Date: Tue, 16 Mar 2021 15:15:21 +0000
From: Andrew Poelstra
To: Andrea, Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Provisions (was: PSA: Taproot loss of quantum protections)

On Tue, Mar 16, 2021 at 03:10:21PM +0100, Andrea via bitcoin-dev wrote:
>
> Hi! Sorry for the OT, could you provide some references to ring signatures
> over/for/via taproot (I mean the schema or something like that)? And what is
> "Provisions" (the capital letter makes me think it's a product/technology)?
> I'm a rookie following this mailing since just a few months...
> Thanks for posting such a positive message in an otherwise tense thread :)

Provisions is a scheme for providing proof of ownership of funds, developed
by Dagher et al in 2015 at https://eprint.iacr.org/2015/1008 . The way it
works is to collect all of the Bitcoin outputs which have exposed/known
public keys then associate to these keys a Pedersen commitment which commits
to the outputs' amounts in a homomorphic way. Homomorphic means that even
though the commitments hide what the original amounts are, anyone can add
them together (in some sense) to get a new commitment to the sum of the
original amounts.

So Provisions is essentially a zero-knowledge proof of the following statement

1. I have a commitment to >100BTC (or whatever)...
2. ...which is a sum of commitments of actual UTXO values...
3. ...where these UTXOs come from the set of known-public-key UTXOs...
4. ...and I am able to sign with the public keys associated to them.

which proves ownership of some amount of BTC, without revealing which specific
UTXOs were involved. This zero-knowledge proof can be done fairly efficiently
by exploiting the structure of EC public keys and Pedersen commitments.

Unfortunately, most unspent Bitcoin outputs do not have known public keys,
which means that you can only do a Provisions proof using a small anonymity
set. However, all Taproot outputs, by virtue of having exposed public keys
(which is the point under contention in this thread), will be in the set of
exposed-public-key UTXOs, allowing people to do Provisions proofs where their
anonymity set consists of a large proportion of active coins.

BTW, even without Provisions, there are some similar and simpler things you
can do with Taproot keys along these lines. See for example
https://twitter.com/n1ckler/status/1334240709814136833

--
Andrew Poelstra
Director of Research, Blockstream
Email: apoelstra at wpsoftware.net
Web: https://www.wpsoftware.net/andrew

The sun is always shining in space
    -Justin Lewis-Webster