As requested by /u/estradata here: https://old.reddit.com/r/Bitcoin/comments/iylou9/what_are_some_of_the_latest_innovations_in_the/g6heez1/
It is a general issue that crops up at the extremes of cryptography, with quantum breaks being just one of the extremes of (classical) cryptography.
Computational vs Information-Theoretic
The dichotomy is between computationally infeasible vs informationally-theoretic infeasible. Basically:
- Something is computationally infeasible if it could in theory be done, but you would not be able to build a practical computer to do it within the age of the universe and using only the power available in just one galaxy or thereabouts.
- Something is informationally-theoretic infeasible if even if you had any arbitrarily large amount of time, space, and energy, you cannot do it.
Quantum breaks represent a possible reduction in computational infeasibility of certain things, but not information-theoretic infeasibility.
For example, suppose you want to know what 256-bit preimages map to 256-bit hashes. In theory, you just need to build a table with 2256 entries and start from 0x0000000000000000000000000000000000000000000000000000000000000000 and so on. This is computationally infeasible, but not information-theoretic infeasible.
However, suppose you want to know what preimages, of any size, map to 256-bit hashes. Since the preimages can be of any size, after finishing with 256-bit preimages, you have to proceed to 257-bit preimages. And so on. And there is no size limit, so you will literally never finish. Even if you lived forever, you would not complete it. This is information-theoretic infeasible.
Commitments
How does this relate to confidential transactions? Basically, every confidential transaction simply hides the value behind a homomorphic commitment. What is a homomorphic commitment? Okay, let's start with commitments. A commitment is something which lets you hide something, and later reveal what you hid. Until you reveal it, even if somebody has access to the commitment, they cannot reverse it to find out what you hid. This is called the "hiding property" of commitments. However, when you do reveal it (or "open the commitment"), then you cannot replace what you hid with some other thing. This is called the "binding property" of commitments.
For example, a hash of a preimage is a commitment. Suppose I want to commit to something. For example, I want to show that I can predict the future using the energy of a spare galaxy I have in my pocket. I can hide that something by hashing a description of the future. Then I can give the hash to you. You still cannot learn the future, because it's just a hash, and you can't reverse the hash ("hiding"). But suppose the future event occurs. I can reveal that I did, in fact, know the future. So I give you the description, and you hash it and compare it to the hash I gave earlier. Because of preimage resistance, I cannot retroactively change what I hid in the hash, so what I gave must have been known to me at the time that I gave you the commitment i..e. hash ("binding").
Homomorphic Commitments
A homomorphic commitment simply means that if I can do certain operations on preimages of the commitment scheme, there are certain operations on the commitments that would create similar ("homo") changes ("morphic") to the commitments. For example, suppose I have a magical function h()
which is a homomorphic commitment scheme. It can hide very large (near 256-bit) numbers. Then if h()
is homomorphic, there may be certain operations on numbers behind the h()
that have homomorphisms after the h()
. For example, I might have an operation <+>
that is homomorphic in h()
on +
, or in other words, if I have two large numbers a
and b
, then h(a + b) = h(a) <+> h(b)
. +
and <+>
are different operations, but they are homomorphic to each other.
For example, elliptic curve scalars and points have homomorphic operations. Scalars (private keys) are "just" very large near-256-bit numbers, while points are a scalar times a standard generator point G
. Elliptic curve operations exist where there is a <+>
between points that is homomorphic on standard +
on scalars, and a <*>
between a scalar and a point that is homomorphic on standard *
multiplication on scalars.
For example, suppose I have two large scalars a
and b
. I can use elliptic curve points as a commitment scheme: I can take a <*> G
to generate a point A
. It is hiding since nobody can learn what a
is unless I reveal it (a
and A
can be used in standard ECDSA private-public key cryptography, with the scalar a
as the private key and the point A
as the public key, and the a
cannot be derived even if somebody else knows A
). Thus, it is hiding. At the same time, for a particular point A
and standard generator point G
, there is only one possible scalar a
which when "multiplied" with G
yields A
. So scalars and elliptic curve points are a commitment scheme, with both hiding and binding properties.
Now, as mentioned there is a <+>
operation on points that is homomorphic to the +
operation on corresponding scalars. For example, suppose there are two scalars a
and b
. I can compute (a + b) <*> G
to generate a particular point. But even if I don't know scalars a
and b
, but I do know points A = a <*> G
and B = b <*> G
, then I can use A <+> B
to derive (a + b) <*> G
(or equivalently, (a <*> G) <+> (b <*> G) == (a + b) <*> G
). This makes points a homomorphic commitment scheme on scalars.
Confidential Transactions: A Sketch
This is useful since we can easily use the near-256-bit scalars in SECP256K1 elliptic curves to easily represent values in a monetary system, and hide those values by using a homomorphic commitment scheme. We can use the hiding property to prevent people from learning the values of the money we are sending and receiving.
Now, in a proper cryptocurrency, a normal, non-coinbase transaction does not create or destroy coins: the values of the input coins are equal to the value of the output coins. We can use a homomorphic commitment scheme. Suppose I have a transaction that consumes an input value a
and creates two output values b
and c
. That is, a = b + c
, i.e. the sum of all inputs a
equals the sum of all outputs b
and c
. But remember, with a homomorphic commitment scheme like elliptic curve points, there exists a <+>
operation on points that is homomorphic to the ordinary school-arithmetic +
addition on large numbers. So, confidential transactions can use points a <*> G
as input, and points b <*> G
and c <*> G
as output, and we can easily prove that a <*> G = (b <*> G) <+> (c <*> G)
if a = b + c
, without revealing a
, b
, or c
to anyone.
Pedersen Commitments
Actually, we cannot just use a <*> G
as a commitment scheme in practice. Remember, Bitcoin has a cap on the number of satoshis ever to be created, and it's less than 253 satoshis, which is fairly trivial. I can easily compute all values of a <*> G
for all values of a
from 0 to 253 and know which a <*> G
corresponds to which actual amount a
. So in confidential transactions, we cannot naively use a <*> G
commitments, we need Pedersen commitments.
If you know what a "salt" is, then Pedersen commitments are fairly obvious. A "salt" is something you add to e.g. a password so that the hash of the password is much harder to attack. Humans are idiots and when asked to generate passwords, will output a password that takes less than 230 possibilities, which is fairly easy to grind. So what you do is that you "salt" a password by prepending a random string to it. You then hash the random string + password, and store the random string --- the salt --- together with the hash in your database. Then when somebody logs in, you take the password, prepend the salt, hash, and check if the hash matches with the in-database hash, and you let them log in. Now, with a hash, even if somebody copies your password database, the can't get the password. They're hashed. But with a salt, even techniques like rainbow tables make a hacker's life even harder. They can't hash a possible password and check every hash in your db for something that matches. Instead, if they get a possible password, they have to prepend each salt, hash, then compare. That greatly increases the computational needs of a hacker, which is why salts are good.
What a Pedersen commitment is, is a point a <*> H
, where a
is the actual value you commit to, plus <+>
another point r <*> G
. H
here is a second standard generator point, different from G
. The r
is the salt in the Pedersen commitment. It makes it so that even if you show (a <*> H) <+> (r <*> G)
to somebody, they can't grind all possible values of a
and try to match it with your point --- they also have to grind r
(just as with the password-salt example above). And r
is much larger, it can be a true near-256-bit number that is the range of scalars in SECP256K1, whereas a
is constrained to "reasonable" numbers of satoshi, which cannot exceed 21 million Bitcoins.
Now, in order to validate a transaction with input a
and outputs b
and c
, you only have to prove a = b + c
. Suppose we are hiding those amounts using Pedersen commitments. You have an input of amount a
, and you know a
and r
. The blockchain has an amount (a <*> H) <+> (r <*> G)
. In order to create the two outputs b
and c
, you just have to create two new r
scalars such that r = r[0] + r[1]
. This is trivial, you just select a new random r[0]
and then compute r[1] = r - r[0]
, it's just basic algebra.
Then you create a transaction consuming the input (a <*> H) <+> (r <*> G)
and outputs (b <*> H) <+> (r[0] <*> G)
and (c <*> H) <+> (r[1] <*> G)
. You know that a = b + c
, and r = r[0] + r[1]
, while fullnodes around the world, who don't know any of the amounts or scalars involved, can just take the points (a <*> H) <+> (r <*> G)
and see if it equals (b <*> H) <+> (r[0] <*> G) <+> (c <*> H) <+> (r[1] <*> G)
. That is all that fullnodes have to validate, they just need to perform <+>
operations on points and comparison on points, and from there they validate transactions, all without knowing the actual values involved.
Computational Binding, Information-Theoretic Hiding
Like all commitments, Pedersen Commitments are binding and hiding.
However, there are really two kinds of commitments:
- computationally binding, information-theoretic hiding
- information-theoretic binding, computationally hiding
What does this mean? It's just a measure of how "impossible" binding vs hiding is. Pedersen commitments are computationally binding, meaning that in theory, a user of this commitment with arbitrary time and space and energy can, in theory, replace the amount with something else. However, it is information-theoretic hiding, meaning an attacker with arbitrary time and space and energy cannot figure out exactly what got hidden behind the commitment.
But why?
Now, we have been using a
and a <*> G
as private keys and public keys in ECDSA and Schnorr. There is an operation <*>
on a scalar and a point that generates another point, but we cannot "revrese" this operation. For example, even if I know A
, and know that A = a <*> G
, but do not know a
, I cannot derive a
--- there is no </>
operation between A </> G
that lets me know a
.
Actually there is: I "just" need to have so much time, space, and energy that I just start counting a
from 0 to 2256 and find which a
results in A = a <*> G
. This is a computational limit: I don't have a spare universe in my back pocket I can use to do all those computations.
Now, replace a
with h
and A
with H
. Remember that Pedersen commitments use a "second" standard generator point. The generator points G
and H
are "not really special" --- they are just random points on the curve that we selected and standardized. There is no operation H </> G
such that I can learn h
where H = h <*> G
, though if I happen to have a spare universe in my back pocket I can "just" brute force it.
Suppose I do have a spare universe in my back pocket, and learn h = H </> G
such that H = h <*> G
. What can I do in Pedersen commitments?
Well, I have an amount a
that is committed to by (a <*> H) <+> (r <*> G)
. But I happen to know h
! Suppose I want to double my money a
without involving Elon Musk. Then:
(a <*> H) <+> (r <*> G)
- ==
(a <*> (h <*> G)) <+> (r <*> G)
- ==
((a * h) <*> G) <+> (r <*> G)
; remember,<*>
is also homomorphic on multiplication*
. - ==
((a * h + a * h - a * h) <*> G) <+> (r <*> G)
; just add 0. - ==
((a * h + a * h) <*> G) <+> ((-a * h) <*> G) <+> (r <*> G)
- ==
((2 * a * h) <*> G) <+> ((r - a * h) <*> G)
- ==
((2 * a) <*> (h <*> G)) <+> ((r - a * h) <*> G)
- ==
((2 * a) <*> H) <+> ((r - a * h) <*> G)
; TADA!! I doubled my money!
That is what we mean by computationally binding: if I can compute h
such that H = h <*> G
, then I can find another number which opens the same commitment. And of course I'd make sure that number is much larger than what I originally had in that address!
Now, the reason why it is "only" computationally binding is that it is information-theoretically hiding. Suppose somebody knows h
, but has no money in the cryptocurrency. All they see are points. They can try to find what the original amounts are, but because any amount can be mapped to "the same" point with knowledge of h
(e.g. in the above, a
and 2 * a
got mapped to the same point by "just" replacing the salt r
with r - a * h
; this can be done for 3 * a
, 4 * a
etc.), they cannot learn historical amounts --- the a
in historical amounts could be anything.
The drawback, though, is that --- as seen above --- arbitrary inflation is now introduced once somebody knows h
. They can multiply their money by any arbitrary factor with knowledge of h
.
It is impossible to have both perfect hiding (i.e. historical amounts remain hidden even after a computational break) and perfect binding (i.e. you can't later open the commitment to a different, much larger, amount).
Pedersen commitments just happen to have perfect hiding, but only computationally-infeasible binding. This means they allow hiding historical values, but in case of anything that allows better computational power --- including but not limited to quantum breaks --- they allow arbitrary inflation.
Changing The Tradeoffs with ElGamal Commitments
An ElGamal commitment is just a Pedersen commitment, but with the point r <*> G
also stored in a separate section of the transaction.
This commits the r
, and fixes it to a specific value. This prevents me from opening my (a <*> H) <+> (r <*> G)
as ((2 * a) <*> H) <+> ((r - a * h) <*> G)
, because the (r - a * h)
would not match the r <*> G
sitting in a separate section of the transaction. This forces me to be bound to that specific value, and no amount of computation power will let me escape --- it is information-theoretically binding i.e. perfectly binding.
But that is now computationally hiding. An evil surveillor with arbitrary time and space can focus on the r <*> G
sitting in a separate section of the transaction, and grind r
from 0 to 2256 to determine what r
matches that point. Then from there, they can negate r
to get (-r) <*> G
and add it to the (a <*> H) <+> (r <*> G)
to get a <*> H
, and then grind that to determine the value a
. With massive increases in computational ability --- including but not limited to quantum breaks --- an evil surveillor can see all the historical amounts of confidential transactions.
Conclusion
This is the source of the tradeoff: either you design confidential transactions so in case of a quantum break, historical transactions continue to hide their amounts, but inflation of the money is now unavoidable, OR you make the money supply sacrosanct, but you potentially sacrifice amount hiding in case of some break, including but not limited to quantum breaks.
No comments:
Post a Comment