Topic: Hiding entire content of on-chain transactions (Read 7086 times)

The recipient receives the entire history of the coin and can verify that it is valid, as well as verify that the payload does hash to the correct value.

this only works if the payload hash stays the same for each anonymous partner does it not? Otherwise, it would just be a chain of nonsense hashes that could claim to contain anything. A user could collude with themselves and spread fake funds over many accounts with data that is apparently okay as the new recipient can't confirm or deny the validity of previous transactions. It doesn't seem like it would be easy to hide data because the spending transaction needs to get change as well which would have to be public to know quantity.

If the payload hash is always the same i guess it makes sense however it would not allow coins to be subdivided would it not be similar to minting a coin? Also when the data becomes non-private it would be easy to expose everyone involved.

and how can you get fungibility with this ?

Hashing is so coool.. 

Confidential Hash Based TXN Chains does something similar..

https://bitcointalksearch.org/topic/hash-based-confidential-txn-chains-1298588

It only hashes the values.. not the whole TXN, BUT does not need to grow indefinitely (pruneable).

make sense the theory. I am excited to see a life real world test if its working. I am pretty sure there will be some flows to be corrected. Simple solutions are almost never working in complex systems.

I think you are missing that both hashes that represent the private transaction are already enclosed into a regular public transaction that is signed as usual:

private_transaction: {
  regular_public_inputs: [...],
  regular_public_outputs: [...],
  hash_of_private_payload: ".....",
  spend_proof: "....",
  signature_of_all_the_above: "...."
}

The bolded part is what makes a private transaction different from a regular one.  It is covered by the signature and we know who signed it.

Still seems unlikely that it is possible, but if you find a way, I'll be glad to know.

Well, then I missed something, exactly for the attack I previously mentioned, and your answer.  If the "spend proof" is just a hash which everybody can calculate, then my earlier proposed attack is valid.  Your mentioning of "it can only be send from the right owner", in this language, means a cryptographic *signature* (that's what "send" means here).  Otherwise, if I pay you, I KNOW the transaction and hence the output that you are going to spend, and I CAN calculate the hash of that and post it on the block chain.  If, however, this is not a hash, but a signature with *your private key* (corresponding to the address I'm sending it to), then I cannot post this signature as I know your address, but I don't know your private key.

I see it this way:

The private coin file consists of:
(signature of proof of burn of bitcoin with bitcoin private key that burned it ; transaction containing Joe's address ; transaction containing Jack's address signed with Joe's secret key ; transaction containing Alice's address, signed with Jack's secret key ; ... transaction containing MY address ; transaction containing YOUR address signed with MY key)

On the public block chain, there is the actual burning of the bitcoin  ; .... there must be a spend proof SIGNED BY JOE of of the transaction to Joe so that Jack can verify the spending, but that ONLY JOE can produce.  There must be the hash of the transaction from Jack to Joe.

But now, the spend proof by Jack must be signed with Jack's private key, or otherwise, JOE CAN POST THIS TOO.  However, only Jack can SIGN it.  Alice can verify it, because she has Jack's public key (his address) ; Joe can verify this too, but he doesn't care.  But ONLY JACK MUST BE ABLE TO PRODUCE THE SPEND PROOF.  As such, everybody that Jack would like to take with a double-spend can verify that it was spend (as all of them get the file, and get his public key, and can verify the signature on the block of the previous transaction Joe->Jack).  

A hash is good enough for the new transaction, as this only needs to render the transaction that goes with the spending unique.  
But a hash is not good enough for the spend proof, because otherwise, the previous owner can post it too (with a fake hash of a transaction, rendering the coin unspendable).


The thing is, one could think of a cryptographic way to redeem the bitcoin, instead of burning it, style Lightning network, so that in the end, only one transaction needs to be broadcast, to the final owner.  I don't know exactly how to do this, but it must be possible in some way.

No, spend proof and burning transaction are not the same.  Burning transaction happens only once to convert bitcoins to BBC, while spend proof is sent with every subsequent transfer of the private currency.


Wow, you made a good job of explaining the concept in a clearer way!  Anyone who didn't understand the OP should jump here and read your post.  Except for one correction: in the below paragraph, where you say "signature" you are actually referring to "hash" rather than a cryptographic signature.

We are talking about two similar but distinct designs here:
1) BBC proposed in the OP is a parasite on top of the bitcoin blockchain.  It was never implemented.
2) Blackbytes in Byteball, the coin I launched earlier this week https://bitcointalksearch.org/topic/obyte-totally-new-consensus-algorithm-private-untraceable-payments-1608859, there is no mining at all, the coin is in testnet phase, and you can already play with blackbytes.

You can't redeem BBC back to bitcoin.  "Unburning" would mean dumping the entire history of the coin to the public, which is clearly against its purpose.  But you can exchange it.

As far as I understood it, no.  The public block chain only contains hashes of transactions that are never made public themselves on the chain, but are simply transmitted as a file from payer to payee as a growing individual private chain.  But if you're not in the list of payer-payee along a coin, you normally never get to see this list.  Only nonsense-like hashes from pieces of this growing chain are publicly published on the common block chain.
These hashes are meaningless, and cannot be verified, by people apart from those having access to the private file that is only transmitted from payer to payee.  Once you've given out the file, as payer, to a payee, you can't understand the future of that file either.

Of course, nothing stops a future payee to publish somewhere, say, on a bulletin board, the whole file he got up to that point, which would render the entire history of that particular coin public and would make the relevant hashes on the block chain verifiable.  But then, as it is a single list, the pseudonymous addresses occurring there - as far as one uses unique addresses - cannot be linked to any identity elsewhere either.  In the case of a linear list, pseudonymity is in fact anonymity.

In short, you delay the moment when transaction data are published but they are still published, right?

I would agree with you that in a free society, having payments "in the open" is better than allowing for secrecy.  However, we do not live in a free society: there are states everywhere.  States are criminal syndicates that have the monopoly of violence over a territory, and their prime action is to extort people of their production of value, mostly to use that extorted value to buy them more power of violence and extortion.  In most countries, this extortion amounts to grossly half of the value that is created by the people.   You cannot allow to have a new system of payment that is transparent, as this would kill all hopes to hide it from the state syndicate.

Ah, essentially, you mean that the spend proof is in fact nothing else but a "burning transaction".

Ok, it took some time to start understanding it, but I'm starting to see now what you mean (I think).

Correct me if I'm wrong.  The problem that Satoshi faced was to
1) avoid double spending, and for that, it is necessary to have a common, distributed ledger of spending proofs and
2) prove that you have an "original" coin, and not a newly invented one
and the way that Satoshi proposed to solve this was to put *the entire transaction* on the common ledger: you can see when the previous spend happened, and you can trace back each coin to its legit creation.

Indeed is there no way to "transmit a file" where the file is the money, like a bank note, because files can be copied.

What you propose, essentially, is to go back partially to "files are bank notes", and these files are individual transaction histories of the coin.  On the common ledger only needs to be registered the hash of a spending signature.  The "bank note file" itself needs to carry a proof of legit creation (in your proposal, a burning of bitcoin).

That is indeed not a bad idea !   It is of course not very private, in the sense that each individual "bank note" carries with it its entire spending history, but on the other hand, only the people receiving it get that file (and not the entire planet), and because of the linear nature of it, if one uses different signatures for each bank note, there's no "network analysis" that can be performed, so the pseudonymous nature is perfectly anonymous in this case, because no "joins and splits" can happen.

So if I understand correctly, the public block chain is just a "bag of hashes" which cannot be verified or anything by any node or miner.  It is just a block chain of "data".  These data only have meaning for the people receiving "banknote files", which allows them to check the validity of the whole "banknote".  The hashes are in fact nothing else but hashes of "signed transactions", like with bitcoin, except that only the *signature hash* goes on the public block chain, and the actual transaction data remain on the individual banknote file.  Is that the gist ?  In fact, you need, as you say, TWO signatures (or hashes of signatures): one is the transaction signature (including the new beneficiary) and the other is the "spend" signature of simply the previous output.  The first signature (spending signature) makes that you cannot do double spending any more (you have invalidated the file up to the point where you transmit it), and the second signature allows the receiver to have a valid "new address" that he can spend (and only he, because only he has the secret key that goes with it like on bitcoin).

This is indeed a very, very good idea !  Money becomes more "physical" again: it are files !

Now, the question is: how does the mining work ?  Or is this meant as a parasite on top of the bitcoin block chain ?

The thing is, you need to burn a bitcoin to obtain something, irreversibly, that is not a bitcoin at all.  Nobody is going to burn a bitcoin to have a new altcoin.  You would automatically give that altcoin the value of a bitcoin, if you could redeem the whole payment history against a bitcoin again.  But then, what you have constructed, is a *private sidechain* on top of bitcoin.

You "lock up a bitcoin" in the side chain.  The side chain is not public, but is just the private "money file". Any legit owner along the chain can transmit the chain to the next one (as you describe more or less), OR can redeem the bitcoin from the original transaction, and as such, end the side chain.  It is not *entirely* what you propose, but close. 
The redeeming of the bitcoin at the end of the chain is probably somewhat more tricky.

Just use an exchange if you don't want your transactions on the blockchain. A public ledger is kind of the whole point; anything else enables too much fuckery

In the simplest case, address is a hash of the public key, or something similar.
The validators need to check one simple thing: if there are two transactions that (1) embed the same spend proof and (2) are signed by the same address (roughly equivalent to private key), it is a double-spend.  Everything else is fine.

What is an address ?  e-mail or so ?
How do others checking the block chain know that this private transaction belongs to an address and how do they find out who had send what from which address ?  I think I'm missing something.  If you mean an address on a P2P networks, Kademlia style, then you've undone the anonymity.  Because if the address of the sender is included in the block chain, then, eh, the spending history is just as pseudonymous as bitcoin (your address is associated with all you do).  And it would also mean that your coins are attached to your P2P address private key.

Of course, I thought about it
The attack won't work because the spend proof must be sent from the owner's address, not from any address.

Ok, I didn't quite get what you are proposing then.

Look at the following attack:

I pay you amount X.  Hence I also can calculate the spend proof YOU would have to provide to show that you spent X to someone else.

I can hence post the hash of spending YOUR output to the block chain, which will make it impossible for YOU to spend the money further.

Why would I do that ?  Because if I'm holding still a large amount of BBC coin, the less of it is in circulation, the scarcer it will be and in principle, the higher its price.  In reality, of course, if it is possible for the previous payer to destroy your ownership at any moment, the value will rather plummet.   There may also be another reason why I destroy the money I give you when it is yours: I may not like that our history is transmitted further.  If I kill your money, you won't be spending it and this history will not be transmitted further in principle.

Is my attack valid ?

Not at all.  Zerocoin is based on zero knowledge proofs, while Byteball's private payments don't rely on any advanced crypto, just plain old hashes.

You are reinventing zerocoin.

The first coin to implement this idea: https://bitcointalksearch.org/topic/obyte-totally-new-consensus-algorithm-private-untraceable-payments-1608859