Discussion: A Report on Seraphis

[UkoeHB]

@coinstudent2048

Feedback for A Report on Seraphis.

• 1.1
  • Generators in {G_0, G_1} can overlap with {H_0, H_1}. It's only within the sets that unknown DL relation is necessary. In practice, G_0 = H_0 = G.
• 2
  • Mandatory change output: This isn't 'required' by Seraphis, but I agree that in practice it is good to mandate that tx have a minimum of 2 outputs (there is also the supporting discussion in Seraphis section 4.2.1).
  • Yep this looks good. I'll just note that some potential address schemes modify the hash content for steps 4-6 to create different dependencies.
• 2.5
  • typo: nomimal -> nominal
• 3
  • I know this section is just a draft. Is a subsection for ownership/unspentness proofs missing?

Overall this report is great, I had a fun time reading it :)

[UkoeHB]

Lately I have been thinking about proof dependencies, and wonder what your thoughts are.

A proof dependency is all the 'data' that must be determined before a proof challenge is made. In the Fiat-Shamir model, it would be all the 'data' that goes into the challenge hash (e.g. the message that the proof 'signs', as in typical Schnorr signatures).

I think these points must be met:

• Goals:
  • If you spend an e-note, then you must authorize fund transfer from one e-note into a set of output e-notes. You must also authorize any 'messages' attached to that fund transfer (i.e. any memos found in the tx [with the caveat that messages embedded in proof structures don't have to be authorized]).
  • A transaction must be unmalleable once it's transaction hash has been set. A tx in the ledger should have exactly one canonical serialization.
  • A transaction must only be malleable by people who participate in tx construction (involved in making proofs, or know proof secrets).
• Dependencies:
  • membership proof: the proof's set of referenced e-notes, the proof's corresponding e-note image
  • image proof (ownership/unspentness): the relevant e-note image, all output e-notes (but not the tx fee), all arbitrary memos in the tx
  • balance proof (range proofs and balance signature if necessary): all e-note images, all output e-notes, the tx fee
  • other: any data not mentioned, but which affects the tx hash, must be made a dependency of one of the proofs

These dependencies are less strict that typically found in private crypto protocols. Usually, an ownership proof is expected to sign all transaction data. However, in Seraphis, if all tx data is signed by ownership proofs, then features like membership proof delegation and collaborative funding would become either infeasible or much less useful.

[coinstudent2048]

Thanks!

• I'll just write: "Let ... be generators in G such that elements within the sets {G_0, G_1} and {H_0, H_1} have unknown DL relation to each other. I'll check if setting G_0=H_0 affects security.
• Mandatory change output: this may actually affect my security analysis, that's why I include it for now.
• For steps 4-6, we can add another paragraph note at the end of Section 2.
• Ownership/unspentness proofs is Section 2.1. I suggest moving the membership proofs below, because Groth-Bootle proving relation seems to do C' - C and K'^o - K^o, hence requiring t_c and t_k. Also, TX chaining.

Am I right that in proof dependency, two or more players "collaborate" in making the tx? If yes, I assume that the security properties are flexible enough to allow that. I'll reply if it turns out they're not. Overall, I'll proof properties in that instance of Seraphis, then we put the "other cases" in the Discussions section.

[UkoeHB]

Am I right that in proof dependency, two or more players "collaborate" in making the tx?

Proof dependency is adjacent to multiple players collaborating. It is more exactly about 'the order of events'. If proofs are minimally co-dependent, then you can make tx components with different orderings (e.g. sign ownership/unspentness proofs before creating membership proofs, which is necessary for tx chaining).

Proof dependency also has a teleological dimension. When you authorize transfer of funds, what is your 'purpose/intent'? I am arguing your intent it to transfer funds from one e-note into a set of output e-notes, with attached messages. Your intent is not necessarily 'to construct this transaction', which is more like a composition of smaller intentions (abstractly). This means an ownership proof only needs to 'sign' or 'commit to' the single owned e-note, the full set of tx outputs, and the tx memos.

[coinstudent2048]

If proofs are minimally co-dependent, then you can make tx components with different orderings...

I think I got it. I'll indicate somewhere that producing proofs can be of any order. Also, for each proving system, I'll add a step like "If <required object> is not found, generate it.".

[jeffro256]

To be clear, can 2 signers agree to construct a transaction and commit to membership sets before knowing the others set? In other words, with the way the dependencies are currently set up, can we do interactive mixing after hiding the true spend within a ring?

[UkoeHB]

To be clear, can 2 signers agree to construct a transaction and commit to membership sets before knowing the others set?

I think so? It has now been enough months that I don't completely remember the protocol.