Here’s my own understanding of confidential assets, as cobbled together from research papers, Blockstream press releases, and random posts. Please correct my mistakes, of which I am sure there are many. Also, big thanks to RJ Rybarczyk, who I’ve been discussing and researching CA with.
Confidential assets allow multiple assets to be traded on the same chain, alongside the chain’s native asset. Confidential assets use Pedersen commitments, which are also used in Mimblewimble, so they’re a natural fit for Grin.
Unlike, for example, ERC20 tokens, confidential assets are not programmable, and function in exactly the same way as Grin’s native token.
How do they work?
Confidential assets replace H in the output commitment formula r*G + v*H with a distinct NUMS point for every asset type. (I’ll use A for these, and reserve H for the asset tag of Grin’s native token.) So, the output commitment formula becomes r*G + v*A, with A identifying the type of asset that the output holds.
So far so good. These new asset-bearing outputs can still be verified to sum to zero, just like Grin’s current outputs.
However, in order to verify the range proof for each of these outputs, the value of A must be known. The simplest way to make this work would be to include A in the clear with each output, but this would allow an observer to see which type of asset is in every output.
Blinded Asset Tags
An asset tag A can be replaced by a blinded asset tag A + s*G, which hides the type of the asset. We can still verify that these modified outputs sum to zero, and that the range proof is valid.
However, we have a problem! An attacker could choose the asset tag -A + r*G, which would essentially amount to a negative amount of the token A. They could then create an output containing negative tokens, offset with an output containing positive tokens, allowing them to silently inflate the supply of tokens.
One way to prevent this malicious choice of blinded asset tag is to attach a surjection proof to each output. A surjection proof proves that a given blinded asset tag is one of a set of known-good blinded asset tags. I’ll call this set of known-good blinded asset tags the asset tag anonymity set.
The size of each surjection proof scales with the size of the asset tag anonymity set. This is fine in a bitcoin-like chain, since each transaction has a small number of inputs, so the natural way to construct the asset-tag anonymity set is with the asset tags of all the inputs.
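To make the pieces above concrete (per-asset NUMS tags in r*G + v*A, the sum-to-zero check, blinded tags A + s*G, and a surjection proof whose anonymity set is the input tags), here is an added Python toy model. It is not Grin’s or Elements’ code: it hand-rolls secp256k1 arithmetic, derives asset tags by hashing a label to the curve, and uses a plain AOS ring signature over the differences (output tag minus each input tag) as the surjection proof, which I’m assuming as a stand-in for the Borromean ring signature Elements uses. The asset labels, amounts and blinding factors are constructed for the example.

```python
# Added toy model of confidential-asset outputs (not Grin's or Elements' code);
# pure-Python secp256k1, slow and not constant-time, for illustration only.
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None: return q
    if q is None: return p
    if p[0] == q[0]:
        if (p[1] + q[1]) % P == 0: return None
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P  # doubling
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, p):  # double-and-add; k reduced mod N, so a negative k negates p
    k, r = k % N, None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def neg(p): return None if p is None else (p[0], (-p[1]) % P)
def encode(p): return b"\0" * 33 if p is None else bytes([2 + (p[1] & 1)]) + p[0].to_bytes(32, "big")
def challenge(msg, point): return int.from_bytes(hashlib.sha256(msg + encode(point)).digest(), "big") % N
def rnd(): return secrets.randbelow(N - 1) + 1

def nums_point(label):  # asset tag: hash the label to x and lift it onto the curve; its dlog w.r.t. G is unknown
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
        if y * y % P == y2: return (x, y)
    raise ValueError("no curve point found")

def commit(value, blind, tag): return add(mul(blind, G), mul(value, tag))  # r*G + v*A
def blind_tag(asset, s): return add(asset, mul(s, G))                       # A + s*G

def balances(inputs, outputs, excess):  # sum(outputs) - sum(inputs) == excess*G
    total = None
    for c in outputs: total = add(total, c)
    for c in inputs: total = add(total, neg(c))
    return total == mul(excess, G)

def ring_sign(msg, keys, j, x):  # AOS ring signature: keys[j] == x*G, j stays hidden
    n, k = len(keys), rnd()
    s, e = [0] * n, [0] * n
    e[(j + 1) % n] = challenge(msg, mul(k, G))
    i = (j + 1) % n
    while i != j:  # walk the ring with random s_i until we are back at j
        s[i] = rnd()
        e[(i + 1) % n] = challenge(msg, add(mul(s[i], G), mul(e[i], keys[i])))
        i = (i + 1) % n
    s[j] = (k - e[j] * x) % N  # close the ring with the real secret
    return e[0], s

def ring_verify(msg, keys, sig):
    e0, s = sig
    e = e0
    for si, key in zip(s, keys):
        e = challenge(msg, add(mul(si, G), mul(e, key)))
    return e == e0

def surjection_prove(out_tag, out_s, in_tags, in_s, j):
    # out_tag - in_tags[j] = (out_s - in_s[j])*G: the output's asset is one of the inputs' assets
    keys = [add(out_tag, neg(t)) for t in in_tags]
    return ring_sign(encode(out_tag), keys, j, (out_s - in_s[j]) % N)

def surjection_verify(out_tag, in_tags, proof):
    return ring_verify(encode(out_tag), [add(out_tag, neg(t)) for t in in_tags], proof)

def demo():  # constructed example: inputs 5 GRIN + 3 USD, outputs of the same amounts
    H, USD = nums_point(b"grin"), nums_point(b"usd")
    ins = [(5, rnd(), H, rnd()), (3, rnd(), USD, rnd())]   # (v, r, asset, s)
    outs = [(5, rnd(), H, rnd()), (3, rnd(), USD, rnd())]
    in_tags = [blind_tag(a, s) for _, _, a, s in ins]
    out_tags = [blind_tag(a, s) for _, _, a, s in outs]
    in_cm = [commit(v, r, t) for (v, r, _, _), t in zip(ins, in_tags)]
    out_cm = [commit(v, r, t) for (v, r, _, _), t in zip(outs, out_tags)]
    # r*G + v*(A + s*G) = (r + v*s)*G + v*A: the effective blinding factor is r + v*s,
    # and the kernel excess is the difference of those sums (the v*A terms cancel).
    excess = (sum(r + v * s for v, r, _, s in outs) - sum(r + v * s for v, r, _, s in ins)) % N
    proofs = [surjection_prove(out_tags[i], outs[i][3], in_tags, [s for *_, s in ins], i) for i in range(2)]
    valid = balances(in_cm, out_cm, excess) and all(
        surjection_verify(t, in_tags, p) for t, p in zip(out_tags, proofs))
    # A tag built from -H (the post's inflation trick) is outside the input set, so no
    # secret matches any ring key and an attempted proof fails to verify.
    bad_tag = blind_tag(neg(H), rnd())
    bad_proof = ring_sign(encode(bad_tag), [add(bad_tag, neg(t)) for t in in_tags], 0, rnd())
    return valid, surjection_verify(bad_tag, in_tags, bad_proof)
```

Calling demo() returns (True, False): the honest transaction balances and both surjection proofs verify, while the -H output has no valid proof. Note that each proof has one ring element per input tag, which is the size scaling the paragraph above describes, and that the prover needs the blinding scalars of the input tags, which is natural when the anonymity set is the spender’s own inputs but is the crux of the problem in the Mimblewimble setting discussed next.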
Confidential Assets and Mimblewimble
This is where things get hazy!
In a Mimblewimble chain, there is no discrete notion of a transaction, in the sense of a linked set of inputs and outputs. This complicates the choice of tags to include in each surjection proof’s asset-tag anonymity set.
One proposal is to construct surjection proof asset-tag anonymity sets using every asset tag in the system. Unfortunately, this means that the size of every output scales with the total number of assets in the system. This would preclude us from allowing users to issue new asset types willy-nilly, and would likely require a soft fork to add each new asset.
I’m hoping that we can find some way to avoid this. If issuing new assets requires community coordination and a soft fork, then this process is likely to become highly politicized and contentious. Much better to allow users to issue new assets and let the market decide on which are useful or valuable, instead of requiring everyone to agree.
Edit: Why user-issued assets?
I wanted to elaborate a little bit on the different reasons I think it’s desirable to allow users to issue their own assets, and additionally why it would be desirable to support a large number of assets.
If Grin can only support a limited number of assets, say less than 10, then the pool of unallocated assets becomes a very precious and very scarce resource, and would require some allocation process. I imagine that there will be a lot of different ideas for potential assets, and it would fall to the devs and to the community to decide which are most worthwhile. This is definitely just speculation on my part, but I think this process would inevitably be contentious, and would divert time and energy from core protocol development. Governance is one of the most difficult things to do well, and all other things being equal, the fewer things that need to be governed, the better!
Also, if each new asset increases the size of all outputs, then people who don’t want to use that asset, and don’t think that it will add value to the system might reasonably object. I sort of pessimistically suspect that it will be very hard to build consensus on new assets.
I can definitely see the argument that only a few assets will be useful, perhaps a Bitcoin peg, an Ethereum peg, and maybe a few others. I think people will certainly come up with some legitimately terrible ideas for assets, but I think they’ll also come up with a lot of neat ones, and I’m definitely curious to see what they are!
Although it wouldn’t be a good fit for Grin, the codebase could serve as a basis for systems that require a large number of assets; I’m thinking in particular of a stock exchange or liquidity pool.
I think that user-issuable assets make for an incredibly unique marketing point for Grin. I imagine that we’ll see a ton of attention and interest, and it would probably boost the value of the native token, since it would be the obvious currency of choice for trading between and buying into the various tokens on the chain.
Vague and Underspecified Alternative Constructions
None of these are clear winners, but here are some ideas for alternative constructions that would allow for user-issued assets:
Public Assets – Asset tags are included in the clear with each asset. This would be very simple, but with the downside that the asset types in each transaction would be clearly visible. This would be bad for privacy, but might be a good starting point, with the intention to add a blinding mechanism at a later date.
Confidential-enough assets – Each surjection proof could include a small subset of all valid asset tags, perhaps 3 or 4. In such a system an observer might be able to determine the asset tag in each output by observing the transaction graph and using the process of elimination. We’d need a careful analysis of the privacy properties of such a system, and an algorithm for choosing asset tag anonymity sets that would maximize privacy.
Accumulator-based proofs – Perhaps cryptographic accumulators could help. Each asset tag is added to a cryptographic accumulator on first issuance, and the surjection proof is replaced with a zero-knowledge proof that an output’s asset tag has already been added to the accumulator.
NUMS point derivation – If the NUMS points used as asset tags can be derived in some special way, perhaps that method of derivation can be leveraged to prove that blinded asset tags contain a legitimate tag. Maybe, like, I dunno, bulletproofs, or something?
BLS-signatures – BLS signatures have interesting aggregation properties, and support efficient threshold and ring signatures. Perhaps there’s some clever alternative construction of surjection proofs using BLS signatures.
- Original research paper
- Blockstream press release on confidential assets
- Description of surjection proofs as implemented in the elements project
- Proposal by Andrew Poelstra to add confidential assets to Grin
- Reddit comment by Andrew Poelstra on confidential assets and Grin
- Post on Confidential Assets in the Chain Protocol by Oleg Andreev
- Notes on Confidential Assets in the Chain Protocol
- Programmable Constraint Systems for Bulletproofs
- Cloak protocol, confidential assets using bulletproofs