Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 8D64728D4 for ; Mon, 11 Feb 2019 10:19:19 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-oln040092070099.outbound.protection.outlook.com [40.92.70.99]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 30585FE for ; Mon, 11 Feb 2019 10:19:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Ge2XTZqEgEbizjMI0RkHY+KpdSgLSTX3E7lxS95I2pw=; b=M2BOWez5KJsq2leag36hEU1F2Ko5xXCW6Y824J9D+ubV2GnmMhs2roFP2cI95RL3FDGmEERu1VQuGB82Rn7zhIMTGOJhq7lIh9wKxZ31mkoMOoID0kMPi5ej/zXIWE88DZr9C0bdhnp3KFIX07K9uddr24zkG3Vuu0N8TOKhGEPcq62knoPDQGQunLF4W1wKebmeG0oJKNZl04bwJ4KGSirEfdo2WnXhy7Luc7o3Y+hnLfTawxjj8Ek5oLtCpdHUfOadUO/9OhW659xLCsYgI5me+U/cS3qVvvkusFBPCirBsfpFR56YgTndBhPUPRc5gtRJCwyNlx+R680wCx5/vg== Received: from AM5EUR03FT031.eop-EUR03.prod.protection.outlook.com (10.152.16.54) by AM5EUR03HT239.eop-EUR03.prod.protection.outlook.com (10.152.16.209) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1580.17; Mon, 11 Feb 2019 10:19:15 +0000 Received: from DB6PR10MB1832.EURPRD10.PROD.OUTLOOK.COM (10.152.16.59) by AM5EUR03FT031.mail.protection.outlook.com (10.152.16.111) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1580.17 via Frontend Transport; Mon, 11 Feb 2019 10:19:15 +0000 Received: from DB6PR10MB1832.EURPRD10.PROD.OUTLOOK.COM ([fe80::85e1:a698:7b7c:a02c]) by DB6PR10MB1832.EURPRD10.PROD.OUTLOOK.COM ([fe80::85e1:a698:7b7c:a02c%6]) with mapi id 15.20.1601.023; Mon, 11 Feb 2019 10:19:15 +0000 From: "Kenshiro []" To: Bitcoin Protocol Discussion , ZmnSCPxj Thread-Topic: [bitcoin-dev] Implementing Confidential Transactions in extension blocks Thread-Index: AQHUv5aqK9doshwpj0CV+ZeZH4q9cqXaBaMAgABbNRg= Date: Mon, 11 Feb 2019 10:19:15 +0000 Message-ID: References: , In-Reply-To: Accept-Language: en-US, es-ES Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-incomingtopheadermarker: OriginalChecksum:E7B62B4448A7C5D76BFD97A8DA28C4EE84E1C9C63954FA187FDF6865F7DF3342; UpperCasedChecksum:50E378A055AB9291BA7430B5509388E705D7A9F00682C96AB9CA9F919B315B6F; SizeAsReceived:7262; Count:44 x-tmn: [PZ2UL74uHk/JwJ815c2FhL0U6Vir3NSy] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1; AM5EUR03HT239; 6:ID8WyGQDYM72C4bNh5IfTRU+VAMZ99UCmfgT376MX0TL2Sf8G+G9uU6RBV0DD08dWUsDL80b2mfk/9e/ta/Ql/1uY1kxMCgNcUXxz2sK4NU/UCZG8DBWVtwN5kq+sdZb/IVCK3Yg+Y6Jq37iqJcKwT8CZ+p9zBlg64dYF2NqJ+7J7HL8EO/jgcfvTEoN4KuO3CLFG91DFe2bBkxmoGAGSKB5o0t7kNef3LJiyy7NVeNICkEM58GApcxlNil6GFGze6E9RLtx35QxWyYY15KLtubKDQ+pmbbIQ8T5O8AR/UDr0qrTIQ/kSvmQAQqB7q3Dx/UpZM2z2W/VwzObWQZI34ylst7pI9JMqEUyNz78Ht8i9bhBCNNyWGPI2eFRjUnib0KmkDna5oh9UqR1JjNgJvtaKEkVohmzZwgG9/0E7niMUTb1oo9NF4sVAxoUL5a1CCvHyfa+bkwHeU+TrRpYhQ==; 5:lM1+l3MIl5scQ9mU40afC2IcjW58l/l4LvdKhxq0sru5uQtU7quXoOluHkbB39rW/I+BKvYn+WruLgI0RoAvR2fUBLLHs1TmINm+sE75fGuVVDPlpSJSIYocTO6ih61rZ2xun8Sxn5R2fw296JtgbCbW1Pbbd6HyZ2G3Toyn6V7p/atfQzf+UI1ehEtKehhm4YW6WTqYUoPTKqwGkOXIyQ==; 7:Sb86qwyov33oJKvL9hKVuCLo89haBBcNC8Z5lzx0wL5gGhfykbHqzdgXsylGL0DZw/xJ+IPy/qCmnT5mpJGiYukt5hMBrd3d8Z5lRxczvKCaZB6LT1kAWOoIUcsmwFA420pbSLr3RZyfakxxc7hbOQ== x-incomingheadercount: 44 x-eopattributedmessage: 0 x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(20181119070)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031323274)(2017031324274)(2017031322404)(1601125500)(1603101475)(1701031045); SRVR:AM5EUR03HT239; x-ms-traffictypediagnostic: AM5EUR03HT239: x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(4566010)(82015058); SRVR:AM5EUR03HT239; BCL:0; PCL:0; RULEID:; SRVR:AM5EUR03HT239; x-microsoft-antispam-message-info: geeRTyEvkuNX4F9XkaN75wWIuSs+c++Cf0JSgKbhHOmVhDc6U+qGBOC2lK65KfCX Content-Type: multipart/alternative; boundary="_000_DB6PR10MB1832F0E339FD9B76E87BC64FA6640DB6PR10MB1832EURP_" MIME-Version: 1.0 X-OriginatorOrg: hotmail.com X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: d4d70346-2c10-4f39-8c00-e767963926d9 X-MS-Exchange-CrossTenant-Network-Message-Id: c1118d47-4dc8-45f4-e816-08d6900a5fd7 X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: d4d70346-2c10-4f39-8c00-e767963926d9 X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Feb 2019 10:19:15.0971 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Internet X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5EUR03HT239 X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Tue, 12 Feb 2019 12:46:54 +0000 Subject: Re: [bitcoin-dev] Implementing Confidential Transactions in extension blocks X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Feb 2019 10:19:19 -0000 --_000_DB6PR10MB1832F0E339FD9B76E87BC64FA6640DB6PR10MB1832EURP_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Good morning ZmnSCPxj, Thank you for your answer. There is a position that fullnodes must be able to get a view of the UTXO s= et, and extension blocks (which are invisible to pre-extension-block fullno= des) means that fullnodes no longer have an accurate view of the UTXO set. I think old nodes don't need to know the CT part of the UTXO set. It would = be possible to move coins from normal address to CT address and the opposit= e, it would be written as "anyone-can-spend" transactions in the main block= so old nodes are fully aware of these transactions. Miners would enforce t= hat "anyone-can-spend" transactions are true. The full details of the trans= actions involving CT would be in the extension block. CT to CT transactions= don't need to be written in the main block. Maybe I'm missing some technic= al detail here but it looks good for me. > - Capacity increase: the CT signature is stored in the extension block, s= o CT transactions increase the maximum number of transactions per block This is not an unalloyed positive: block size increase, even via extension = block, translates to greater network capacity usage globally on all fullnod= es. Yes, there is an increase in block size and network usage but I think it wo= uld still be possible for people with regular computers to run a full node,= an people in developing countries could use light wallets. Regards ________________________________ From: ZmnSCPxj Sent: Monday, February 11, 2019 5:29 To: Kenshiro \[\]; Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Implementing Confidential Transactions in extens= ion blocks Good morning Kenshiro, > - Soft fork: old nodes see CT transactions as "sendtoany" transactions There is a position that fullnodes must be able to get a view of the UTXO s= et, and extension blocks (which are invisible to pre-extension-block fullno= des) means that fullnodes no longer have an accurate view of the UTXO set. SegWit still provides pre-SegWit fullnodes with a view of the UTXO set, alt= hough pre-SegWit fullnodes could be convinced that a particular UTXO is any= one-can-spend even though they are no longer anyone-can-spend. Under this point-of-view, then, extension block is "not" soft fork. It is "evil" soft fork since older nodes are forced to upgrade as their int= ended functionality becomes impossible. In this point-of-view, it is no better than a hard fork, which at least is = very noisy about how older fullnode versions will simply stop working. > - Safe: if there is a software bug in CT it's impossible to create new co= ins because the coins move from normal block to normal block as public tran= sactions I think more relevant here is the issue of a future quantum computing breac= h of the algorithms used to implement confidentiality. I believe this is also achievable with a non-extension-block approach by im= plementing a globally-verified publicly-visible counter of the total amount= in all confidential transaction outputs. Then it becomes impossible to move from confidential to public transactions= with a value more than this counter, thus preventing inflation even if a f= uture QC breach allows confidential transaction value commitments to be ope= ned to any value. (do note that a non-extension-block approach is a definite hardfork) > - Capacity increase: the CT signature is stored in the extension block, s= o CT transactions increase the maximum number of transactions per block This is not an unalloyed positive: block size increase, even via extension = block, translates to greater network capacity usage globally on all fullnod= es. Regards, ZmnSCPxj --_000_DB6PR10MB1832F0E339FD9B76E87BC64FA6640DB6PR10MB1832EURP_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Good morning ZmnSCPxj,

Thank you for your answer.

There is a position that fullnodes must be able to get a view of the UTX= O set, and extension blocks (which are invisible to pre-extension-block ful= lnodes) means that fullnodes no longer have an accurate view of the UTXO se= t.

I think old nodes don't need to know the CT part of the UTXO set. It would = be possible to move coins from normal address to CT address and the opposit= e, it would be written as "anyone-can-spend" transactions in the = main block so old nodes are fully aware of these transactions. Miners would enforce that "anyone-can-spend"= transactions are true. The full details of the transactions involving CT w= ould be in the extension block. CT to CT transactions don't need to be writ= ten in the main block. Maybe I'm missing some technical detail here but it looks good for me.


> - Capacity increase: the CT signature is stored in the extens= ion block, so CT transactions  increase the maximum number of transact= ions per block

This is not an unalloyed positive: block size increase, even via e= xtension block, translates to greater network capacity usage globally on al= l fullnodes.

Yes, there is an increase in block size and network usage but I think it wo= uld still be possible for people with regular computers to run a full node,= an people in developing countries could use light wallets.

Regards



From: ZmnSCPxj <ZmnSCPxj= @protonmail.com>
Sent: Monday, February 11, 2019 5:29
To: Kenshiro \[\]; Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Implementing Confidential Transactions in= extension blocks
 
Good morning Kenshiro,

> - Soft fork: old nodes see CT transactions as "sendtoany" tr= ansactions

There is a position that fullnodes must be able to get a view of the UTXO s= et, and extension blocks (which are invisible to pre-extension-block fullno= des) means that fullnodes no longer have an accurate view of the UTXO set.<= br> SegWit still provides pre-SegWit fullnodes with a view of the UTXO set, alt= hough pre-SegWit fullnodes could be convinced that a particular UTXO is any= one-can-spend even though they are no longer anyone-can-spend.

Under this point-of-view, then, extension block is "not" soft for= k.
It is "evil" soft fork since older nodes are forced to upgrade as= their intended functionality becomes impossible.
In this point-of-view, it is no better than a hard fork, which at least is = very noisy about how older fullnode versions will simply stop working.

> - Safe: if there is a software bug in CT it's impossible to create new= coins because the coins move from normal block to normal block as public t= ransactions

I think more relevant here is the issue of a future quantum computing breac= h of the algorithms used to implement confidentiality.

I believe this is also achievable with a non-extension-block approach by im= plementing a globally-verified publicly-visible counter of the total amount= in all confidential transaction outputs.
Then it becomes impossible to move from confidential to public transactions= with a value more than this counter, thus preventing inflation even if a f= uture QC breach allows confidential transaction value commitments to be ope= ned to any value.

(do note that a non-extension-block approach is a definite hardfork)

> - Capacity increase: the CT signature is stored in the extension block= , so CT transactions increase the maximum number of transactions per block<= br>
This is not an unalloyed positive: block size increase, even via extension = block, translates to greater network capacity usage globally on all fullnod= es.

Regards,
ZmnSCPxj
--_000_DB6PR10MB1832F0E339FD9B76E87BC64FA6640DB6PR10MB1832EURP_--