Confidential Assets

If we want to allow users to issue new assets such that the set of asset tags is unknown ahead of time, do we gain anything if we commit to the current set of assets in each block header? This set would grow over time as new assets were issued.

We could for example maintain asset tags themselves in an MMR and commit to the root of this MMR in each header.

Does this help in any way in terms of having a “global” set of asset tags that all nodes can and will agree on, even if they are not known ahead of time?

This way we could potentially leverage some “bulletproof type constraint thing” to verify that the asset tag of a given output is an element in the set of known asset tags at that height.

  • asset Grin is issued every block as coinbase reward (supply is known)
  • asset Grin' is issued at block height 2 (fixed issuance of 1.0 Grin')
  • at block height 1 we commit to the set of asset tags [Grin]
  • at block height 2 we commit to the set of asset tags [Grin, Grin']
  • we can verify that Grin sums to 0 and that Grin' sums to 0 accounting for known supply of both (the sums of both will sum to 0)
  • we can verify both asset tags Grin and Grin' are elements in the set of asset tags [Grin, Grin'] committed to in the header at height 2
  • any output with Grin' asset tag would not be valid at height 1 as the asset tag is not valid at that height

Unless the cost of this is nonexistent, I don’t think allowing automatic coin coloring is a good idea; the ICO market is toxic and there is a grand total of 1 colored coin that arguably has value, in Tether.

“bulletproof type constraint thing”

If you allow ICOs and Grin pulls an ETH and there are >1000 dogshit assets started that don’t add anything of value, doesn’t that necessarily add a handful of bits to the bulletproof for every future transaction?

Dev support of coin coloring should be rare and hyper conservative; any harm to the size of the bulletproofs needs to be well justified.


Great posts.
Having a network that is asset aware and able to facilitate confidential asset transfers would be really neat. Along the lines of Ravencoin being built on a fork of the Bitcoin code, a fork of the Grin code might make sense, since Grin is purely focused on being the best version of cash. I’m certainly keen to collaborate on more research on this with anyone interested.


Sorry for reopening this old topic. I’m not familiar with the math behind ECC yet, so the following are likely very basic questions with obvious answers.

I have a question regarding the blinding of the generator that represents the asset. In the section Blinded Asset Tags we blind asset generator A by computing A + s*G; this, however, as stated above, comes with a problem: people can take -H + r*G as the generator point, which allows them to silently inflate asset H. I’m only starting to think about these things, but it seems that if you can prove that you have a curve point X that was “randomly generated” and you’ve adjusted it by adding r*G, then you should be safe.

What if the asset generators had a specific structure? Right now, H is generated by computing the hash of G; then we treat the hash result as the x coordinate and find the first y where (x,y) lies on the curve, which gives us our NUMS point H. I’m wondering if the options below can also be considered as ways of generating a NUMS generator:

  1. The x coordinate needs to have its first 50 bytes be zeros, and the last 14 bytes can be whatever they choose. The first point on the curve that can be found with this is considered the curve point we want. Can we use this point as a NUMS generator?

  2. I think that negating a curve point (x, y) means negating the y coordinate to get (x, -y). What happens if we fix the y coordinate to be some specific integer, e.g. the same as H has? Could we say that all the points that you find on the curve that have their y coordinate the same as H are NUMS? Would this prevent any of the “negate asset generator” attacks, since all the asset generators use the same y?

How hard would it be to actually come up with a point that has a relation to some asset generator point if we used the above ways to generate new asset generators?

If these were indeed ways of generating NUMS points, would it be any easier to prove with bulletproofs that we are encoding a form A + s*G? If not, which forms could be proven with bulletproofs?

Thanks for the explanations.

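The following is an added example written for this edit; it is not Grin's code and not code posted by anyone in the thread. It ties together the first post's sketch (a per-height committed set of asset tags, with per-asset sums checked against known supply) and the last post's worry about a blinded tag of the form -H + r*G. Assumptions it makes: secp256k1 arithmetic in plain Python affine coordinates; asset generators are NUMS points obtained by hashing a label to an x coordinate and stepping forward to the first x that lies on the curve (my reading of the "hash of G" construction described above; the label for Grin' is my own choice); the header's MMR commitment to the asset set is stood in for by a per-height dictionary; the kernel signature is abstracted to "the residual of the sum equals excess*G"; blinding factors are small fixed constants so the run is reproducible; 60 is taken as the Grin coinbase reward.

```python
# Added example, not Grin's code: toy confidential-asset balance check on
# secp256k1 in plain Python. Assumptions: NUMS asset generators (hash a label
# to x, first x on the curve); kernel signature abstracted to
# "residual == excess*G"; 60 used as the Grin coinbase reward.
import hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, p):
    """Double-and-add; k is reduced mod N, so a negative k negates the point."""
    k, acc = k % N, None
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def neg(p):
    return None if p is None else (p[0], (-p[1]) % P)

def lift_x(x):
    """Point with this x and even y, or None if no point has this x."""
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)  # square root works because P % 4 == 3
    if y * y % P != rhs:
        return None
    return (x, y if y % 2 == 0 else P - y)

def nums_generator(label):
    """Hash label to x, step forward to the first x on the curve (assumed
    construction): nobody knows the discrete log of the result w.r.t. G."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    while lift_x(x) is None:
        x = (x + 1) % P
    return lift_x(x)

def commit(value, blind, asset_gen):
    """Pedersen commitment value*A + blind*G under asset generator A."""
    return add(mul(value, asset_gen), mul(blind, G))

def balances(inputs, outputs, issuance, excess):
    """sum(outputs) - sum(inputs) - sum(amount*A for issued assets) == excess*G."""
    lhs = None
    for pt in outputs:
        lhs = add(lhs, pt)
    for pt in inputs:
        lhs = add(lhs, neg(pt))
    for gen, amount in issuance.items():
        lhs = add(lhs, neg(mul(amount, gen)))
    return lhs == mul(excess, G)

# Grin's generator from a hash of G (as the thread describes), Grin' from a
# hash of its name (my label choice). The per-height header commitment to
# the asset set is stood in for by this dictionary.
GRIN = nums_generator(b"\x02" + G[0].to_bytes(32, "big"))
GRIN2 = nums_generator(b"Grin'")
ASSET_SET = {1: {"Grin": GRIN}, 2: {"Grin": GRIN, "Grin'": GRIN2}}

def tag_allowed(height, tag_name):
    return tag_name in ASSET_SET[height]

def coinbase_block_2():
    """Height 2 coinbase: 60 Grin plus the one-off 1.0 Grin' issuance."""
    r1, r2 = 11, 22  # blinding factors, fixed so the run is reproducible
    outs = [("Grin", commit(60, r1, GRIN)), ("Grin'", commit(1, r2, GRIN2))]
    tags_ok = all(tag_allowed(2, name) for name, _ in outs)
    return tags_ok and balances([], [c for _, c in outs], {GRIN: 60, GRIN2: 1}, r1 + r2)

def honest_blinded_spend():
    """Spend an output whose tag was blinded correctly as T = GRIN + s*G."""
    v, s, r_in, r_out = 5, 3, 19, 23
    T = add(GRIN, mul(s, G))
    inp = commit(v, r_in, T)  # equals v*GRIN + (v*s + r_in)*G
    return balances([inp], [commit(v, r_out, GRIN)], {}, r_out - r_in - v * s)

def inflate_with_negated_tag():
    """The last post's concern: T = -GRIN + s*G looks like a blinded tag to a
    verifier that only checks the sum, so 1000 Grin appear from nothing
    (no inputs, no issuance) and the check still passes."""
    v, s, r1, r2 = 1000, 7, 13, 17
    T = add(neg(GRIN), mul(s, G))
    outs = [commit(v, r1, GRIN), commit(v, r2, T)]
    return balances([], outs, {}, r1 + r2 + v * s)
```

The interesting result is that `inflate_with_negated_tag()` returns True: the sum check on its own cannot tell A + s*G from -A + s*G, because both are just "some point plus a multiple of G". The set-membership check (`tag_allowed`) only helps while tags are in the clear; once they are blinded, the verifier needs a proof that the hidden A is in the committed set, which is the "bulletproof type constraint thing" the first post is reaching for.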