Bitcoin Forum

Topic: Is it possible to create a new address type that uses ring signatures instead?
#1 dillpicklechips (OP), July 20, 2014, 08:21:51 PM

It would be very neat if we could move BTC to ring signature addresses like cryptonote and move them back to normal BTC addresses. Or is such a design completely incompatible with how Bitcoin does it?
#2 gmaxwell, July 20, 2014, 10:52:22 PM

> It would be very neat if we could move BTC to ring signature addresses like cryptonote and move them back to normal BTC addresses. Or is such a design completely incompatible with how Bitcoin does it?
It's perfectly possible, but it has some pretty severe overheads— and the tech is immature and rapidly improving. E.g. Just recently Andytoshi and I invented a way for coins of different values to partially share anonymity sets.

One challenge with all strong privacy systems is that they break pruning and increase transaction sizes substantially (4x+ in size for these ring signatures, typically). Right now a full verifying node in Bitcoin requires on the order of 1GB of storage; if we'd had the bytecoin ring signatures from day one and the same traffic it would be more like >100GBytes.
#3 rapport, July 21, 2014, 04:25:58 AM

What's a full verifying node?  (The blockchain is much more than 1GB)
#4 gmaxwell, July 21, 2014, 06:36:08 AM

> What's a full verifying node?  (The blockchain is much more than 1GB)
Nodes currently only store the historical blockchain for serving out to newly initializing peers and for stats queries in the RPC. Since 0.8 the software has been restructured so that it never accesses it otherwise, and the next release will likely include a feature to operate with only about 1GB of storage.
#5 Muhammed Zakir, July 22, 2014, 02:21:06 AM

> Nodes currently only store the historical blockchain for serving out to newly initializing peers and for stats queries in the RPC. Since 0.8 the software has been restructured so that it never accesses it otherwise, and the next release will likely include a feature to operate with only about 1GB of storage.

That would be great and it will solve some problems with syncing the blockchain. Is there anything new in the next update other than this?
Kindly,
      MZ

#6 justusranvier, July 23, 2014, 08:51:04 PM

I've never seen a good explanation of how ring signatures are actually useful, unless the goal is to be able to reuse pubkeys.
#7 gmaxwell, July 23, 2014, 11:04:13 PM

> I've never seen a good explanation of how ring signatures are actually useful, unless the goal is to be able to reuse pubkeys.
Huh!? ring signatures do nothing to enable pubkey reuse, and in fact— in the bytecoin ringsignature (BRS) approach all pubkey reuse must be _absolutely_ precluded.

BRS signing effectively allows users to form something similar to a CoinJoin but without the other inputs' owners participating.
#8 justusranvier, July 23, 2014, 11:09:44 PM

> > I've never seen a good explanation of how ring signatures are actually useful, unless the goal is to be able to reuse pubkeys.
> Huh!? ring signatures do nothing to enable pubkey reuse, and in fact— in the bytecoin ringsignature (BRS) approach all pubkey reuse must be _absolutely_ precluded.
>
> BRS signing effectively allows users to form something similar to a CoinJoin but without the other inputs' owners participating.
I guess the missing piece for me is how they actually are implemented.

The original RSA example where a whistleblower signs an email proving they are part of an organization without revealing which individual they are does not sound, at first glance, to be something useful for bitcoin.

If you start with unspent outputs for which you do not initially know the public key that will spend them, why does it matter if that pubkey is revealed at spend time if it will never be reused?
#9 gmaxwell, July 23, 2014, 11:42:28 PM

> I guess the missing piece for me is how they actually are implemented.
> The original RSA example where a whistleblower signs an email proving they are part of an organization without revealing which individual they are does not sound, at first glance, to be something useful for bitcoin.
It's very useful— with one addition: The BRS ring-signature also produces a key image which is a deterministic function of the signer's private key, can only be computed with knowledge of the private key, and is provably linked to the ring signature so you know that the image you received is the image of one of the keys on the ring, though you don't know which. You then prevent that key image from ever being reused.
#10 dillpicklechips (OP), July 24, 2014, 12:34:30 AM

> > I guess the missing piece for me is how they actually are implemented.
> > The original RSA example where a whistleblower signs an email proving they are part of an organization without revealing which individual they are does not sound, at first glance, to be something useful for bitcoin.
> It's very useful— with one addition: The BRS ring-signature also produces a key image which is a deterministic function of the signer's private key, can only be computed with knowledge of the private key, and is provably linked to the ring signature so you know that the image you received is the image of one of the keys on the ring, though you don't know which. You then prevent that key image from ever being reused.

What about something like https://bitcointalk.org/index.php?topic=706000.0 or using ring signatures combined with coinjoin to do trustless mixing?
#11 justusranvier, July 24, 2014, 02:29:14 AM

> The BRS ring-signature also produces a key image which is a deterministic function of the signer's private key, can only be computed with knowledge of the private key, and is provably linked to the ring signature so you know that the image you received is the image of one of the keys on the ring, though you don't know which. You then prevent that key image from ever being reused.
Of course that's perfectly clear.

How have we managed to get by as long as we have without the ability to create deterministic key images that can be provably linked to a ring signature?
#12 DeathAndTaxes, July 24, 2014, 03:47:24 AM

Who is "we"?  All crypto currencies using ring signatures use a key image otherwise they would be trivial to double spend.

If Alice, Bob, and Charlie all have a 1 BTC output using ring signatures without a key image Alice could simply spend her output three times and it would validate each time as being from the group.
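A worked toy implementation of what gmaxwell describes in #9 (a key image fixed by the private key, computable only with it, and provably bound to the ring signature) and of the Alice/Bob/Charlie double-spend scenario in #12. This is an added example, not code from the thread, Bitcoin Core, Bytecoin or CryptoNote. It follows the CryptoNote-style construction (key image I = H_p(P)^x, decoy challenges chosen up front, the real challenge closing the hash sum), but over an assumed toy Schnorr group modulo a 64-bit safe prime instead of ed25519 so it runs with Python's standard library; the group size, hash choices, function names and the `Ledger` class are assumptions for illustration, not anything the thread specifies.

```python
import hashlib, random

rng = random.SystemRandom()

def _probable_prime(n, rounds=24):  # Miller-Rabin with random bases
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64):
    """Safe prime p = 2q+1 and g = 4 (a quadratic residue, so order q). Toy size, NOT secure."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _probable_prime(q) and _probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

P, Q, G = make_group()

def _h(*parts):
    m = hashlib.sha256()
    for part in parts:
        m.update(repr(part).encode() + b"|")
    return int.from_bytes(m.digest(), "big")

def hash_to_point(pub):
    """H_p: pubkey -> order-q element with unknown discrete log (squaring lands in the QR subgroup)."""
    ctr = 0
    while True:
        h = pow(_h("Hp", pub, ctr) % P, 2, P)
        if h > 1:
            return h
        ctr += 1

def keygen():
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def key_image(x, pub):
    """I = H_p(P)^x: fixed by x, needs x to compute, reveals neither x nor the ring position."""
    return pow(hash_to_point(pub), x, P)

def sign(msg, ring, s, x):
    """Signer at index s (owner of ring[s], secret x) signs msg; returns (I, challenges, responses)."""
    n = len(ring)
    image = key_image(x, ring[s])
    qs = [rng.randrange(1, Q) for _ in range(n)]
    ws = [rng.randrange(1, Q) for _ in range(n)]
    L, R = [], []
    for i, pub in enumerate(ring):
        hp = hash_to_point(pub)
        if i == s:
            L.append(pow(G, qs[i], P))
            R.append(pow(hp, qs[i], P))
        else:  # decoys: simulated with challenge ws[i] fixed in advance
            L.append(pow(G, qs[i], P) * pow(pub, ws[i], P) % P)
            R.append(pow(hp, qs[i], P) * pow(image, ws[i], P) % P)
    c = _h("Hs", msg, ring, L, R) % Q
    cs = [ws[i] if i != s else 0 for i in range(n)]
    cs[s] = (c - sum(cs)) % Q  # the real challenge closes the sum
    rs = [qs[i] if i != s else (qs[i] - cs[s] * x) % Q for i in range(n)]
    return image, cs, rs

def verify(msg, ring, sig):
    image, cs, rs = sig
    # Reject images outside the prime-order subgroup: on a group with a cofactor,
    # I times a small-order element passes as a *fresh* image for the same key.
    if not (1 < image < P) or pow(image, Q, P) != 1 or len(cs) != len(ring):
        return False
    L = [pow(G, r, P) * pow(pub, c, P) % P for pub, c, r in zip(ring, cs, rs)]
    R = [pow(hash_to_point(pub), r, P) * pow(image, c, P) % P
         for pub, c, r in zip(ring, cs, rs)]
    return sum(cs) % Q == _h("Hs", msg, ring, L, R) % Q

class Ledger:  # accept a spend only if it verifies and its key image is unseen
    def __init__(self):
        self.spent_images = set()

    def spend(self, msg, ring, sig):
        if not verify(msg, ring, sig) or sig[0] in self.spent_images:
            return False
        self.spent_images.add(sig[0])
        return True
```

Signing the same key into a second, differently composed ring yields the identical key image, so the ledger rejects the second spend without ever learning which of the ring members it was; without the image set, both signatures would verify and Alice could spend her output as many times as she likes. The subgroup check in `verify` is the caveat a practitioner should keep: a verifier that skips it on a group with a cofactor accepts a second, distinct-looking image for the same key.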
#13 justusranvier, July 25, 2014, 03:18:33 AM

There's a relevant effect here akin to Amdahl's law.

Privacy attacks can draw upon quite a few sources of information leakage in a transaction, and the scripts themselves aren't even the largest source (attackers can do quite a lot by simply looking at input and output sizes, without even bothering to look at the scripts).

Fancy new script types might be able to reduce the information leaked by the scripts, but that only improves your privacy by the fraction of the total information leakage the scripts represent.

Presumably ring signatures allow for some new type of transaction structure that leaks less identity information. That's what I was originally asking about, because I haven't seen that explained very well.
#14 DeathAndTaxes, July 25, 2014, 04:34:59 AM

They break down outputs into standardized sizes. The ring set is then other pubkeys which have unspent outputs of the same size. For example if you were receiving 123 coins, instead of a 123 coin output it could be a 64, 32, 16, 8, 2 and 1 coin output. Then the 64 coin output is identical to any other unspent 64 coin output (of which there probably are thousands).
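The denomination splitting described above, as an added example that is not code from the thread, Bytecoin or CryptoNote: it splits an amount into the power-of-two sizes the post uses, and shows that the decoys available for an output are exactly the other unspent outputs of the same denomination, so an unsplit odd amount gets a ring of one. The UTXO pool is constructed sample data and the function names are assumptions.

```python
import random
from collections import Counter

def split_amount(amount):
    """Split an amount into power-of-two denominations, largest first: 123 -> [64, 32, 16, 8, 2, 1]."""
    if amount < 0:
        raise ValueError("negative amount")
    return [1 << bit for bit in range(amount.bit_length() - 1, -1, -1)
            if amount >> bit & 1]

# Constructed sample UTXO pool of (pubkey, amount): many standard-size outputs
# plus one odd 123-coin output that was never split.
SAMPLE_POOL = [("k%03d" % i, amt) for i, amt in enumerate(
    [64] * 40 + [32] * 25 + [16] * 30 + [8] * 50 + [2] * 80 + [1] * 100)]
SAMPLE_POOL.append(("odd", 123))

def decoys_for(pool, own_key, amount):
    """Other unspent outputs of exactly this denomination: the only outputs own_key can hide among."""
    return [pk for pk, amt in pool if amt == amount and pk != own_key]

def anonymity_set_sizes(pool, amount):
    """Per piece of a split payment, how many same-denomination outputs already exist in the pool."""
    counts = Counter(amt for _, amt in pool)
    return {d: counts[d] for d in split_amount(amount)}

def build_ring(pool, own_key, amount, size, seed=0):
    """Pick size-1 same-denomination decoys and shuffle own_key in.
    With too few decoys the ring shrinks; a unique amount yields a ring of one
    (no privacy). Seeded only so the example is reproducible (assumption)."""
    rnd = random.Random(seed)
    decoys = decoys_for(pool, own_key, amount)
    ring = rnd.sample(decoys, min(size - 1, len(decoys))) + [own_key]
    rnd.shuffle(ring)
    return ring
```

The decoy selection here is uniform over same-denomination outputs; how decoys are chosen (age, value distribution) is itself a leakage channel, which is the point justusranvier makes in #13 about scripts being only part of the information an attacker uses.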
#15 justusranvier, July 25, 2014, 11:53:59 AM

> They break down outputs into standardized sizes. The ring set is then other pubkeys which have unspent outputs of the same size. For example if you were receiving 123 coins, instead of a 123 coin output it could be a 64, 32, 16, 8, 2 and 1 coin output. Then the 64 coin output is identical to any other unspent 64 coin output (of which there probably are thousands).
I like this idea.

How is it related to ring signatures?