Board Development & Technical Discussion
Merits 5 from 2 users
Re: [Megathread] Bitcoin Layer 1 Privacy - concepts, ideas, research, discussion
by tromp on 20/08/2022, 12:53:15 UTC
⭐ Merited by Welsh (3), n0nce (2)
Quote
we would need a way for Alice to pay Bob that is 100% private BUT at the same time provide them with a way that if needed Alice could prove to the world that she did in fact pay Bob to this address and this amount and here it is to be seen on a public block explorer. BUT and this is a big but, they both have to agree to release that info.

Mimblewimble supports payment proofs. For a payment from Alice to Bob, this is a statement signed by Bob's public key (associated with his wallet) that the appearance of certain data on-chain proves that he was paid by Alice. The statement can include amount, time, and purpose of payment.
BUT Bob's agreement is not needed to release this info. In fact, payment proofs are useful in cases where Bob promises to provide some goods or service in exchange for Alice's payment, but then fails to do so. Now Alice can submit the payment proof to some 3rd party (e.g. a court) as evidence for Bob's fraud.

Quote
Which brings up the next question, which probably needs its own thread. Do we need L1 privacy or would an integrated into the protocol but on an L2 privacy be better?

I think amount and address privacy is best built into the base consensus layer, as these improve scalability as well in case of MW.
But hiding input-output links (obfuscating the tx graph) on the base layer comes at a large cost in either scalability or (in case of recursive snarks/starks) in trustworthiness, so perhaps that is better added on as a separate service (such as the Mimblewimble CoinSwap protocol).
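
An added example, not part of the post and not code from any Mimblewimble implementation: a sketch of the check a third party could run on a payment proof as described above, needing only Bob's public key and a view of the chain. Ed25519, the JSON plus SHA-256 encoding, the field names and the `chain` lookup map are all assumptions of this example, and the sample values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is what Bob signs. Field names and encoding are assumptions of this example.
type Statement struct {
	OnChainID, Payer string // OnChainID names the data that must appear on-chain
	Amount           uint64
	Time, Purpose    string
}

// digest hashes a deterministic encoding (struct fields marshal in declaration order).
func digest(s Statement) []byte {
	b, _ := json.Marshal(s)
	h := sha256.Sum256(b)
	return h[:]
}

// Verify is the third party's check; it needs no cooperation from Bob.
func Verify(bobPub ed25519.PublicKey, s Statement, sig []byte, chain map[string]bool) error {
	if !ed25519.Verify(bobPub, digest(s), sig) {
		return errors.New("statement is not signed by Bob's key")
	}
	if !chain[s.OnChainID] {
		return errors.New("referenced data is not on-chain")
	}
	return nil
}

// Demo builds constructed sample data and returns the three verification outcomes.
func Demo() (valid, tampered, unconfirmed error) {
	bobPub, bobPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	s := Statement{"constructed-id-01", "alice", 5000, "2022-08-20T12:00:00Z", "invoice 17"}
	sig := ed25519.Sign(bobPriv, digest(s)) // Bob signs while the payment is being built
	chain := map[string]bool{s.OnChainID: true}
	valid = Verify(bobPub, s, sig, chain)
	forged := s
	forged.Amount = 50000 // the amount cannot be changed after Bob has signed
	tampered = Verify(bobPub, forged, sig, chain)
	unconfirmed = Verify(bobPub, s, sig, map[string]bool{}) // a signature alone proves nothing
	return
}

func main() { fmt.Println(Demo()) }
```

Both checks are required: the signature binds Bob to the amount, time and purpose, and the on-chain lookup shows that the payment he acknowledged in advance actually happened.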