Define a new type of transaction that has the form of a Pedersen commitment v*H + r*G, where v denotes the amount and r is the blinding factor for v, which also serves as the proof-of-ownership factor (whoever knows r can sign with it). H and G are two generators of the curve whose discrete-log relation is unknown; without that property a commitment could be opened to more than one value.
Let's say Alice holds 100 ETC and wants to create her own Pedersen commitment that holds 20 ETC. She creates a transition transaction of type addr->pc whose "to" part holds a Pedersen commitment of the form 20*H + r*G, where r is the blinding factor. To verify the v part, she exposes the public key r*G and signs some message with r (proving she knows the blinding factor), and the verifier adds 20*H to r*G and checks that the result is in fact the commitment 20*H + r*G. This Pedersen commitment does not need a zero-knowledge range proof to avoid inflation attacks, because the value is public.
addr->addr: our regular Ethereum tx
addr->pc: a transaction that moves some coins to a Pedersen commitment
pc->addr: a transaction that transfers coins from a Pedersen commitment to an address
pc->pc: a transaction from a Pedersen commitment to another Pedersen commitment in a Mimblewimble way (interactive, can be aggregated, etc.). Each Pedersen commitment comes with a zero-knowledge range proof to avoid inflation attacks. The advantage here is that a Pedersen commitment, once spent, can be thrown away (along with its range proof).
When opting out of the Pedersen commitments (pc->addr) we show the value v of the commitment and confirm the move to an address by exposing the public key r*G and signing, with the private key r, a message saying we want to move v coins to address A. Note that we can show r*G at this step precisely because we are also showing v; while v is still hidden, revealing r*G would let anyone compute C - r*G = v*H and brute-force v over the plausible range of amounts. We then confirm that the Pedersen commitment opens to v*H + r*G by taking the public key r*G, adding v*H to it and checking whether we arrive at v*H + r*G.
In order to prevent inflation, we hold the sum of transitioned money K: the total value moved from addresses into Pedersen commitments minus the total moved back out. Alice transforming her 20 ETC would increase K by 20, and a later pc->addr transition of v coins decreases K by v and is rejected if v > K. This way we can validate that no more is transformed from Pedersen commitments back to normal addresses than was ever put in, and hence the commitments can't inflate the supply.
To prove a pc->pc transaction is a commitment to zero we hold the kernel excess, which is sum(outputs) - sum(inputs) over its Pedersen commitments. If the values balance, the H terms cancel and the excess is a pure curve point x*G, where x is the difference between the output and input blinding factors; the kernel carries this point together with a signature under the private key x. Nobody can produce such a signature if the excess still contains a non-zero multiple of H (that would require knowing the discrete log of H with respect to G), so a valid kernel signature proves the values balance, while the range proofs rule out balancing with negative amounts.
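The following is an added illustration of the mechanics described above (the addr->pc / pc->addr opening check, why r*G must stay hidden while v is hidden, the K supply counter, and the pc->pc kernel excess signature); it is not code from the proposal. It assumes secp256k1 as the curve, a value generator H derived by hashing (so its discrete log with respect to G is unknown), plain Schnorr signatures with a hash-derived nonce, and naive pure-Python curve arithmetic with no external libraries. All function names are hypothetical.

```python
"""Toy Pedersen-commitment transitions on secp256k1 (pure Python, no deps).

Added illustration, not the proposal's code. Assumptions: H is a second
generator obtained by hashing (nobody knows log_G(H)), signatures are plain
Schnorr with a hash-derived nonce, and curve arithmetic is naive affine.
"""
import hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(A, B):  # affine point addition; None is the point at infinity
    if A is None:
        return B
    if B is None:
        return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)


def mul(k, Q):  # double-and-add scalar multiplication
    R = None
    for bit in bin(k % N)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, Q)
    return R


def neg(Q):
    return None if Q is None else (Q[0], (-Q[1]) % P)


def enc(Q):
    return b"\x00" * 64 if Q is None else Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")


def hash_scalar(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


def hash_to_point(seed):  # try-and-increment: no one learns log_G of the result
    for ctr in range(2 ** 32):
        x = int.from_bytes(hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest(), "big") % P
        y2 = (x ** 3 + 7) % P
        y = pow(y2, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
        if y * y % P == y2:
            return (x, y)


H = hash_to_point(b"pedersen-H:" + enc(G))  # assumed derivation of the value generator


def commit(v, r):  # C = v*H + r*G
    return add(mul(v, H), mul(r, G))


def schnorr_sign(x, msg):  # proves knowledge of x for the public key x*G
    k = hash_scalar(x.to_bytes(32, "big"), msg)  # deterministic nonce (toy)
    R = mul(k, G)
    e = hash_scalar(enc(R), enc(mul(x, G)), msg)
    return R, (k + e * x) % N


def schnorr_verify(X, msg, sig):
    R, s = sig
    e = hash_scalar(enc(R), enc(X), msg)
    return mul(s, G) == add(R, mul(e, X))


def open_with_public_value(C, v, rG, sig, msg):  # addr->pc and pc->addr check
    return add(mul(v, H), rG) == C and schnorr_verify(rG, msg, sig)


def brute_force_value(C, rG, limit):  # what an attacker does if r*G leaks while v is hidden
    for v in range(limit + 1):
        if add(mul(v, H), rG) == C:
            return v
    return None


def kernel_excess(inputs, outputs):  # pc->pc: sum(outputs) - sum(inputs)
    E = None
    for C in outputs:
        E = add(E, C)
    for C in inputs:
        E = add(E, neg(C))
    return E


def sign_kernel(r_in, r_out, msg):  # excess blinding factor x = sum(r_out) - sum(r_in)
    return schnorr_sign((sum(r_out) - sum(r_in)) % N, msg)


def apply_transition(K, kind, v):  # supply counter K of money moved into commitments
    if kind == "addr->pc":
        return K + v
    if kind == "pc->addr":
        if v > K:
            raise ValueError("pc->addr exceeds committed supply: inflation")
        return K - v
    return K
```

The kernel check is the interesting part: a balanced pc->pc transaction (20 in, 15 + 5 out) yields an excess that is exactly x*G, so the signature made with x verifies against it, whereas an unbalanced one (20 in, 15 + 6 out) leaves a stray H term in the excess and the same signature no longer verifies, without the verifier ever learning the amounts.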