Closed darioAnongba closed 6 years ago
Hi Dario,
What blinding factors are you using for the _pcTo and _pcRemaining? In my RingCT implementation, the blinding factors generated by my scripts do not add up to the sum of the input blinding factors. This is because if they did then RingCT would lose anonymity. What you are doing in your case is fine for just straight CT, but my guess is that you will need to modify my scripts for your use case.
What I have: 10000 H = (8000 H + BF1 * G1) + (2000 H + BF2 * G1); where BF1 + BF2 != 0 mod Ncurve
What you need: 10000 H = (8000 H + BF * G1) + (2000 H + [Ncurve - BF] * G1);
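The two identities above, worked through on secp256k1, as an added example that is not part of the thread, the ct.py scripts or the CTToken.sol contract. It builds Pedersen commitments C(bf, v) = bf*G + v*H in pure Python (no dependencies), then runs the same point-equality check the contract's transfer() performs on sumInputs/sumOutputs: it passes when the output blinding factors sum to the input blinding factors mod the curve order, and fails for the RingCT-style case where they do not. The second generator H is derived here by hashing to the curve; that derivation, and all function names and sample blinding factors, are this example's own assumptions, not ct.py's choices.

```python
"""Pedersen commitments on secp256k1 and the CT balance check from the thread.
Added illustration, not code from ct.py or CTToken.sol. Pure Python 3.8+."""
import hashlib

# secp256k1 parameters (field prime, group order, base point G)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P     # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication; scalars are reduced mod N."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def derive_h(label=b"pedersen-second-generator"):
    """Hash-to-curve for the second generator H, so nobody knows log_G(H).
    Assumption: ct.py fixes its own H; any H with unknown discrete log works here."""
    for i in range(1000):
        digest = hashlib.sha256(label + i.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P
        rhs = (x * x * x + 7) % P
        y = pow(rhs, (P + 1) // 4, P)                 # P % 4 == 3, so this is a sqrt if one exists
        if y * y % P == rhs:
            return (x, y)
    raise RuntimeError("no curve point found")


H = derive_h()


def commit(bf, value):
    """C(bf, value) = bf*G + value*H (bf hides value; value is the token amount)."""
    return add(mul(bf, G), mul(value, H))


def sum_points(points):
    acc = None
    for pt in points:
        acc = add(acc, pt)
    return acc


def balances(input_commitments, output_commitments):
    """The contract's check: sum of input commitments == sum of output commitments."""
    return sum_points(input_commitments) == sum_points(output_commitments)


def blinding_excess(input_bfs, output_bfs):
    """(sum output bfs - sum input bfs) mod N; balances() passes iff this is 0."""
    return (sum(output_bfs) - sum(input_bfs)) % N


if __name__ == "__main__":
    minted = commit(0, 10000)                          # minted with blinding factor 0, as in the thread
    bf = 0x1234_5678_9ABC_DEF0                         # constructed blinding factor for the 8000 output
    print("CT   (BF, N-BF)  :", balances([minted], [commit(bf, 8000), commit(N - bf, 2000)]))
    print("RingCT-style bfs :", balances([minted], [commit(bf, 8000), commit(bf + 1, 2000)]))
```

Running it prints True for the CT split and False for the RingCT-style split: the amounts cancel in both cases (8000 + 2000 = 10000), so the only thing that can break the check is a non-zero blinding excess, which is exactly what ct.py's RingCT-oriented factors leave behind.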
Hi,
Thanks for the quick answer! Indeed I just realized my mistake by reading through this: https://www.elementsproject.org/elements/confidential-transactions/investigation.html
C(BF1, data1) + C(BF2, data2) == C(BF1 + BF2, data1 + data2)
C(BF1, data1) - C(BF1, data1) == 0
Thank you again!
Also, I just realized that if I reuse the same addresses instead of sending amounts to empty addresses, I could run into a problem where an account that constantly receives payments is unable to create a new transaction because between the moment he creates the transaction and the moment it is broadcast on the network, he would need a new blinding factor!
What do you think of this problem?
Yes, I noticed that during development too. This is one reason CT has good synergy with Stealth Addresses. If every transaction has to be to a new and empty address then you don't run into this problem.
Perhaps another solution is to change the committedBalances mapping to (address => uint[]) and keep track of each UTXO separately. For example, each incoming transaction creates a new element in the uint[] array and each outgoing transaction removes certain elements from the array.
The problem with generating a new address for each transaction is that it is not possible to use addresses (standard Ethereum addresses) as reference (some sort of identity).
Yes the second solution is definitely what I will end up doing. It's crazy how the more we advance the more we actually need to recreate the UTXO system of Bitcoin. Satoshi had everything right.
Hi,
I'm Dario, we've exchanged messages via reddit some time ago about confidential transactions. I've now started the implementation and I'm sadly stuck with a problem I don't know how to solve. I've used your solidity contracts and Python scripts to achieve this (they are great!). I was wondering if you could help me on this.
Basically, my implementation is less complex than yours as I can reuse addresses and do not need to use stealth addresses or create a new address for every transaction.
I am currently trying to mint some tokens to some address, create Pedersen commitments (with ct.py), prove that those PCs are positive and transfer the tokens to some other address.
Everything seems to work fine until the transfer() function returns false on this line:
if ((sumInputs[0] != sumOutputs[0]) || (sumInputs[1] != sumOutputs[1])) return false;
I mint 100 tokens (with 2 decimals so 10000) and create Pedersen commitments for values 80 and 20 (with pow10 = 2). The initial blinding factor while minting is 0.
Here is my CTToken.sol contract implementation:
Of course it's no problem if you do not have time to review this. I know I am missing something obvious...
Cheers, Dario