Author: Adam Back 2013-10-07 19:01:03
Published on: 2013-10-07T19:01:03+00:00
A new update on homomorphic coins has been released, stating that some more math validation and a test implementation needs to be done. The predicted outcome for a 2.5kB homomorphic valued coin is surprisingly good so far. Coin splitting incurs the 2.5kB range proof, but coin adding, full spending, and mining are free due to the fact that adding existing range-proofed and validated coins cannot overflow by definition. Additionally, users can add a homomorphically encrypted "0" value to a few other people's coin balance to get a kind of taint mitigation.Adam Back made an error regarding an efficient version of Zerocoin-esque in size/cost. He realized that the t parameter in the proof relates to bitcoin precision and coin representation, with t=51 instead of t=2. Therefore, he will revert to the not-so-efficient version, or the more experimental Schoenmaker non-standard p, q non-EC one, or other creative ideas to simplify the proof. Mark Friedenbach provided impetus to write down the current state of the homomorphic coins. Adam Back has been researching this topic for a few months because it is an interesting construct in its own right, providing a different aspect of payment privacy (e.g., for auditable but commercial sensitive information). The result is approximately 2x the cost of the current coin size and verification cost, but it also gives some performance advantages back in a different way. Necessary changes to schnorr (EC version of Schnorr-based proofs) allow n of n multiparty sigs, or k of n multiparty sigs for the verification cost and signature size of one pair of ECS signatures. For n > 2, it is a space and efficiency improvement over current Bitcoin.
Updated on: 2023-06-07T17:18:32.094713+00:00