Date: Tue, 14 Nov 2017 04:11:23 -0500
From: Peter Todd <pete@petertodd.org>
To: Gregory Maxwell <greg@xiph.org>,
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <20171114091123.GA29286@savin.petertodd.org>
References: <CAAS2fgQ0Cb2B=Ye2TnpfQqP4=kpZCxMWRXYB0CcFa71sQJaGuw@mail.gmail.com>
In-Reply-To: <CAAS2fgQ0Cb2B=Ye2TnpfQqP4=kpZCxMWRXYB0CcFa71sQJaGuw@mail.gmail.com>
Subject: Re: [bitcoin-dev] Updates on Confidential Transactions efficiency


On Tue, Nov 14, 2017 at 01:21:14AM +0000, Gregory Maxwell via bitcoin-dev wrote:
> Jump to "New things here" if you're already up to speed on CT and just
> want the big news.

<snip>

> This work also allows arbitrarily complex conditions to be proven in
> the values, not just simple ranges, with proofs logarithmic in the
> size of the arithmetic circuit representing the conditions being
> proved--and still with no trusted setup. As a result it potentially
> opens up many other interesting applications as well.
>
> The pre-print on this new work is available at https://eprint.iacr.org/2017/1066

Re: section 4.6, "For cryptocurrencies, the binding property is more important
than the hiding property. An adversary that can break the binding property of
the commitment scheme or the soundness of the proof system can generate coins
out of thin air and thus create uncontrolled but undetectable inflation
rendering the currency useless.  Giving up the privacy of a transaction is much
less harmful as the sender of the transaction or the owner of an account is
harmed at worst."

I _strongly_ disagree with this statement and urge you to remove it from the
paper.

The worst-case risk of undetected inflation leading to the destruction of a
currency is an easily quantified risk: at worst any given participant loses
whatever they have invested in that currency. While unfortunate, this isn't a
unique or unexpected risk: cryptocurrencies regularly lose 50% - or even 90% -
of their value due to fickle markets alone. But cryptocurrency owners shrug
these risks off. After all, it's just money, and diversification is an easy way
to mitigate that risk.

But a privacy break? For many users _that_ threatens their very freedom,
something that's difficult to even put a price on.

Furthermore, the risk of inflation is a risk that's easily avoided: at a
personal level, sell your holdings in exchange for a less risky system; at a
system-wide level, upgrade the crypto.

But a privacy leak? Once I publish a transaction to the world, there's no easy
way to undo that act. I've committed myself to trusting the crypto
indefinitely, without even a sure knowledge of what kind of world I'll live in
ten years down the road. Sure, my donation to Planned Parenthood or the NRA
might be legal now, but will it come back to haunt me in ten years?


Fortunately, as section 4.6 goes on to note, Bulletproofs *are* perfectly
hiding. But that's a feature we should celebrate! The fact that quantum
computing may force us to give up that essential privacy is just another
example of quantum computing ruining everything, nothing more.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org
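The binding-versus-hiding trade-off argued over above, as an added Python example that is not part of the original message or of the Bulletproofs paper: toy Pedersen commitments (the commitment scheme underneath Confidential Transactions) in a constructed order-11 subgroup of Z_23^*, far too small for real use. It shows that a commitment is perfectly hiding, that the CT balance check is homomorphic, and that anyone who knows the discrete log between the two generators (the assumed `TRAPDOOR_X`) can re-open a commitment to any value, which is the undetectable inflation section 4.6 describes; real deployments derive H by hashing precisely so that no such trapdoor exists.

```python
# Toy Pedersen commitments in the order-11 subgroup of Z_23^*.
# Constructed parameters for illustration only; real CT uses secp256k1.
P, Q = 23, 11              # prime modulus and prime subgroup order
G = 4                      # generator of the order-Q subgroup
TRAPDOOR_X = 7             # assumed secret: log_G(H); must be unknowable in practice
H = pow(G, TRAPDOOR_X, P)  # H = 8; real systems hash to a point so nobody knows X

def commit(value, blinding):
    """C = G^value * H^blinding mod P: perfectly hiding, computationally binding."""
    return (pow(G, value, P) * pow(H, blinding, P)) % P

def openings(c):
    """Every (value -> blinding) pair that opens c, by brute force over the toy group."""
    return {v: r for v in range(Q) for r in range(Q) if commit(v, r) == c}

def is_perfectly_hiding(c):
    """Perfect hiding: every value in Z_Q has some blinding that opens c,
    so the commitment alone carries no information about the committed value."""
    return set(openings(c)) == set(range(Q))

def forge_opening(value, blinding, new_value):
    """Binding break: with X known, re-open (value, blinding) as new_value.
    G^new * H^r' = G^(new + X*r'); solve new + X*r' = value + X*blinding (mod Q) for r'."""
    x_inv = pow(TRAPDOOR_X, -1, Q)
    return (blinding + (value - new_value) * x_inv) % Q

def balances(inputs, outputs):
    """CT balance rule: product of input commitments equals product of output commitments.
    Homomorphism makes this hold for honest openings; a forged opening passes it too."""
    lhs = rhs = 1
    for v, r in inputs:
        lhs = lhs * commit(v, r) % P
    for v, r in outputs:
        rhs = rhs * commit(v, r) % P
    return lhs == rhs

if __name__ == "__main__":
    c = commit(5, 3)
    print("perfectly hiding:", is_perfectly_hiding(c))
    r2 = forge_opening(5, 3, 9)
    print("forged opening verifies:", commit(9, r2) == c)
    # An input worth 5 "spending" an output worth 9: inflation the verifier cannot see.
    print("inflated transaction balances:", balances([(5, 3)], [(9, r2)]))
```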
