📅 Original date posted:2017-11-14
📝 Original message:On Tue, Nov 14, 2017 at 9:11 AM, Peter Todd <pete at petertodd.org> wrote:
> I _strongly_ disagree with this statement and urge you to remove it from the
> paper.
I very strongly disagree with your strong disagreement.
> The worst-case risk of undetected inflation leading to the destruction of a
> currency is an easily quantified risk: at worst any given participant loses
> whatever they have invested in that currency. While unfortunate, this isn't a
> unique or unexpected risk: cryptocurrencies regularly lose 50% - or even 90% -
> of their value due to fickle markets alone. But cryptocurrency owners shrug
> these risks off. After all, it's just money, and diversification is an easy way
> to mitigate that risk.
>
> But a privacy break? For many users _that_ threatens their very freedom,
> something that's difficult to even put a price on.
Its important that people know and understand what properties a system has.
Perhaps one distinction you miss is that perfectly hiding systems
don't even exist in practice: I would take a bet that no software on
your system that you can use with other people actually implements a
perfectly hiding protocol (much less find on most other people's
system system :)).
In the case of practical use with CT perfect hiding is destroyed by
scalability-- the obvious construction is a stealth address like one
where a DH public key is in the address and that is used to scan for
your payments against a nonce pubkey in the transactions. The
existence of that mechanism destroys perfect hiding. No scheme that
can be scanned using an asymmetric key is going to provide perfect
hiding.
Now, perhaps what you'd like is a system which is not perfect hiding
but where the hiding rests on less "risky" assumptions. That is
something that can plausibly be constructed, but it's not itself
incompatible with unconditional soundness.
As referenced in the paper, there is also the possibility of having a
your cake and eating it too-- switch commitments for example allow
having computational-hiding-depending-on-the-hardness-of-inverting-hashes
(which I would argue is functionally as good as perfect hiding, esp
since hiding is ultimately limited by the asymmetric crypto used for
discovery) and yet it retains an option to upgrade or block spending
via unsound mechanisms in the event of a crypto break.
> Furthermore, the risk of inflation is a risk that's easily avoided:
Sounds like you are assuming that you know when there is a problem, if
you do then the switch commitments scheme works and doesn't require
any selling of anything. Selling also has the problem that everyone
would want to do it at once if there was a concern; this would not
have good effects. :) Without switch commitments though, you are just
hosed. And you cannot have something like switch commitments without
abandoning perfect hiding ( though you get hiding which is good enough
(tm), as mentioned above).
On Tue, Nov 14, 2017 at 10:07 AM, Peter Todd <pete at petertodd.org> wrote:
> Re: the unprunable accumulators, that doesn't need to be an inherent property
> of Zcash/Monero style systems.
>
> It'd be quite feasible to use accumulator epochs and either make unspent coins
> in a previous epoch unspendable after some expiry time is reached - allowing
Miners to reduce coin supply, enhancing the value of their own
holdings, by simply not letting near-expiry ones get spent...
(This can be partially mediated by constructing proofs to hide if a
coins in near expiration or not.)
> or make use of a merkelized key-value scheme with transaction provided proofs to shift the costs of
> maintaining the accumulator to wallets.
Yes, that they can do-- though with the trade-offs inherent in that.
It is worse than what you were imagining in the Bitcoin case because
you cannot use one or two time-ordered trees, the spent coins list
needs search-insertion; so maintaining it over time is harder. :( The
single time ordered tree trick doesn't work because you can't mutate
the entries without blowing anonymity.
I think it's still fair to say that ring-in and tree-in approaches
(monero, and zcash) are fundamentally less scalable than
CT+valueshuffle, but more private-- though given observations of Zcash
behavior perhaps not that much more private. With the right smart
tricks the scalablity loss might be more inconvenient than fatal, but
they're still a loss even if they're one that makes for a good
tradeoff.
As an aside, you shouldn't see Monero as entirely distinct now that
we're talking about a framework which is fully general: Extending
this to a traceable 1 of N input for monero is simple-- and will add
size log() in the number of ring inputs with good constant factors.
One could also store inputs in a hash tree, and then have a
bulletproof that verified membership in the tree. This would provide
tree-in style transactions with proofs that grow with the log() of the
size of the tree (and a spent coins accumulator); the challenge there
would be choosing a hash function that had a compact representation in
the arithmetic circuit so that the constant factors aren't terrible.
Effectively that's what bulletproofs does: It takes a general scheme
for ZKP of arbitrary computation, which could implement a range proof
by opening the commitments (e.g. a circuit for EC point scalar
multiply) and checking the value, and optimizes it to handle the
commitments more directly. If you're free to choose the hash function
there may be a way to make a hash tree check ultra efficient inside
the proof, in which case this work could implement a tree-in scheme
like zcash-- but with larger proofs and slower verification in
exchange for much better crypto assumptions and no trusted setup.
This is part of what I meant by it opening up "many other interesting
applications".
But as above, I think that the interactive-sparse-in (CJ) has its own
attractiveness, even though it is not the strongest for privacy.
Gregory Maxwell [ARCHIVE] /
npub1f2…crwet
2023-06-07 18:07:43
in reply to nevent1q…frgd
Author Public Key
npub1f2nvlx49er5c7sqa43src6ssyp6snd4qwvtkwm5avc2l84cs84esecrwetPublished at
2023-06-07 18:07:43Event JSON
{
"id": "13aa742019dc5d35cb8ab7a8ea92993206d5442ee84c877d3cb8ec3e847d4504",
"pubkey": "4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73",
"created_at": 1686161263,
"kind": 1,
"tags": [
[
"e",
"3386b029fefac35f9ef44890402a94a3105cef26370834bbf0411f61d6d33bc0",
"",
"root"
],
[
"e",
"d8886ee4ce52e2bcb122b7249b768ba7f834d8c261ee8a52392cb2165cfa35a9",
"",
"reply"
],
[
"p",
"daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa"
]
],
"content": "📅 Original date posted:2017-11-14\n📝 Original message:On Tue, Nov 14, 2017 at 9:11 AM, Peter Todd \u003cpete at petertodd.org\u003e wrote:\n\u003e I _strongly_ disagree with this statement and urge you to remove it from the\n\u003e paper.\n\nI very strongly disagree with your strong disagreement.\n\n\u003e The worst-case risk of undetected inflation leading to the destruction of a\n\u003e currency is an easily quantified risk: at worst any given participant loses\n\u003e whatever they have invested in that currency. While unfortunate, this isn't a\n\u003e unique or unexpected risk: cryptocurrencies regularly lose 50% - or even 90% -\n\u003e of their value due to fickle markets alone. But cryptocurrency owners shrug\n\u003e these risks off. After all, it's just money, and diversification is an easy way\n\u003e to mitigate that risk.\n\u003e\n\u003e But a privacy break? For many users _that_ threatens their very freedom,\n\u003e something that's difficult to even put a price on.\n\nIts important that people know and understand what properties a system has.\n\nPerhaps one distinction you miss is that perfectly hiding systems\ndon't even exist in practice: I would take a bet that no software on\nyour system that you can use with other people actually implements a\nperfectly hiding protocol (much less find on most other people's\nsystem system :)).\n\nIn the case of practical use with CT perfect hiding is destroyed by\nscalability-- the obvious construction is a stealth address like one\nwhere a DH public key is in the address and that is used to scan for\nyour payments against a nonce pubkey in the transactions. The\nexistence of that mechanism destroys perfect hiding. No scheme that\ncan be scanned using an asymmetric key is going to provide perfect\nhiding.\n\nNow, perhaps what you'd like is a system which is not perfect hiding\nbut where the hiding rests on less \"risky\" assumptions. That is\nsomething that can plausibly be constructed, but it's not itself\nincompatible with unconditional soundness.\n\nAs referenced in the paper, there is also the possibility of having a\nyour cake and eating it too-- switch commitments for example allow\nhaving computational-hiding-depending-on-the-hardness-of-inverting-hashes\n (which I would argue is functionally as good as perfect hiding, esp\nsince hiding is ultimately limited by the asymmetric crypto used for\ndiscovery) and yet it retains an option to upgrade or block spending\nvia unsound mechanisms in the event of a crypto break.\n\n\u003e Furthermore, the risk of inflation is a risk that's easily avoided:\n\nSounds like you are assuming that you know when there is a problem, if\nyou do then the switch commitments scheme works and doesn't require\nany selling of anything. Selling also has the problem that everyone\nwould want to do it at once if there was a concern; this would not\nhave good effects. :) Without switch commitments though, you are just\nhosed. And you cannot have something like switch commitments without\nabandoning perfect hiding ( though you get hiding which is good enough\n(tm), as mentioned above).\n\nOn Tue, Nov 14, 2017 at 10:07 AM, Peter Todd \u003cpete at petertodd.org\u003e wrote:\n\u003e Re: the unprunable accumulators, that doesn't need to be an inherent property\n\u003e of Zcash/Monero style systems.\n\u003e\n\u003e It'd be quite feasible to use accumulator epochs and either make unspent coins\n\u003e in a previous epoch unspendable after some expiry time is reached - allowing\n\nMiners to reduce coin supply, enhancing the value of their own\nholdings, by simply not letting near-expiry ones get spent...\n(This can be partially mediated by constructing proofs to hide if a\ncoins in near expiration or not.)\n\n\u003e or make use of a merkelized key-value scheme with transaction provided proofs to shift the costs of\n\u003e maintaining the accumulator to wallets.\n\nYes, that they can do-- though with the trade-offs inherent in that.\nIt is worse than what you were imagining in the Bitcoin case because\nyou cannot use one or two time-ordered trees, the spent coins list\nneeds search-insertion; so maintaining it over time is harder. :( The\nsingle time ordered tree trick doesn't work because you can't mutate\nthe entries without blowing anonymity.\n\nI think it's still fair to say that ring-in and tree-in approaches\n(monero, and zcash) are fundamentally less scalable than\nCT+valueshuffle, but more private-- though given observations of Zcash\nbehavior perhaps not that much more private. With the right smart\ntricks the scalablity loss might be more inconvenient than fatal, but\nthey're still a loss even if they're one that makes for a good\ntradeoff.\n\nAs an aside, you shouldn't see Monero as entirely distinct now that\nwe're talking about a framework which is fully general: Extending\nthis to a traceable 1 of N input for monero is simple-- and will add\nsize log() in the number of ring inputs with good constant factors.\nOne could also store inputs in a hash tree, and then have a\nbulletproof that verified membership in the tree. This would provide\ntree-in style transactions with proofs that grow with the log() of the\nsize of the tree (and a spent coins accumulator); the challenge there\nwould be choosing a hash function that had a compact representation in\nthe arithmetic circuit so that the constant factors aren't terrible.\nEffectively that's what bulletproofs does: It takes a general scheme\nfor ZKP of arbitrary computation, which could implement a range proof\nby opening the commitments (e.g. a circuit for EC point scalar\nmultiply) and checking the value, and optimizes it to handle the\ncommitments more directly. If you're free to choose the hash function\nthere may be a way to make a hash tree check ultra efficient inside\nthe proof, in which case this work could implement a tree-in scheme\nlike zcash-- but with larger proofs and slower verification in\nexchange for much better crypto assumptions and no trusted setup.\nThis is part of what I meant by it opening up \"many other interesting\napplications\".\n\nBut as above, I think that the interactive-sparse-in (CJ) has its own\nattractiveness, even though it is not the strongest for privacy.",
"sig": "dbc59075489e79a0eb9107401f32c576e2c5050effe2a2c667d2c701a2775492a1f188a6ef3880e5685d05514f61960a63cb34b32b587ba4d59982995da7e442"
}