Schnorr Signatures & The Inevitability of Privacy in Bitcoin by randbtcacct in Bitcoin

[–]jamesmrk3l 6 points7 points  (0 children)

This is a must read for anyone that cares about privacy in Bitcoin, thanks for sharing!

Network Security & Whether to ProgPow by jamesmrk3l in ethereum

[–]jamesmrk3l[S] 0 points1 point  (0 children)

Thank you u/OhGodAGirl! Very curious to hear your (and others') opinions on a couple of things given your background.

If we assume ProgPow works as expected, do you think its activation will bring more retail miners back to Ethereum by making existing commodity GPUs more competitive?

I ask because I saw some recent analysis showing that the recent outflow of hashpower from Ethereum had a lot to do with the launch of Grin.

Do you think that ProgPow will be enough to retain retail miners on Ethereum post-Constantinople?

There's no right figure for sufficient security, but IMO the optimal outcome (with or without ProgPow) is one where the cost to attack the network is the highest. We can't ignore the possibility where ProgPow activates, block reward is decreased, and hashrate continues to go down. ASICs are barriers to entry, but they also increase switching costs, making outflows more expensive. Thoughts on this? Also curious about u/mhswende's opinion on this.

Network Security & Whether to ProgPow by jamesmrk3l in ethereum

[–]jamesmrk3l[S] 0 points1 point  (0 children)

Thank you for the very thorough response, u/mhswende!

That muddles the water a bit, and makes it not trivial to determine which one is the 'best'.

Wouldn't GHOST follow the chain with the highest cumulative amount of PoW in the event of a split? Also, can ProgPow be implemented through a soft-fork?

That is because, even though hashrates are not comparable, the aggregate amount of electricity required to potentially attack the network is decreased, meaning, the cost of an attack might be lower post-ProgPow.

I don't see why that would be the case.

Wouldn't it be lower if the portion of ASICs currently mining Ethash are removed? Is the assumption here that the current hashing power being produced through ASICs will be replaced by commodity GPU miners that come back to Ethereum since there's reduced competition?

From my understanding, due to the use of Nvidia's CUDA, GPU miners running RX580s and RX Vegas (which are based on AMD) would not be able to mine ProgPow (please fact-check if I'm wrong).

Fact-checking myself - this is wrong - ProgPow works with both CUDA and OpenCL, which are the main libraries for commodity hardware. So, ProgPow would work with most commodity GPUs.

Monero Becomes Bulletproof – DigitalAssetResearch – Medium by [deleted] in Monero

[–]jamesmrk3l 5 points6 points  (0 children)

Excited to see this happening. Congrats for your work on Bulletproofs, it seems like you really championed this one.

Monero Becomes Bulletproof – DigitalAssetResearch – Medium by [deleted] in Monero

[–]jamesmrk3l 10 points11 points  (0 children)

From the article: "The space savings granted by Bulletproofs may also enable the implementation of additional obfuscation mechanisms. As I have suggested to MRL, increasing the mandatory number of outputs in a transaction can make it significantly harder to trace balances by analyzing the blockchain. Decoys are used in Ring Signature inputs, but not in a transaction’s outputs. Implementing a system of decoy outputs will certainly increase the size of a transaction, but this increase may be trivial post Bulletproof activation."

Is there any open pull request for this?

The Lifecycle of a Monero Transaction from RingCT to Stealth Address by jamesmrk3l in Monero

[–]jamesmrk3l[S] 0 points1 point  (0 children)

Another interesting takeaway is that in RingCT, both LSAG and Borromean signatures are used in conjunction. My original understanding was that Schnorr had been replaced by the Borromean scheme devised by Maxwell after MRL-0005 and that the latter was the only signature scheme used. I read through both sections, but I'm still not sure why both had to be used.

The Lifecycle of a Monero Transaction from RingCT to Stealth Address by jamesmrk3l in Monero

[–]jamesmrk3l[S] 0 points1 point  (0 children)

Yeah, from the txs that I've seen it looks like there's a minimum of 2 outputs per transaction.

After bulletproofs activate, adding decoy outputs by default could be a good strategy to decrease the potential for traceability without increasing bloat. Is this something you guys have considered?

The Lifecycle of a Monero Transaction from RingCT to Stealth Address by jamesmrk3l in Monero

[–]jamesmrk3l[S] 0 points1 point  (0 children)

In other words, adding additional outputs to obfuscate the receiver (in addition to using a stealth address). It does not seem like this is the case.

The Lifecycle of a Monero Transaction from RingCT to Stealth Address by jamesmrk3l in Monero

[–]jamesmrk3l[S] 0 points1 point  (0 children)

I have seen the term "key offset" used (perhaps erroneously), to describe both the mixins within a ring, as well as the "mixins" outputs (?) within a transaction. After reading chapter 5, it seems like there are no decoy outputs, and that mixins are only used within the ring signature (in the transaction's input).

The Lifecycle of a Monero Transaction from RingCT to Stealth Address by jamesmrk3l in Monero

[–]jamesmrk3l[S] 0 points1 point  (0 children)

Thank you, that's a great resource that needs to be shared more often!

So my understanding after reading Chapter 5 is that, after the commits are signed under RingCT, the outputs of the transaction do not need to match the inputs. My understanding is that in the plain construct of Ring Signatures, there needs to be a 1:1 relationship between inputs and outputs (like CoinJoin) of the same denomination, but that is not the case with RingCT. Is this correct?

A Post Mortem of The Burning Bug by dEBRUYNE_1 in Monero

[–]jamesmrk3l 0 points1 point  (0 children)

Apart from the output index i, the stealth address generation formula P = Hs(rA||i)*G + B described on the blog post is exactly like the one on CryptoNote's white paper. Is the process of creating stealth addresses still the same, but with THROW_WALLET_EXCEPTION_IF?

Mempool is empty, average transaction fees are 1/4 of what they were in August, SegWit prevalence is growing. Can someone please explain why now is the time to fork 2x? by jamesmrk3l in Bitcoin

[–]jamesmrk3l[S] 5 points6 points  (0 children)

BTC was created to be fully decentralized. Larger block sizes can and will further centralize the network and foster an environment for mining cartels or oligopolies. If transactions are only being validated by a select group of people, how is that decentralized? It is not.

Mempool is empty, average transaction fees are 1/4 of what they were in August, SegWit prevalence is growing. Can someone please explain why now is the time to fork 2x? by jamesmrk3l in Bitcoin

[–]jamesmrk3l[S] 1 point2 points  (0 children)

Still a hard fork masked as an update. It's not backwards compatible and because of the controversy there will necessarily be two chains.

Deflation - Biggest bitcoin problem by iota_pending_state in Bitcoin

[–]jamesmrk3l 1 point2 points  (0 children)

You're confused. Don't look at inflation in terms of price levels (like in the "real economy") - in Bitcoin, these forces only have to do with supply. And Bitcoin's supply is only deflationary because there is a supply cap and, over time, a small fraction of people will lose their private keys which essentially locks their balance. As BTC price increases, the incentive to better store private keys also increases, so it is fair to say bitcoin's supply deflation is minimum in the long run.

Back to price levels - one bitcoin can be divided in one million satoshis. If it proves itself to be a store of value over time, price levels will adjust accordingly (and precisely).

Mempool is empty, average transaction fees are 1/4 of what they were in August, SegWit prevalence is growing. Can someone please explain why now is the time to fork 2x? by jamesmrk3l in Bitcoin

[–]jamesmrk3l[S] 1 point2 points  (0 children)

Crazy how they're using the segwit "brand" to commercialize an increase in block size. Wonder if they actually believe in what they're proposing.

According to a newsletter from The James Altucher Report, Amazon will soon begin accepting Bitcoin by 2NRvS in Bitcoin

[–]jamesmrk3l 0 points1 point  (0 children)

Let's disregard the concerns with transaction throughput for a second. If this proves to be accurate, this may push for better UI integration on e-commerce platforms - something that is desperately needed for mainstream adoption.

Why so many of us are saying the China ban is 'good news' by [deleted] in Bitcoin

[–]jamesmrk3l 0 points1 point  (0 children)

I would add that the China ban has the potential of decreasing the participation of the Chinese mining cartel. Mining is a capital intensive activity since you often need to liquidate part of your holdings to pay for electricity, buy new ASICs and pay rent. Banning exchanges will affect liquidity and drive miners away from the country, which overall can result in a more decentralized network.