Topic: [Education] Bitcoin Privacy and Anonymity (Read 1264 times)
Hi there! I'm coming from the recent French translation of this topic. That was a great read.
Given what happened with Wasabi, and the reactions here, I was surprised that Whirlpool wasn't brought up by anyone in this particular thread. Because I feel like it has become more or less the de-facto Coinjoin implementation. Is there a reason not to recommend it?
6. CoinJoin
[...] JoinMarket pioneered a lot of CoinJoin science (and BTW, belcher wrote an excellent & comprehensive wiki article on privacy), while Wasabi is the first wallet that implements CoinJoin in both a highly-usable and sound way. [...]
-snip- Wasabi is not our friend any more. They joined the enemy's boat.
Given what happened with Wasabi, and the reactions here, I was surprised that Whirlpool wasn't brought up by anyone in this particular thread. Because I feel like it has become more or less the de-facto Coinjoin implementation. Is there a reason not to recommend it?
to point 6 (coinjoin) from the great education, there is now also a very interesting website called: https://www.coinjoins.org/
it’s a free and open source project to learn about the privacy of collaborative Bitcoin transactions.
https://github.com/CoinjoinsOrg/coinjoins
I found information about coinjoin.org which was launched by this wasabi contributor via Twitter and I opened it at bitcoinmagazine.comit’s a free and open source project to learn about the privacy of collaborative Bitcoin transactions.
https://github.com/CoinjoinsOrg/coinjoins
since there is mention of wasabi, I dare not share.
At first glance, from what I read, the articles published on bitcoinmagazine are very good because of privacy education.
https://bitcoinmagazine.com/business/educational-project-for-private-bitcoin-transactions-coinjoins-org-has-officially-launched
to point 6 (coinjoin) from the great education, there is now also a very interesting website called: https://www.coinjoins.org/
it’s a free and open source project to learn about the privacy of collaborative Bitcoin transactions.
https://github.com/CoinjoinsOrg/coinjoins
it’s a free and open source project to learn about the privacy of collaborative Bitcoin transactions.
https://github.com/CoinjoinsOrg/coinjoins
today i translated this complete thread with the different 16 topics into german and i noticed that at the last topic [16th Circuit of Transactions] the link to the picture of the benes network is broken.
so i post here the talkimg link, so that it will be overwritten against the old one:
so i post here the talkimg link, so that it will be overwritten against the old one:
legendary
Activity: 1680
Merit: 6524
Fully-fledged Merit Cycler|Spambuster'23|Pie Baker
Even though the wasabi wallet changed from its original purpose, it did not change the history that the Wasabi wallet was a pioneer in implementing the Coinjoin concept. Theymos also said in his post, which I also quoted above: Re: CoinJoin: Bitcoin privacy for the real world.
But I agree with you when Wasabi Wallet announced this: https://blog.wasabiwallet.io/zksnacks-blacklisting-update/. I will add your note to the Wasabi wallet. I think this is fair enough for readers to judge from both sides.
But I agree with you when Wasabi Wallet announced this: https://blog.wasabiwallet.io/zksnacks-blacklisting-update/. I will add your note to the Wasabi wallet. I think this is fair enough for readers to judge from both sides.
Thank you for this update, Husna QA, and also for the fast reply! I understand your point of view: nothing from present changes the past and in the past Wasabi was a pioneer, no matter that it turn rogue now. So the part regarding this wallet being a pioneer of CoinJoin stays, as it's a part of history, and theymos congratulated them for what they were at that moment of the past. However, considering their recent moves, your new added observation is more than welcome.
The update is also reflected inside the Romanian translation of your topic.
I am arriving on this thread from Gazeta Bitcoin's translated thread of yours. I really hope there is no hate for posting in a 2020 thread. But I think this is very important. It is important to me at least.
Wasabi is not our friend any more. They joined the enemy's boat. So I think it is important to either remove them from OP or add a very prominent note about them not supporting Privacy and Anonimity any more but the opposite. This is a very disappointing move on Wasabi side and it disgusts me but it is what it is. Hasna, could you do this?
-
Regards,
PrivacyG
Even though the wasabi wallet changed from its original purpose, it did not change the history that the Wasabi wallet was a pioneer in implementing the Coinjoin concept. Theymos also said in his post, which I also quoted above: Re: CoinJoin: Bitcoin privacy for the real world.Wasabi is not our friend any more. They joined the enemy's boat. So I think it is important to either remove them from OP or add a very prominent note about them not supporting Privacy and Anonimity any more but the opposite. This is a very disappointing move on Wasabi side and it disgusts me but it is what it is. Hasna, could you do this?
-
Regards,
PrivacyG
But I agree with you when Wasabi Wallet announced this: https://blog.wasabiwallet.io/zksnacks-blacklisting-update/. I will add your note to the Wasabi wallet. I think this is fair enough for readers to judge from both sides.
I am arriving on this thread from Gazeta Bitcoin's translated thread of yours. I really hope there is no hate for posting in a 2020 thread. But I think this is very important. It is important to me at least.
Wasabi is not our friend any more. They joined the enemy's boat. So I think it is important to either remove them from OP or add a very prominent note about them not supporting Privacy and Anonimity any more but the opposite. This is a very disappointing move on Wasabi side and it disgusts me but it is what it is. Hasna, could you do this?
-
Regards,
PrivacyG
Wasabi is not our friend any more. They joined the enemy's boat. So I think it is important to either remove them from OP or add a very prominent note about them not supporting Privacy and Anonimity any more but the opposite. This is a very disappointing move on Wasabi side and it disgusts me but it is what it is. Hasna, could you do this?
-
Regards,
PrivacyG
Olivier Coutu presented Circuit of Transactions (Decentralized Mixers for Bitcoin) at the Bitcoin conference in May 2013 while Gregory Maxwell's CoinJoin was August 2013. Other much simpler concepts emerged, such as those implemented by Taaki and Martin (but the initial idea was also inseparable from the CoinJoin concept proposed by Gregory Maxwell) [6].
Huh! I had no idea that was at the conference, I would have found it pretty interesting I had been and would have mentioned it in the coinjoin post!However, my work in that space substantially pre-dates the conference e.g. https://bitcointalksearch.org/topic/i-taint-rich-raw-txn-fun-and-disrupting-taint-analysis-51kbtc-linked-139581 which included demonstrating it on the network, as well as describing how to cryptographically blind the participants from each other. And even those posts were posted as late as they were because I had to wait until the software had the necessary functionality. I believe public discussion of this kind of approach to improve privacy goes back to mid 2011.
The purpose of the coinjoin thread was just to popularize an existing concept, driven by the reasoning that because it hadn't been given a catchy name no one was thinking much about it.
France is now looking for regulation on crypto heavily & they are likely to force the crypto users to have mandatory KYC for any kind of crypto tx to track the users. This will be a challenge for the privacy seekers as BTC tx are transparent.
https://www.theblockcrypto.com/post/87001/france-crypto-rules-mandatory-kyc-crypto-to-crypto
The reasons that are often used as a reference for requiring KYC are one of them because:https://www.theblockcrypto.com/post/87001/france-crypto-rules-mandatory-kyc-crypto-to-crypto
uniswap is taken from the idea of coinswap? Well, when you convert a coin to other coin is consider as swapping. But uniswap has better way of doing it like a complete decentralize exchange. However, I am hearing bad feedback of uniswap recently.
Please focus on the discussion about Bitcoin Privacy. The discussion about Uniswap is already in the altcoins category. To discuss more it please discuss on the following board: Altcoin Discussion.
uniswap is taken from the idea of coinswap? Well, when you convert a coin to other coin is consider as swapping. But uniswap has better way of doing it like a complete decentralize exchange. However, I am hearing bad feedback of uniswap recently.
Bitcoin is more than the coin we see and the process involved in making sending and receiving it really secured is so unique, more than I can even comprehend from the information I am seeing here.
France is now looking for regulation on crypto heavily & they are likely to force the crypto users to have mandatory KYC for any kind of crypto tx to track the users. This will be a challenge for the privacy seekers as BTC tx are transparent.
https://www.theblockcrypto.com/post/87001/france-crypto-rules-mandatory-kyc-crypto-to-crypto
https://www.theblockcrypto.com/post/87001/france-crypto-rules-mandatory-kyc-crypto-to-crypto
Bitcoin has getting a point, where it can be introduce in our educational system as case of studies across the glob, and the world are moving into technology to make a life better in future. Therefore bitcoin has a big structures and enable to solved or reduced world problem by eradicate poverty..
16. Circuit of Transactions
back to table of contents
At the 2013 Bitcoin Conference in San Jose, CA [1], Olivier Coutu from the University of Montreal Canada offered a Circuit of Transactions by leveraging network theory to structure Bitcoin transactions that form complex circuits, making it more difficult to trace the identities of the parties involved [2].
There are several network concepts used in the circuit of transactions, e.g.:
- Butterfly Network [3]
- Benes Network [4].
Benes Network from Wikimedia Commons [4]
The transaction circuit will make it challenging to analyze the identity of the Bitcoin address owners involved in these transactions, thereby increasing Bitcoin's anonymity [5].
However, the underlying mathematics is complex, and so far no easily usable implementation has been created [6].
There is nothing particularly original about the protocol;
At first glance, the concept of a transaction circuit is similar to Coinjoin.
Olivier Coutu presented Circuit of Transactions (Decentralized Mixers for Bitcoin) at the Bitcoin conference in May 2013 while Gregory Maxwell's CoinJoin was August 2013. Other much simpler concepts emerged, such as those implemented by Taaki and Martin (but the initial idea was also inseparable from the CoinJoin concept proposed by Gregory Maxwell) [6].
Reference:
[1] Bitcoin 2013 conference - Olivier Coutu - Decentralized Mixers for Bitcoin
https://www.youtube.com/watch?v=6hc8qaR_Fok
[2] Olivier Coutu, Privacy in Bitcoin through decentralized mixers
https://core.ac.uk/download/pdf/151552849.pdf
[3] Martin Collier. A systematic analysis of equivalence in multistage networks. Journal of Lightwave Technology, vol. 20, No. 9, September 2002
https://pdfs.semanticscholar.org/9c3a/5530f8492dc63d200f08080ea93c2f0cd6ac.pdf
[4] https://en.wikipedia.org/wiki/Clos_network
[5] Dimaz Ankaa Wijaya, Bitcoin Tingkat Lanjut, page 60: Puspantara, 2016.
https://play.google.com/books/reader?id=EEFgDQAAQBAJ&hl=en&pg=GBS.PA60
[6] Vitalik Buterin, Trustless Bitcoin Anonymity Here at Last, 2013
https://bitcoinmagazine.com/articles/trustless-bitcoin-anonymity-here-at-last-1377737692
- Other references look at post #1
back to table of contents
At the 2013 Bitcoin Conference in San Jose, CA [1], Olivier Coutu from the University of Montreal Canada offered a Circuit of Transactions by leveraging network theory to structure Bitcoin transactions that form complex circuits, making it more difficult to trace the identities of the parties involved [2].
There are several network concepts used in the circuit of transactions, e.g.:
- Butterfly Network [3]
- Benes Network [4].
Benes Network from Wikimedia Commons [4]
The transaction circuit will make it challenging to analyze the identity of the Bitcoin address owners involved in these transactions, thereby increasing Bitcoin's anonymity [5].
However, the underlying mathematics is complex, and so far no easily usable implementation has been created [6].
There is nothing particularly original about the protocol;
At first glance, the concept of a transaction circuit is similar to Coinjoin.
Olivier Coutu presented Circuit of Transactions (Decentralized Mixers for Bitcoin) at the Bitcoin conference in May 2013 while Gregory Maxwell's CoinJoin was August 2013. Other much simpler concepts emerged, such as those implemented by Taaki and Martin (but the initial idea was also inseparable from the CoinJoin concept proposed by Gregory Maxwell) [6].
Reference:
[1] Bitcoin 2013 conference - Olivier Coutu - Decentralized Mixers for Bitcoin
https://www.youtube.com/watch?v=6hc8qaR_Fok
[2] Olivier Coutu, Privacy in Bitcoin through decentralized mixers
https://core.ac.uk/download/pdf/151552849.pdf
[3] Martin Collier. A systematic analysis of equivalence in multistage networks. Journal of Lightwave Technology, vol. 20, No. 9, September 2002
https://pdfs.semanticscholar.org/9c3a/5530f8492dc63d200f08080ea93c2f0cd6ac.pdf
[4] https://en.wikipedia.org/wiki/Clos_network
[5] Dimaz Ankaa Wijaya, Bitcoin Tingkat Lanjut, page 60: Puspantara, 2016.
https://play.google.com/books/reader?id=EEFgDQAAQBAJ&hl=en&pg=GBS.PA60
[6] Vitalik Buterin, Trustless Bitcoin Anonymity Here at Last, 2013
https://bitcoinmagazine.com/articles/trustless-bitcoin-anonymity-here-at-last-1377737692
- Other references look at post #1
15. Coin Control
back to table of contents
Coin control feature allows you to control how you spend the coins in your HD wallet. You can choose what addresses will be the ones sending the coins and which of the coins you have received will be used.
When you send bitcoins to someone else, the bitcoin client chooses kinda randomly which of your addresses will send the coins. With coin control, you can exactly choose. More specific is which of your unspent outputs will be the sending inputs.
Image below how to enable coin control on Bitcoin core wallet
Settings > Options > Wallet > (tick) Enable coin control features.
And image below show how you spending (I am using Electrum Wallet - Bitcoin testnet for example)
How to use?
1. Click Address tab
2. Choose what address you want to spend
3. Right-click and choose spend from
The image showed, your coin control is actived.
this is Example transaction using coin control
Transaction I made look like this:[/b] https://live.blockcypher.com/btc-testnet/tx/dcfd79703dc27b32b636d10dd037e5ea53055641cbe18c558b6d89a81ccaef09/ (* don't expose tx id if you want privacy)
Source:
[1]. https://medium.com/@nopara73/coin-control-is-must-learn-if-you-care-about-your-privacy-in-bitcoin-33b9a5f224a2
[2]. https://bitcoin.stackexchange.com/questions/37486/what-does-bitcoin-cores-coin-control-features-do-and-how-do-i-use-it
[3]. https://cryptomining-blog.com/tag/what-is-coin-control/
back to table of contents
Coin control feature allows you to control how you spend the coins in your HD wallet. You can choose what addresses will be the ones sending the coins and which of the coins you have received will be used.
When you send bitcoins to someone else, the bitcoin client chooses kinda randomly which of your addresses will send the coins. With coin control, you can exactly choose. More specific is which of your unspent outputs will be the sending inputs.
Image below how to enable coin control on Bitcoin core wallet
Settings > Options > Wallet > (tick) Enable coin control features.
And image below show how you spending (I am using Electrum Wallet - Bitcoin testnet for example)
How to use?
1. Click Address tab
2. Choose what address you want to spend
3. Right-click and choose spend from
The image showed, your coin control is actived.
this is Example transaction using coin control
Transaction I made look like this:[/b] https://live.blockcypher.com/btc-testnet/tx/dcfd79703dc27b32b636d10dd037e5ea53055641cbe18c558b6d89a81ccaef09/ (* don't expose tx id if you want privacy)
Source:
[1]. https://medium.com/@nopara73/coin-control-is-must-learn-if-you-care-about-your-privacy-in-bitcoin-33b9a5f224a2
[2]. https://bitcoin.stackexchange.com/questions/37486/what-does-bitcoin-cores-coin-control-features-do-and-how-do-i-use-it
[3]. https://cryptomining-blog.com/tag/what-is-coin-control/
13. Taproot
-snip-
Thank you for your contribution.-snip-
14. Bitcoin Anonymity Analysis
back to table of contents
There are several characteristics of Bitcoin that use as the basis for Bitcoin transaction analysis and the analysis of the identity of the owner of a Bitcoin address. Analysts can dig up information through the Bitcoin blockchain that is open and accessible to anyone. Moreover, additional information can be extracted by analysts to simplify their work.
Disseminating Bitcoin address information is naturally a common thing to receive payments and donations. But analysts can directly link the Bitcoin address with the real identity of the owner of the address. Transactions related to this address also have a privacy risk-the owner of the Bitcoin address and those who deal with that address.
The characteristics of Bitcoin address information that can be collected on the internet are analyzed in research [1]. Researchers collect Bitcoin address information from stores that publish their Bitcoin addresses. After that, they grouped the address according to the geographical location of the shops. Of course, this can be concluded that customers who transact with Bitcoin addresses are in the same geographic area as these stores.
The researchers suggest providing a new address for each transaction with new customers to reduce the possibility of analysis as above and to protect customer privacy a little better.
Bitcoin users who display their Bitcoin addresses on sites, forums, and social media are also the target of analysis, including Wikileaks donation addresses [2]. The research succeeded in opening relations to Bitcoin transactions in a network graph.
Source: An Analysis of Anonymity in the Bitcoin System [2]
A Bitcoin wallet can have more than 1 Bitcoin address that manages these addresses for users. If the user tries to make a transaction that requires funds in an amount that exceeds the funds in 1 address, the wallet will automatically create a transaction with more than 1 (plural) input amounts. This concept is used by analysts with address clustering techniques and associating them with the same owner's identity.
This characteristic is exploited in research by doing clustering techniques [3]. This technique is done by collecting transactions with multiple inputs and identifying the owners of these addresses. Other research with a broader reach is also carried out using quantitative analysis to determine the general characteristics of bitcoin transactions that have occurred [4].
A change address is a Bitcoin address that is owned by the sender of Bitcoin to receive the difference between the money held in an address and the money paid. It is a common practice in Bitcoin transactions. With this practice, it can be said that the sender of Bitcoin owns the return address in a transaction. The return address is also used in clustering techniques [3], and the same owner owns identification as the address as of the plural input addresses.
The amount of Bitcoin that is in a Bitcoin transaction can be a starting point for Bitcoin analysts. For example, someone who makes a payment in a specific amount (for example, with a significant value), then someone else can guess who made a transaction with that particular value without having to do a more in-depth analysis.
Reference:
[1] E. Androulaki, G.O. Karame, M. Roeschlin,. T. Scherer, and S. Capkun,
"Evaluating user privacy in bitcoin," in Financial Crytography and Data Security, ed: Springer, 2013, pp. 34-51
https://link.springer.com/chapter/10.1007/978-3-642-39884-1_4
[2] F. Reid and M. Harrigan, An analysis of anonymity in the bitcoin system: Springer, 2013.
https://users.encs.concordia.ca/~clark/biblio/bitcoin/Reid%202011.pdf
[3] S. Meiklejohn, M. Pomarole, G. Jordan, K. Levchenko, D. McCoy, G.M. Voelker, et al.,
"A Fistful of Bitcoins: Characterizing Payment Among Men with No Names," USENIX; Login:, 2013.
https://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf
[4] D. Ron and A. Shamir, "Quantitative analysis of the full bitcoin transaction graph,
"in Financial Cryptography and Data Security, ed: Springer, 2013, pp 6-24.
https://link.springer.com/chapter/10.1007%2F978-3-642-39884-1_2
- Dimaz A.W. & Oscar D., Blockchain dari Bitcoin untuk Dunia, pages 110-111: Jasakom, 2017.
[email protected] ; @kriptologi
- Other references look at post #1
13. Taproot
back to table of contents
the origins of the Taproot idea are from an email from Bitcoin developer Gregory Maxwell in January 2018 then continue by Pieter Wuille.
"What is taproot? Trying to make all output scripts and most spends indistinguishable," said Pieter Wuille. Taproot aims to improve privacy, efficiency, and flexibility of Bitcoin's scripting capabilities without adding new security assumptions.
Instead of having separate concepts for pay-to-pubkey and pay-to-script-hash, combine them into one and make every output both. Every output will be spendable on one key and zero or more scripts. then going to make it in such a way that spending with just a public key will be super-efficient: it will only require a single signature on-chain.
Taproot + Schnoor
Taproot is a scheme for signing transaction scripts. with Schnorr Signatures, through the Muti signature scheme, enable key aggregation.
Source:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-January/015614.html
https://en.wikipedia.org/wiki/Merkle_tree
https://github.com/sipa/bips/blob/bip-schnorr/bip-taproot.mediawiki
https://cryptonews.com/news/bitcoin-a-step-closer-to-taproot-the-biggest-upgrade-since-s-5618.htm
http://www.altnews.nu/taproot-the-new-update-that-will-revolutionize-the-bitcoin-blockchain/
https://en.bitcoin.it/wiki/Script
https://blog.bitmex.com/the-schnorr-signature-taproot-softfork-proposal/
https://www.bitcoinmedia.id/11-tahun-bitcoin-saatnya-privasi-bitcoin-dengan-taproot-dan-schnorr/
https://bitcoinist.com/schnorr-taproot-soft-fork-promises-big-things-for-bitcoin/
https://diyhpl.us/wiki/transcripts/sf-bitcoin-meetup/2019-12-16-bip-taproot-bip-tapscript/
back to table of contents
the origins of the Taproot idea are from an email from Bitcoin developer Gregory Maxwell in January 2018 then continue by Pieter Wuille.
"What is taproot? Trying to make all output scripts and most spends indistinguishable," said Pieter Wuille. Taproot aims to improve privacy, efficiency, and flexibility of Bitcoin's scripting capabilities without adding new security assumptions.
Instead of having separate concepts for pay-to-pubkey and pay-to-script-hash, combine them into one and make every output both. Every output will be spendable on one key and zero or more scripts. then going to make it in such a way that spending with just a public key will be super-efficient: it will only require a single signature on-chain.
Taproot + Schnoor
Taproot is a scheme for signing transaction scripts. with Schnorr Signatures, through the Muti signature scheme, enable key aggregation.
Source:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-January/015614.html
https://en.wikipedia.org/wiki/Merkle_tree
https://github.com/sipa/bips/blob/bip-schnorr/bip-taproot.mediawiki
https://cryptonews.com/news/bitcoin-a-step-closer-to-taproot-the-biggest-upgrade-since-s-5618.htm
http://www.altnews.nu/taproot-the-new-update-that-will-revolutionize-the-bitcoin-blockchain/
https://en.bitcoin.it/wiki/Script
https://blog.bitmex.com/the-schnorr-signature-taproot-softfork-proposal/
https://www.bitcoinmedia.id/11-tahun-bitcoin-saatnya-privasi-bitcoin-dengan-taproot-dan-schnorr/
https://bitcoinist.com/schnorr-taproot-soft-fork-promises-big-things-for-bitcoin/
https://diyhpl.us/wiki/transcripts/sf-bitcoin-meetup/2019-12-16-bip-taproot-bip-tapscript/
12. MAST (Merklized Abstract Syntax Tree)
back to table of contents
Merklized Abstract Syntax Trees (MAST) is an additional proposal proposed in the Bitcoin protocol that enables the implementation of the following:
- Smaller deal size
- More privacy
- Larger Smart contract.
Issue: Script data not used.
- Satoshi Nakamoto gives Bitcoin a feature that allows users to write programs (called scripts) that can be used as dynamic public keys and signatures.
- When you specify a script - which is the default of every wallet - Consensus on the Bitcoin Protocol will not allow anyone to spend on your bitcoin until a predetermined script justifies the process.
- Currently, all scripts must be written on the Blockchain (as a whole).
The origin of MAST
The idea of MAST comes from two pre-existing concepts, namely Abstract Syntax Trees (AST) and Merkle Trees.
- AST - is a way to describe a program by dividing it into separate parts so that it is easier to analyze and also optimize the functions of each.
- Merkle Tree - allows a node to copy some information without having to copy all transactions.
Example of Abstract Syntax Tree
Example of Merkle Tree
Example of MAST
Allice can use up BTC (left picture), or after three months, Bob and Charlie can spend BTC (right image) - you only need to save completely from encumbrance (Merkle root) to get all the subscripts.
Benefits of Implementing MAST
1. Smaller transactions
You can add as many subscripts as you want.
2. More privacy
The benefits of this MAST are likely to work more optimally in improvising privacy when combined with other methods such as generalized threshold trees (Pieter Wuille’s & Gregory Maxwell), scriptless scripts (Andrew Poelstra) and discrete log contracts (Thaddeus Dryja).
3. Larger Smart Contract
Bitcoin has three different byte sizes that apply to each script depending on the development of the encumbrance.
With MAST, you cannot exceed the limit of bytes
Ten thousand bytes limit for empty scripts, 520 bytes limit for P2SH, and 10,000 bytes limit for SegWit.
Reference:
- https://github.com/jl2012/bips/blob/mast/bip-mast.mediawiki
- https://github.com/bitcoin/bips/blob/master/bip-0114.mediawiki
- http://www.mit.edu/~jlrubin/public/pdfs/858report.pdf
- https://bitcointechtalk.com/what-is-a-bitcoin-merklized-abstract-syntax-tree-mast-33fdf2da5e2f
- https://www.youtube.com/watch?v=Phn_Im2K_PY
- https://bitcoinops.org/en/topics/mast/
- https://themoneymongers.com/merkelized-abstract-syntax-tree-mast/
- https://diyhpl.us/wiki/transcripts/bitcoin-core-dev-tech/2017-09-07-merkleized-abstract-syntax-trees/
- Bitcoin Developer Guide - https://bitcoin.org/en/developer-guide#transaction-data (D.A. Harding - 2015, 12 Januari 2016)
https://bitcoin.org/en/glossary/simplified-payment-verification
- Other references look at post #1
back to table of contents
Merklized Abstract Syntax Trees (MAST) is an additional proposal proposed in the Bitcoin protocol that enables the implementation of the following:
- Smaller deal size
- More privacy
- Larger Smart contract.
Issue: Script data not used.
- Satoshi Nakamoto gives Bitcoin a feature that allows users to write programs (called scripts) that can be used as dynamic public keys and signatures.
- When you specify a script - which is the default of every wallet - Consensus on the Bitcoin Protocol will not allow anyone to spend on your bitcoin until a predetermined script justifies the process.
- Currently, all scripts must be written on the Blockchain (as a whole).
The origin of MAST
The idea of MAST comes from two pre-existing concepts, namely Abstract Syntax Trees (AST) and Merkle Trees.
- AST - is a way to describe a program by dividing it into separate parts so that it is easier to analyze and also optimize the functions of each.
- Merkle Tree - allows a node to copy some information without having to copy all transactions.
-snip-
Images of Merkle Tree
There are advantages to using the Merkle tree in terms of verifying a block.
For example, in the Merkle tree structure in the picture above, to verify transaction D, a node does not need to copy all transactions A, B, C, D, and E, but enough to copy C, AB, and EEEE information to produce the Merkle root. It has led to the emergence of nodes that do not have a complete copy of the blockchain, which is then called simplified payment verification (SPV).
Reference: Bitcoin Developer Guide - https://bitcoin.org/en/developer-guide#transaction-data (D.A. Harding - 2015, 12 Januari 2016) - https://bitcoin.org/en/glossary/simplified-payment-verification.
Images of Merkle Tree
There are advantages to using the Merkle tree in terms of verifying a block.
For example, in the Merkle tree structure in the picture above, to verify transaction D, a node does not need to copy all transactions A, B, C, D, and E, but enough to copy C, AB, and EEEE information to produce the Merkle root. It has led to the emergence of nodes that do not have a complete copy of the blockchain, which is then called simplified payment verification (SPV).
Reference: Bitcoin Developer Guide - https://bitcoin.org/en/developer-guide#transaction-data (D.A. Harding - 2015, 12 Januari 2016) - https://bitcoin.org/en/glossary/simplified-payment-verification.
Example of Abstract Syntax Tree
Example of Merkle Tree
Example of MAST
Allice can use up BTC (left picture), or after three months, Bob and Charlie can spend BTC (right image) - you only need to save completely from encumbrance (Merkle root) to get all the subscripts.
Benefits of Implementing MAST
1. Smaller transactions
You can add as many subscripts as you want.
2. More privacy
The benefits of this MAST are likely to work more optimally in improvising privacy when combined with other methods such as generalized threshold trees (Pieter Wuille’s & Gregory Maxwell), scriptless scripts (Andrew Poelstra) and discrete log contracts (Thaddeus Dryja).
3. Larger Smart Contract
Bitcoin has three different byte sizes that apply to each script depending on the development of the encumbrance.
With MAST, you cannot exceed the limit of bytes
Ten thousand bytes limit for empty scripts, 520 bytes limit for P2SH, and 10,000 bytes limit for SegWit.
Reference:
- https://github.com/jl2012/bips/blob/mast/bip-mast.mediawiki
- https://github.com/bitcoin/bips/blob/master/bip-0114.mediawiki
- http://www.mit.edu/~jlrubin/public/pdfs/858report.pdf
- https://bitcointechtalk.com/what-is-a-bitcoin-merklized-abstract-syntax-tree-mast-33fdf2da5e2f
- https://www.youtube.com/watch?v=Phn_Im2K_PY
- https://bitcoinops.org/en/topics/mast/
- https://themoneymongers.com/merkelized-abstract-syntax-tree-mast/
- https://diyhpl.us/wiki/transcripts/bitcoin-core-dev-tech/2017-09-07-merkleized-abstract-syntax-trees/
- Bitcoin Developer Guide - https://bitcoin.org/en/developer-guide#transaction-data (D.A. Harding - 2015, 12 Januari 2016)
https://bitcoin.org/en/glossary/simplified-payment-verification
- Other references look at post #1
11. Schnorr Signature
back to table of contents
Schnorr signature is a signature scheme: a set of mathematical rules that connect private key, public key and signature.
Claus-Peter Schnorr invented this digital signature scheme, but it was not originally intended for crypto technology.
Schnorr is an alternative algorithm as a digital signature with several advantages.
Currently, Bitcoin uses the ECDSA (Elliptic Curve Digital Signature Algorithm) algorithm to generate cryptographic signatures to send/deliver secp256k1 messages and keypair.
The main reason that Bitcoin did not initially use the Schnorr signature is that Schnorr is not standardized, and is not available on crypto libraries in general.
Many cryptographers consider Schnorr signatures to be the best in their field because schnorr offers a right level of accuracy, is relatively fast in terms of verification, and most importantly, schnorr supports multi-signature. In essence, several signatures can be combined into one new signature.
Previously, schnorr was not possible to use in the bitcoin protocol. Other signature schemes, ECDSA was included in the Bitcoin protocol, so to change it requires a hard fork.
But with SegWit (Segregated Witness), all-digital signature data is moved into a separate part of the transaction: Witness is not integrated into the old Bitcoin protocol. Almost all of the rules applied to Witness can be changed through soft forks, including the scheme used in signatures.
Capacity
The most beneficial part of schnorr is the aggregation of multi signatures.
Many Bitcoin transactions include multiple inputs. All of these inputs require separate signatures, which means that all of these signatures must be entered into the transaction, all must be sent over the network, and all must include in the block.
But with Schnorr, all inputs require only one combined signature that represents all these different signatures.
Schnorr can provide the option to transact with a simple multi-user scheme.
It is one of the advantages offered by Schnorr. Because only one signature must be entered into a transaction, only one must be sent over the network, and only one must be entered in the block. It means there is more room for transactions.
The exact amount of additional space depends on the type of transaction included in the block. But rough estimates by Eric Lombrozo (Bitcoin Core Developer) show that the Schnorr signature can eventually increase the total capacity by 40 percent or more and that is an additional 60 to 100 percent previously offered by Segregated Witness.
Multisig
Capacity building, as described above, applies to regular transactions, because many transactions include more than one input. But the benefits can be more significant in terms of multisig transactions-transactions where a single data itself requires multiple signatures (usually from different people).
Size of the Bitcoin blockchain with and without multi-signatures.
Source: https://eprint.iacr.org/2018/068.pdf
Privacy
As mentioned earlier, one transaction can include many inputs. In general, this input refers to addresses that are all controlled by the same person.
But the privacy-enhancing trick discovered by Gregory Maxwell (developer of Bitcoin Core), CoinJoin, allows different users to combine all of their transactions into one transaction. That one transaction will include several inputs from various payers, which send money to several outputs, belonging to different payees.
Note: discussion about Coinjoin can be seen in the topic Bitcoin Privacy and Anonymity, point 6. CoinJoin.
If done correctly, CoinJoin is a great way to increase privacy in the Bitcoin protocol, because it is not clear which inputs are paid, which outputs are correct.
CoinJoin is not a new concept. But until now CoinJoin is usually a bit of a hassle. Because of this, most people don't care.
But the Schnorr signature can add new advantages to CoinJoin. It allows all participants in CoinJoin transactions to not only combine their transactions but also to combine their signatures. And doing so means that the actual transaction size will be smaller than all the individual transactions combined. Which, in turn, means the miner will usually charge a lower fee for processing the transaction.
Using the Schnorr signature scheme on CoinJoin will not only increase privacy but also - importantly - can reduce costs for everyone involved in the transaction.
Reference:
- Gregory Maxwell, Andrew Poelstra, Yannick Seurin, & Pieter Wuille, Simple Schnorr Multi-Signatureswith Applications to Bitcoin, https://eprint.iacr.org/2018/068.pdf
- Schnorr, https://en.bitcoin.it/wiki/Schnorr
- Schnorr signature, https://en.wikipedia.org/wiki/Schnorr_signature
- Aaron van Wirdum, The Power of Schnorr: The Signature Algorithm to Increase Bitcoin’s Scale and Privacy,
https://bitcoinmagazine.com/articles/the-power-of-schnorr-the-signature-algorithm-to-increase-bitcoin-s-scale-and-privacy-1460642496
- Alyssa Hertig, Schnorr Is Looking Poised to Become Bitcoin’s Biggest Change Since SegWit,
https://www.coindesk.com/schnorr-is-looking-poised-to-become-bitcoins-biggest-change-since-segwit
- René Pickhardt, Introduction to Schnorr Signatures for Bitcoin & Lightning Network. Schnorr Signature Tutorial Part1,
https://www.youtube.com/watch?v=n5aompcR9W0
- René Pickhardt, MuSig - Multisignature Addresses in Bitcoin. Schnorr Signature Tutorial Part 2,
https://www.youtube.com/watch?v=4v4G8Vtr3Bk
- René Pickhardt, Introduction to Adaptor Signatures via Schnorr Signatures - Schnorr Signature Tutorial Part 3,
https://www.youtube.com/watch?v=a8Pdpz_Jzok
- Yodik Prastya, Bitcoin Cash Upgrade Fitur Pemulihan Dan Keamanan, https://www.seputarforex.com/berita/bitcoin-cash-upgrade-fitur-pemulihan-dan-keamanan-288550-15
- Privacy, https://en.bitcoin.it/wiki/Privacy
- Other references look at post #1
back to table of contents
Schnorr signature is a signature scheme: a set of mathematical rules that connect private key, public key and signature.
Claus-Peter Schnorr invented this digital signature scheme, but it was not originally intended for crypto technology.
Schnorr is an alternative algorithm as a digital signature with several advantages.
Currently, Bitcoin uses the ECDSA (Elliptic Curve Digital Signature Algorithm) algorithm to generate cryptographic signatures to send/deliver secp256k1 messages and keypair.
The main reason that Bitcoin did not initially use the Schnorr signature is that Schnorr is not standardized, and is not available on crypto libraries in general.
Many cryptographers consider Schnorr signatures to be the best in their field because schnorr offers a right level of accuracy, is relatively fast in terms of verification, and most importantly, schnorr supports multi-signature. In essence, several signatures can be combined into one new signature.
Previously, schnorr was not possible to use in the bitcoin protocol. Other signature schemes, ECDSA was included in the Bitcoin protocol, so to change it requires a hard fork.
But with SegWit (Segregated Witness), all-digital signature data is moved into a separate part of the transaction: Witness is not integrated into the old Bitcoin protocol. Almost all of the rules applied to Witness can be changed through soft forks, including the scheme used in signatures.
Capacity
The most beneficial part of schnorr is the aggregation of multi signatures.
Many Bitcoin transactions include multiple inputs. All of these inputs require separate signatures, which means that all of these signatures must be entered into the transaction, all must be sent over the network, and all must include in the block.
But with Schnorr, all inputs require only one combined signature that represents all these different signatures.
Schnorr can provide the option to transact with a simple multi-user scheme.
It is one of the advantages offered by Schnorr. Because only one signature must be entered into a transaction, only one must be sent over the network, and only one must be entered in the block. It means there is more room for transactions.
The exact amount of additional space depends on the type of transaction included in the block. But rough estimates by Eric Lombrozo (Bitcoin Core Developer) show that the Schnorr signature can eventually increase the total capacity by 40 percent or more and that is an additional 60 to 100 percent previously offered by Segregated Witness.
Multisig
Capacity building, as described above, applies to regular transactions, because many transactions include more than one input. But the benefits can be more significant in terms of multisig transactions-transactions where a single data itself requires multiple signatures (usually from different people).
Size of the Bitcoin blockchain with and without multi-signatures.
Source: https://eprint.iacr.org/2018/068.pdf
Privacy
As mentioned earlier, one transaction can include many inputs. In general, this input refers to addresses that are all controlled by the same person.
But the privacy-enhancing trick discovered by Gregory Maxwell (developer of Bitcoin Core), CoinJoin, allows different users to combine all of their transactions into one transaction. That one transaction will include several inputs from various payers, which send money to several outputs, belonging to different payees.
Note: discussion about Coinjoin can be seen in the topic Bitcoin Privacy and Anonymity, point 6. CoinJoin.
If done correctly, CoinJoin is a great way to increase privacy in the Bitcoin protocol, because it is not clear which inputs are paid, which outputs are correct.
CoinJoin is not a new concept. But until now CoinJoin is usually a bit of a hassle. Because of this, most people don't care.
But the Schnorr signature can add new advantages to CoinJoin. It allows all participants in CoinJoin transactions to not only combine their transactions but also to combine their signatures. And doing so means that the actual transaction size will be smaller than all the individual transactions combined. Which, in turn, means the miner will usually charge a lower fee for processing the transaction.
Using the Schnorr signature scheme on CoinJoin will not only increase privacy but also - importantly - can reduce costs for everyone involved in the transaction.
Reference:
- Gregory Maxwell, Andrew Poelstra, Yannick Seurin, & Pieter Wuille, Simple Schnorr Multi-Signatureswith Applications to Bitcoin, https://eprint.iacr.org/2018/068.pdf
- Schnorr, https://en.bitcoin.it/wiki/Schnorr
- Schnorr signature, https://en.wikipedia.org/wiki/Schnorr_signature
- Aaron van Wirdum, The Power of Schnorr: The Signature Algorithm to Increase Bitcoin’s Scale and Privacy,
https://bitcoinmagazine.com/articles/the-power-of-schnorr-the-signature-algorithm-to-increase-bitcoin-s-scale-and-privacy-1460642496
- Alyssa Hertig, Schnorr Is Looking Poised to Become Bitcoin’s Biggest Change Since SegWit,
https://www.coindesk.com/schnorr-is-looking-poised-to-become-bitcoins-biggest-change-since-segwit
- René Pickhardt, Introduction to Schnorr Signatures for Bitcoin & Lightning Network. Schnorr Signature Tutorial Part1,
https://www.youtube.com/watch?v=n5aompcR9W0
- René Pickhardt, MuSig - Multisignature Addresses in Bitcoin. Schnorr Signature Tutorial Part 2,
https://www.youtube.com/watch?v=4v4G8Vtr3Bk
- René Pickhardt, Introduction to Adaptor Signatures via Schnorr Signatures - Schnorr Signature Tutorial Part 3,
https://www.youtube.com/watch?v=a8Pdpz_Jzok
- Yodik Prastya, Bitcoin Cash Upgrade Fitur Pemulihan Dan Keamanan, https://www.seputarforex.com/berita/bitcoin-cash-upgrade-fitur-pemulihan-dan-keamanan-288550-15
- Privacy, https://en.bitcoin.it/wiki/Privacy
- Other references look at post #1
Jump to: