Submitted by Oleg Andreev on Apr 13 2017:
(This is a sketch, not a fully-formed proposal, just to kick off the discussion.)
Confidential Transactions (by GMaxwell & Poelstra) require a new accounting model,
new representation of numbers (EC points as Pedersen commitments) and range proofs
per number. Setting aside performance and bandwidth concerns (3-4Kb per output,
50x more signature checks), how would we deploy that feature on the Bitcoin network
in the most compatible manner?
I'll try to present a sketch of the proposal. I apologize if this discussion already
happened somewhere, although I couldn't find anything on this subject, apart from the Elements
sidechain proposal, of course.
At first glance we could create a new extblock and transaction format, add a protocol to
"convert" money into and from such extblock, and commit to that extblock from the
outer block's coinbase transaction. Unfortunately, this opens gates to a flood of
debates such as what should be the block size limit in such block, should we
take the opportunity to fix over 9000 of pet-peeve issues with existing transactions
and blocks, should we adjust inflation schedule, insert additional PoW, what would
Satoshi say etc. Federated sidechain suffers from the same issues, plus adds
concerns regarding governance, although it would be more decoupled, which is useful.
I tried to look at a possibility to make the change as compatible as possible,
sticking confidential values right into the existing transaction structure and
see what that would look like. As a nice bonus, confidential transactions would have
to fit into the hard-coded 1 Mb limit, preserving the drama around it :-P
We start with a segwit-enabled script versioning and introduce 2 new script versions:
version A has an actual program concatenated with the commitment, while version B
has only the commitment and allows mimblewimble usage (no signatures, non-interactive
cut-through etc). Legacy cleartext amount can nicely act as "min value" to minimize
the range proof size, and range proofs themselves are provided separately in the
segregated witness payload.
Then, we soft fork additional rules:
- In non-coinbase tx, sum of commitments on inputs must balance with sum of commitments
  on the outputs plus the cleartext mining fee in the witness.
- Range proof can be confidential, based on Borromean ring signature.
- Range proof can be non-confidential, consisting of an amount and raw blinding factor.
- Tx witness can have an excess value (cf. MW) and cleartext amount for a miner's fee.
- In coinbase tx, total plaintext reward + commitments must balance with subsidy,
  legacy fees and new fees in the witness.
- Extra fees in the witness must be signed with the excess value's key.
The confidential transactions use the same UTXO set, can be co-authored with plaintext inputs/outputs
using legacy software and maybe even improve scalability by compressing on-chain transactions
using mimblewimble cut-through.
The rules above could have been made more complicated with export/import logic to allow users
converting their coins to and from confidential ones, but that would require
more complex support from miners to respect and merge outputs representing "plaintext value bank",
mutate export transactions, which in turn requires introduction of a non-malleable TxID
that excludes miner-adjustable export/import outputs.
The rules above have a nice side effect that miners, being the minters of confidential coins,
can sell them at a premium, which creates an incentive for them to actually support
that feature and work on improving performance of rangeproof validation (e.g. in GPUs).
Would love to hear comments and criticism of that approach.
Oleg. original: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-April/014144.html