Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Development & Technical Discussion
Re: bitcoins with homomorphic value (validatable but encrypted)
by
adam3us
on 08/10/2013, 09:52:36 UTC
Lets call the homomorphic coin for short morphcoin (and not homocoin;)  Or ringcoin from the additional implication of the below extended protocol.

One more proof which allows a ringcoin (ring signature analog of Greg Maxwell's coinjoin) is to create a ring input R=g^v'*h^x' and change C' and then prove that with respect to someone else's coin where it can be publicly audited that C=R*C' (ie the coin adds up) and C' is the change left for the original owner.  The proof you need to make that an acceptable proposition for the original owner (subtracting random amounts from his coin!) is that either R=g^(v'=0)*h^x' OR  RP(C') and RP(R) such that C=R*C') where RP is the range proof construction from parent post.  

That proves either you have a coin with 0 value (so its safe to subtract it without someone else's permission or cooperation from their coin) OR that you know the coin private key, so you can subtract whatever you want because you're its owner.  The way the subtraction is proven not to underflow, is you split the coin into two or more outputs range proofs that add up to the original coin, proving you are the owner.  The coin private keys for C is x, for R is x' and C' is x" and x' is random and x"=x-x' mod n, so final validation is simply EC addition of the split proceeds (which could be spent to other person and change address eg.)

The OR construction is standard and the same technique as in parent post to allow to prove v_i=0 or v_i=1 (namely you intentionally allow a maximum of one forgery, by adding one degree of freedom to the choice of the challenge).

Now a ringcoin is like coinjoin, but more powerful because you dont need the cooperation of the other coins!  That makes sense because you are provably not removing any value from them (as you dont know their private keys).   The additional cost for the "v'=0 OR "clause should be small, about 3 or 4 values (96-128bytes) on top of the two range-proof encrypted values.

[EDIT: sorry about that its more like 2x ie 2*(2+3+2m) 5.6kB approximately for the ring coin because you need enough degrees of freedom to forge any 2 of the 3 statements v'=0 or v_i=0 or
v_i=1, so you need m independent proofs of knowledge involving R=g^v'*h^x'.]

You could in theory mix coinjoin multiple cooperative inputs with ringcoin appropriated inputs in one combined spend however it is only plausible to the extent that an adversary would find it plausible that one person controlled both private keys.

Or I suppose you could state that differently that you could combine coinjoin and ringcoin to mix real inputs, real outputs, and additional ring-inputs (0-value inputs for people not in the coinjoin set) all for the same cost of <1+r+o range proofs.  Where i is the number of real inputs, r the number of ring inputs and o is the number of outputs (including change and fees).  Its a bit artificial as it will be thereby obvious the ring inputs are fake (as they are combined into a single multi-ownership proof unless they are used in limited numbers so that its plausible there is one owner for the multiple ring inputs) and the coinjoin inputs are real.  So to do it properly you would need to prove separately < i+r+o range proofs.

You can also do coinjoin more efficiently on morphcoin (homomorphic values), which is not so much to do with the homomorphic encrypted values as that multi-sig is compact on schnorr signtures because it supports after-the fact multisig on the addition of the coin private keys.  So coinjoin only (no ringcoin) would cost 1+o range proofs in space, though each input i would have a private message as they built up the single combined rangeproof for their i respective inputs being a combined proof of C1+...+Ci.

Generically n of n multisig (with one owner or a single owner with pre-split private key) is compact with schnorr.  Shnorr is a better sig than DSA, NSA reduced its flexibility when they tweaked it to avoid Prof Schnorr's patent.

Schnorr also supports efficient threshold signatures (k of n multisig) so you can also do k of n multisig in the space of one signature on the validation side.

Again to summarize:

Ringcoin is like coinjoin except you the spender choose who to mix your inputs with, and you take 0 from each input, but because the value is homorphically encrypted no one but you can tell that, and you dont need to mix other people's outputs.

Ringcoin seems likely to outperform zerocoin in anonymity, certainly in performance (coins can have flexible value unlike zerocoin which is one denomination, or dilutes the anonymity set if you have multiple denominations and 2 output coins are 10x smaller and much CPU cheaper to create and verify).  You can mix with 10 ringcoin inputs per 40kB zerocoin proof, and you dont have the competing anonymity-set issues from having to balance number of denominations (for efficiency of payments eg $1000 coins = 1000x $1 coin payment) against anonymity set (introduce $1, $10, $100, $1000 coins and now you can infer possible sources from handling of coins of required value and so reduces the anonymity-set).  Unlike zerocoin there is no unwanted trapdoor (the n=p*q issue where p, q is a global trap door allowing coin forgery that you cant prove you destroyed).

It seems plausible that you might be able to combine ringcoin with zerocoin because coincidentally they also use pederson commitments though in a different group (subgroup prime field orer q, not EC prime-field order n.)  I haven't tried to look at that but if turns out to be possible it might solve their anonymity set/denomination number trade-off issue.

Taken together the two factors (single ZC denomination and CPU/storage cost) it seems likely ringcoin could provide better anonymity set size, CPU performance, storage and bandwidth and solid security margin (256-bit EC throughout) in most if not all plausible use-cases.

[EDIT: I should clarify that this ringcoin/zerocoin claim is efficiency/practical biased not theory based: with the argument that inefficiency reduces the anonymity set as people wont use it as heavily in its proposed plugin to bitcoin model where zerecoin mixing is optional and explicit on the part of users.  Your anonymity set in that zerocoin deployment is only as large as the number of ZC users between when you put your coins in and when you took them out.  So really it serves as a distributed intentional mix in that deployment model.

A hypothetical all zerocoin alt-coin could have full system anonymity set which is appealing an categorically stronger claim,  however the single denomination or anonymity set reductions for multi denomination still impair the theoretical anonymity in practice.  And the zerocoins are CPU an bandwidth expensive.]

Adam