UkoeHB opened this issue 2 years ago
Lately I have been thinking about proof dependencies, and wonder what your thoughts are.
A proof dependency is all the 'data' that must be determined before a proof challenge is made. In the Fiat-Shamir model, it would be all the 'data' that goes into the challenge hash (e.g. the message that the proof 'signs', as in typical Schnorr signatures).
I think these points must be met:
These dependencies are less strict than those typically found in private crypto protocols. Usually, an ownership proof is expected to sign all transaction data. However, in Seraphis, if all tx data is signed by ownership proofs, then features like membership proof delegation and collaborative funding would become either infeasible or much less useful.
Thanks!
{G_0, G_1} and {H_0, H_1} have unknown DL relation to each other. I'll check if setting G_0 = H_0 affects security.

C' - C and K'^o - K^o, hence requiring t_c and t_k. Also, TX chaining.

Am I right that in proof dependency, two or more players "collaborate" in making the tx? If yes, I assume that the security properties are flexible enough to allow that. I'll reply if it turns out they're not. Overall, I'll prove properties in that instance of Seraphis, then we put the "other cases" in the Discussions section.
Am I right that in proof dependency, two or more players "collaborate" in making the tx?
Proof dependency is adjacent to multiple players collaborating. It is more exactly about 'the order of events'. If proofs are minimally co-dependent, then you can make tx components with different orderings (e.g. sign ownership/unspentness proofs before creating membership proofs, which is necessary for tx chaining).
Proof dependency also has a teleological dimension. When you authorize transfer of funds, what is your 'purpose/intent'? I am arguing your intent is to transfer funds from one e-note into a set of output e-notes, with attached messages. Your intent is not necessarily 'to construct this transaction', which is more like a composition of smaller intentions (abstractly). This means an ownership proof only needs to 'sign' or 'commit to' the single owned e-note, the full set of tx outputs, and the tx memos.
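As an added worked example (not code from this thread or from the Seraphis project): a Schnorr ownership proof whose Fiat-Shamir challenge hashes exactly the dependencies named in the reply above (the one owned e-note, the full output set, the memos) and nothing about the membership ring, placed next to the conventional "sign the whole transaction" variant for contrast. Assumptions: Ed25519 parameters stand in for whatever group the protocol actually uses, the transaction fields, byte-string labels and hash domain string are constructed for illustration, and e-notes, outputs and memos are treated as opaque byte strings.

```python
import hashlib
import secrets

# Ed25519 parameters (RFC 8032), used here only as a well-known prime-order group.
FP = 2**255 - 19
D = (-121665 * pow(121666, -1, FP)) % FP
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point

def ed_add(p1, p2):
    """Complete twisted-Edwards addition (a = -1) in affine coordinates."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % FP
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, FP) % FP
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, FP) % FP
    return x3, y3

def ed_mul(n, point):
    """Double-and-add scalar multiplication; (0, 1) is the identity."""
    acc = (0, 1)
    while n:
        if n & 1:
            acc = ed_add(acc, point)
        point = ed_add(point, point)
        n >>= 1
    return acc

def base_point():
    """Recover the standard base point from y = 4/5 with even x, as RFC 8032 decoding does."""
    y = 4 * pow(5, -1, FP) % FP
    u = (y * y - 1) * pow(D * y * y + 1, -1, FP) % FP
    x = pow(u, (FP + 3) // 8, FP)
    if (x * x - u) % FP:
        x = x * pow(2, (FP - 1) // 4, FP) % FP  # multiply by sqrt(-1)
    return (FP - x if x & 1 else x, y)

B = base_point()

def encode(items) -> bytes:
    """Count- and length-prefix a list of byte strings so concatenation is unambiguous."""
    out = len(items).to_bytes(4, "big")
    for item in items:
        out += len(item).to_bytes(4, "big") + item
    return out

def challenge(big_r, pubkey, deps: bytes) -> int:
    """Fiat-Shamir challenge over the nonce commitment, the key and ONLY the declared dependencies."""
    pts = b"".join(c.to_bytes(32, "little") for c in (*big_r, *pubkey))
    h = hashlib.sha256(b"example-ownership-proof-v1" + pts + deps)  # constructed domain string
    return int.from_bytes(h.digest(), "big") % L

def keygen():
    k = secrets.randbelow(L - 1) + 1
    return k, ed_mul(k, B)

def ownership_dependencies(tx: dict) -> bytes:
    """What the ownership proof commits to: the one owned e-note, all outputs, all memos. No ring."""
    return encode([tx["owned_enote"]]) + encode(tx["outputs"]) + encode(tx["memos"])

def strict_dependencies(tx: dict) -> bytes:
    """The conventional 'sign the whole tx' rule, for contrast: the membership ring is bound too."""
    return ownership_dependencies(tx) + encode(tx["membership_ring"])

def prove_ownership(k: int, pubkey, deps: bytes):
    """Schnorr proof of the owner key: c = H(R, K, deps), s = r + c*k (mod L)."""
    r = secrets.randbelow(L - 1) + 1
    c = challenge(ed_mul(r, B), pubkey, deps)
    return c, (r + c * k) % L

def verify_ownership(pubkey, deps: bytes, proof) -> bool:
    """Recompute R = s*B - c*K and check it reproduces the challenge over the claimed deps."""
    c, s = proof
    big_r = ed_add(ed_mul(s, B), ed_mul((-c) % L, pubkey))
    return c == challenge(big_r, pubkey, deps)

def run_example() -> dict:
    """Prove once, then swap the ring (should still verify) and the outputs (should not)."""
    k, pubkey = keygen()
    tx = {  # constructed sample transaction
        "owned_enote": b"enote-A",
        "outputs": [b"output-1", b"output-2"],
        "memos": [b"memo-1"],
        "membership_ring": [b"decoy-1", b"enote-A", b"decoy-2"],
    }
    minimal = prove_ownership(k, pubkey, ownership_dependencies(tx))
    strict = prove_ownership(k, pubkey, strict_dependencies(tx))
    other_ring = {**tx, "membership_ring": [b"decoy-3", b"decoy-4", b"enote-A"]}
    other_outputs = {**tx, "outputs": [b"output-1", b"output-X"]}
    return {
        "minimal_same_ring": verify_ownership(pubkey, ownership_dependencies(tx), minimal),
        "minimal_new_ring": verify_ownership(pubkey, ownership_dependencies(other_ring), minimal),
        "minimal_new_outputs": verify_ownership(pubkey, ownership_dependencies(other_outputs), minimal),
        "strict_same_ring": verify_ownership(pubkey, strict_dependencies(tx), strict),
        "strict_new_ring": verify_ownership(pubkey, strict_dependencies(other_ring), strict),
    }
```

Running `run_example()` shows the ordering point: with the minimal dependency set the ring can be chosen (or delegated) after the ownership proof is made and the proof still verifies, while the strict variant is invalidated the moment the ring changes. Changing an output invalidates both, because the output set is a dependency in either rule.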
If proofs are minimally co-dependent, then you can make tx components with different orderings...
I think I got it. I'll indicate somewhere that producing proofs can be of any order. Also, for each proving system, I'll add a step like "If <required object> is not found, generate it."
To be clear, can 2 signers agree to construct a transaction and commit to membership sets before knowing the other's set? In other words, with the way the dependencies are currently set up, can we do interactive mixing after hiding the true spend within a ring?
To be clear, can 2 signers agree to construct a transaction and commit to membership sets before knowing the others set?
I think so? It has now been enough months that I don't completely remember the protocol.
@coinstudent2048
Feedback for A Report on Seraphis.
{G_0, G_1} can overlap with {H_0, H_1}. It's only within the sets that unknown DL relation is necessary. In practice, G_0 = H_0 = G.

Overall this report is great, I had a fun time reading it :)