[Bitcoin-development] blind symmetric commitment for stronger byzantine voting resilience (Re: bitcoin taint & unilateral revocability)

Gregory Maxwell gmaxwell at gmail.com
Thu May 16 01:39:58 UTC 2013

On Wed, May 15, 2013 at 6:24 PM, Gavin <gavinandresen at gmail.com> wrote:
> Busy with pre-conference stuff, not following details of this conversation...
> ... but it sounds a lot like the "guy fawkes" protocol Zooko was thinking about a year or so ago.

Sort of, but in a guy fawkes signature you use the commitment to hide
the preimage that proves you had authority to spend a coin.   Adam
proposes you do this in order to hide _which coin you're spending_.

This has obvious anti-DOS complications, but Adam deftly dodged my
initial attempts to shoot him down on these grounds by pointing out
that you could mix blinded and blinded inputs and have priority and
transaction fees come from only the unblinded ones.

Effectively,  it means that so long as you could convince the network
to let you spend some coins, you could also spend other ones along for
the ride and the network wouldn't know which ones those were until it
was too late for it to pretend it never saw them.

I think there are all kinds of weird economic implications to this— a
blinded payment would seem to have a different utility level to an
unblinded one: you can't use it for fees— except you can unblind it at
any time.  And the discontinuousness  ("two types of inputs") and that
it would enable mining gibberish (though perhaps not data storage, if
you see my preimage solution to that) seems awkward and I think I have
to spend some time internalizing it before I can really think through
the implications.

More information about the bitcoin-dev mailing list