Author: John Tromp 2021-08-10 21:03:11
Published on: 2021-08-10T21:03:11+00:00
The article discusses the concept of a softforkable design for Bitcoin to maintain a non-CT block and a separately-committed CT block. The transfer of funds can be done through a "burn" transaction on the legacy non-CT block, which causes the same amount to be created in the CT block. To move from the CT block back to legacy non-CT, one would match one of those "burn" TXOs and spend it with proof that the amount being removed from the CT block is exactly the same value as the "burn" TXO being spent. The "burn" TXOs would be trivial anyone-can-spend, such as `OP_EQUAL OP_NOT`, and knowledge of the scalar behind this point would allow the CT output to be spent. The total amount of funds in all CT outputs is known in the legacy non-CT block, and will have a known upper limit that cannot be higher than the supply limit of the legacy non-CT block. However, individual CT-block TXOs cannot have their values known. This design allows the CT block to use an unconditional privacy and computational soundness scheme. If the computational soundness is broken, then the first one to break it would be able to steal all the CT coins but not all Bitcoin coins, as there would not be enough "burn" TXOs on the legacy non-CT blockchain. This may be sufficient for practical privacy. The article also briefly mentions the Mimble Wimble Extension Block (MWEB) design for Litecoin, which follows a similar concept and may activate by the end of this year.
Updated on: 2023-06-15T01:05:07.207474+00:00