Lava LV
基于容量证明(Proof-of-Capacity, PoC)的数字加密基础设施。
【科普】机密资产Confidential Asset白皮书(1)
Lava社区

-2020年的第212天-

文章来源:LAVA(中国)

 官网:http://lavatech.org/


// 前言

/// 

Confidential Asset

【机密资产(Confidential Assets)】是由Blockstream于2017年公布的前沿比特币隐私保护技术。Blockstream发布了一份白皮书,由其开发员Andrew Poelstra、Adam Back、Mark Friedenbach、Greg Maxwell、Pieter Wuille联合署名。


利用机密资产技术,区块链浏览者可以看到交易发送方和接收方,但无法看到交易资产类型,例如也许是比特币、股票、黄金或其他类型,保护了链上交易内容的隐私性。同时,机密资产也是2020年Lava的重要技术发展之一。


Lava作为首个运用机密资产技术的PoC共识项目,有责任也有义务对其概念在国内进行推广和科普。因此,Lava将对机密资产的英文白皮书进行翻译和整理发布,成为国内机密资产技术的布道者。


*白皮书内容将分为多期在公众号及各平台内进行翻译,欢迎大家转发及推广,最终会在官网上传一份完整中文文档以供所有人查看。





Confidential Assets

机密资产

原文作者:Andrew Poelstra, Adam Back, Mark Friedenbach, Gregory Maxwell, and Pieter Wuille from Blockstream


摘要:


比特币是一种在线分布式账本,其中代币根据未用完的交易输出(UTXO)集进行分配,而交易的信息也在集中变更。每个UTXO都关联有一个数量和签名的验证密钥,分别代表可以消费的数量和授权这样做的实体。由于账本是分布式的并且可以公开验证,因此每个UTXO(以及所有更改的历史记录)都是公开可用的,并且可以用于分析所有用户的付款历史记录。尽管此历史记录没有以任何方式直接链接到用户,但在该结构中即使少量的个人身份信息被暴露也可能会完全破坏用户的隐私。此外,追踪代币历史记录的能力为“干净”的代币创造了市场,从而损害了基础资产的可替代性。


在本文中,我们描述了一种加密交易方案,该方案隐藏了所有UTXO的金额,同时保留了公开可验证性,即没有一笔交易会增加或减少代币。它从交易流程图中删除了大量信息,从而提高了隐私性和可替代性,而无需进行可信的设置或特殊的加密假设。


我们将其进一步扩展到加密资产,一种基于单个区块链账本可以跟踪多种资产类型的方案。我们将加密交易扩展到不仅可以隐藏输出金额,还可以隐藏资产类型,从而提高所有资产的隐私性和非特异性(fungibility)。


1、介绍



比特币于2009年部署,是一种不需要可信赖的发行者或交易处理者的网络货币,通过称为区块链的可公开验证的分布式账本来工作。 区块链包含自成立以来的每一笔交易,最终状态为未用完的交易输出集(UTXO集),该输出集描述了所有代币的数量和所有者。


每个UTXO都包含一个金额和一个验证密钥; 交易会销毁现有的UTXO,并创建新的相等或更少的总金额,并且必须使用与每个销毁的UTXO关联的密钥进行签名。 该模型允许所有用户验证交易的正确性,而无需依靠任何交易处理者的诚实或可靠。 但是,这种模型对用户的隐私造成了巨大的损失,因为每笔交易都将被永久保存,从而直接或间接地暴露了大量的信息。


有一种掩盖交易结构的建议是CoinJoin,它允许用户交互地组合交易,从而使哪些输入映射到哪些输出变得模糊。 但是由于交易金额是公开的,因此虽然在统计学意义上,这些映射是不能恢复的,但是仍然很难使用CoinJoi来掩盖交易结构。除非所有输出量都相同,否则它们是可区分的并且可以被分组。


我们提出了一种方案可以部分解决暴露交易数据的问题,该方案隐藏了所有输出的金额,同时保留了对总输出金额等于总输入金额这一事实的公开可验证性。Maxwell 非正式地描述了这种称为加密交易的解决方案,并将其部署在Elements Alpha侧链上超过一年。 简而言之,每个显式UTXO量都由对该量的同态承诺代替。 由于这些数量在有限环而不是整数集合上是同态的,因此我们还为每个输出附加了范围证明,以防止与溢出相关的攻击


首先,我们对加密交易进行形式化和改进,描述为在Elements Alpha中使用的基础环状签名的空间优化。 然后,我们将加密交易扩展到一个新的方案,即加密资产,该方案进一步支持单个交易中的多种资产类型。 我们保留公开的可验证性,即没有资产被增加或减少,同时隐藏了输出金额和输出资产类型。


相关工作:


2013年,Friedenbach和Tiḿon的Freimarkets 描述了多资产区块链,尽管所支持的资产不是加密的;也就是说,所有交易输入和输出的金额和资产标签都是公开可见的。


在比特币之上支持资产发行的方案通过“染色币”被提出来,该方案是对单个代币进行标记,以使它们可被识别为代表不同资产类型的方式。 实际上,它是通过利用比特币的不完美的非特异性来工作的。


以太坊使用其智能合约语言直接支持资产发行,并用一种标准的方式来确保与支持软件的互操作性。 与上述方案一样,并不会尝试混淆资产类型或其金额。


ZCash是最近公布的一个加密货币项目,它支持隐藏金额以及有关交易输入和输出的任何其他标识信息。 尽管它使用zk-SNARKs(它们是通用的零知识参数),但它不支持多种资产,这意味着很难扩展其他资产支持。


但是,ZCash的隐私要付出高昂的代价:底层的SNARKs使用受信任的设置(trusted setup),这意味着它是由多方共同发起的,能够共同悄悄地对货币进行通货膨胀; 它依赖于新颖的密码学假设并且它的零知识证明计算起来很慢。 相比之下,本文描述的方案仅依赖于复杂的椭圆曲线离散对数(ECDL)和随机预言模型,并且所有计算都涉及少量和标准的椭圆曲线运算(例如,不存在配对)。


致谢:


我们感谢本·戈里克(Ben Gorlick)对机密资产系统的实际要求,技术审查以及对系统设计反馈的投入。


英文原文







Confidential Assets

Andrew Poelstra, Adam Back, Mark Friedenbach, Gregory Maxwell, and Pieter Wuille


Blockstream


{apoelstra, adam, mark, gmaxwell,pwuille}@blockstream.com


Abstract


Bitcoin is an online distributed ledger in which coins are distributed according to the unspent transaction output (UTXO) set, and transactions describe changes to this set. Every UTXO has associated to it an amount and signature verification key, representing the quantity that can be spent and the entity authorized to do so, respectively.


Because the ledger is distributed and publicly verifiable, every UTXO (and the history of all changes) is publicly available and may be used for analysis of all users payment history. Although this history is not directly linked to users in any way, it exposes enough structure that even small amounts of personally identifiable information may completely break users  privacy. Further, the ability to trace coin history creates a market for clean  coins, harming the fungibility of the underlying asset.  


In this paper we describe a scheme, confidential transactions, which blinds the amounts of all UTXOs, while preserving public verifiability that no transaction creates or destroys coins. This removes a significant amount of information from the transaction graph, improving privacy and fungibility without a trusted setup or exotic cryptographic assump- tions.


We further extend this to confidential assets, a scheme in which a single blockchain-based ledger may track multiple asset types. We extend con- fidential transactions to blind not only output amounts, but also their asset type, improving the privacy and fungibility of all assets.


i.Introduction


Deployed in 2009, Bitcoin is an online currency with no trusted issuer or transaction processor, which works by means of a publicly verifiable distributed ledger called a blockchain. The blockchain contains every transaction since its inception, resulting in a final state, the unspent transaction output set (UTXO set), which describes the amounts and owners of all coins.


Each UTXO contains an amount and a verification key; transactions destroy UTXOs and create new ones of equal or lesser total amount, and must be signed with the keys associated to each destroyed UTXO. This model allows all users to verify transaction correctness without trusting any payment processor to be honest or reliable. However, this model has a serious cost to user privacy, since every transaction is preserved forever, exposing significant amounts of informa- tion directly and indirectly.


One suggestion to obscure to obscure transaction structure is CoinJoin,which allows users to interactively combine transactions, obscuring which inputs map to which outputs. However, because transaction amounts are exposed, it is difficult to use CoinJoin in such a way that these mappings cannot be recovered, at least in a statistical sense. In particular, unless all output amounts are the same, they are distinguishable and may be grouped.


We propose a partial solution to the exposure of transaction data, which blinds the amounts of all outputs, while preserving public verifiability of the fact that the total output amount is equal to the total input amount. This solution, termed confidential transactions, has been described informally by Maxwell and deployed on the Elements Alpha sidechain for over a year. In brief, each explicit UTXO amount is replaced by a homomorphic commitment to the amount. Since these amounts are homomorphic over a finite ring rather than the set of integers, we also attach a rangeproof to each output to prevent attacks related to overflow.


First, we formalize and improve confidential transactions, describing a space optimization of the underlying ring signature used in Elements Alpha. Then we extend confidential transactions to a new scheme, confidential assets, which further supports multiple asset types within single transactions. We retain public verifiability that no assets are created or destroyed, while hiding both the output amount(s) and the output asset type(s).


Related Work


Multi-asset blockchains were described in 2013 in Friedenbach and Tim´on’s Freimarkets, though the supported assets were not confidential; that is, the amounts and asset tags of all inputs and outputs of transactions are publicly visible.


Support for asset issuance on top of Bitcoin has been proposed by means of colored coins, a scheme in which individual coins are marked in such a way that they are identifiable as representing distinct asset types by exploiting Bitcoin’s imperfect fungibility.


Ethereum directly supports asset issuance using its smart contracting language, and has a standard means to do so which ensures interoperability with supporting software. Like the above schemes, no attempt is made to obfuscating either the asset types or their amounts. 



ZCash is a recently announced cryptocurrency project which supports blinding of amounts, as well as any other identifying information about transaction inputs and outputs. It does not support multiple assets, though its use of zk-SNARKs, which are general-purpose zero-knowledge arguments, mean that asset support would not be a difficult extension.


However, ZCash’s privacy comes at a significant cost: the underlying SNARKs use a trusted setup, meaning it is initialized by multiple parties who are able to collude to silently inflate the currency; it relies on novel cryptographic assumptions; its zero-knowledge proofs are very slow to compute. 


To contrast, the scheme described in this paper relies only on elliptic curve discrete logarithm(ECDL) being hard and the random oracle model, and all computations involve few and standard elliptic curve operations (e.g. no pairings).


Acknowledgements


We thank Ben Gorlick for his input on the practical re- quirements of a confidential assets-based system, and his technical review, and feedback on the systems design.




原文链接

https://blockstream.com/bitcoin17-final41.pdf



了解更多

【科普】CA方案能为Lava带来什么好处?

【科普】CA方案有哪些应用场景?

【剖析】为什么Lava选择Confidential Asset作为STO解决方案?

【科普】一文读懂零知识证明(一)

【科普】一文读懂零知识证明(二)

【科普】一文读懂零知识证明(三)





加入我们 

LAVA的去中心化金融生态


Twitter

https://twitter.com/LavaConsortium


Facebook

https://www.facebook.com/LavaStorage/


Medium

https://medium.com/@Lavatech


Github

https://www.github.com/lavaio


Telegram 

https://t.me/lavatech


Weibo

https://weibo.com/p/1005055334107726


Wechat

LAVA_Community




#隐私交易##PoC##比特币#



2020年07月31日 17:58图文分享