Pages:
Author

Topic: Ultimate Bitcoin Privacy - Discussion (Read 1657 times)

full member
Activity: 130
Merit: 150
July 21, 2023, 07:56:25 PM
#88
I mean, isn't the answer just that some plurality of the signers have the ability to kick out and override some minority portion of the signers? I guess it would be good for the system to publish rules though about what exactly should trigger this sort of vote, like if a signer is inactive for X time period, the vote is automatically triggered. Or, it always could just be something more whimsical like whenever a supermajority feels like it, they can do it.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
July 08, 2023, 04:22:26 AM
#87
Bump: I'm still curious about the question above.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Let's assume there are multiple trusted signers, and the system is nicely decentralized.
Follow-up question: let's assume one of the signers can no longer be trusted, or disappeared (this will eventually happen): how do the other signers decide when to create a new multisig address with a new signer? Is there any centralisation involved?
legendary
Activity: 2212
Merit: 7064
There are 3 main types of privacy solutions/techniques available today on Bitcoin, each one having its own advantages/disadvantages:
There are more options available for Bitcoin privacy, some of them are available today and others are work in progress.
Maybe you could include them in your report and investigate them more and try to learn from their examples to improve whirlwind in future.
Bitcoin drivechain could be used in future but I think we need to see upgrade on Bitcoin for that to be fully possible, just wondering, if we can have stupid ordinals why can't we have this as well?  Roll Eyes

Everyone knows about Lightning Network that can partially function for improving Bitcoin privacy, but if you didn't hear until now, there is wallet called Mercury that is using Layer 2 with statechains:
https://mercurywallet.com/

EDIT:
I forgot to add confidential transactions on Liquid layer2 and others:
https://www.lopp.net/bitcoin-information/other-layers.html
copper member
Activity: 112
Merit: 338
How would you position Whirlwind regarding those position advantages/disadvantages?
It's a great question, apologies in advance for the lengthy response. We were planning to publish a detailed comparison between Whirlwind and other Bitcoin privacy solutions, but another user recommended that we look for a 3rd party to do it instead and we will follow that advice so we avoid any biases.

With that said I will do my best to answer your question only using facts, but keep in mind that you should do your own research and verify my claims independently. If anyone thinks I intentionally suppressed important details please point it out and I will edit the post and include it.

There are 3 main types of privacy solutions/techniques available today on Bitcoin, each one having its own advantages/disadvantages:

1.Decentralized (Coinjoin): Wasabi, Samourai, Joinmarket
2.Centralized 'traditional': Coinomize, YoMix, Sinbad, etc.
3.Centralized: Whirlwind

It's important to start by mentioning that you should never use a centralized solution over a decentralized alternative unless the centralized one offers exponentially better privacy or unique features that you can't get in a trustless manner. No matter how trusted the operator is what's the point in risking loss of funds when you could achieve the same goal without taking any risks?

For simplicity I will use Samourai and YoMix in my examples, but the same applies to all other alternatives from the same category.

|
Service
legendary
Activity: 2268
Merit: 16328
Fully fledged Merit Cycler - Golden Feather 22-23
I just got my first note funded.

In the meantime I wait to  lower fees ti transfer to my private address, I am enjoying a 12% APR.

https://whirlwind.money/faq#anonymityMining

Quote
n order to achieve privacy, Whirlwind uses a multi-sig that acts as a pool and consolidates all deposited Bitcoin. Once funds are withdrawn by a completely new address from this pool, the on-chain link between the source and destination is severed, thus anonymising the withdrawn Bitcoin.

The goal of this pattern is to aggregate different deposits into a single pool, such that distinguishing between them becomes unfeasible. The only factor to keep in mind is that this pattern is useless if there are not many deposits of varying sizes, such that the set of probable suspects is too small. We aim to overcome this issue by launching the Anonymity Mining campaign. The more people use Whirlwind, the more secure it becomes for everyone. We will consider the bootstrapping phase over when the Anonymity Set crosses 10,000 deposits.

Anonymity mining is an incentive to increase the level of privacy Whirlwind offers by rewarding participants with Bitcoin dependent on the deposited amount and how long they keep their assets in the pool. The campaign will run for a limited time until the Anonymity Set hits 10,000 deposits and it will be structured in the following way:

In return for increasing the Anonymity Set Whirlwind rewards all funded Notes with 1% monthly interest on their balance. The rewards will be paid out automatically on a daily basis and they are withdrawable anytime. All you need to do in order to participate in the campaign is make a deposit and wait for as long as you want to accrue rewards before withdrawing.

Example: If the multi-sig's average balance during a month is 100BTC Whirlwind will pay out 1BTC in rewards during that month on a daily basis. 1BTC/30 days = 0.03333BTC daily. If you have a Note with a balance of 1BTC every day you will receive 1% of 0.03333BTC which is 0.000333BTC.

It's important to emphasize that the rewards will be paid out from our personal reserve and only for a limited amount of time until the Anonymity set passes the 10,000 deposits threshold, at which point incentives won't be needed anymore.
legendary
Activity: 2268
Merit: 16328
Fully fledged Merit Cycler - Golden Feather 22-23
I admit I didn’t read the whole thread, so I do apologise if I am making a stupid question.

Currently, I am aware of three “mixing” techniques/wallet/software, each of them with peculiar pros and cons: Wasabi, Samurai and Joinmarket.

How would you position Whirlwind regarding those position advantages/disadvantages?
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
We could also provide a Letter of Guarantee to the receiver which would be downloadable from the 'Dashboard' page for the first x hours after the transaction. Do you think this would be useful in any way?
I don't get what it would do. Say Bob sends Alice money to a Note. Bob gets a LoG to prove it, and Alice withdraws her money to her on-chain Bitcoin address. What would Alice need a LoG for?
copper member
Activity: 112
Merit: 338
I have some doubts: if I'm expecting a Bitcoin transaction, I wouldn't appreciate being told to use a third party to collect my money. The sender could instead have withdrawn the note himself, and sent an on-chain transaction to my address.
As a sender, I also wouldn't really want to rely on a third party to send funds and provide evidence. No matter how trusted your service becomes, it's never as strong as on-chain evidence. Unless you don't want an on-chain transaction trail of course.
My intention was to make it clear that Whirlwind addresses don't need to be 'initialized' in any way. if someone sends you funds through Whirlwind without you ever entering the website before you can still access them with your private key.

The sender could make an on-chain transfer to your address, but that means he would know where you withdrew your Bitcoin. If he uses Pay to Note then you are anonymous even to the sender. of course you should always know beforehand where you will be sent the funds, I wouldn't appreciate this kind of 'surprise' either.

Nothing will ever be as strong as on-chain evidence, but for the Pay to Note feature you need to rely on the Letter of Guarantee since there are no on-chain transactions being executed. We could also provide a Letter of Guarantee to the receiver which would be downloadable from the 'Dashboard' page for the first x hours after the transaction. Do you think this would be useful in any way?
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I'm quoting OP from another topic to bring the discussion here:
When you 'generate' a Note on the website the private key you are getting is a normal Bitcoin private key. It starts with 'ww-' so it's easier to distinguish from other bitcoin private keys you have in case you save them in the same place.

The Note Public Address is in fact the Legacy Bitcoin address corresponding to the private key you saved, the only difference is that every '1' is changed to 'ww' so again, you can easily distinguish a Whirlwind Note from a Bitcoin address.

Example:
ww-L4xK361wZYYxJg7vSwXgDTVBVXY4JfgYrUU5QZic2nNB9PUbMzbt - Note Private Key
ww8Sf8x3GBUiTxg55RQEzynf2Cdyy7F1ihh - Note Public Address

L4xK361wZYYxJg7vSwXgDTVBVXY4JfgYrUU5QZic2nNB9PUbMzbt - Bitcoin Private Key
18Sf8x3GBUiTxg55RQEzynf2Cdyy7F1ihh - Legacy Bitcoin address

If you do not want to generate the Note on the website you can simply use any other private key and it will work the same.
Example: Imagine you need to receive a payment so you generate a new address locally and send the Legacy address to the sender expecting a normal Bitcoin transfer. The sender can now pay you instantly, anonymously and for free through Whirlwind even if you didn't know we existed. You could then access the website and withdraw your funds to your desired address. (the sender can also send you the LoG for the Pay to Note transfer proving that he sent the funds)
(I've shortened the quotes a bit to focus on the relevant parts)

I have some doubts: if I'm expecting a Bitcoin transaction, I wouldn't appreciate being told to use a third party to collect my money. The sender could instead have withdrawn the note himself, and sent an on-chain transaction to my address.
As a sender, I also wouldn't really want to rely on a third party to send funds and provide evidence. No matter how trusted your service becomes, it's never as strong as on-chain evidence. Unless you don't want an on-chain transaction trail of course.
copper member
Activity: 112
Merit: 338
April 22, 2023, 11:19:33 AM
#78
Okay, but that doesn't answer on why having arbitrary fee rate. The network could be flooded with transactions such that maybe 2500 sat/addy is neither enough.
We simply do not want to add more moving parts where they are not necessarily needed in order to improve stability. The backend and signers have to validate every single action and adding more friction at the withdrawal stage by making the fees dynamic doesen't seem like a good idea. We'd prefer to eliminate them altogether if this is really an issue, we want the system to work without ever needing our intervention and we achieved this in the current form.

Apologies for my difficulty to comprehend blinded certificates, but I still don't understand what prevents you from keeping logs which would give away the activity of the users. For example, I created a note and deposited money to an address tied to that note. You could have kept that. Then, when someone sent me money to my public address, you could have known which note was spent in which public address.

Unless the front-end is coded in such manner that prevents the unveiling of that information, I don't know how provable privacy is ensured.  
It's a misunderstanding, Blinded Certificates are not implemented in the current version. I explained how it would work in Whirlwind's case in the messages I'll quote below, but we are not really in a rush to implement it as it's quite apparent most users don't care that much about this aspect so it's not yet a priority.

I hate the word "revolutionize," so I mean it when I say that blind certificates could actually revolutionize the mixer industry. They're going to be important to understand if you're in this space, so as a weekend project, I tried my best to create an easy-to-understand explanation graphic. Of course my guide simplifies the info a little, but it's meant to explain this stuff to beginners. There's more to add at a later date, but this should be a good start!

Great explanation and I'm glad you found the idea interesting enough to allocate time for this!

I want to mention that while we certainly could store logs about every transaction and we can't prove that we don't, in case you believe that we don't then I'll tell you how the current system works: we only store a Notes public key and balance in the database, when you generate a Note that is its corresponding private key. So in the database the Notes are not stored in chronological order, it's random. There is no link between a Note's public key and its corresponding deposit because we don't store anything about that. If you want to take it a step further you could withdraw a small percentage of the Note or combine 2 of them together so you alter the link between the exact deposit amount and Note public key balance in our database.

Whirlwind is built in a way that makes it possible to implement Blind Certificates, as an example our version would look like this:

There will be 5 Blind Certificates denominations, 10BTC | 1BTC | 0.1BTC | 0.01BTC | 0.001BTC

Each one will have it's own Anonymity set, which means that if there are 100 x 1BTC Blind Certificates issued, if you redeem one of them it could be any of the 100 issued certificates from Whirlwind's perspective. The only known information to anyone including us is that one of the 100 issued certificates was redeemed.

The flow looks like this: User deposits 1.1BTC using the Note method and now holds a private key. With this private key he would then issue two Blind Certificates, one of them for 1BTC, and the other for 0.1BTC. Now his deposit is provably anonymous. Whenever he wants to withdraw, he redeems the two Blind Certificates for one or more Notes, and he follows the normal Note withdrawal procedure. In this case the user would be protected by 2 Anonymity sets, the public one which is the one that is now shown on the website, and by the Blind Certificates one, which proves beyond any doubt that you indeed got complete anonymity using the service.

For the moment I'll wait until people understand how Whirlwind works in it's current form and the service starts to see some more serious usage, and if this concept generates interest until then I'll implement it in a fairly short timeframe.

And here is a more technical explanation for why Blinded Signatures are not enough in Whirlwind's case and why we would need to use zk-snarks instead:

Our implementation would have to involve zero knowledge proofs and in short here is why:

We decided to use Groth16 ZK-SNARKS for this, instead of blind signatures, because of an important security problem in our architecture with blind signatures: if the private key which is used for the blind signatures is stored on the backend server, an attacker which compromises it would be able to forge certificates which the validators will trust, and therefore draining the wallet, basically making the backend+validator architecture that I explained in a previous message useless.

With a ZK-proof, the attacker would not be able to do this, because the secret witnesses used to prove a certain withdraw is valid is generated by the user in the frontend, so not even the backend can forge these proofs. At some point, we will make the frontend open source, which will reveal all of the backend’s endpoints, so you can build/host your own frontend for this, or even create a CLI.

The architecture would look like this: we store a merkle tree of the users’s public statements in the database. When a user redeems a note for certificates, we store the user’s public statements in the tree. When a user wants to redeem the certificates for a note, the frontend, using the user’s secret witness, will be able to prove to the backend (AND the validators) that he has the secret witness of a certain leaf in the tree, without actually saying which leaf it is. This makes it totally anonymous towards us, the operators, as well.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
April 22, 2023, 10:27:09 AM
#77
Apologies for my difficulty to comprehend blinded certificates, but I still don't understand what prevents you from keeping logs which would give away the activity of the users. For example, I created a note and deposited money to an address tied to that note. You could have kept that. Then, when someone sent me money to my public address, you could have known which note was spent in which public address.

Unless the front-end is coded in such manner that prevents the unveiling of that information, I don't know how provable privacy is ensured.  

We can't let users choose the fees themselves because all transactions are sent from the same multi-sig so we can't really afford to have any of them stuck for a long time.
Okay, but that doesn't answer on why having arbitrary fee rate. The network could be flooded with transactions such that maybe 2500 sat/addy is neither enough.
copper member
Activity: 112
Merit: 338
April 22, 2023, 10:18:20 AM
#76
It looks like you're first sending all deposit to your own multisig address, and then consolidating them again into the same address. Why don't you skip a step by consolidating deposits while processing withdrawals?
So instead of:
deposit A > multisig
deposit B > multisig
multisig > multisig + withdrawal C
You'd get:
deposit A + deposit B + multisig > multisig + withdrawal C

Multiple reasons:
1)Security is our top priority so in order for the signers to be able to register and validate each deposit 100% reliably, the transaction from the intermediary address to the multi-sig needs to be broadcasted. We are sacrificing some sats paid extra in fees for an unbreakable system in regards to loss of funds for any reason other than us, the operators, acting maliciously.
2)We might not necessarily pay extra in fees since right now we can broadcast all deposit transactions deposit x > multisig on a very low fee regardless of congestion. Output transactions from the multi-sig need to be broadcasted with higher fees so they don't get stuck.
3)We want to leave some UTXO's available in case a transaction still gets stuck even with a higher fee

Other than working on other features and exploring ways to decentralize the service completely our job should now be as easy as this: pay the servers and change them once in a while just in case. Whirlwind could be considered a blockchain, the only missing piece is decentralization meaning more signers. We are considering a system where in order to be a signer you are required to deposit a certain amount of BTC, and we implement a slashing mechanism to deal with bad actors. We will give more details once we have an actual plan, until then we're patiently waiting to see if demand for something like this actually exists. From a technical point of view we are by far the superior privacy solution available for Bitcoin today, so if something like this isn't used (even when it's essentially free) then it's certainly not worth wasting time to develop it further.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
April 22, 2023, 08:28:35 AM
#75
It looks like you're first sending all deposit to your own multisig address, and then consolidating them again into the same address. Why don't you skip a step by consolidating deposits while processing withdrawals?
So instead of:
deposit A > multisig
deposit B > multisig
multisig > multisig + withdrawal C
You'd get:
deposit A + deposit B + multisig > multisig + withdrawal C
copper member
Activity: 29
Merit: 28
April 22, 2023, 07:57:07 AM
#74
blindmixer might be a nice example of this: we already utilize blind schnorr signatures, and have full non-repudiation:

every action taken by the client requires a signature that only the client can generate, as such we cannot dupe any single user with it being proveable.

A consequence of this is that it is a little more complex than a single webpage: the client needs to actively generate signatures and store them. JS will be required. Still, we believe that we packaged it as simple as possible for the average user.

A huge drawback currently is that our scheme is centralized, meaning that we can exit-scam at any point. We have looked into using a MuSig scheme with multiple signers, and it should definitely be possible. Don't think it will play very nicely with lightning as of right now, but that will undoubtedly change in the future.

copper member
Activity: 112
Merit: 338
April 22, 2023, 06:14:59 AM
#73
Tried it. I created two notes, got their public addresses, and sent bitcoin back and fourth. The inconvenience I notice is that I must withdraw fixed amounts (e.g., 0.001, 0.005, 0.01 etc.). Fixed amounts isn't the problem per se. What might annoy someone is that you enforce an arbitrary fee rate (2500 sats per address). I don't get why you don't let the users choose themselves. At the moment, I have about 800,000 sats in notes, and I'll have to mix another 200,000, so I can merge them together into 0.01, to save 7500 sats in fees.
We could let users withdraw arbitrary amounts like before too after clicking a checkbox saying something along the lines of "I understand that if I withdraw an arbitrary amount my withdrawal could be deanonymized under certain conditions", but there are not many arguments in favor of it since the privacy levels increased by multiple folds with the introduction of fungible outputs, and if you are really that concerned about the 2500 sats fee you can just keep the balance on the Note until you reach a fixed amount that you can withdraw at once. Transfers between Notes are 100% free, not subject to any 2500 sats fee.

We can't let users choose the fees themselves because all transactions are sent from the same multi-sig so we can't really afford to have any of them stuck for a long time. Assuming the user chooses 0% donation if we pay more than 10 sats/vb for his individual withdraw then we're losing money. On the other hand in a month we lowered the fee 6x from 15000 sats to 2500 so this is already some good progress and cheaper than anything else, and depending on the profitability we'll eliminate this altogether.

You're also showing in the main page how many anonymity sets there are. Is it because it's trivial for an advisory to figure that out in the chain?
Our multi-sig is always visible at this address:

https://mempool.space/address/bc1qf8h5k6sash8007vpesymxkw2xsg5d0r3j4l5vmcrwpz2pqu66fjstzgd3r

We are showing the Anonymity set on the website too so users are aware of the exact level of anonymity they are getting when using Whirlwind and to make it easier for them to figure out when new deposits were made without having to check the chain themselves. Again this is public knowledge so there is no reason not to show it.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
April 22, 2023, 04:44:56 AM
#72
Tried it. I created two notes, got their public addresses, and sent bitcoin back and fourth. The inconvenience I notice is that I must withdraw fixed amounts (e.g., 0.001, 0.005, 0.01 etc.). Fixed amounts isn't the problem per se. What might annoy someone is that you enforce an arbitrary fee rate (2500 sats per address). I don't get why you don't let the users choose themselves. At the moment, I have about 800,000 sats in notes, and I'll have to mix another 200,000, so I can merge them together into 0.01, to save 7500 sats in fees.

You're also showing in the main page how many anonymity sets there are. Is it because it's trivial for an advisory to figure that out in the chain?
copper member
Activity: 112
Merit: 338
April 21, 2023, 10:10:40 PM
#71
Crossposting this - very exciting news, please let us know what you think!


IMPORTANT UPDATE

We just completed the most important upgrade to date, the changelog is available at the end of this message. Some major changes have been made so we suggest everyone reads the FAQ again and perhaps even give the service a try with a small amount since it's essentially free now. We will also work on video tutorials now that the platform will be mostly unchanged going forward. ANN thread presentation will also be updated to reflect the latest changes.

We are most excited about the introduction of the Pay to Note feature and fungible outputs.

The Pay to Note feature enables instant, feeless and anonymous BTC transactions. Gone are the days where you want to send some Bitcoin to your friend but you worry about him checking out your past transactions so instead you are forced to use Monero. Now it's possible to do everything with Bitcoin with much more convenience and in much better conditions since all transfers are instant and free. Whirlwind is the first and only service to ever implement such a feature and we hope that our users see the value and opportunities that this brings.

Outputs are now fungible, meaning every single withdraw will look exactly the same for outside observers. This greatly increases privacy for all users since it's much harder to track what is happening behind the scenes only by looking at transactions.

We are ready to answer any questions and looking forward to read your feedback.

p.s. Clearnet is still under DDoS and offline, please use the Tor version for now. We will solve this issue too in the following days, apologies for any inconvenience caused but this was not a priority.

Changelog

04.22.2023 01:00:00 AM UTC
-Pay to Note feature implemented enabling instant, feeless and anonymous Bitcoin transactions.
-Complete compliance module - Whirlwind provides a signed Guarantee Letter for every action executed by the end user. It's the end user's responsibility to save all the guarantee letters and use them as needed.
-new UI and FAQ for better user experience
-stability issues completely fixed, all delay times will be respected to the minute
-withdraw fees are reduced to 2500 sats/address from 7500 sats/address
-fast mode is deprecated, everyone will have to use the Note system. you will still be able to withdraw instantly after your deposit is confirmed so it can be used in the same way as the fast mode
-outputs are now fungible, namely 0.001BTC, 0.005BTC, 0.01BTC, 0.05BTC, 0.1BTC, 0.5BTC, 1BTC, 10BTC. the unspent balance will remain on the Note and you can withdraw it at any time
copper member
Activity: 112
Merit: 338
April 12, 2023, 01:29:53 AM
#70
The flow looks like this: User deposits 1.1BTC using the Note method and now holds a private key. With this private key he would then issue two Blind Certificates, one of them for 1BTC, and the other for 0.1BTC. Now his deposit is provably anonymous. Whenever he wants to withdraw, he redeems the two Blind Certificates for one or more Notes, and he follows the normal Note withdrawal procedure. In this case the user would be protected by 2 Anonymity sets, the public one which is the one that is now shown on the website, and by the Blind Certificates one, which proves beyond any doubt that you indeed got complete anonymity using the service.

I don't completely understand where the two anonymity sets come from. Do you mean the coins are taken from the 1BTC and 0.1BTC anonymity sets? And in which order?

My bad, in fact in my example there are 3 Anonymity sets involved. One of them is the public Anonymity Set visible to anyone on the website (total number of deposits), the second one is the 1BTC Blind Certificate Anonymity Set, and the third one is the 0.1BTC Anonymity Set.

For an outside observer only the public Anonymity Set matters since he won't even be able to know if you used Blind Certificates or not. As long as you believe we don't store logs then the public Anonymity Set should be the only one that matters to you too. But if you are concerned that we store logs/act maliciously then the figure you should care about is the specific blind certificate's anonymity set that you are using at that time.

While discussing Bitcoin privacy and blind certificates, I think this topic (from 2016) never received the attention it deserves: Hiding entire content of on-chain transactions. The same author later implemented it as blackbytes, but it never took off. I'm not quoting the entire post, please just read the topic. I'll only post this summary:

Very interesting - I think it's important I mention that when applied to our use-case actual Blind Certificates would introduce at least one huge security issue, but thankfully we already found a solution to this in case we ever need to implement it.

You are reinventing zerocoin.

Not at all.  Zerocoin is based on zero knowledge proofs, while Byteball's private payments don't rely on any advanced crypto, just plain old hashes.

Our implementation would have to involve zero knowledge proofs and in short here is why:

We decided to use Groth16 ZK-SNARKS for this, instead of blind signatures, because of an important security problem in our architecture with blind signatures: if the private key which is used for the blind signatures is stored on the backend server, an attacker which compromises it would be able to forge certificates which the validators will trust, and therefore draining the wallet, basically making the backend+validator architecture that I explained in a previous message useless.

With a ZK-proof, the attacker would not be able to do this, because the secret witnesses used to prove a certain withdraw is valid is generated by the user in the frontend, so not even the backend can forge these proofs. At some point, we will make the frontend open source, which will reveal all of the backend’s endpoints, so you can build/host your own frontend for this, or even create a CLI.

The architecture would look like this: we store a merkle tree of the users’s public statements in the database. When a user redeems a note for certificates, we store the user’s public statements in the tree. When a user wants to redeem the certificates for a note, the frontend, using the user’s secret witness, will be able to prove to the backend (AND the validators) that he has the secret witness of a certain leaf in the tree, without actually saying which leaf it is. This makes it totally anonymous towards us, the operators, as well.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
April 11, 2023, 03:02:21 AM
#69
I tried my best to create an easy-to-understand explanation graphic.
Can you (significantly) increase the resolution? The small font doesn't do it justice.



While discussing Bitcoin privacy and blind certificates, I think this topic (from 2016) never received the attention it deserves: Hiding entire content of on-chain transactions. The same author later implemented it as blackbytes, but it never took off. I'm not quoting the entire post, please just read the topic. I'll only post this summary:
So if I understand correctly, the public block chain is just a "bag of hashes" which cannot be verified or anything by any node or miner.  It is just a block chain of "data".  These data only have meaning for the people receiving "banknote files", which allows them to check the validity of the whole "banknote".  The hashes are in fact nothing else but hashes of "signed transactions", like with bitcoin, except that only the *signature hash* goes on the public block chain, and the actual transaction data remain on the individual banknote file.  Is that the gist ?  In fact, you need, as you say, TWO signatures (or hashes of signatures): one is the transaction signature (including the new beneficiary) and the other is the "spend" signature of simply the previous output.  The first signature (spending signature) makes that you cannot do double spending any more (you have invalidated the file up to the point where you transmit it), and the second signature allows the receiver to have a valid "new address" that he can spend (and only he, because only he has the secret key that goes with it like on bitcoin).

This is indeed a very, very good idea !  Money becomes more "physical" again: it are files !
Pages:
Jump to:
© 2020, Bitcointalksearch.org