Hello,

A statechain implementation and service co-signs 'backup' (off-chain) transactions to transfer ownership of a UTXO from one owner to the next. As suggested here https://medium.com/@RubenSomsen/statechains-non-custodial-off-chain-bitcoin-transfer-1ae4845a4a39 , this service (the statechain entity or SE) can be engineered to be 'blind' to the transactions it is signing (i.e. it does not and cannot know the details of the transactions it is signing), which can give significant privacy benefits. It would enable more private off-chain coin-swaps, and make collusion more difficult.

The only downside of a blind SE is that it can no longer enforce the rules governing the sequence of backup transactions it co-signs, as owners can ask the SE to co-sign any transaction. So each new owner of a UTXO must receive, store and verify the full sequence of previous owner backup transactions to make sure that no previous owner has asked the SE to sign a transaction that could be used to steal the UTXO. This may end up making wallets more bloated and clunky, given that ownership of a UTXO could change hands thousands of times off-chain.

In the case of a multisig and Schnorr signatures, existing blind Schnorr protocols could be used to implement a blind SE; however, we are opting to use two-party ECDSA (because there is no Schnorr yet, and in any case ECDSA will give a much bigger anonymity set). There is no current 2P ECDSA protocol that enables one of the two signers to be completely blinded, but it seems that this would require only minor modifications to an existing 2P ECDSA scheme (outlined here https://github.com/commerceblock/mercury/blob/master/doc/blind_2p_ecdsa.md based on Lindell 2017 https://eprint.iacr.org/2017/552 ).

Any comments on any of this gratefully received.

Tom
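The post says a blind SE cannot enforce the rules on the backup-transaction sequence, so the receiving wallet must verify the whole chain itself. The following is an added illustration, not code from the post or from the Mercury project; the `BackupTx` fields and the three rules it checks (same UTXO spent, SE co-signature present, one tx per owner with strictly decreasing nLocktime so the newest owner can claim first) are assumptions about the statechain design, and the sample chains are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class BackupTx:
    """Minimal model of one SE-co-signed backup transaction (hypothetical fields)."""
    prev_txid: str   # statechain UTXO being spent
    prev_vout: int
    nlocktime: int   # height before which the backup tx cannot be mined
    payee: str       # owner the backup tx pays
    se_signed: bool  # SE's share of the 2P-ECDSA signature is present

def verify_backup_chain(chain: List[BackupTx], utxo: Tuple[str, int],
                        owners: List[str]) -> Tuple[bool, str]:
    """Verify the full sequence of backup txs handed to a new owner.

    Assumed rules (a blind SE cannot enforce them, so the wallet must):
      1. every backup tx spends the same statechain UTXO and carries the SE's signature
      2. backup tx i pays owner i of the recorded ownership sequence
      3. nLocktime strictly decreases, so the newest owner can always claim first
    Returns (ok, reason).
    """
    if len(chain) != len(owners):
        return False, "expected exactly one backup tx per owner"
    prev_locktime = None
    for i, (tx, owner) in enumerate(zip(chain, owners)):
        if (tx.prev_txid, tx.prev_vout) != utxo:
            return False, f"tx {i} does not spend the statechain UTXO"
        if not tx.se_signed:
            return False, f"tx {i} lacks the SE co-signature"
        if tx.payee != owner:
            return False, f"tx {i} pays {tx.payee}, not owner {owner}"
        if prev_locktime is not None and tx.nlocktime >= prev_locktime:
            return False, (f"tx {i} locktime {tx.nlocktime} not below {prev_locktime}: "
                           "an earlier owner could claim first")
        prev_locktime = tx.nlocktime
    return True, "ok"

# Constructed sample data (not real transactions).
UTXO = ("aa" * 32, 0)
OWNERS = ["alice", "bob", "carol"]
GOOD_CHAIN = [BackupTx(UTXO[0], 0, lt, who, True)
              for lt, who in zip((1000, 990, 980), OWNERS)]
# Bob's backup tx was co-signed with a locktime that does not fall below Alice's.
BAD_CHAIN = [BackupTx(UTXO[0], 0, lt, who, True)
             for lt, who in zip((1000, 1000, 990), OWNERS)]

if __name__ == "__main__":
    print(verify_backup_chain(GOOD_CHAIN, UTXO, OWNERS))
    print(verify_backup_chain(BAD_CHAIN, UTXO, OWNERS))
```

The storage cost the post worries about is visible here: the wallet must keep every `BackupTx` in the chain, which grows by one entry per transfer.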
_______________________________________________ bitcoin-dev mailing list email@example.com https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev