Confidential Assets

rodarmor · November 18, 2018, 2:22am

Confidential Assets

Here’s my own understanding of confidential assets, as cobbled together from research papers, Blockstream press releases, and random posts. Please correct my mistakes, of which I am sure there are many. Also, big thanks to RJ Rybarczyk, who I’ve been discussing and researching CA with.

Confidential assets allow multiple assets to be traded on the same chain, alongside the chain’s native asset. Confidential assets use Pedersen commitments, which are also used in Mimblewimble, so they’re a natural fit for Grin.

Unlike, for example, ERC20 Tokens, confidential assets are no programmable, and function in exactly the same way as Grin’s native token.

How do they work?

Confidential assets replace H in the output commitment formula r*G + v*H with a distinct NUMS point for every asset type. (I’ll use A for these, and reserve H for the asset tag of Grin’s native token.) So, the output commitment formula becomes r*G + v*A, with A representing the type of asset that the output represents.

So far so good. These new asset-bearing outputs can still be verified to sum to zero, just like Grin’s current outputs.

However, in order to verify the range proof for each of these outputs, the value of A must be known. The simplest way to make this work would be to include A in the clear with each output, but this would allow an observer to see which type of asset is in every output.

Blinded Asset Tags

An asset tag A can be replaced by a blinded asset tag A + s*G, which hides the type of the asset. We can verify that these modified outputs sum to zero, and that the range proof is valid.

However, we have a problem! An attacker could choose the asset tag -A + r*G, which would essentially amount to a negative amount of the token A. They could then create an output containing negative tokens, offset with an output containing positive tokens, allowing them to silently inflate the supply of tokens.

Surjection Proofs

One way to prevent this malicious choice of blinded asset tag is to attach a surjection proof to each output. A surjection proof proves that a given blinded asset tag is one of a set of known-good blinded asset tags. I’ll call this set of known-good blinded asset tags the asset tag anonymity set.

The size of each surjection proof scales with the size of the asset tag anonymity set. This is fine in a bitcoin-like chain, since each transaction has a small number of inputs, so the natural way to construct the asset-tag anonymity set is with the asset tags of all the inputs.

Confidential Assets and Mimblewimble

This is where things get hazy!

In a mimblewimble chain, there is no discrete notion of a transaction, in the sense of a linked set of inputs and outputs. This complicates the choice of tags to include in each surjection proof’s asset-tag anonymity set.

One proposal is to construct surjection proof asset-tag anonymity sets using every asset tag in the system. Unfortunately, this means that the size of every output scales with the total number of assets in the system. This would preclude us from allowing users to issue new asset types willy nilly, likely requiring a soft fork to add new assets

I’m hoping that we can find some way to avoid this. If issuing new assets requires community coordination and a soft fork, then this process is likely to become highly politicized and contentious. Much better to allow users to issue new assets and let the market decide on which are useful or valuable, instead of requiring everyone to agree.

Edit: Why user-issued assets?

I wanted to elaborate a little bit on the different reasons I think it’s desirable to allow users to issue their own assets, and additionally why it would be desirable to support a large number of assets.

If Grin can only support a limited number of assets, say less than 10, then the pool of unallocated assets becomes a very precious and very scarce resource, and would require some allocation process. I imagine that there will be a lot of different ideas for potential assets, and it would fall to the devs and to the community to decide which are most worthwhile. This is definitely just speculation on my part, but I think this process would inevitably be contentious, and would divert time and energy from core protocol development. Governance is one of the most difficult things to do well, and all other things being equal, the less things that need to be governed the better!
Also, if each new asset increases the size of all outputs, then people who don’t want to use that asset, and don’t think that it will add value to the system might reasonably object. I sort of pessimistically suspect that it will be very hard to build consensus on new assets.
I can definitely see the argument that only a few assets will be useful, perhaps a Bitcoin peg, an Ethereum peg, and maybe a few others. I think people will certainly come up with some legitimately terrible ideas for assets, but I think they’ll also come up with a lot of neat ones, and I’m definitely curious to see what they are!
Although it wouldn’t be a good fit for Grin, the codebase could serve a basis for systems which would require a large number of assets, I’m thinking in particular of a stock exchange or liquidity pool.
I think that user-issuable assets make for an incredibly unique marketing point for Grin. I imagine that we’ll see a ton of attention and interest, and it would probably boost the value of the native token, since it would be the obvious currency of choice for trading between and buying into the various tokens on the chain.

Vague and Underspecified Alternative Constructions

None of these are clear winners, but here are some ideas for alternative constructions that would allow for user-issued assets:

Public Assets – Asset tags are included in the clear with each asset. This would be very simple, but with the downside that the asset types in each transaction would be clearly visible. This would be bad for privacy, but might be a good starting point, with the intention to add a blinding mechanism at a later date.
Confidential-enough assets – Each surjection proof could include a small subset of all valid asset tags, perhaps 3 or 4. In such a system an observer might be determine the asset tag in each output by observing the transaction graph and using the process of elimination. We’d need a careful analysis of the privacy properties of such a system, and an algorithm for choosing asset tag anonymity sets that would maximize privacy.
Accumulator-based proofs – Perhaps cryptographic accumulators could help. Each asset tag is added to a cryptographic accumulator on first issuance, and the surjection proof is replaced with a zero-knowledge proof that an output’s asset tag has already been added to the accumulator.
NUMS point derivation – If the NUMS points used as asset tags can be derived in some special way, perhaps that method of derivation can be leveraged to prove that blinded asset tags contain a legitimate tag. Maybe, like, I dunno, bulletproofs, or something?
BLS-signatures – BLS signatures have interesting aggregation properties, and support efficient threshold and ring signatures. Perhaps there’s some clever alternative construction of surjection proofs using BLS signatures.

References

0xb100d · November 18, 2018, 4:11am

As marketed by WOKE coin, the third mimblewimble implementation @ http://woke.mw

Thank you for putting all of this in one place, very excited to see how these get utilized.

igno.peverell · November 18, 2018, 5:37am

Caveat: this is just the first thing that comes to mind, I haven’t thought of the problem very much yet and it may be outdated. But Oleg Andreev has done some work around CAs as well and IIRC he was working this out as part of the range proof:

github.com

chain/chain/blob/4de676549645551d23a1b1604b21fda97f09559a/docs/protocol/specifications/confidential-assets.md

# Confidential Assets

* [Introduction](#introduction)
* [Usage](#usage)
  * [Confidential issuance](#confidential-issuance)
  * [Simple transfer](#simple-transfer)
  * [Multi-party transaction](#multi-party-transaction)
* [Definitions](#definitions)
  * [Elliptic Curve Parameters](#elliptic-curve-parameters)
  * [Ring Signature](#ring-signature)
  * [Borromean Ring Signature](#borromean-ring-signature)
  * [Asset ID Commitment](#asset-id-commitment)
  * [Encrypted Asset ID](#encrypted-asset-id)
  * [Asset ID Descriptor](#asset-id-descriptor)
  * [Asset Range Proof](#asset-range-proof)
  * [Value Commitment](#value-commitment)
  * [Encrypted Value](#encrypted-value)
  * [Value Descriptor](#value-descriptor)
  * [Excess Factor](#excess-factor)
  * [Excess Commitment](#excess-commitment)

This file has been truncated. show original

Now I believe this was borromean-style range proofs back then, more research would be required to see if the same scheme would be applicable to bulletproofs.

P.S. Maybe download these, not sure how long it’ll stay online…

rodarmor · November 18, 2018, 5:53am

Did you mean to post two links? Added the medium post to the reading list, and also added a link to some extensive notes on confidential assets in the chain protocol

igno.peverell · November 18, 2018, 7:41pm

Good catch, the 2nd link was supposed to be those notes. Fixed, although discourse renders it as some ugly markdown.

igno.peverell · November 19, 2018, 11:23pm

Regarding my last question about applicability to bulletproofs, this seems to say it’s definitely possible using their constraint system. Sounds quite efficient as well.

rodarmor · November 22, 2018, 5:43am

Oooooo, shiny I’ll add that to the reading list. Also, here’s a link to their spec for confidential assets using bulletproofs for zkp:

https://github.com/interstellar/spacesuit/blob/master/spec.md#cloak

kargakis · December 1, 2018, 2:24am

Genuine question: can you elaborate on why a Bitcoin or Ethereum peg would be useful?

rodarmor · December 1, 2018, 2:36am

Since Bitcoin and Ethereum don’t have much in the way of privacy, users might like to peg-in to Grin to transact, but might not want to buy and hold Grin.

burrrata · December 1, 2018, 2:45am

Still exploring and learning all the crypto behind bulletproofs so I apologize if this is superfluous, but have you explored Dalek Crypto’s Rust implementations, and if so, what were your thoughts?

burrrata · December 1, 2018, 3:26am

I’ll be completely honest in that I don’t fully understand the mechanics of issuing confidential assets on top of Grin. Learning as fast I can tho

That being said… in this example of the chain pegs, I think you’re referring to people who want to do an atomic swap from a blockchain to Grin, and then trade that swap as if they were trading the original blockchain token right?
If so… then what about a mechanism similar to Ethereum’s Plasma Cash (or other UTXO based L2 solutions) where tokens on the main chain (in this case one that unlocks access to the swap on another chain) don’t move but a history of tx and ownership on a second layer is created where the latest valid owner can exit and claim that token on the main chain. This might be tricky in Grin as there are no “accounts”, but if there’s a second layer state channel, then it’s all arbitrary and the only thing that needs to be submitted to the main chain is a signature that unlocks a UTXO. As in most state channels, parties sign off on a trade and then send it through the state channel (they actually already do for a regular Grin tx lol), but then rather than confirming on the main chain signatures are held and passed on again, only ever hitting the main chain when necessary to exit. This gives participants the assurance that they could settle if they wanted to, but they don’t need to. In a DEX type setting participants would just trade “paper money” all they wanted, and if the operator of the state channel is proved to be malicious they just exit with their latest signatures.

Is there a glaringly obvious reason why this isn’t possible?

Would it be possible to create more complex L2 systems that are free to conform to arbitrary scripting as long as they can produce a valid signature that “settles” on the main chain? (this is pretty much Andrew Poelstra’s scriptless scripts, but I’m curious how far you can take it)

tromp · December 1, 2018, 9:03am

That implementation is specific to Ed25519, a different curve than our secp256k1.

burrrata · December 1, 2018, 5:12pm

I’m fairly new to crypto and Rust, but from what I’ve read Ed25519 is just as safe as secp256k1, but also faster and better for Schnorr signatures. It also seems to be widely used by a lot of projects that aren’t bound to a legacy codebase or are rewriting their code:

Why was secp256k1 chosen for Grin over other options?

0xb100d · December 3, 2018, 12:29am

Check out discussion here: https://github.com/mimblewimble/grin/issues/1948

there was another discussion somewhere about making it more modular and easier to swap out crypto down the line but I can’t find it now.

burrrata · December 3, 2018, 8:06pm

Thanks! That’s really helpful

rodarmor · January 30, 2019, 11:00pm

@tromp @igno.peverell @yeastplume

If the purpose of surjection proofs are to prevent an adversary from choosing a negative asset tag, maybe it’s possible to choose asset tags in such a manner that the asset tag A and it’s inverse -A always differ in some property, such that you can provide a zero-knowledge-proof that the asset tag in a blinded asset tag commitment has or doesn’t have that property.

So, for example, if asset tags were drawn from positive and negative integers, you would only choose positive asset tags, and then come up with a zero-knowledge proof that the asset tag in a blinded asset tag commitment was positive.

If points on an elliptic curve can’t be neatly divided into positive and negative points, is there some other property that might be exploited?

kargakis · February 19, 2019, 9:48pm

Presumably they would still need Grin for fees, otherwise the asset type needs to be exposed as a fee for miners to mine it.

cc @jaspervdm

monkyyy · February 20, 2019, 12:02am

They “probably” would but I wouldn’t presume that a completely off the rails chain is impossible.

Even bitcoin has miners offering off protocol transaction systems, I remember the free transaction acceleration services that were ads for bitcoin cash before it was called bitcoin cash and was the debate for forks and that’s with the healthiest fee economy coin from several years back. Or just transaction acceleration just in general.

Lets say eth or some other turning compete smart contract platform had a grin mining pool system; that would somehow generate a super transaction of extra anonymous grin confidential assets say hourly and would give a reward of some eth based coin as a reward to whoever got this super transaction on the grin chain; it would be awkward weird and insane but that sort of thing is on the table.

kargakis · February 20, 2019, 6:30pm

Absolutely, but none of what I said precludes collusion with miners which is not going to ever be the norm.

0xb100d · February 20, 2019, 10:29pm

A possibly useful CA for grin, though it presents a high level problem and solution, and nothing of a technical solution. Idea is disappearing short messageboard. There are issues re whether it is possible to integrate by simply adding CAs in general, or whether it would require a universal additional field to the output, which is probably more problematic than useful. Was one of the first ideas for utilizing mimblewimble, and would benefit from being secured by grin chain if possible with CA.

github.com

0xb100d/nymble/blob/master/README.md

# nymble
A mimblewimble based ephemeral IM/Microblogging client

If transactions are basic text messages, a simple and extremely lightweight disappearing microblogging platform could be built using mimblewimble where messages are entirely erased from the blockchain once they have been available for a given amount of time. This period could be determined by mandatory timelocks, where all messages disappear after say, 10 days (leaving the blockchain forever after that point), variable timelocks depending on user choice, or interactively (like after n number of responses to said message, or a response from a specific person conceivably). Cost could be next to nothing, and actual storage space would be extremely small given that all messages eventually are deleted (in other words, every single Nymble transaction/message would eventually be totally cut-through).

# Problem
Other decentralized microblogging services suffer from low number of servers/message availability, and incentivizing servers to stay online requires altruism from hosts. By using a blockchain, nodes are incentivized by mining rewards. The downside of this is essentially the same issue, with extra steps; there may be rewards for running a full node, but we are left with a similar problem where there is a lack of interest/use for people to run the blockchain, and we've just created another cryptocurrency, the only value of which comes from the value of having a lightweight, decentralized microblogging client. Given the wide variety of extant centralized and decentralized microblogging/IM platforms, securing a blockchain whose only purpose is a simple message board produces a terrible uphill bootstrapping effort.

# Solution
We institute Nymble as the first parallel [Confidential Asset]([https://lists.launchpad.net/mimblewimble/msg00103.html) on the grin mainnet. Assuming the incentives to run grin continue, this means the propogation/distribution of messages on the Nymble service have an extremely high availability gurantee, given than every grin node is also a Nymble node. The parallel data required to host temporary messages would be extremely negligible since it is constantly being drawn toward the minimum required state as messages disappear. Fee to post could be paid in some parallel NYMBLE reward that would be emitted at a high rate, if this was necessary at all (it's probably possible to just pay the tx fee in grin). Node operators could choose to access these NYMBLE rewards if they wanted to, or simply ignore it with no detriment, while still contributing to the network all the same.

# More Problems
via jaspervdm: "you could encode up to 32 bytes in the private key, but how would you use that? you'd have to expose the private key through some other method, making the message board obsolete. and it would allow some other party to destroy the message (spend the output). so essentially adding an extra field to the output."

Adding an extra output to transactions could lead to issues for grin itself and would take away from the security and lightness. So research has to be done to see if there is a way to add an extra input to Nymble txs parallel to grin txs, while still not being gameable/ddos-able.

# Uses
A disappearing messageboard with plaintext (or easily encrypted text) that had high availabilty gurantees (by piggy backing on a big name chain like grin's), has an almost unlimited number of uses. Users could share disappearing links (to onion routed .txt files, slate files, images, to their keybase), random looking data that pointed to atomic swap details (conceivably there are lots of different currency-related data that would be useful to temporarily post), breaking news (such as hard/soft-fork flags, vulnerabilities, community events), geo-cache coordinates, broken-up mnemonics, and even as a medium for dead-man's switches (which would require either lots of scriptless scripting or just as a medium to post some message created by a centralized or self-hosted DMS).

Because Nymble data would be transmitted through normal grin blocks, it would be very simple to integrate Nymble messages into grin wallets, for example allowing a secure method for "official" security notifications or other important updates to be filtered and shown directly in grin wallets without any additional infrastructure. Censoring these messages should be just as difficult as censoring basic cash transactions on the grin chain, meaning there should be an identical level of security for important messages as there are grin coin-transactions themselves. This could conceivably be seen as a bad thing, but if grin gets stopped there are other means of communication that could be turned to.

This file has been truncated. show original

Topic		Replies	Views
Improvement Proposal: Confidential Assets Development and Technical Discussion	8	767	December 30, 2019
Mimblewimble Defi and Confidential assets Research	2	608	July 5, 2020
Much of the technology behind Grin Development and Technical Discussion	6	5197	December 19, 2018
Why Grin/Mimblewimble	26	1254	May 1, 2021
Questions about grin.	1	394	December 3, 2019

Confidential Assets

Confidential Assets

How do they work?

Blinded Asset Tags

Surjection Proofs

Confidential Assets and Mimblewimble

Edit: Why user-issued assets?

Vague and Underspecified Alternative Constructions

References

Related topics