block's confidential base transaction. Maybe
OP_TRUE.


Unblinding transaction:
  Ins:
    prev: CTXO[n]
    scriptSig: (empty)
    witnessIn: <signature> <0x{redeemscript}>
  Outs:
  - 0..N:
    amount: 0
    scriptPubkey: OP_RETURN OP_2 {amount-to-be-unblinded} {p2sh-destination}
    witnessOut: (empty)
  - last:
    amount: 0
    scriptPubkey: OP_RETURN OP_2 {unblinding-fee-amount}
  Fee: 0

This transaction removes the confidential outputs from the utxo set.
This outpoint itself is not spendable (it's OP_RETURN), but the same block
will contain a confidential base transaction created by the miner that will
satisfy the amount and p2sh-destination (refunded using GCTXO).

Confidential transaction:
  Ins:
  - 0..N:
    prev: CTXO[n]
    scriptSig: (empty)
    witnessIn: <signature> <0x{redeemscript}>
  Outs:
  - 0..N:
    amount: 0
    scriptPubkey: OP_2 <0x{32-byte-hash-value}>
    witnessOut: <0x{Pedersen-commitment}> <0x{range-proof}>
  - last:
    amount: 0
    scriptPubkey: OP_RETURN OP_2 {confidential-fee-amount}
  Fee: 0

All inputs and outputs have amount 0 and are anyone-can-spend V2
segwit, thus valid under old rules. The transaction is valid under new rules
obviously only if the Pedersen commitment and range-proof in witnessOut are valid.
The miner fee for this transaction is expressed as one extra output:

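As an added toy illustration (not code from this proposal or from [1]) of the balance a node would check for such a transaction: since every on-chain amount is 0, the only value check is that the witnessOut commitments of inputs and outputs balance against the explicit OP_RETURN OP_2 {fee}. It uses a multiplicative group mod a Mersenne prime in place of secp256k1 points and omits the range proof; P, G, H and the function names are assumptions of this example.

```python
import hashlib
import secrets

# Added toy illustration of the commitment balance a node would check for a
# confidential tx: on-chain amounts are all 0, so the only value check is on
# the witnessOut commitments plus the explicit OP_RETURN OP_2 {fee}. This uses
# a multiplicative group mod a Mersenne prime instead of the secp256k1 points
# of [1] and omits the range proof; it is not code from the proposal.
P = 2**61 - 1   # prime modulus of the toy group; exponents live mod P - 1
G = 3           # generator committing the value
# Second generator; in this toy its discrete log base G is recoverable, which a
# real deployment must prevent (otherwise commitments can be opened to any value).
H = pow(G, int(hashlib.sha256(b"toy second generator").hexdigest(), 16) % (P - 1), P)

def commit(value, blind):
    """Pedersen commitment C = G^value * H^blind mod P."""
    return pow(G, value, P) * pow(H, blind, P) % P

def balances(in_commits, out_commits, fee):
    """New-rule check: product of input commitments equals product of output
    commitments times a commitment to the explicit fee with blinding factor 0."""
    lhs = 1
    for c in in_commits:
        lhs = lhs * c % P
    rhs = commit(fee, 0)
    for c in out_commits:
        rhs = rhs * c % P
    return lhs == rhs

def build_commitments(in_values, out_values):
    """Wallet side: pick blinding factors whose sums agree so the tx balances
    for fee = sum(in) - sum(out). Returns (input_commits, output_commits)."""
    in_blinds = [secrets.randbelow(P - 1) for _ in in_values]
    out_blinds = [secrets.randbelow(P - 1) for _ in out_values[:-1]]
    # last blind closes the equation sum(in_blinds) == sum(out_blinds) mod P-1
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % (P - 1))
    ins = [commit(v, r) for v, r in zip(in_values, in_blinds)]
    outs = [commit(v, r) for v, r in zip(out_values, out_blinds)]
    return ins, outs
```

A transaction whose declared fee does not close the value equation fails the check even though every on-chain amount reads 0.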

Confidential base transaction:
  Ins:
    GCTXO[last_block],
    GCTXO[coinbase]
  Outs:
    0: GCTXO[current_block]
    amount: {last_block + coinbase - unblindings}
    scriptPubkey: OP_TRUE
    1..N:
    amount/scriptPubkey: as requested by unblinding transactions in this block
  Fee:
    Sum of all the explicit OP_RETURN OP_2 {...} expressed fees from
    confidential transactions in this block

This special transaction is in last position in every block that contains at
least one of the new transaction types. It is created by the miner of the block
and used to do the actual unblinding and to redeem transaction fees for all
confidential transactions.

There will always be only 1 GCTXO in the utxo set. This allows for full
accountability for 21 million bitcoin. Should a vulnerability in CT be
discovered, all unconfidential bitcoins remain safe. Under these new rules,
a block is only valid if all amounts/commitments/range-proofs match. A
miner trying to use GCTXO other than as allowed in the single confidential base
transaction will be orphaned.
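As an added block-level model (not code from this proposal) of the GCTXO accounting rules above, the validator below checks a block's coinbase and confidential base transaction against the blinding, unblinding and confidential transactions it contains. It assumes that GCTXO[coinbase] is the coinbase output scripted OP_TRUE, that the confidential base transaction pays the confidential fees out of its GCTXO output (so output 0 = last_block + coinbase - unblindings - confidential fees), and that the Tx shape and function names are this example's own.

```python
from dataclasses import dataclass, field

# Added block-level model of the GCTXO accounting rules sketched above; the
# Tx shape is a simplified stand-in, not Bitcoin serialization. Assumption:
# the confidential base tx pays the confidential fees out of its GCTXO output,
# so output 0 = last_block + coinbase - unblindings - confidential_fees.
# Assumption: GCTXO[coinbase] is the coinbase output scripted OP_TRUE.
# The email does not say how {unblinding-fee-amount} is settled, so it is
# parsed but not accounted for here.

@dataclass
class Tx:
    kind: str                  # coinbase | blinding | unblinding | confidential | ctbase
    input_value: int = 0       # sum of non-confidential input values (blinding only)
    marker_fee: int = 0        # amount in the trailing OP_RETURN OP_2 {fee} output
    unblind: list = field(default_factory=list)   # (amount, destination) requests
    outputs: list = field(default_factory=list)   # (amount, scriptPubkey)

def validate_block(txs, gctxo_last_block):
    """Return (ok, reason) for a block judged under the proposed soft-fork rules."""
    if not any(t.kind in ("blinding", "unblinding", "confidential") for t in txs):
        return True, "no new transaction types; old rules apply"
    if txs[0].kind != "coinbase" or txs[-1].kind != "ctbase":
        return False, "coinbase must be first and confidential base last"
    coinbase, ctbase = txs[0], txs[-1]
    # Blinding: the whole input value is surrendered as fee and declared in the marker.
    blinding_fees = 0
    for t in txs:
        if t.kind == "blinding":
            if t.marker_fee != t.input_value:
                return False, "blinding marker does not equal the surrendered input value"
            blinding_fees += t.input_value
    # Coinbase must forward every blinding fee to GCTXO[coinbase], not keep it.
    gctxo_coinbase = sum(a for a, spk in coinbase.outputs if spk == "OP_TRUE")
    if gctxo_coinbase != blinding_fees:
        return False, "coinbase keeps blinding fees instead of funding GCTXO[coinbase]"
    requests = [r for t in txs if t.kind == "unblinding" for r in t.unblind]
    unblindings = sum(a for a, _ in requests)
    conf_fees = sum(t.marker_fee for t in txs if t.kind == "confidential")
    expected = gctxo_last_block + gctxo_coinbase - unblindings - conf_fees
    if expected < 0:
        return False, "unblinding more than the blinded supply"
    if not ctbase.outputs or ctbase.outputs[0] != (expected, "OP_TRUE"):
        return False, "GCTXO[current_block] amount or script is wrong"
    if ctbase.outputs[1:] != requests:
        return False, "confidential base payouts do not match unblinding requests"
    return True, "ok"
```

Blocks without any of the new transaction types pass unconditionally, matching the claim that they stay valid under the old rules alone.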

[1] https://people.xiph.org/~greg/confidential_values.txt
[2] https://github.com/CodeShark/bips/blob/segwit/bip-codeshark-jl2012-segwit.mediawiki


Sorry for the form, this is just a quick draft of a thought I had today.
Please comment.

Felix Weis
