Created
February 25, 2020 21:10
-
-
Save 0x2830/22095f3bc4a44f3675f27f993586e2cd to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ┌ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┐ | |
| │ │ | |
| │ _ _ ___ _____ │ | |
| │ | |__ | |___ / __\/__ \ │ | |
| │ | '_ \| / __| / / / /\/ │ | |
| │ | |_) | \__ \/ /___ / / │ | |
| │ |_.__/|_|___/\____/ \/ │ | |
| │ │ | |
| ├=========================================================================┤ | |
| │ │ | |
| │ blsCT - a private transaction protocol │ | |
| │ │ | |
| ├=========================================================================┤ | |
| │ │ | |
| │ │ | |
| │ _ Confidential _ │ | |
| │ │ | |
| │ A transaction does not reveal the transacted amount. │ | |
| │ │ | |
| │ │ | |
| │ _ Untraceable _ │ | |
| │ │ | |
| │ It is hard to identify the source of the coins. │ | |
| │ │ | |
| │ │ | |
| │ _ Unlinkable _ │ | |
| │ │ | |
| │ Given two transactions are sent to the same user, it's impossible to │ | |
| │ link them by an observer. Moreover, given two public keys, an │ | |
| │ adversary cannot determine whether they belong to the same user. │ | |
| │ │ | |
| │ │ | |
| └ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┘ | |
| ~~~~ WHAT IS blsCT ~~~~ | |
| ┌ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┐ | |
| │ │ | |
| │ │ | |
| │ _ blsCT transactions are aggregatable _ │ | |
| │ │ | |
| │ two blsCT transactions can be merged in one blsCT transaction. an │ | |
| │ observer can't tell if a transaction has been aggregated! │ | |
| │ transactions can be aggregated infinite times! │ | |
| │ │ | |
| │ │ | |
| │ _ aggregated blsCT transactions are good for privacy _ │ | |
| │ │ | |
| │ blsCT hides the transaction amounts. when two transactions are │ | |
| │ aggregated and their inputs are mixed, an observer can't tell which │ | |
| │ inputs pay which outputs! │ | |
| │ │ | |
| │ │ | |
| │ _ aggregation can be passive _ │ | |
| │ │ | |
| │ transactions can be aggregated at various layers: block construction │ | |
| │ by miners, tx broadcast by nodes, aggregation market by senders! │ | |
| │ │ | |
| │ │ | |
| │ _ blsCT helps scalability _ │ | |
| │ │ | |
| │ only one signature is needed for each block, instead of needing one │ | |
| │ signature for each input! │ | |
| │ │ | |
| │ │ | |
| │ _ liquidity providers can earn money _ │ | |
| │ │ | |
| │ nodes can earn coins offering their coins for mixing │ | |
| │ participating in the aggregation market! │ | |
| │ │ | |
| │ │ | |
| └ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┘ | |
| ~~~~ AGGREGATION MARKET ~~~~ | |
| $ Hello nodes! If you give me one .───────. | |
| $ transaction to mix with mine, I ( NODE2 ) | |
| $ .─────────. will pay you 1 NAV! `───────' | |
| $ ╱ ╲ .───────. | |
| $ ( MY NODE ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─▶ ( NODE3 ) | |
| $ `. ,' `───────' | |
| $ `───────' .─────. .─────. .─────. .───────. | |
| S $ .───────. ─( TX2 )( TX3 )( TX4 ) ─ ─ ( NODE4 ) | |
| E $ ( MY TX ) │ `─────' `─────' `─────' `───────' | |
| N $ `───┬───' | |
| D $ ┌ ─ ▼ | |
| E $ .─────────. | |
| R $ │ ╱ ╲ | |
| $ ─▶( AGGREGATION ) | |
| $ `. ,' | |
| $ `───┬───' | |
| $ The aggregated transaction | |
| $ .─────▼─────. ┌ ─ ─ ─ ─ is broadcasted to other | |
| $ (AGGREGATED TX) nodes | |
| $ `───────────' │ | |
| │ | |
| ß ◀ ─ ─ ─ ┘ .───────. | |
| ß │ ─ ─ ─ ─ ─( NODE5 ) | |
| ß .───▼───. │ `───────' | |
| ß ( NODE4 )─ ┐ ▼─ ─ ─ ─ .───────. | |
| B ß `───────' .─────────. ─ ─ ─( NODE6 ) | |
| R ß ─ ┘ ╱ ╲ │ `───────' | |
| O ß └ ▶ ( AGGREGATION )◀─ ─ .───────. | |
| A ß ─ ▶. ,' ┌ ─ ─ ─( NODE7 ) | |
| D ß │ `───┬───'◀─ ─ ─ `───────' | |
| C ß Aggregation happens | |
| A ß again with other ─ ┘ .─────▼─────. | |
| S ß txs (AGGREGATED TX) | |
| T ß `───────────' | |
| ß │ | |
| ß .───────────. .───────────. | |
| ß (AGGREGATED TX) │ (AGGREGATED TX) | |
| ß `───────────' ▼ `───────────' | |
| │ .─────────. │ | |
| ß ╱ ╲ | |
| ß └ ─ ─ ─ ─ ─ ▶( AGGREGATION )◀ ─ ─ ─ ─ ┘ | |
| ß `. ,' | |
| ß `───────' | |
| ß And again... │ | |
| ß ▼ | |
| ß .───────────. | |
| ß (AGGREGATED TX) | |
| ß `───────────' | |
| ß │ | |
| ß | |
| ß │ | |
| ß ▼ | |
| ß .─────────────. | |
| S ß _.───' `────. | |
| T ß ,─' '─. | |
| A ß ,' `. | |
| K ß ,' `. | |
| E ß ,' `. | |
| R ß ╱ BLOCK ╲ | |
| ß ╱ ┌──────────────┐ ╲ | |
| / ß ╱ │ blsCT TX │ ╲ | |
| ß ; ├──────────────┤ ; | |
| M ß ; │ SIGNATURE │ ; | |
| I ß ; ├───────┬──────┤ : | |
| N ß │ │INPUT4 │OUTP1 │ │ | |
| E ß inputs and ─ ─ ─▶│INPUT2 │OUTP4 │ │ | |
| R ß outputs are │INPUT5 │OUTP2 │ ; | |
| ß mixed, can't link │INPUT3 │OUTP3 │◀──────────┐ ; | |
| ß them │INPUT1 │ ... │ │ ; | |
| ß │ ... │ │ | |
| ß ╲ └───────┴──────┘ | |
| ß ╲ this transaction | |
| ß ╲ pays 1 NAV to each | |
| ß `. node2, node3 and | |
| ß `. node4 | |
| ß `. | |
| ß '─. | |
| ß `────. _.───' | |
| ß `───────────' | |
| ß | |
| ß | |
| ß | |
| ~~~~ HOW DOES IT WORK ~~~~ | |
| ┌──────────────┐ ┌──────────────┐ | |
| │ TX 1 │ │ TX 2 │ | |
| ├──────────────┤ ├──────────────┤ | |
| │ SIGNATURE │ │ SIGNATURE │ | |
| ├───────┬──────┤ ├───────┬──────┤ | |
| │INPUT1 │OUTP1 │ │INPUT4 │OUTP3 │ | |
| │INPUT2 │OUTP2 │ │INPUT5 │OUTP4 │ | |
| │INPUT3 │ │ │INPUT6 │ │ | |
| └───────┴──────┘ └───────┼──────┘ | |
| │ | |
| .─────────. │ | |
| │ ╱ ╲ | |
| ─ ▶ ( AGGREGATION ) ◀ ┘ | |
| `. ,' | |
| `───────' | |
| │ | |
| ▼ | |
| ┌──────────────┐ | |
| │ TX │ | |
| ├──────────────┤ | |
| │ SIGNATURE │◀ ─ ─ only one signature | |
| ├───────┬──────┤ | |
| │INPUT4 │OUTP1 │ | |
| inputs and outputs ─ ─ ─▶│INPUT2 │OUTP4 │ | |
| are mixed, can't link │INPUT5 │OUTP2 │ | |
| them │INPUT3 │OUTP3 │ | |
| │INPUT1 │ │ | |
| └───────┴──────┘ | |
| ~~~~ HOW DOES A TX LOOK LIKE ~~~~ | |
| ┌ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┐ | |
| │ │ | |
| │ BLS signature - aggregation of the signatures: │ | |
| │ │ | |
| │ │ | |
| │ for each input: │ | |
| │ │ | |
| │ Sign(prev output spending key, H(input)) │ | |
| │ │ | |
| │ │ | |
| │ for each output: │ | |
| │ │ | |
| │ Sign(output blinding key, H(output)) │ | |
| │ │ | |
| │ │ | |
| ├────────────────────────────────────┬────────────────────────────────────┤ | |
| │ │ │ | |
| │ │ │ | |
| │ │ BLS output │ | |
| │ │ │ | |
| │ │ amount: 0xffffffff as a marker │ | |
| │ │ to show it is a bls output. │ | |
| │ │ │ | |
| │ │ scriptPub: spending script. │ | |
| │ │ <TRUE> if no spending │ | |
| │ │ conditions. │ | |
| │ │ │ | |
| │ │ blinding key: public key used to │ | |
| │ │ create a bls signature of the │ | |
| │ │ output and as ephemeral key for │ | |
| │ BLS input │ creating a shared secret. │ | |
| │ │ │ | |
| │ Same structure as a normal │ spending key: public key │ | |
| │ input. It can only point to a │ authorized to spend, derived │ | |
| │ BLS output. │ using the shared secret. │ | |
| │ │ │ | |
| │ │ encrypted data: amount, blinding │ | |
| │ │ factor and memo encrypted using │ | |
| │ │ the shared secret. │ | |
| │ │ │ | |
| │ │ amount commitment: pedersen │ | |
| │ │ commitment to the output amount │ | |
| │ │ and a blinding factor. │ | |
| │ │ │ | |
| │ │ range proof: proof that amount │ | |
| │ │ is positive. │ | |
| │ │ │ | |
| │ │ │ | |
| └ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┘ | |
| ~ CRYPTOGRAPHIC PRIMITIVES ~ | |
| ┌=========================================================================┐ | |
| │ │ | |
| │ _ BLS signatures _ │ | |
| │ │ | |
| │ https://tools.ietf.org/html/draft-boneh-bls-signature-00 │ | |
| │ │ | |
| │ │ | |
| │ _ Bulletproofs _ │ | |
| │ │ | |
| └ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┘ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment