Is it possible to create a new address type that uses ring signatures instead?

justusranvier

legendary

Activity: 1400

Merit: 1009

Quote from: DeathAndTaxes on July 25, 2014, 12:34:59 AM

They break down outputs into standardized sizes. The ring set is then other pubkeys which have the unspent outputs of the same size. For example if you were receiving 123 coins instead of a 123 coin output it could be a 64, 32, 16, 8, 2 and 1 coin output. Then the 64 coin output is identical to any other unspent 64 coin output (of which there probably are thousands).

I like this idea.

How is related to ring signatures?

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

They break down outputs into standardized sizes. The ring set is then other pubkeys which have the unspent outputs of the same size. For example if you were receiving 123 coins instead of a 123 coin output it could be a 64, 32, 16, 8, 2 and 1 coin output. Then the 64 coin output is identical to any other unspent 64 coin output (of which there probably are thousands).

justusranvier

legendary

Activity: 1400

Merit: 1009

There's a relevant effect here akin to Amdahl's law.

Privacy attacks can draw upon quite a few sources of information leakage in a transaction, and the scripts themselves aren't even the largest source (attackers can do quite a lot by simply looking at input and output sizes, without even bothering to look at the scripts).

Fancy new script types might be able to reduce the information leaked by the scripts, but that only improves your privacy by the fraction of the total information leakage the scripts represent.

Presumably ring signatures allow for some new type of transaction structure that leaks less identity information. That's what I was originally asking about, because I haven't seen that explained very well.

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Who is "we"? All crypto currencies using ring signatures use a key image otherwise they would be trivial to double spend.

If Alice, Bob, and Charlie all have a 1 BTC output using ring signatures without a key image Alice could simply spend her output three times and it would validate each time as being from the group.

justusranvier

legendary

Activity: 1400

Merit: 1009

Quote from: gmaxwell on July 23, 2014, 07:42:28 PM

The BRS ring-signature also produces a key image which is a deterministic function of the signer's private key, can only be computed with knoweldge of the private key, and is provably linked to the ring signature so you know that the image you received is the image of one of the keys on the ring, though you don't know which. You then prevent that key image from ever being reused.

Of course that's perfectly clear.

How have we managed to get by as long as we have without the ability to create deterministic key images that can be provably linked to a ring signature?

dillpicklechips

hero member

Activity: 994

Merit: 507

Quote from: gmaxwell on July 23, 2014, 07:42:28 PM

Quote from: justusranvier on July 23, 2014, 07:09:44 PM

I guess the missing piece for me is how they actually are implemented.
The original RSA example where a whileblower signs an email proving they are part of an organization without revealing which individual they are does not sound, at first glance, to be something useful for bitcoin.

It's very useful— with one addition: The BRS ring-signature also produces a key image which is a deterministic function of the signer's private key, can only be computed with knoweldge of the private key, and is provably linked to the ring signature so you know that the image you received is the image of one of the keys on the ring, though you don't know which. You then prevent that key image from ever being reused.

What about something like https://bitcointalksearch.org/topic/fungible-shuffler-decentralized-and-secure-mixing-workable-706000 or using ring signatures combined with coinjoin to do trustless mixing?

gmaxwell

staff

Activity: 4172

Merit: 8419

Quote from: justusranvier on July 23, 2014, 07:09:44 PM

I guess the missing piece for me is how they actually are implemented.
The original RSA example where a whileblower signs an email proving they are part of an organization without revealing which individual they are does not sound, at first glance, to be something useful for bitcoin.

It's very useful— with one addition: The BRS ring-signature also produces a key image which is a deterministic function of the signer's private key, can only be computed with knoweldge of the private key, and is provably linked to the ring signature so you know that the image you received is the image of one of the keys on the ring, though you don't know which. You then prevent that key image from ever being reused.

justusranvier

legendary

Activity: 1400

Merit: 1009

Quote from: gmaxwell on July 23, 2014, 07:04:13 PM

Quote from: justusranvier on July 23, 2014, 04:51:04 PM

I've never seen a good explanation of how ring signatures are actually useful, unless the goal is to be able to reuse pubkeys.

Huh!? ring signatures do nothing to enable pubkey reuse, and in fact— in the bytecoin ringsignature (BRS) approach all pubkey reuse must be _absolutely_ precluded.

BRS signing effectively allows users form something similar to a CoinJoin but without the other inputs owners participating.

I guess the missing piece for me is how they actually are implemented.

The original RSA example where a whileblower signs an email proving they are part of an organization without revealing which individual they are does not sound, at first glance, to be something useful for bitcoin.

If you start with unspent outputs for which you do not initially know the public key that will spend them, why does it matter if that pubkey is revealed at spend time if it will never be reused?

gmaxwell

staff

Activity: 4172

Merit: 8419

Quote from: justusranvier on July 23, 2014, 04:51:04 PM

I've never seen a good explanation of how ring signatures are actually useful, unless the goal is to be able to reuse pubkeys.

Huh!? ring signatures do nothing to enable pubkey reuse, and in fact— in the bytecoin ringsignature (BRS) approach all pubkey reuse must be _absolutely_ precluded.

BRS signing effectively allows users form something similar to a CoinJoin but without the other inputs owners participating.

justusranvier

legendary

Activity: 1400

Merit: 1009

I've never seen a good explanation of how ring signatures are actually useful, unless the goal is to be able to reuse pubkeys.

Muhammed Zakir

hero member

Activity: 560

Merit: 506

I prefer Zakir over Muhammed when mentioning me!

Quote from: gmaxwell on July 21, 2014, 02:36:08 AM

Nodes currently only store the historical blockchain for serving out to newly initializing peers and for stats queries in the rpc. Since 0.8 the software is restructured so that it never accesses it otherwise, and the next release will likely include a feature to operate with only about 1GB storage.

That would be great and it will solve some problems on syncing Blockchain.

Is there anything new in next update other than this?
Kindly,
MZ

gmaxwell

staff

Activity: 4172

Merit: 8419

Quote from: rapport on July 21, 2014, 12:25:58 AM

What's a full verifying node? (The blockchain is much more than 1GB)

Nodes currently only store the historical blockchain for serving out to newly initializing peers and for stats queries in the rpc. Since 0.8 the software is restructured so that it never accesses it otherwise, and the next release will likely include a feature to operate with only about 1GB storage.

rapport

full member

Activity: 157

Merit: 100

What's a full verifying node? (The blockchain is much more than 1GB)

gmaxwell

staff

Activity: 4172

Merit: 8419

Quote from: dillpicklechips on July 20, 2014, 04:21:51 PM

It would be very neat if we could move BTC to ring signature addresses like cryptonote and move them back to normal BTC addresses. Or is such a design completely incompatible with how Bitcoin does it?

It's perfectly possible, but it has some pretty severe overheads— and the tech is immature and rapidly improving. E.g. Just recently Andytoshi and I invented a way for coins of different values to partially share anonymity sets.

One challenge with all strong privacy systems is that they breaks pruning and increases transaction sizes substantially (4x+ in size for these ring signatures, typically). Right now a full verifying node in Bitcoin requires on the order of 1GB of storage, if we'd had the bytecoin-ring-signatures from day one and the same traffic it would be more like >100GBytes.

dillpicklechips

hero member

Activity: 994

Merit: 507

It would be very neat if we could move BTC to ring signature addresses like cryptonote and move them back to normal BTC addresses. Or is such a design completely incompatible with how Bitcoin does it?

Topic: Is it possible to create a new address type that uses ring signatures instead? (Read 1555 times)