You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It was suggested by @stringhandler in #6240 to support an "ownership proof" that proves knowledge of the opening of a commitment. While this is what a CommitmentSignature is for, its API is outdated and not particularly friendly. It was also suggested that such a proof also assert a minimum value, which could be useful in cases where the prover wishes to reveal a minimal (pun intended) amount of value information about the commitment.
One approach that handles both of these assertions is simply to use the Bulletproofs+ library to generate a minimum-value range proof. This will allow creation of such a proof using a transcript instantiated using a distinct label and arbitrary verifier message, which are important to avoid replay attacks.
It's very important to note that because of the structure of Tari transactions, neither the approach in #6240 nor this Bulletproofs+ suggestion actually prove control of value represented by a commitment. Depending on the structure of an output's script, it could be the case that both the sender and recipient in a transaction know the opening, but only the recipient knows the script private key required to authorize transfer of the corresponding value. Further, unless the verifier is careful to check for spend status, the commitment used in a proof may have already been spent, and is therefore no longer in the prover's control. Rather, such proofs only show visibility into the value represented by the commitment, but not necessarily anything else.
The text was updated successfully, but these errors were encountered:
Another option that does not assert minimum value, but does assert commitment spend authority, is to use a CommitmentAndPublicKeySignature, which proves knowledge of a commitment opening and script private key.
However, @stringhandler observed that there are cases where it may not be safe to execute a script to produce its public key for proof verification.
It was suggested by @stringhandler in #6240 to support an "ownership proof" that proves knowledge of the opening of a commitment. While this is what a
CommitmentSignature
is for, its API is outdated and not particularly friendly. It was also suggested that such a proof also assert a minimum value, which could be useful in cases where the prover wishes to reveal a minimal (pun intended) amount of value information about the commitment.One approach that handles both of these assertions is simply to use the Bulletproofs+ library to generate a minimum-value range proof. This will allow creation of such a proof using a transcript instantiated using a distinct label and arbitrary verifier message, which are important to avoid replay attacks.
It's very important to note that because of the structure of Tari transactions, neither the approach in #6240 nor this Bulletproofs+ suggestion actually prove control of value represented by a commitment. Depending on the structure of an output's script, it could be the case that both the sender and recipient in a transaction know the opening, but only the recipient knows the script private key required to authorize transfer of the corresponding value. Further, unless the verifier is careful to check for spend status, the commitment used in a proof may have already been spent, and is therefore no longer in the prover's control. Rather, such proofs only show visibility into the value represented by the commitment, but not necessarily anything else.
The text was updated successfully, but these errors were encountered: