tari-project / tari

The Tari protocol
https://tari.com
BSD 3-Clause "New" or "Revised" License
357 stars 220 forks

Add commitment opening proofs #6282

Open AaronFeickert opened 7 months ago

AaronFeickert commented 7 months ago

It was suggested by @stringhandler in #6240 to support an "ownership proof" that proves knowledge of the opening of a commitment. While this is what a CommitmentSignature is for, its API is outdated and not particularly friendly. It was also suggested that such a proof also assert a minimum value, which could be useful in cases where the prover wishes to reveal a minimal (pun intended) amount of value information about the commitment.

One approach that handles both of these assertions is simply to use the Bulletproofs+ library to generate a minimum-value range proof. This will allow creation of such a proof using a transcript instantiated using a distinct label and arbitrary verifier message, which are important to avoid replay attacks.

It's very important to note that because of the structure of Tari transactions, neither the approach in #6240 nor this Bulletproofs+ suggestion actually prove control of value represented by a commitment. Depending on the structure of an output's script, it could be the case that both the sender and recipient in a transaction know the opening, but only the recipient knows the script private key required to authorize transfer of the corresponding value. Further, unless the verifier is careful to check for spend status, the commitment used in a proof may have already been spent, and is therefore no longer in the prover's control. Rather, such proofs only show visibility into the value represented by the commitment, but not necessarily anything else.

AaronFeickert commented 7 months ago

Another option that does not assert minimum value, but does assert commitment spend authority, is to use a CommitmentAndPublicKeySignature, which proves knowledge of a commitment opening and script private key.

However, @stringhandler observed that there are cases where it may not be safe to execute a script to produce its public key for proof verification.
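The two constructions discussed in this thread, a transcript-bound proof of knowledge of a commitment opening (first comment) and its AND-composition with proof of knowledge of a script private key, the idea behind a commitment-and-public-key signature (second comment), as an added toy example that is not Tari or tari-crypto code. It works in a small prime-order subgroup of Z_p^* with constructed parameters instead of Ristretto, the function names (`prove`, `verify`, `commit`, `demo`) and transcript labels are this example's own, and it asserts no minimum value; it also shows why the verifier's own message and the domain label must enter the challenge, and that a passing proof says nothing about spend status or script control, as the first comment cautions.

```python
"""Toy sigma-protocol proof of knowledge of a Pedersen commitment opening,
optionally combined with proof of knowledge of a script private key, with a
Fiat-Shamir transcript bound to a domain label and a verifier message.
Added example, not Tari code: small prime-order subgroup of Z_p^* with
constructed parameters instead of Ristretto, and no minimum-value assertion."""
import hashlib
import secrets

# Constructed toy parameters: MOD = 2^64 - 2^32 + 1 is prime and MOD - 1 is
# divisible by the prime ORDER = 65537. Far too small for real use; only the
# structure of the protocol is being illustrated.
MOD = 2**64 - 2**32 + 1
ORDER = 65537
COFACTOR = (MOD - 1) // ORDER

def hash_to_group(label: bytes) -> int:
    """Derive a subgroup generator from a label (nothing-up-my-sleeve), so no
    party knows a discrete-log relation between G and H."""
    counter = 0
    while True:
        digest = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        elem = pow(int.from_bytes(digest, "big") % MOD, COFACTOR, MOD)
        if elem > 1:  # cofactor exponentiation lands in the subgroup; skip 0, 1
            return elem
        counter += 1

G = hash_to_group(b"toy-generator-G")
H = hash_to_group(b"toy-generator-H")

def in_subgroup(x: int) -> bool:
    """Verifier-side check: reject anything outside the prime-order subgroup."""
    return 0 < x < MOD and pow(x, ORDER, MOD) == 1

def commit(value: int, blinding: int) -> int:
    """Pedersen commitment, multiplicative form of C = value*G + blinding*H."""
    return (pow(G, value % ORDER, MOD) * pow(H, blinding % ORDER, MOD)) % MOD

def challenge(label: bytes, verifier_msg: bytes, elements: list) -> int:
    """Fiat-Shamir challenge over a length-prefixed transcript: domain label,
    the verifier's one-time message and every group element in the proof.
    Changing any of these changes the challenge, which is what prevents a
    proof made for one verifier or protocol from being replayed to another."""
    t = hashlib.sha256()
    for item in (label, verifier_msg):
        t.update(len(item).to_bytes(2, "big") + item)
    for el in elements:
        t.update(el.to_bytes(8, "big"))
    return int.from_bytes(t.digest(), "big") % ORDER

def prove(value, blinding, label, verifier_msg, script_key=None):
    """Prove knowledge of (value, blinding) opening C; with script_key, also
    prove knowledge of x for pubkey = G^x under the same challenge (the AND
    composition behind a commitment-and-public-key signature)."""
    C = commit(value, blinding)
    a, b = secrets.randbelow(ORDER), secrets.randbelow(ORDER)
    elements = [C, commit(a, b)]
    if script_key is not None:
        k = secrets.randbelow(ORDER)
        elements += [pow(G, script_key % ORDER, MOD), pow(G, k, MOD)]
    e = challenge(label, verifier_msg, elements)
    proof = {"R": elements[1], "s_v": (a + e * value) % ORDER,
             "s_r": (b + e * blinding) % ORDER}
    if script_key is not None:
        proof["R_k"], proof["s_k"] = elements[3], (k + e * script_key) % ORDER
    return proof

def verify(C, proof, label, verifier_msg, script_pubkey=None):
    """Recompute the challenge from the verifier's own label and message, then
    check G^s_v * H^s_r == R * C^e (and G^s_k == R_k * pubkey^e if present)."""
    elements = [C, proof["R"]]
    if script_pubkey is not None:
        elements += [script_pubkey, proof["R_k"]]
    if not all(in_subgroup(x) for x in elements):
        return False
    e = challenge(label, verifier_msg, elements)
    ok = commit(proof["s_v"], proof["s_r"]) == (proof["R"] * pow(C, e, MOD)) % MOD
    if script_pubkey is not None:
        ok = ok and pow(G, proof["s_k"] % ORDER, MOD) == (proof["R_k"] * pow(script_pubkey, e, MOD)) % MOD
    return ok

def demo() -> dict:
    """Constructed scenario: honest proofs verify; the same proof fails when
    replayed under another verifier message, label, commitment or script key.
    A passing proof still says nothing about spend status or script control."""
    value, blinding, script_key = 42, 7, 99
    C, pubkey = commit(value, blinding), pow(G, script_key, MOD)
    label, msg = b"toy-commitment-opening-proof-v1", b"verifier-nonce-A"
    p_open = prove(value, blinding, label, msg)
    p_both = prove(value, blinding, label, msg, script_key)
    return {
        "opening_ok": verify(C, p_open, label, msg),
        "replay_other_verifier": verify(C, p_open, label, b"verifier-nonce-B"),
        "replay_other_label": verify(C, p_open, b"some-other-protocol", msg),
        "wrong_commitment": verify(commit(43, blinding), p_open, label, msg),
        "opening_and_key_ok": verify(C, p_both, label, msg, pubkey),
        "wrong_script_key": verify(C, p_both, label, msg, pow(G, 100, MOD)),
    }
```

The verifier never trusts a challenge carried inside the proof; it recomputes it from the label and the one-time message it issued itself, so a proof captured in one context cannot be presented in another. Even when `verify` returns `True`, the verifier still has to check separately that the commitment is unspent and, for the script-key variant, that the public key it compared against is really the one the output's script would yield, which is the point the second comment raises about scripts that cannot safely be executed.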