📅 Original date posted:2017-11-14
📝 Original message:On Tue, Nov 14, 2017 at 10:38 AM, Gregory Maxwell <greg at xiph.org> wrote:
> I think it's still fair to say that ring-in and tree-in approaches
> (monero, and zcash) are fundamentally less scalable than
> CT+valueshuffle, but more private-- though given observations of Zcash
While I'm enumerating private transaction topologies there is fourth
one I'm aware of (most closely related to ring-in):
take N inputs, write >= N outputs, where some coins are spent and
replaced with a new output, or an encrypted dummy... and other coins
are simply reencrypted in a way that their owner can still decode.
Provide a proof that shows you did this faithfully. So this one avoids
the spent coins list by being able to malleiate the inputs.
We never previously found an efficient way to construct that one in a
plain DL setting, but it's probably possible w/ bulletproofs, at least
for some definition of efficient.
Gregory Maxwell [ARCHIVE] /
npub1f2…crwet
2023-06-07 18:07:44
in reply to nevent1q…06md
Author Public Key
npub1f2nvlx49er5c7sqa43src6ssyp6snd4qwvtkwm5avc2l84cs84esecrwetPublished at
2023-06-07 18:07:44Event JSON
{
"id": "02ee466726cddc89bc3c2019717ee6a143ba22507a4441ddf1de3b1f5520d81d",
"pubkey": "4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73",
"created_at": 1686161264,
"kind": 1,
"tags": [
[
"e",
"3386b029fefac35f9ef44890402a94a3105cef26370834bbf0411f61d6d33bc0",
"",
"root"
],
[
"e",
"13aa742019dc5d35cb8ab7a8ea92993206d5442ee84c877d3cb8ec3e847d4504",
"",
"reply"
],
[
"p",
"4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73"
]
],
"content": "📅 Original date posted:2017-11-14\n📝 Original message:On Tue, Nov 14, 2017 at 10:38 AM, Gregory Maxwell \u003cgreg at xiph.org\u003e wrote:\n\u003e I think it's still fair to say that ring-in and tree-in approaches\n\u003e (monero, and zcash) are fundamentally less scalable than\n\u003e CT+valueshuffle, but more private-- though given observations of Zcash\n\nWhile I'm enumerating private transaction topologies there is fourth\none I'm aware of (most closely related to ring-in):\n\ntake N inputs, write \u003e= N outputs, where some coins are spent and\nreplaced with a new output, or an encrypted dummy... and other coins\nare simply reencrypted in a way that their owner can still decode.\nProvide a proof that shows you did this faithfully. So this one avoids\nthe spent coins list by being able to malleiate the inputs.\n\nWe never previously found an efficient way to construct that one in a\nplain DL setting, but it's probably possible w/ bulletproofs, at least\nfor some definition of efficient.",
"sig": "fca1e0b305a0fad47480ee2efaf7bf4b679ff6ab51e78f945f9fd734299733f0912ba6b9a7bd6ff8ffdfb1d525c4ccda28dd09bf494018480699326c3db416fe"
}