Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
┌ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┐
│ │
│ _ _ ___ _____ │
│ | |__ | |___ / __\/__ \ │
│ | '_ \| / __| / / / /\/ │
│ | |_) | \__ \/ /___ / / │
│ |_.__/|_|___/\____/ \/ │
│ │
├=========================================================================┤
│ │
│ blsCT - a private transaction protocol │
│ │
├=========================================================================┤
│ │
│ │
│ _ Confidential _ │
│ │
│ A transaction does not reveal the transacted amount. │
│ │
│ │
│ _ Untraceable _ │
│ │
│ It is hard to identify the source of the coins. │
│ │
│ │
│ _ Unlinkable _ │
│ │
│ Given two transactions are sent to the same user, it's impossible to │
│ link them by an observer. Moreover, given two public keys, an │
│ adversary cannot determine whether they belong to the same user. │
│ │
│ │
└ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┘
~~~~ WHAT IS blsCT ~~~~
┌ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┐
│ │
│ │
│ _ blsCT transactions are aggregatable _ │
│ │
│ two blsCT transactions can be merged in one blsCT transaction. an │
│ observer can't tell if a transaction has been aggregated! │
│ transactions can be aggregated infinite times! │
│ │
│ │
│ _ aggregated blsCT transactions are good for privacy _ │
│ │
│ blsCT hides the transaction amounts. when two transactions are │
│ aggregated and their inputs are mixed, an observer can't tell which │
│ inputs pay which outputs! │
│ │
│ │
│ _ aggregation can be passive _ │
│ │
│ transactions can be aggregated at various layers: block construction │
│ by miners, tx broadcast by nodes, aggregation market by senders! │
│ │
│ │
│ _ blsCT helps scalability _ │
│ │
│ only one signature is needed for each block, instead of needing one │
│ signature for each input! │
│ │
│ │
│ _ liquidity providers can earn money _ │
│ │
│ nodes can earn coins offering their coins for mixing │
│ participating in the aggregation market! │
│ │
│ │
└ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┘
~~~~ AGGREGATION MARKET ~~~~
$ Hello nodes! If you give me one .───────.
$ transaction to mix with mine, I ( NODE2 )
$ .─────────. will pay you 1 NAV! `───────'
$ ╱ ╲ .───────.
$ ( MY NODE ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─▶ ( NODE3 )
$ `. ,' `───────'
$ `───────' .─────. .─────. .─────. .───────.
S $ .───────. ─( TX2 )( TX3 )( TX4 ) ─ ─ ( NODE4 )
E $ ( MY TX ) │ `─────' `─────' `─────' `───────'
N $ `───┬───'
D $ ┌ ─ ▼
E $ .─────────.
R $ │ ╱ ╲
$ ─▶( AGGREGATION )
$ `. ,'
$ `───┬───'
$ The aggregated transaction
$ .─────▼─────. ┌ ─ ─ ─ ─ is broadcasted to other
$ (AGGREGATED TX) nodes
$ `───────────' │
ß ◀ ─ ─ ─ ┘ .───────.
ß │ ─ ─ ─ ─ ─( NODE5 )
ß .───▼───. │ `───────'
ß ( NODE4 )─ ┐ ▼─ ─ ─ ─ .───────.
B ß `───────' .─────────. ─ ─ ─( NODE6 )
R ß ─ ┘ ╱ ╲ │ `───────'
O ß └ ▶ ( AGGREGATION )◀─ ─ .───────.
A ß ─ ▶. ,' ┌ ─ ─ ─( NODE7 )
D ß │ `───┬───'◀─ ─ ─ `───────'
C ß Aggregation happens
A ß again with other ─ ┘ .─────▼─────.
S ß txs (AGGREGATED TX)
T ß `───────────'
ß │
ß .───────────. .───────────.
ß (AGGREGATED TX) │ (AGGREGATED TX)
ß `───────────' ▼ `───────────'
│ .─────────. │
ß ╱ ╲
ß └ ─ ─ ─ ─ ─ ▶( AGGREGATION )◀ ─ ─ ─ ─ ┘
ß `. ,'
ß `───────'
ß And again... │
ß ▼
ß .───────────.
ß (AGGREGATED TX)
ß `───────────'
ß │
ß
ß │
ß ▼
ß .─────────────.
S ß _.───' `────.
T ß ,─' '─.
A ß ,' `.
K ß ,' `.
E ß ,' `.
R ß ╱ BLOCK ╲
ß ╱ ┌──────────────┐ ╲
/ ß ╱ │ blsCT TX │ ╲
ß ; ├──────────────┤ ;
M ß ; │ SIGNATURE │ ;
I ß ; ├───────┬──────┤ :
N ß │ │INPUT4 │OUTP1 │ │
E ß inputs and ─ ─ ─▶│INPUT2 │OUTP4 │ │
R ß outputs are │INPUT5 │OUTP2 │ ;
ß mixed, can't link │INPUT3 │OUTP3 │◀──────────┐ ;
ß them │INPUT1 │ ... │ │ ;
ß │ ... │ │
ß ╲ └───────┴──────┘
ß ╲ this transaction
ß ╲ pays 1 NAV to each
ß `. node2, node3 and
ß `. node4
ß `.
ß '─.
ß `────. _.───'
ß `───────────'
ß
ß
ß
~~~~ HOW DOES IT WORK ~~~~
┌──────────────┐ ┌──────────────┐
│ TX 1 │ │ TX 2 │
├──────────────┤ ├──────────────┤
│ SIGNATURE │ │ SIGNATURE │
├───────┬──────┤ ├───────┬──────┤
│INPUT1 │OUTP1 │ │INPUT4 │OUTP3 │
│INPUT2 │OUTP2 │ │INPUT5 │OUTP4 │
│INPUT3 │ │ │INPUT6 │ │
└───────┴──────┘ └───────┼──────┘
.─────────. │
│ ╱ ╲
─ ▶ ( AGGREGATION ) ◀ ┘
`. ,'
`───────'
┌──────────────┐
│ TX │
├──────────────┤
│ SIGNATURE │◀ ─ ─ only one signature
├───────┬──────┤
│INPUT4 │OUTP1 │
inputs and outputs ─ ─ ─▶│INPUT2 │OUTP4 │
are mixed, can't link │INPUT5 │OUTP2 │
them │INPUT3 │OUTP3 │
│INPUT1 │ │
└───────┴──────┘
~~~~ HOW DOES A TX LOOK LIKE ~~~~
┌ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┐
│ │
│ BLS signature - aggregation of the signatures: │
│ │
│ │
│ for each input: │
│ │
│ Sign(prev output spending key, H(input)) │
│ │
│ │
│ for each output: │
│ │
│ Sign(output blinding key, H(output)) │
│ │
│ │
├────────────────────────────────────┬────────────────────────────────────┤
│ │ │
│ │ │
│ │ BLS output │
│ │ │
│ │ amount: 0xffffffff as a marker │
│ │ to show it is a bls output. │
│ │ │
│ │ scriptPub: spending script. │
│ │ <TRUE> if no spending │
│ │ conditions. │
│ │ │
│ │ blinding key: public key used to │
│ │ create a bls signature of the │
│ │ output and as ephemeral key for │
│ BLS input │ creating a shared secret. │
│ │ │
│ Same structure as a normal │ spending key: public key │
│ input. It can only point to a │ authorized to spend, derived │
│ BLS output. │ using the shared secret. │
│ │ │
│ │ encrypted data: amount, blinding │
│ │ factor and memo encrypted using │
│ │ the shared secret. │
│ │ │
│ │ amount commitment: pedersen │
│ │ commitment to the output amount │
│ │ and a blinding factor. │
│ │ │
│ │ range proof: proof that amount │
│ │ is positive. │
│ │ │
│ │ │
└ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┘
~ CRYPTOGRAPHIC PRIMITIVES ~
┌=========================================================================┐
│ │
│ _ BLS signatures _ │
│ │
│ https://tools.ietf.org/html/draft-boneh-bls-signature-00 │
│ │
│ │
│ _ Bulletproofs _ │
│ │
└ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc┘
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment