Add commitment opening proofs #6282
Comments
Another option that does not assert minimum value, but does assert commitment spend authority, is to use a However, @stringhandler observed that there are cases where it may not be safe to execute a script to produce its public key for proof verification.
It was suggested by @stringhandler in #6240 to support an "ownership proof" that proves knowledge of the opening of a commitment. While this is what a `CommitmentSignature` is for, its API is outdated and not particularly friendly. It was also suggested that such a proof also assert a minimum value, which could be useful in cases where the prover wishes to reveal a minimal (pun intended) amount of value information about the commitment.
One approach that handles both of these assertions is simply to use the Bulletproofs+ library to generate a minimum-value range proof. This will allow creation of such a proof using a transcript instantiated using a distinct label and arbitrary verifier message, which are important to avoid replay attacks.
It's very important to note that because of the structure of Tari transactions, neither the approach in #6240 nor this Bulletproofs+ suggestion actually prove control of value represented by a commitment. Depending on the structure of an output's script, it could be the case that both the sender and recipient in a transaction know the opening, but only the recipient knows the script private key required to authorize transfer of the corresponding value. Further, unless the verifier is careful to check for spend status, the commitment used in a proof may have already been spent, and is therefore no longer in the prover's control. Rather, such proofs only show visibility into the value represented by the commitment, but not necessarily anything else.
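
The replay point above, as an added example that is not part of the original issue and is not Tari or Bulletproofs+ code: a Schnorr-style proof of knowledge of a commitment opening whose challenge is bound to a domain label and a verifier-chosen message. It assumes a toy group and a hypothetical label `LABEL`, asserts no minimum value, and, as the issue notes, shows only knowledge of the opening, not spend authority.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G and H are squares mod P, so both have order Q.
P, Q, G, H = 2039, 1019, 4, 9
LABEL = b"example.commitment-opening-proof.v1"  # hypothetical domain-separation label


def commit(value: int, mask: int) -> int:
    """Pedersen-style commitment C = G^value * H^mask mod P."""
    return pow(G, value, P) * pow(H, mask, P) % P


def challenge(label: bytes, verifier_msg: bytes, c: int, t: int) -> int:
    """Fiat-Shamir challenge over label, verifier message, commitment and nonce commitment."""
    h = hashlib.sha256()
    for part in (label, verifier_msg, c.to_bytes(2, "big"), t.to_bytes(2, "big")):
        h.update(len(part).to_bytes(4, "big") + part)  # length prefix: unambiguous framing
    return int.from_bytes(h.digest(), "big") % Q


def prove_opening(value: int, mask: int, label: bytes, verifier_msg: bytes):
    """Prove knowledge of (value, mask) for C = commit(value, mask) without revealing them."""
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)  # fresh nonces for every proof
    t = commit(a, b)
    e = challenge(label, verifier_msg, commit(value, mask), t)
    return t, (a + e * value) % Q, (b + e * mask) % Q


def verify_opening(c: int, proof, label: bytes, verifier_msg: bytes) -> bool:
    """Accept iff G^s1 * H^s2 == T * C^e, with e recomputed from the verifier's own inputs."""
    t, s1, s2 = proof
    if not (0 < c < P and 0 < t < P):
        return False
    e = challenge(label, verifier_msg, c, t)
    return commit(s1, s2) == t * pow(c, e, P) % P


if __name__ == "__main__":
    value, mask = 250, secrets.randbelow(Q)  # constructed sample opening
    c = commit(value, mask)
    proof = prove_opening(value, mask, LABEL, b"verifier-nonce-1")
    print("same label and message:", verify_opening(c, proof, LABEL, b"verifier-nonce-1"))
    # A captured proof replayed to a verifier that chose a different message gets a
    # different challenge; in this toy group it still collides with probability ~1/Q.
    print("replayed to other message:", verify_opening(c, proof, LABEL, b"verifier-nonce-2"))
```
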