Confidential transaction
OR proof
Say I want to prove to you that C is in the range [0, 32). Now that we
have an OR proof, imagine I send you a collection of commitments and OR
proofs for each of them:
C1 is 0 or 1
C2 is 0 or 2
C3 is 0 or 4
C4 is 0 or 8
C5 is 0 or 16
If I pick the blinding factors for C1..5 correctly then I can arrange
it so that C1 + C2 + C3 + C4 + C5 == C. Effectively I have built up
the number in binary, and a 5-bit number can only be in the range [0,32).
Why a single OR proof works: with C = xG + aH, set C' = C - 1H. If a = 1 then C' = xG, so the prover can produce a signature (a Schnorr-style proof of knowledge) under the secret key x for the key C'. If a = 0, then C itself equals xG and the prover can sign for C instead. An OR proof shows that the prover can sign for C or for C - 1H without revealing which, i.e. that a is 0 or 1.
RingCT combines ring signatures with CT: a ring signature over the two candidate keys (C and C - vH) is exactly this OR proof, which is the older range-proof construction described above.
This range-proof part is what was later replaced by the Bulletproof range proof.
This ring signature is a separate thing from the ring signature Monero uses to hide the sender.
Sending confidential transaction amount to the receiver
bulletproof
By Adam
CT range proofs, which MW relies on, bullet proofs, AOS ring sigs, borromean rings, surjection proofs (all things related to @Blockstream liquid/elements and used by some alts) have no trap door system params, and rely on conservative ECDL, standard hardness assumptions.
SNARKs are exciting crypto building blocks developed by top academics, but have trapdoor setup, new/experimental hardness assumptions, and so crypto risk, and in Bitcoin context, scaling issue with ever growing UTXO state. Alts based on that have made that risk trade-off.
Specifically crypto schemes using trapdoor functions, which are only secure if the private key to the function is actually deleted, which creates the problem of who does one trust to delete it. There are multi-party computation setups but still hard to prove it was deleted.
references
【暗号通貨輪読会#14】(Cryptocurrency Reading Group #14) confidential transaction