Add commitment opening proofs #6282

Open
AaronFeickert opened this issue Apr 15, 2024 · 1 comment
AaronFeickert commented Apr 15, 2024

It was suggested by @stringhandler in #6240 to support an "ownership proof" that proves knowledge of the opening of a commitment. While this is what a CommitmentSignature is for, its API is outdated and not particularly friendly. It was also suggested that such a proof also assert a minimum value, which could be useful in cases where the prover wishes to reveal a minimal (pun intended) amount of value information about the commitment.

One approach that handles both of these assertions is simply to use the Bulletproofs+ library to generate a minimum-value range proof. Once a new library version is tagged, its API will directly support arbitrary transcripts. This will allow creation of such a proof using a transcript instantiated using a distinct label and arbitrary verifier message, which are important to avoid replay attacks. (The library currently only supports supplying a message that is internally bound to the transcript, which is less flexible and idiomatic.)

It's very important to note that because of the structure of Tari transactions, neither the approach in #6240 nor this Bulletproofs+ suggestion actually prove control of value represented by a commitment. Depending on the structure of an output's script, it could be the case that both the sender and recipient in a transaction know the opening, but only the recipient knows the script private key required to authorize transfer of the corresponding value. Further, unless the verifier is careful to check for spend status, the commitment used in a proof may have already been spent, and is therefore no longer in the prover's control. Rather, such proofs only show visibility into the value represented by the commitment, but not necessarily anything else.
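
As an added illustration of the transcript binding the comment above calls for (this is example code, not code from the Tari project, from this issue, or from the Bulletproofs+ library): a Pedersen commitment over a toy prime-order group, a sigma-protocol proof of knowledge of the commitment's opening (value and blinding factor), and a Fiat-Shamir challenge bound to a distinct domain label and a verifier-chosen message, so that a proof produced for one verifier fails verification for any other label or message. The group (the order-q subgroup of Z_p^* for a 63-bit safe prime), the generator labels, the proof labels and the sample values are all constructed for the example; the minimum-value assertion is not implemented here, since that needs the range-proof machinery the comment describes.

```python
import hashlib
import secrets


# ---- Toy prime-order group (constructed for this example; real code uses an elliptic curve) ----

def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for every n below 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _find_safe_prime(start: int) -> int:
    """Return the first safe prime p = 2q + 1 with q >= start (deterministic search)."""
    q = start | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = _find_safe_prime(1 << 62)   # group modulus, fits in 8 bytes
Q = (P - 1) // 2                # prime order of the quadratic-residue subgroup


def _hash_to_group(label: bytes) -> int:
    """Derive a subgroup generator from a label; squaring lands in the order-Q subgroup.
    Nobody knows log_G(H) this way, which is what makes the commitment binding."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        g = pow(h, 2, P)
        if g not in (0, 1):
            return g
        ctr += 1


G = _hash_to_group(b"example-pedersen-G")   # hypothetical generator labels
H = _hash_to_group(b"example-pedersen-H")


# ---- Pedersen commitment and proof of knowledge of its opening ----

def commit(value: int, blinding: int) -> int:
    """C = G^value * H^blinding (mod P)."""
    return pow(G, value, P) * pow(H, blinding, P) % P


def _challenge(label: bytes, verifier_message: bytes, commitment: int, nonce_commitment: int) -> int:
    """Fiat-Shamir challenge over a transcript: domain label, verifier message, C and the nonce commitment R.
    Each field is length-prefixed so the encoding is unambiguous."""
    t = hashlib.sha256()
    for part in (label, verifier_message, commitment.to_bytes(8, "big"), nonce_commitment.to_bytes(8, "big")):
        t.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(t.digest(), "big") % Q


def prove_opening(value: int, blinding: int, label: bytes, verifier_message: bytes) -> dict:
    """Prove knowledge of (value, blinding) for C = commit(value, blinding), bound to label and message."""
    c = commit(value, blinding)
    k_v, k_r = secrets.randbelow(Q), secrets.randbelow(Q)   # fresh nonces per proof
    r = commit(k_v, k_r)
    e = _challenge(label, verifier_message, c, r)
    return {
        "commitment": c,
        "R": r,
        "s_v": (k_v + e * value) % Q,
        "s_r": (k_r + e * blinding) % Q,
    }


def verify_opening(proof: dict, label: bytes, verifier_message: bytes) -> bool:
    """Check G^s_v * H^s_r == R * C^e with e recomputed from the verifier's own label and message.
    Note this shows knowledge of the opening only; as the issue says, it does not show control of the value."""
    c, r = proof["commitment"], proof["R"]
    for elem in (c, r):
        if not (0 < elem < P and pow(elem, Q, P) == 1):   # element must lie in the order-Q subgroup
            return False
    if not (0 <= proof["s_v"] < Q and 0 <= proof["s_r"] < Q):
        return False
    e = _challenge(label, verifier_message, c, r)
    return commit(proof["s_v"], proof["s_r"]) == r * pow(c, e, P) % P


def run_demo() -> tuple:
    """Returns (honest verify, replay under other message, replay under other label, tampered C)."""
    label, msg = b"example-commitment-opening-proof-v1", b"example-verifier-nonce-42"   # constructed
    proof = prove_opening(1000, secrets.randbelow(Q), label, msg)
    tampered = dict(proof, commitment=commit(1001, 7))
    return (
        verify_opening(proof, label, msg),
        verify_opening(proof, label, b"example-verifier-nonce-43"),
        verify_opening(proof, b"some-other-protocol", msg),
        verify_opening(tampered, label, msg),
    )


if __name__ == "__main__":
    print(run_demo())   # expected (True, False, False, False)
```

The verifier recomputes the challenge from the label and message it chose itself, so a proof captured from one context cannot be presented elsewhere without failing the final equality; the subgroup-membership check on C and R rejects elements outside the prime-order subgroup before they reach the equation.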

AaronFeickert commented Apr 15, 2024

Another option that does not assert minimum value, but does assert commitment spend authority, is to use a CommitmentAndPublicKeySignature, which proves knowledge of a commitment opening and script private key.

However, @stringhandler observed that there are cases where it may not be safe to execute a script to produce its public key for proof verification.
