Is it possible to create a new address type that uses ring signatures instead?

[dillpicklechips]

It would be very neat if we could move BTC to ring signature addresses like cryptonote and move them back to normal BTC addresses. Or is such a design completely incompatible with how Bitcoin does it?

[1714794923]

1714794923

[1714794923]

1714794923

[1714794923]

1714794923

[1714794923]

1714794923

[gmaxwell]

It would be very neat if we could move BTC to ring signature addresses like cryptonote and move them back to normal BTC addresses. Or is such a design completely incompatible with how Bitcoin does it?

It's perfectly possible, but it has some pretty severe overheads— and the tech is immature and rapidly improving. E.g. Just recently Andytoshi and I invented a way for coins of different values to partially share anonymity sets.

One challenge with all strong privacy systems is that they breaks pruning and increases transaction sizes substantially (4x+ in size for these ring signatures, typically).  Right now a full verifying node in Bitcoin requires on the order of 1GB of storage, if we'd had the bytecoin-ring-signatures from day one and the same traffic it would be more like >100GBytes.

[rapport]

What's a full verifying node?  (The blockchain is much more than 1GB)

[gmaxwell]

What's a full verifying node?  (The blockchain is much more than 1GB)

Nodes currently only store the historical blockchain for serving out to newly initializing peers and for stats queries in the rpc. Since 0.8 the software is restructured so that it never accesses it otherwise, and the next release will likely include a feature to operate with only about 1GB storage.

[Muhammed Zakir]

Nodes currently only store the historical blockchain for serving out to newly initializing peers and for stats queries in the rpc. Since 0.8 the software is restructured so that it never accesses it otherwise, and the next release will likely include a feature to operate with only about 1GB storage.

That would be great and it will solve some problems on syncing Blockchain. Is there anything new in next update other than this?
Kindly,
      MZ

[justusranvier]

I've never seen a good explanation of how ring signatures are actually useful, unless the goal is to be able to reuse pubkeys.

[gmaxwell]

I've never seen a good explanation of how ring signatures are actually useful, unless the goal is to be able to reuse pubkeys.

Huh!? ring signatures do nothing to enable pubkey reuse, and in fact— in the bytecoin ringsignature (BRS) approach all pubkey reuse must be _absolutely_ precluded.

BRS signing effectively allows users form something similar to a CoinJoin but without the other inputs owners participating.

[justusranvier]

I've never seen a good explanation of how ring signatures are actually useful, unless the goal is to be able to reuse pubkeys.

Huh!? ring signatures do nothing to enable pubkey reuse, and in fact— in the bytecoin ringsignature (BRS) approach all pubkey reuse must be _absolutely_ precluded.

BRS signing effectively allows users form something similar to a CoinJoin but without the other inputs owners participating.

I guess the missing piece for me is how they actually are implemented.

The original RSA example where a whileblower signs an email proving they are part of an organization without revealing which individual they are does not sound, at first glance, to be something useful for bitcoin.

If you start with unspent outputs for which you do not initially know the public key that will spend them, why does it matter if that pubkey is revealed at spend time if it will never be reused?

[gmaxwell]

I guess the missing piece for me is how they actually are implemented.
The original RSA example where a whileblower signs an email proving they are part of an organization without revealing which individual they are does not sound, at first glance, to be something useful for bitcoin.

It's very useful— with one addition: The BRS ring-signature also produces a key image which is a deterministic function of the signer's private key, can only be computed with knoweldge of the private key, and is provably linked to the ring signature so you know that the image you received is the image of one of the keys on the ring, though you don't know which.  You then prevent that key image from ever being reused.

[dillpicklechips]

I guess the missing piece for me is how they actually are implemented.
The original RSA example where a whileblower signs an email proving they are part of an organization without revealing which individual they are does not sound, at first glance, to be something useful for bitcoin.

It's very useful— with one addition: The BRS ring-signature also produces a key image which is a deterministic function of the signer's private key, can only be computed with knoweldge of the private key, and is provably linked to the ring signature so you know that the image you received is the image of one of the keys on the ring, though you don't know which.  You then prevent that key image from ever being reused.

What about something like https://bitcointalk.org/index.php?topic=706000.0 or using ring signatures combined with coinjoin to do trustless mixing?

[justusranvier]

The BRS ring-signature also produces a key image which is a deterministic function of the signer's private key, can only be computed with knoweldge of the private key, and is provably linked to the ring signature so you know that the image you received is the image of one of the keys on the ring, though you don't know which.  You then prevent that key image from ever being reused.

Of course that's perfectly clear.

How have we managed to get by as long as we have without the ability to create deterministic key images that can be provably linked to a ring signature?

[DeathAndTaxes]

Who is "we"?  All crypto currencies using ring signatures use a key image otherwise they would be trivial to double spend.

If Alice, Bob, and Charlie all have a 1 BTC output using ring signatures without a key image Alice could simply spend her output three times and it would validate each time as being from the group.

[justusranvier]

There's a relevant effect here akin to Amdahl's law.

Privacy attacks can draw upon quite a few sources of information leakage in a transaction, and the scripts themselves aren't even the largest source (attackers can do quite a lot by simply looking at input and output sizes, without even bothering to look at the scripts).

Fancy new script types might be able to reduce the information leaked by the scripts, but that only improves your privacy by the fraction of the total information leakage the scripts represent.

Presumably ring signatures allow for some new type of transaction structure that leaks less identity information. That's what I was originally asking about, because I haven't seen that explained very well.

[DeathAndTaxes]

They break down outputs into standardized sizes.   The ring set is then other pubkeys which have the unspent outputs of the same size.  For example if you were receiving 123 coins instead of a 123 coin output it could be a 64, 32, 16, 8, 2 and 1 coin output.   Then the 64 coin output is identical to any other unspent 64 coin output (of which there probably are thousands).

[justusranvier]

They break down outputs into standardized sizes.   The ring set is then other pubkeys which have the unspent outputs of the same size.  For example if you were receiving 123 coins instead of a 123 coin output it could be a 64, 32, 16, 8, 2 and 1 coin output.   Then the 64 coin output is identical to any other unspent 64 coin output (of which there probably are thousands).

I like this idea.

How is related to ring signatures?