Published on: 2017-12-04T17:17:11+00:00
Andrew Poelstra has implemented the single-output version of Bulletproofs, a cryptographic proof system that can prove statements about encrypted data. The benchmarks were performed on one core of an Intel i7-6820MQ, and reflect verification of a single 64-bit rangeproof. By using GLV endomorphism supported by the curve secp256k1, speedup was observed. It reflects a 3.47x speedup over the verification speed of the old rangeproofs without the endomorphism. Even without aggregation, two rangeproofs are verified nearly 15% faster than verifying one twice. The old rangeproofs require only 128 multiplies for a 64-bit proof, then 256 for two, and so on, while at the same time the new Bulletproofs perform significantly better. The Bulletproof verification process is a recursive process which does not appear to be expressible as a single multiproduct, and in fact it appears to require nearly twice as many multiplications as claimed. There are still a few open issues that Andrew plans to help resolve in the coming month.In an email exchange, Gregory Maxwell discussed the scalability and privacy of different transaction topologies. He noted that ring-in and tree-in approaches, used by Monero and Zcash, are more private but less scalable than CT+valueshuffle. However, he also mentioned a fourth topology that is closely related to ring-in, which involves taking N inputs and writing >= N outputs, replacing some coins with new outputs or encrypted dummies while re-encrypting others in a way that their owner can still decode. This approach avoids the spent coins list by allowing for malleation of inputs. In the past, there was no efficient way to construct this topology in a plain DL setting, but it may be possible with bulletproofs.In an email exchange, Peter Todd and Gregory Maxwell discuss the risks associated with privacy in cryptocurrency systems. Todd argues that privacy breaches threaten users' freedom, while Maxwell questions the feasibility of implementing perfectly hiding systems in practice. They also discuss the possibility of using switch commitments to retain computational-hiding-depending-on-the-hardness-of-inverting-hashes while retaining an option to upgrade or block spending via unsound mechanisms in the event of a crypto break. The conversation then shifts to the scalability of ring-in and tree-in approaches in Monero and Zcash, with Maxwell suggesting ways to extend these approaches to a traceable 1 of N input for Monero. He also proposes using a hash tree to provide tree-in style transactions with proofs that grow with the log() of the size of the tree, although he acknowledges that this would come at the cost of larger proofs and slower verification. Despite its drawbacks, Maxwell believes that the interactive-sparse-in (CJ) approach has its own attractiveness.Gregory Maxwell discusses an approach that could be constructed without new cryptographic assumptions, be high-performance compared to alternatives, have no trusted setup, and not involve the creation of any forever-growing unprunable accumulators. All major alternative schemes failed multiple criteria in comparison. In response to the issue of unprunable accumulators, it was suggested that it would be feasible to use accumulator epochs. This would either make unspent coins in a previous epoch unspendable after some expiry time is reached or make use of a merkelized key-value scheme with transaction-provided proofs to shift the costs of maintaining the accumulator to wallets. Epoch size would be a tradeoff between state size and k-anonymity set size.Gregory Maxwell announces the release of Bulletproofs, a new zero-knowledge proof system that shrinks the size of cryptographic proofs and makes them safer. Bulletproofs can be used to increase the privacy and confidentiality of cryptocurrencies such as Bitcoin, while also making them more scalable. The technology was developed by researchers at University College London (UCL), Blockstream and Stanford University, and is based on previous work by UCL's Jonathan Bootle.Adam Back proposed the use of additive homomorphic commitments in Bitcoin to improve transaction privacy. This approach, known as confidential transactions, makes transaction amounts private and complements CoinJoin by avoiding the issue of joins being decoded due to different amounts being used. Recent work has focused on reducing the range proof size further. In a recent publication on confidential assets, the size was reduced to 96*log3(2)*bits + 32. Benedikt Bünz at Stanford was able to apply and optimize the inner product argument of Jonathan Bootle to achieve an aggregate range proof for CT with size 64 * (log2(bits * num_outputs)) + 288. This scheme also has a straightforward and efficient method for multi-party computation, which means that the aggregates can be used in all-party-private coinjoins like the value shuffle work mentioned above. Verification in this new work requires computation which is more than linear in the size of the proof.
Updated on: 2023-08-01T22:08:18.215647+00:00