Re: [bitcoin-dev] Provisions (was: PSA: Taproot loss of quantum protections)

2021-03-20 Thread Andrea Barontini via bitcoin-dev

Hi again Andrew and ZmnSCPxj,

I have dealt with the resources you provided me.

Regarding Provisions I have concentrated my attention on Proof of assets 
and I have to say it has been a good "exercise" for my ZKP learning.


Regarding Jonas Nick's code I'm not sure I would call it "a use of 
Taproot" since -as far as I have understood (perhaps not enough)- 
Taproot's role there is just to provide public keys for the anonymity 
set, so no Taproot core specificities applied to Rings.


Always a pleasure to discover something new and feel a (humble) part of 
a community!


See ya
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Provisions (was: PSA: Taproot loss of quantum protections)

2021-03-17 Thread Andrea via bitcoin-dev

Thanks for your time Andrew and ZmnSCPxj,

Jonas' contrib was also referenced in the Twitter post provided by Andrew, 
but the repetition is an effective underlining of its importance :)


I'm busy-at-work for a couple of days, but I'm planning my weekend spare 
time to deal with infos from both of you... I guess I'll have further 
questions :)



On 17/03/21 05:24, ZmnSCPxj wrote:

> Good morning Andrew and Andrea,
>
> Further afield: https://en.bitcoin.it/wiki/Taproot_Uses
>
> Taproot ring signatures was also asked by Andrea, above page contains this link 
> (have not actually read it myself): https://github.com/jonasnick/taproot-ringsig
>
> Regards,
> ZmnSCPxj




Re: [bitcoin-dev] Provisions (was: PSA: Taproot loss of quantum protections)

2021-03-16 Thread ZmnSCPxj via bitcoin-dev

Good morning Andrew and Andrea,

Further afield: https://en.bitcoin.it/wiki/Taproot_Uses

Taproot ring signatures was also asked by Andrea, above page contains this link 
(have not actually read it myself): https://github.com/jonasnick/taproot-ringsig

Regards,
ZmnSCPxj


Re: [bitcoin-dev] Provisions (was: PSA: Taproot loss of quantum protections)

2021-03-16 Thread Andrew Poelstra via bitcoin-dev

On Tue, Mar 16, 2021 at 03:10:21PM +0100, Andrea via bitcoin-dev wrote:
> 
> Hi! Sorry for the OT, could you provide some references to ring signatures
> over/for/via taproot (I mean the schema or something like that)? And what is
> "Provisions" (the capital letter makes me think it's a product/technology)?
> I'm a rookie following this mailing since just a few months...
>

Thanks for posting such a positive message in an otherwise tense thread :)

Provisions is a scheme for providing proof of ownership of funds, developed
by Dagher et al in 2015 at https://eprint.iacr.org/2015/1008 . The way it
works is to collect all of the Bitcoin outputs which have exposed/known
public keys then associate to these keys a Pedersen commitment which commits
to the outputs' amounts in a homomorphic way.

Homomorphic means that even though the commitments hide what the original
amounts are, anyone can add them together (in some sense) to get a new
commitment to the sum of the original amounts.

So Provisions is essentially a zero-knowledge proof of the following statement

1. I have a commitment to >100BTC (or whatever)...
2. ...which is a sum of commitments of actual UTXO values...
3. ...where these UTXOs come from the set of known-public-key UTXOs...
4. ...and I am able to sign with the public keys associated to them.

which proves ownership of some amount of BTC, without revealing which specific
UTXOs were involved. This zero-knowledge proof can be done fairly efficiently
by exploiting the structure of EC public keys and Pedersen commitments.


Unfortunately, most unspent Bitcoin outputs do not have known public keys,
which means that you can only do a Provisions proof using a small anonymity
set. However, all Taproot outputs, by virtue of having exposed public keys
(which is the point under contention in this thread), will be in the set of
exposed-public-key UTXOs, allowing people to do Provisions proofs where
their anonymity set consists of a large proportion of active coins.


BTW, even without Provisions, there are some similar and simpler things you
can do with Taproot keys along these lines. See for example
https://twitter.com/n1ckler/status/1334240709814136833



-- 
Andrew Poelstra
Director of Research, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

The sun is always shining in space
-Justin Lewis-Webster


