From: Peter Todd
To: Gregory Maxwell, Bitcoin Protocol Discussion
Date: Tue, 14 Nov 2017 04:11:23 -0500
Subject: Re: [bitcoin-dev] Updates on Confidential Transactions efficiency
Message-ID: <20171114091123.GA29286@savin.petertodd.org>

On Tue, Nov 14, 2017 at 01:21:14AM +0000, Gregory Maxwell via bitcoin-dev wrote:
> Jump to "New things here" if you're already up to speed on CT and just
> want the big news.
> This work also allows arbitrarily complex conditions to be proven in
> the values, not just simple ranges, with proofs logarithmic in the
> size of the arithmetic circuit representing the conditions being
> proved--and still with no trusted setup. As a result it potentially
> opens up many other interesting applications as well.
>
> The pre-print on this new work is available at https://eprint.iacr.org/2017/1066

Re: section 4.6, "For cryptocurrencies, the binding property is more important
than the hiding property. An adversary that can break the binding property of
the commitment scheme or the soundness of the proof system can generate coins
out of thin air and thus create uncontrolled but undetectable inflation
rendering the currency useless.
Giving up the privacy of a transaction is much
less harmful as the sender of the transaction or the owner of an account is
harmed at worst."

I _strongly_ disagree with this statement and urge you to remove it from the
paper.

The worst-case risk of undetected inflation leading to the destruction of a
currency is an easily quantified risk: at worst any given participant loses
whatever they have invested in that currency. While unfortunate, this isn't a
unique or unexpected risk: cryptocurrencies regularly lose 50% - or even 90% -
of their value due to fickle markets alone. But cryptocurrency owners shrug
these risks off. After all, it's just money, and diversification is an easy way
to mitigate that risk.

But a privacy break? For many users _that_ threatens their very freedom,
something that's difficult to even put a price on.

Furthermore, the risk of inflation is a risk that's easily avoided: at a
personal level, sell your holdings in exchange for a less risky system; at a
system-wide level, upgrade the crypto.

But a privacy leak? Once I publish a transaction to the world, there's no easy
way to undo that act. I've committed myself to trusting the crypto
indefinitely, without even a sure knowledge of what kind of world I'll live in
ten years down the road. Sure, my donation to Planned Parenthood or the NRA
might be legal now, but will it come back to haunt me in ten years?

Fortunately, as section 4.6 goes on to note, Bulletproofs *are* perfectly
hiding. But that's a feature we should celebrate! The fact that quantum
computing may force us to give up that essential privacy is just another
example of quantum computing ruining everything, nothing more.
--
https://petertodd.org 'peter'[:-1]@petertodd.org
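Added example, not part of the original message or of the Bulletproofs paper: a toy Pedersen commitment (the commitment form used in Confidential Transactions) in Python, illustrating the two properties that section 4.6 contrasts. Hiding holds unconditionally, since every commitment opens to every value under some blinding factor, while binding holds only as long as nobody knows the discrete log of H. The parameters P, Q, G, X and all function names are constructed for illustration and are far too small for real use.

```python
# Toy Pedersen commitment over a constructed 11-bit group (illustration only).
P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup of squares mod P
G = 4      # generator of that subgroup
X = 777    # trapdoor log_G(H); in a real deployment nobody may know this value
H = pow(G, X, P)


def commit(value, blind):
    """Return C = G^value * H^blind mod P."""
    return (pow(G, value, P) * pow(H, blind, P)) % P


def consistent_openings(c):
    """Map every value in [0, Q) to the blinding factor that opens c to it.

    Uses no secret and exhausts the whole (tiny) group, so it models an
    observer with unlimited computing power. Because H generates the
    subgroup, an opening exists for every value: c alone says nothing
    about the amount (perfect hiding).
    """
    h_table = {pow(H, r, P): r for r in range(Q)}
    openings = {}
    for v in range(Q):
        target = (c * pow(G, -v, P)) % P   # H^r must equal c / G^v
        openings[v] = h_table[target]
    return openings


def equivocate(value, blind, new_value, trapdoor):
    """Blinding factor that reopens commit(value, blind) as new_value.

    Only computable with the trapdoor (the discrete log of H). This is the
    binding failure the quoted paragraph calls undetectable inflation.
    """
    return (blind + (value - new_value) * pow(trapdoor, -1, Q)) % Q


if __name__ == "__main__":
    c = commit(5, 123)
    print("values consistent with c:", len(consistent_openings(c)), "of", Q)
    r2 = equivocate(5, 123, 1000, X)
    print("same commitment reopened as 1000:", commit(1000, r2) == c)
```

A discrete-log break (the quantum scenario mentioned above) hands an attacker X and so breaks binding, but the openings table is unchanged: past commitments still reveal nothing about their amounts.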