@phyro
Last active May 10, 2020 08:42
obscuro_join2.md

Bloat free decoy system

This is an updated version of https://gist.github.com/phyro/5e46af67b696c331b58af9dfa3517740, based on John Tromp's incentive system, which is better. The improvement over the original is that the system is simpler and no longer incentivizes hoarding outputs and creating payment outputs, which is much healthier for the network.

ObscuroDance

Obscuro dance is an action where someone buys an input->output pair (or many) by paying its fee. The peer from which the pair is bought can be anyone who wants to make a transaction. When we ask for an input->output pair, we don't ask the peer to return a kernel; instead we ask them to also provide the private key P that is the difference of their inputs-outputs. The property we want is that the obscuro dance peer can't abuse this and that we can't steal their input->output pair. The dance peer can't gain anything because they didn't receive any information that could be taken advantage of. Similarly, the person asking for an input->output pair can only use it if they pay its fee.

ObscuroJoin

The ObscuroJoin flow then goes like this:

Alice wants to send 4 grins to Bob. She tells Bob that he can create an output of 4 grins, and they sign the transaction, which creates a simple regular MW transaction. Bob has not seen Alice's input or change output.

We now have a transaction that consists of:

inputs = [AliceInput]
outputs = [AliceChangeOutput, BobOutput]
kernel_point = K  # along with its sig
kernel_offset = O

Alice does not publish the transaction on the chain. Instead, she now communicates with a dance peer to obtain a new input->output pair from them. Once she has received their private key P, she adds P to the kernel offset O. She can do this with as many dance peers as she wants, which contributes to transaction obfuscation.

We end up with a transaction where:

  1. Bob does not know from which output he received the money
  2. A dance peer only knows about his contributed input->output

This means that only Alice has information about the inputs and outputs; everyone else has no information about anything apart from their own inputs and outputs.

Alice can now broadcast her transaction.
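The flow above as an added example (not part of the original gist and not Grin code): it checks the balance equation before and after Alice appends dance pairs and adds P to O, while K stays untouched. It uses toy Pedersen commitments in Z_p^* instead of secp256k1 and assumes that P is the pair's output blinding factor minus its input blinding factor, that the pair's input and output carry equal value, and that the kernel fee already covers the added pairs; all function names are hypothetical.

```python
# Added illustration: toy Pedersen commitments in Z_p^* (not secure, not secp256k1).
import secrets

P_MOD = 2**127 - 1            # prime modulus; exponents are reduced mod ORDER
ORDER = P_MOD - 1
G, H = 3, 5                   # constructed bases for blinding factor and value

def commit(blind, value):
    """Toy analogue of blind*G + value*H."""
    return pow(G, blind % ORDER, P_MOD) * pow(H, value, P_MOD) % P_MOD

def alice_pays_bob(fee=1):
    """Alice spends 10, sends 4 to Bob, keeps the change; kernel signature omitted."""
    a_in, a_change, b_out, offset = (secrets.randbelow(ORDER) for _ in range(4))
    excess = (a_change + b_out - a_in - offset) % ORDER
    return {"inputs": [commit(a_in, 10)],
            "outputs": [commit(a_change, 10 - 4 - fee), commit(b_out, 4)],
            "kernel_point": pow(G, excess, P_MOD),   # K
            "kernel_offset": offset,                 # O
            "fee": fee}                              # assumed to cover added pairs

def dance_pair(value=7):
    """Dance peer's input->output pair (equal values, assumed) and its key P."""
    r_in, r_out = secrets.randbelow(ORDER), secrets.randbelow(ORDER)
    return commit(r_in, value), commit(r_out, value), (r_out - r_in) % ORDER

def obscuro_join(tx, pair):
    """Append the pair and add P to the kernel offset O; K and its sig stay as is."""
    p_in, p_out, p_key = pair
    return {**tx, "inputs": tx["inputs"] + [p_in],
            "outputs": tx["outputs"] + [p_out],
            "kernel_offset": (tx["kernel_offset"] + p_key) % ORDER}

def balances(tx):
    """Check sum(outputs) - sum(inputs) + fee*H == K + O*G in the toy group."""
    lhs = pow(H, tx["fee"], P_MOD)
    for c in tx["outputs"]:
        lhs = lhs * c % P_MOD
    for c in tx["inputs"]:
        lhs = lhs * pow(c, -1, P_MOD) % P_MOD
    rhs = tx["kernel_point"] * pow(G, tx["kernel_offset"], P_MOD) % P_MOD
    return lhs == rhs

if __name__ == "__main__":
    tx = alice_pays_bob()
    joined = obscuro_join(obscuro_join(tx, dance_pair()), dance_pair(3))
    print(balances(tx), balances(joined))                              # before and after the join
    print(balances({**joined, "kernel_offset": tx["kernel_offset"]}))  # pairs added, P not added to O
```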
