Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add commitment opening proofs #6282

Open
AaronFeickert opened this issue Apr 15, 2024 · 1 comment · May be fixed by #6463
Open

Add commitment opening proofs #6282

AaronFeickert opened this issue Apr 15, 2024 · 1 comment · May be fixed by #6463

Comments

@AaronFeickert
Copy link
Collaborator

AaronFeickert commented Apr 15, 2024

It was suggested by @stringhandler in #6240 to support an "ownership proof" that proves knowledge of the opening of a commitment. While this is what a CommitmentSignature is for, its API is outdated and not particularly friendly. It was also suggested that such a proof also assert a minimum value, which could be useful in cases where the prover wishes to reveal a minimal (pun intended) amount of value information about the commitment.

One approach that handles both of these assertions is simply to use the Bulletproofs+ library to generate a minimum-value range proof. This will allow creation of such a proof using a transcript instantiated using a distinct label and arbitrary verifier message, which are important to avoid replay attacks.

It's very important to note that because of the structure of Tari transactions, neither the approach in #6240 nor this Bulletproofs+ suggestion actually prove control of value represented by a commitment. Depending on the structure of an output's script, it could be the case that both the sender and recipient in a transaction know the opening, but only the recipient knows the script private key required to authorize transfer of the corresponding value. Further, unless the verifier is careful to check for spend status, the commitment used in a proof may have already been spent, and is therefore no longer in the prover's control. Rather, such proofs only show visibility into the value represented by the commitment, but not necessarily anything else.

@AaronFeickert
Copy link
Collaborator Author

AaronFeickert commented Apr 15, 2024

Another option that does not assert minimum value, but does assert commitment spend authority, is to use a CommitmentAndPublicKeySignature, which proves knowledge of a commitment opening and script private key.

However, @stringhandler observed that there are cases where it may not be safe to execute a script to produce its public key for proof verification.

@AaronFeickert AaronFeickert linked a pull request Aug 12, 2024 that will close this issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant