Improvement Proposal: Confidential Assets

zhengyi · December 17, 2019, 2:07am

Hi guys.

Recently we published a paper “Confidential Assets on MimbleWimble” to share our ideas about how to implement multiple CAs on MW.

We have been working on privacy-preserving solutions for the Qtum blockchain before. When reading the paper “Confidential Assets”, we were attracted by this idea. So we studied it in-depth and also studied the source code of the corresponding “Elements project”. Although there is some other research exploring the solution of CAs on MW, we designed a solution based on our own understanding and wrote this paper.

There is still room for further optimization of the proposed solution as we know. But we’d like to know more about your guys’ opinions on it.

Thanks.

Chronos · December 17, 2019, 3:20am

Thank you for sharing this paper.

Compared with MimbleWimble, each output for Confidential Assets on MimbleWimble have three more fields, A, β, and σ, to be recorded on the blockchain.
Suppose in the elliptic curve, the size of a point is X, and the size of a scalar is
Y . Then 2X + (J + 1)Y more space is needed for storing an output.

Would it be possible to preserve anonymity between base token transactions and asset transactions, by also allocating this space for non-asset outputs?

antioch · December 17, 2019, 11:57am

You propose using a Bloom filter to select a random subset of the dynamic global set of assets for the ASP. If the global asset set is large and the asset subset is small then how will you prevent leakage of asset information?

Example: A transaction produces an output with an asset tag in the subset [BEAM, USD, EUR].
This output is then subsequently spent, producing an output with an asset tag in [BEAM, BTC, ETH].
The unique asset tag is leaked.

It might take multiple “hops” to narrow the intersection of these subsets down but every subsequent transaction risks identifying the asset tag.

Maybe it takes three outputs over three transactions to identify the unique asset tag -

[BEAM, USD, BTC] -> [BEAM, USD, ETH] -> [BEAM, BTC, ETH]

This problem is compounded once you take multiple transaction inputs into consideration, each with its own random subset of asset tags.

This is going to be an issue for any random selection mechanism for subsets of asset tags even if the size of each subset approaches the size of the full global set of assets.

zhengyi · December 17, 2019, 10:51pm

Yeah, we have noticed this problem. We are looking for other solutions for the ring signature which can work on large asset subsets with relatively low space costs. More research is needed for this part. Thx.

zhengyi · December 17, 2019, 10:56pm

In my mind it’s impossible. Because the base token acts as the issuance & transaction fee of other tokens. So it must be distinguishable from other tokens.

david · December 18, 2019, 9:43am

Yea, bloom filters were never meant to be used for preserving privacy in the way they’re being used in crypto today. You should be able to just use something like one-out-of-many Sigma proofs https://eprint.iacr.org/2014/764.pdf

zhengyi · December 18, 2019, 2:33pm

Agree with one-out-of-many Sigma proofs.
The Bloom filter is actually used to obtain the ring, aka a list of assets, to blind the target asset. Do you think there is a better way to do it?

david · December 18, 2019, 2:56pm

Right, but the sigma proofs can be batched such that it’s feasible to just use the whole anonymity set (every asset) as the ring.

zhengyi · December 30, 2019, 3:10pm

I made some mistakes before. The base token transactions can also be ported to this new form. The blinded asset tag and the surjection proof work for every asset on the MW blockchain including the base one.