📅 Original date posted:2013-05-15
📝 Original message:On 05/15/2013 12:21 PM, Adam Back wrote:
> On Wed, May 15, 2013 at 08:40:59AM -0400, Caleb James DeLisle wrote:
>> If the commitment is opaque at the time of inclusion in the block then
>> I will create multiple commitments and then after revealing the
>> commitment and spend to you I will reveal the earlier commitment which
>> commits the coins to an address I control.
>
> Bit-commitments are based on deterministic one-way functions eg like SHA1(
> SHA256( public key ) ) Obviously it has to be a different one-way function
> to the coin address calculation which is RIPEMD( SHA256( public key ) ) as
> that is already public. Alternatively it can be a different serialization
> using the same hash eg RIPEMD( SHA256( 1 || public key ) ).
Ahh thanks for clearing that up, although it would limit the possibilities
of scripting it is silly of me not to think of it.
>
> There is only one commitment possible per public key - so you can only
> create one commitment that would validate to a receiver, or to the network. The network checks that there are no non-blind double spends of committed
> coins which it can do as spends require disclosure of the public key, which
> allows existing commitments to be verified, and it similarly qchecks that
> there are no blind double-commitments.
>
> Each committed coin would be:
>
> one-spend-commit = Com( spender pub ), Com( transaction )
>
> where Com is implemented as the above hash. The network just places the
> commitments in order as with conventional transactions.
>
> The committed coins are not linkable to your non-blind coin because you did
> not reveal your public key in the (largely passive) act of receiving to a
> coin address.
>
>> On the topic of reversibility, I suspect in the long term the lack of
>> chargebacks will create issues as criminals learn that for the first
>> time in history, kidnap & ransom is effective.
>
> The temporary unlinkability (until commitment reveal) is a necessary side
> effect, not a cryptographic anonymity feature like zerocoin. The
> transactions are identical to bitcoins once revealed. How long the
> committed transaction chains can be between reveals is an implementation
> choice could be 1 hop, or as long as you like. (Actually it appears to be
> up to the individual users how long the maximum chain they accept is - the
> network itself, though ordering the committed spends (if there are multiple
> spends on the same key) cant even tell how long the commitment payment
> chains are).
>
> Obviously the first coins in the network ordered committed coins on the same
> key up to the coin value are spends as verified by the recipient, the rest
> are double-spend and ignored. If someone wants to waste fees by sending
> more spends than there inputs thats up to them.
>
> Probably the typical user doesnt care about long committed chains other
> than their wallet will bloat if the chains are too long, so probably they
> would periodically compact it by revealing the long chains. Committed coins
> are probably a bit less SPV client friendly, though with correct formatting
> in the merkle trees between blocks, probably a committed coin holder can
> provide enough proof to an SPV client to verify even multi-spend committed
> coins directly (without a network feed).
>
> About privacy, up to the entire commitment chain can be opened at any time
> (to other people or to the bitcoin network in general) with the cooperation
> of any user on the chain (up to the point they saw it), so while the blind
> commitment protocol is not vulnerable to a > 50% power quorum unilaterally
> imposed policy (without even needing client updates), it is fully dependent
> on the good will of the recipients for its temporary unlinkability. Thats
> the point: it puts policy control in the users hands not in the > 50% power
> quorum.
That is indeed interesting. If I understand this properly Alice commits coins
to pay to Bob and gives Bob the transaction, Bob then commits to pay to Charlie
and gives him the related transaction. If Charlie wants to collect the bitcoin
he then reveals Alice's transaction and Bob's.
I think what you're trying to do is *almost* possible now (ab)using BIP-0016
In the output of the previous tx you put:
OP_HASH160 [20-byte-hash-value] OP_EQUAL
and in the next tx you use a new type of input which specifies it's value but
not the output which is spent. In the input script you place:
OP_DUP OP_1ADD OP_HASH160 [20-byte-hash-value] OP_EQUALVERIFY
Then a serialized script containing the normal stuff as well as the last
transaction hash and output index would be passed around out of band and the
validating nodes would execute each script with a shared stack, beginning with
the out of band one, then the input one (the OP_EQUALVERIFY) then the output.
When the serialized sigscript reaches the bottom of the stack, having been
verified twice, it will now be evaluated as per the rules of P2SH.
None of this probably works in the real world since I'm not familiar with the
actual implementation of P2SH and it probably has quite a number of things
which will break if used this way but it is interesting to see that in theory
it is possible with little change to the protocol (just a new input format).
Thanks,
Caleb
>
> If you want cryptographic anonymity its better to look to zerocoin. You may
> have noticed zero coin talked about optional fraud tracing. Its usually
> trivial to add tracing to an otherwise privay preserving protocol.
>
> The blind commitment if implemented as described (and its not obvious how to
> get more privacy from it) offers somewhat like community policing. Users on
> the chain can still themselves do fraud tracing, or any policy they choose,
> on any blind committed coins that they receive. If they dont like the
> colour of them they can refund them. The point is to enforce that this is a
> free uncoerced community choice, by individual end users, not a > 50% cpu
> power quorum choice surreptitiously imposed.
>
> Adam
>
Caleb James DeLisle [ARCHIVE] /
npub138…9dl95
2023-06-07 15:01:53
in reply to nevent1q…gt7k
Author Public Key
npub138d0km3t8jujy9duwng26dh79fwuxqhw0xmxjdw2h2t2dgwzwpxsk9dl95Published at
2023-06-07 15:01:53Event JSON
{
"id": "bb9a7448c12abfa75de3f0ab16e760e37dcb8a44ef1ea644d9d3bbf0b3822503",
"pubkey": "89dafb6e2b3cb92215bc74d0ad36fe2a5dc302ee79b66935caba96a6a1c2704d",
"created_at": 1686150113,
"kind": 1,
"tags": [
[
"e",
"052db3d87a8ddcca9322b2943b65186caaf79275f7fd59c7239cb800e064e1db",
"",
"root"
],
[
"e",
"30669da8145b814872d926f336da1edf2e819265871a2c390b1bd734916636ce",
"",
"reply"
],
[
"p",
"ee0fa66772f633411e4432e251cfb15b1c0fe8cd8befd8b0d86eb302402a8b4a"
]
],
"content": "📅 Original date posted:2013-05-15\n📝 Original message:On 05/15/2013 12:21 PM, Adam Back wrote:\n\u003e On Wed, May 15, 2013 at 08:40:59AM -0400, Caleb James DeLisle wrote:\n\u003e\u003e If the commitment is opaque at the time of inclusion in the block then\n\u003e\u003e I will create multiple commitments and then after revealing the\n\u003e\u003e commitment and spend to you I will reveal the earlier commitment which\n\u003e\u003e commits the coins to an address I control.\n\u003e \n\u003e Bit-commitments are based on deterministic one-way functions eg like SHA1(\n\u003e SHA256( public key ) ) Obviously it has to be a different one-way function\n\u003e to the coin address calculation which is RIPEMD( SHA256( public key ) ) as\n\u003e that is already public. Alternatively it can be a different serialization\n\u003e using the same hash eg RIPEMD( SHA256( 1 || public key ) ).\n\n\nAhh thanks for clearing that up, although it would limit the possibilities\nof scripting it is silly of me not to think of it.\n\n\n\u003e \n\u003e There is only one commitment possible per public key - so you can only\n\u003e create one commitment that would validate to a receiver, or to the network. The network checks that there are no non-blind double spends of committed\n\u003e coins which it can do as spends require disclosure of the public key, which\n\u003e allows existing commitments to be verified, and it similarly qchecks that\n\u003e there are no blind double-commitments.\n\u003e \n\u003e Each committed coin would be:\n\u003e \n\u003e one-spend-commit = Com( spender pub ), Com( transaction )\n\u003e \n\u003e where Com is implemented as the above hash. The network just places the\n\u003e commitments in order as with conventional transactions.\n\u003e \n\u003e The committed coins are not linkable to your non-blind coin because you did\n\u003e not reveal your public key in the (largely passive) act of receiving to a\n\u003e coin address.\n\u003e \n\u003e\u003e On the topic of reversibility, I suspect in the long term the lack of\n\u003e\u003e chargebacks will create issues as criminals learn that for the first\n\u003e\u003e time in history, kidnap \u0026 ransom is effective. \n\u003e \n\u003e The temporary unlinkability (until commitment reveal) is a necessary side\n\u003e effect, not a cryptographic anonymity feature like zerocoin. The\n\u003e transactions are identical to bitcoins once revealed. How long the\n\u003e committed transaction chains can be between reveals is an implementation\n\u003e choice could be 1 hop, or as long as you like. (Actually it appears to be\n\u003e up to the individual users how long the maximum chain they accept is - the\n\u003e network itself, though ordering the committed spends (if there are multiple\n\u003e spends on the same key) cant even tell how long the commitment payment\n\u003e chains are).\n\u003e \n\u003e Obviously the first coins in the network ordered committed coins on the same\n\u003e key up to the coin value are spends as verified by the recipient, the rest\n\u003e are double-spend and ignored. If someone wants to waste fees by sending\n\u003e more spends than there inputs thats up to them.\n\u003e \n\u003e Probably the typical user doesnt care about long committed chains other\n\u003e than their wallet will bloat if the chains are too long, so probably they\n\u003e would periodically compact it by revealing the long chains. Committed coins\n\u003e are probably a bit less SPV client friendly, though with correct formatting\n\u003e in the merkle trees between blocks, probably a committed coin holder can\n\u003e provide enough proof to an SPV client to verify even multi-spend committed\n\u003e coins directly (without a network feed).\n\u003e \n\u003e About privacy, up to the entire commitment chain can be opened at any time\n\u003e (to other people or to the bitcoin network in general) with the cooperation\n\u003e of any user on the chain (up to the point they saw it), so while the blind\n\u003e commitment protocol is not vulnerable to a \u003e 50% power quorum unilaterally\n\u003e imposed policy (without even needing client updates), it is fully dependent\n\u003e on the good will of the recipients for its temporary unlinkability. Thats\n\u003e the point: it puts policy control in the users hands not in the \u003e 50% power\n\u003e quorum.\n\n\nThat is indeed interesting. If I understand this properly Alice commits coins\nto pay to Bob and gives Bob the transaction, Bob then commits to pay to Charlie\nand gives him the related transaction. If Charlie wants to collect the bitcoin\nhe then reveals Alice's transaction and Bob's.\n\nI think what you're trying to do is *almost* possible now (ab)using BIP-0016\nIn the output of the previous tx you put:\n\nOP_HASH160 [20-byte-hash-value] OP_EQUAL\n\nand in the next tx you use a new type of input which specifies it's value but\nnot the output which is spent. In the input script you place:\n\nOP_DUP OP_1ADD OP_HASH160 [20-byte-hash-value] OP_EQUALVERIFY\n\nThen a serialized script containing the normal stuff as well as the last\ntransaction hash and output index would be passed around out of band and the\nvalidating nodes would execute each script with a shared stack, beginning with\nthe out of band one, then the input one (the OP_EQUALVERIFY) then the output.\nWhen the serialized sigscript reaches the bottom of the stack, having been\nverified twice, it will now be evaluated as per the rules of P2SH.\n\nNone of this probably works in the real world since I'm not familiar with the\nactual implementation of P2SH and it probably has quite a number of things\nwhich will break if used this way but it is interesting to see that in theory\nit is possible with little change to the protocol (just a new input format).\n\nThanks,\nCaleb\n\n\u003e \n\u003e If you want cryptographic anonymity its better to look to zerocoin. You may\n\u003e have noticed zero coin talked about optional fraud tracing. Its usually\n\u003e trivial to add tracing to an otherwise privay preserving protocol.\n\u003e \n\u003e The blind commitment if implemented as described (and its not obvious how to\n\u003e get more privacy from it) offers somewhat like community policing. Users on\n\u003e the chain can still themselves do fraud tracing, or any policy they choose,\n\u003e on any blind committed coins that they receive. If they dont like the\n\u003e colour of them they can refund them. The point is to enforce that this is a\n\u003e free uncoerced community choice, by individual end users, not a \u003e 50% cpu\n\u003e power quorum choice surreptitiously imposed.\n\u003e \n\u003e Adam\n\u003e",
"sig": "e6e532e02ef1e85922424ce9c6343447408b907e4d82e1d78032b008c2536b075a3bfc67ab90d24a28981bc7edc386437f5cfa5edf1f102e70ad333f09bcca49"
}