[Bitcoin-development] Proposal for a new opcode

Gregory Maxwell gmaxwell at gmail.com
Thu Mar 22 00:49:20 UTC 2012

On Wed, Mar 21, 2012 at 6:02 PM, Watson Ladd <wbl at uchicago.edu> wrote:
> -My protocol works, your's doesn't. It's not enough to have a mix, the
> mix needs to be verifiable to avoid
> one of the mixers inserting their own key and removing a key that
> should be in there. That doesn't mean you can't make your protocol
> work with some more magic, but magic is required.

If the final step fails (someone says their address is missing) you
challenge the mixes to disclose half of their correspondences. You can
then prove which (if any) mixes defected.

Why I didn't bother elaborating is ... I think you can even avoid the
fancy protocol where you must take care to only disclose alternating
halves at each mix because the addresses are throwaway: If the it
fails in the final stage everyone publishes _everything_ and the
cheater is instantly and provably identified and can be excluded from
the next attempt which is then performed using totally new addresses
and the disclosed addresses are never used.  Care would need to be
taken to avoid fake-failures (e.g. the exchange says 'it fails'
triggering disclosure then sending anyways— but the participants could
prove this cheating and stop using the exchange), I think there isn't
much risk there if the participants are themselves the mixes.  I need
to think this through a bit more.

> On a related note, private keys and signatures have better proofs of
> knowledge then hashes. Has this been considered in the P2SH
> conversation? There might be ways to use this to make even better
> methods for enhancing anonymity.

It's not something I thought about— In general the P2SH tends to be
a superset of other schemes, e.g. you can do a signature to prove you
access to a private key, then you can show someone a script using that
key to show control of a P2SH address.

There are lot of interesting things you can do with bitcoin if you can
construct (potentially interactive) proofs for knowing the preimages of hashes.

More information about the bitcoin-dev mailing list