public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Peter Todd <pete@petertodd.org>
To: Gregory Maxwell <greg@xiph.org>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Updates on Confidential Transactions efficiency
Date: Tue, 14 Nov 2017 04:11:23 -0500	[thread overview]
Message-ID: <20171114091123.GA29286@savin.petertodd.org> (raw)
In-Reply-To: <CAAS2fgQ0Cb2B=Ye2TnpfQqP4=kpZCxMWRXYB0CcFa71sQJaGuw@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2736 bytes --]

On Tue, Nov 14, 2017 at 01:21:14AM +0000, Gregory Maxwell via bitcoin-dev wrote:
> Jump to "New things here" if you're already up to speed on CT and just
> want the big news.

<snip>

> This work also allows arbitrarily complex conditions to be proven in
> the values, not just simple ranges, with proofs logarithmic in the
> size of the arithmetic circuit representing the conditions being
> proved--and still with no trusted setup. As a result it potentially
> opens up many other interesting applications as well.
> 
> The pre-print on this new work is available at https://eprint.iacr.org/2017/1066

Re: section 4.6, "For cryptocurrencies, the binding property is more important
than the hiding property. An adversary that can break the binding property of
the commitment scheme or the soundness of the proof system can generate coins
out of thin air and thus create uncontrolled but undetectable inflation
rendering the currency useless.  Giving up the privacy of a transaction is much
less harmful as the sender of the transaction or the owner of an account is
harmed at worst."

I _strongly_ disagree with this statement and urge you to remove it from the
paper.

The worst-case risk of undetected inflation leading to the destruction of a
currency is an easily quantified risk: at worst any given participant loses
whatever they have invested in that currency. While unfortunate, this isn't a
unique or unexpected risk: cryptocurrencies regularly lose 50% - or even 90% -
of their value due to fickle markets alone. But cryptocurrency owners shrug
these risks off. After all, it's just money, and diversification is an easy way
to mitigate that risk.

But a privacy break? For many users _that_ threatens their very freedom,
something that's difficult to even put a price on.

Furthermore, the risk of inflation is a risk that's easily avoided: at a
personal level, sell your holdings in exchange for a less risky system; at a
system-wide level, upgrade the crypto.

But a privacy leak? Once I publish a transaction to the world, there's no easy
way to undo that act. I've committed myself to trusting the crypto
indefinitely, without even a sure knowledge of what kind of world I'll live in
ten years down the road. Sure, my donation to Planned Parenthood or the NRA
might be legal now, but will it come back to haunt me in ten years?


Fortunately, as section 4.6 goes on to note, Bulletproofs *are* perfectly
hiding. But that's a feature we should celebrate! The fact that quantum
computing may force us to give up that essential privacy is just another
example of quantum computing ruining everything, nothing more.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]

  reply	other threads:[~2017-11-14  9:11 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-14  1:21 [bitcoin-dev] Updates on Confidential Transactions efficiency Gregory Maxwell
2017-11-14  9:11 ` Peter Todd [this message]
2017-11-14 10:38   ` Gregory Maxwell
2017-11-14 10:51     ` Gregory Maxwell
2017-11-14 10:07 ` Peter Todd
2017-12-04 17:17 ` Andrew Poelstra

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171114091123.GA29286@savin.petertodd.org \
    --to=pete@petertodd.org \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=greg@xiph.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox