[Bitcoin-development] homomorphic coin value (validatable but encrypted) (Re: smart contracts -- possible use case? yes or no?)

Adam Back adam at cypherspace.org
Tue Oct 1 19:11:43 UTC 2013


Err actually not (efficient) I made a mistake that came out when I started
writing it up about how the t parameter in the proof relates to bitcoin
precision and coin representation (I thought t=2, but t=51).  Damn!  Back to
the not so efficient version (which is more zerocoin-esque in size/cost), or
the more experimental Schoenmaker non-standard p, q non EC one, or other
creative ideas to change the coin representation to simplify the proof (of
which this was a failed attempt).  See the bitcointalk thread for details.

https://bitcointalk.org/index.php?topic=305791.new#new

Adam

On Tue, Oct 01, 2013 at 04:26:03PM +0200, Adam Back wrote:
>On Sun, Sep 29, 2013 at 10:49:00AM -0700, Mark Friedenbach wrote:
>>This kind of thing - providing external audits of customer accounts
>>without revealing private data - would be generally useful beyond
>>taxation. If you have any solutions, I'd be interested to hear them
>>(although bitcoin-dev is probably not the right place yet).
>
>Thanks for providing the impetus to write down the current state, the
>efficient version of which I only figured out a few days ago :)
>
>I have been researching this for a few months on and off, because it seems
>like an interesting construct in its own right, a different aspect of
>payment privacy (eg for auditable but commercial sensistive information) but
>also that other than its direct use it may enable some features that we have
>not thought of yet.
>
>I moved it to bitcointalk:
>
>https://bitcointalk.org/index.php?topic=305791.new#new
>
>Its efficient finally (after many dead ends): approximately 2x cost of
>current in terms of coin size and coin verification cost, however it also
>gives some perf advantages back in a different way - necessary changes to
>schnorr (EC version of Schnorr based proofs) allow n of n multiparty sigs,
>or k of n multiparty sigs for the verification cost and signature size of
>one pair of ECS signatures, for n > 2 its a space and efficiency improvement
>over current bitcoin.
>
>Adam




More information about the bitcoin-dev mailing list