Pep Talk for one-sided transactions

I love MW for its conceptual simplicity and elegance.

Its outputs are Pedersen commitments r*G+v*H which combine value and blinding factor into a single curve point. The blinding factor serves both to hide the value and to control ownership. Correspondingly, a single (multi-)signature serves both to prove value balance (non-inflation) and to authorize transfer of ownership. That’s kind of magic.

This allows MW to completely do away with bitcoin script, which is a language for specifying the conditions under which individual outputs can be spent, usually signatures with public keys that hash to a given value.
It’s also a huge source of complexity within Bitcoin.

MW instead requires interaction between sender and receiver to construct the signature. This incidentally removes the possibility of certain errors where funds are sent to the wrong place (and makes it very ransom unfriendly). Note that such interaction is also required in 2nd layer networks like Bitcoin Lightning, which is seeing growing adoption, and is bound to be the common form of transacting if Bitcoin is ever to see mainstream adoption. Having a similar experience between on-chain and off-chain tx building will ease the transition for Grin users.

In the one-sided tx proposal there would be two very different kinds of output: the simple MW ones that we have now, and complex ones that have several (at least four) additional fields of data attached to them.
For these complex outputs, the blinding factor no longer suffices to control ownership, as it will be known by both sender and receiver.
Rather, as in bitcoin, the spender must also prove knowledge of a specific public key. The full extent of additional data and rules is not clear, as the proposal is incomplete. It’s also not clear how transactions should deal with a mix of simple and complex inputs/outputs.

I find these complications to be detrimental to the simplicity of MW. Grin in particular aims to be a minimal and lightweight implementation of MW and this is neither.

The security problem may not be relevant in practice due to absence of week-long reorgs, but is still an ugly wart.

The main reason for the current usability problems is that exchanges don’t offer a backup mechanism for wallet connection failures, something that the deprecation of http and compact slates should improve.

10 Likes
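Added example, not part of the original post and not Grin's code: the property described above, that one interactively built signature both authorizes the spend and proves value balance, worked through with Pedersen commitments r*G+v*H. It assumes secp256k1 with a constructed second generator H, leaves out range proofs and fees, and every function name and value in it is hypothetical.

```python
import hashlib, secrets

# secp256k1 field prime, group order and base point G
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):                        # point addition; None is the identity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    m = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P))
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def mul(k, pt):                       # double-and-add (not constant time)
    acc, k = None, k % N
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def second_generator(ctr=0):          # constructed H: hash to a curve point
    while True:
        x = int.from_bytes(hashlib.sha256(b"constructed H %d" % ctr).digest(), "big") % P
        y = pow(x ** 3 + 7, (P + 1) // 4, P)
        if y * y % P == (x ** 3 + 7) % P: return (x, y)
        ctr += 1
H = second_generator()

def neg(pt): return (pt[0], -pt[1] % P)
def commit(r, v): return add(mul(r, G), mul(v, H))   # r*G + v*H
def challenge(R, X, msg):
    return int.from_bytes(hashlib.sha256(repr((R, X, msg)).encode()).digest(), "big") % N
def verify(X, msg, sig):              # Schnorr check: s*G == R + e*X
    return mul(sig[1], G) == add(sig[0], mul(challenge(sig[0], X, msg), X))

def transact(v_in, v_change, v_recv, msg=b"kernel"):
    r_in, r_chg, r_out = (secrets.randbelow(N - 1) + 1 for _ in range(3))
    # excess = sum(outputs) - sum(inputs); the v*H terms cancel only if values balance
    excess = add(add(commit(r_chg, v_change), commit(r_out, v_recv)), neg(commit(r_in, v_in)))
    # interactive signing: sender holds r_chg - r_in, receiver holds r_out
    shares = [(r_chg - r_in) % N, r_out]
    nonces = [secrets.randbelow(N - 1) + 1 for _ in shares]
    R = add(mul(nonces[0], G), mul(nonces[1], G))
    e = challenge(R, excess, msg)
    s = sum(k + e * x for k, x in zip(nonces, shares)) % N
    return verify(excess, msg, (R, s))
```

`transact(40, 15, 25)` verifies because the excess is a pure multiple of G whose key is split between the two parties; `transact(40, 15, 26)` fails because a leftover 1*H term means nobody can sign for the excess.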