Skip to content

Instantly share code, notes, and snippets.

@visvirial

visvirial/pairing-confidential-tx.mediawiki

Last active April 12, 2020 04:23
Show Gist options
  • Save visvirial/386b1d4d3bc5a40b4c7cb01671c6e31e to your computer and use it in GitHub Desktop.
Save visvirial/386b1d4d3bc5a40b4c7cb01671c6e31e to your computer and use it in GitHub Desktop.
Download ZIP
Raw
pairing-confidential-tx.mediawiki

Idea memo: Pairing-based confidential transactions

We propose a pairing-based confidential transactions.

Table of Contents

Preliminaries

Confidential transaction

Confidential transactions are technologies that hides the amount of bitcoins (or any other cryptocurrencies) transacted from third parties. Confidential transactions utilize Pedersen commitments which is defined as follows. Let G be a base point of a elliptic curve, and H be a point at the same curve whose discrete logarithm to G is not known. Such H can be computed by just hashing the base point G. The Pedersen commitment for a value a, with a blinding factor b is 

  C(a, b) := bG + aH

Intersting fact is that the Pedersen commitment is additive: 

  C(a1, b1) + C(a2, b2) = C(a1+a2, b1+b2)

We ommit now and on the blinding factor b for clarity. If one encodes his amount of bitcoins with the Pedersen commitments, because the sum of the all inputs of a transaction is identical to the sum of all outputs of a transaction, it immediately follows that 

  C(in1) + ... C(inN) = C(out1) + ... C(outN)

So one can prove the total sum of a bitcoins in UTXO set by just showing only the above equation, not the values transactted itself. In this construction, one can set out1 < 0 to mint new coins, which is not allowed by principal. To prevent issue, one should add extra proof named "range proof". Range proofs are key technology of confidential transactions but we do not describe in detail because that will beyond our scope.

Pairing-based cryptography

Pairing is a bilinear function that maps two elliptic curve point to another Group. By bilinearity, the following formula is always holds. 

  e(pG, qG) = e(G, G)^pq

Here, we denote addtively in the input for the Pairing and multiplicative for the output Group.

Pairing-based confidential transactions

In pairing-based confidential transactions, we map the amount as 

  D_r(a) := r^a G

where r is a random number. We here assume that the transaction has just two inputs and outputs. This assumption is not too special, because any transaction can be translated in to this 2-of-to form. Then, 

  e( D_r(a1) + D_r(a2) ) = e( D_r'(a1') + D_r'(a2') )

holds iff a1+a2 = a1'+a2'. So one encodes the amount as D_r, he can prove the sum of inputs and outputs are identical by showing the above pairing.

Remarks

Is range proof needed?

Yes, as ordinally confidential transactions do.

Does this improve something in Bitcoin?

I have no idea. I thought it improves the speed but pairing is too slow generally :( If you find some positive insight, just let me know ⇩⇩⇩.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment