Oddbean new post about | logout
â–² â–¼
waxwing | 3 months ago (raw) | root | parent | reply | flag +19 
 After several weeks of work, I think I have a working implementation (very basic so far, and lots of caveats..) of something that solves this problem. To recap:

you want to prove that you own a total of T BTC, but privately. But revealing exact amount may make it too easy to deanon. So I have a proof of this statement: "I own N utxos, whose total value is between k and k + 2^n, for some k and n that I announce, but I am not revealing which N utxos they are, or what their individual values is, out of a given list of 300k utxos". The code at https://github.com/AdamISZ/aut-ct/tree/auditing now does this.

See the latest commit note. In brief you need 3 or 4 components to the proof: 1/ a proof that each blinded commitment is part of that 300k set, 2/a proof that each committed value, when summed together, lies in the given range (using bulletproofs), and 3/ key images per utxo to ensure you dont' cheat by just claiming the same utxo multiple times.

nostr:nevent1qqsqc8wgf8w74sh2sjfpjgw4lpp7sp08vfvgpc7dvljewn3cq4grscgpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsygr8twz0ua0zz64eglr58rh9r898wafhdh0stkklhf3830gp9cwh9qpsgqqqqqqsxpc8jd
â–² â–¼
SUPERMAX | 3 months ago (raw) | root | parent | reply | flag 
 Amazing we need this 👇💜
nostr:nevent1qqsx2rz74lcr2hklujx85ntu0a0gmuzx5r7nw6v84s5892rkktln7wcpz9mhxue69uhkummnw3ezuamfdejj7q3qvadcfln4ugt2h9ruwsuwu5vu5am4xaka7pw6m7axy79aqyhp6u5qxpqqqqqqzqeg7r0
â–² â–¼
SUPERMAX | 3 months ago (raw) | root | parent | reply | flag +1 
 I'd âš¡zap you for making this
â–² â–¼
waxwing | 3 months ago (raw) | root | parent | reply | flag +3 
 Practical considerations:

1/ only taproot utxos

2/ address reuse is not supported (though it could be with a trivial algo change

3/ notice the anon set is not "all utxos in the keyset provided" (say it was "all taproot utxos above 0.1 btc" for example). if you specify 5 utxos and you prove "total is between 10 and 12 btc", then obviously not all combinations of 4 utxos add up to something in that range. So if you started with e.g. 300k, your actual anon set might be more like 5000 (guess!). (but even more confusing - 5k utxos might be *part* of a set of 4 that adds up to that range, but the number of actual combinations of 4 could be astronomically larger). Due to nonlinear distribution of utxos, it will therefore be better, if you have a large treasury, to split your coins into a lot more small values, and then build proofs of sums with larger utxo numbers.

4/ proofs in the current code are not aggregated, which makes proving for say 50 utxos, not 4, impractically slow. But this is an implementation detail: aggregation of these bulletproofs is a well established algorithm, and removes this problem. The verification here is very fast, as with aut-ct.

By the way if you're wondering where any documentation of this algorithm is, yet, don't, I haven't written it yet, it's on the way.
â–² â–¼
Max Hillebrand | 3 months ago (raw) | root | parent | reply | flag +1 
 This is beautiful Adam, thanks!
â–² â–¼
waxwing | 2 months ago (raw) | root | parent | reply | flag +4 
 Here's the paper:

https://github.com/AdamISZ/aut-ct/blob/auditing/auditor-docs/privacy-preserving-proof-of-assets.pdf

First half is quite discursive with no mathematics ... it's important to give the context of why (at least according to me) this is an interesting alternative way to do proof of assets compared to other approaches.

Feel free to share anywhere you think people might be interested. I will add a bit more to the doc later, but the actual algo is there.

nostr:nevent1qqsx2rz74lcr2hklujx85ntu0a0gmuzx5r7nw6v84s5892rkktln7wcpr4mhxue69uhkummnw3ezucnfw33k76twv4ezuum0vd5kzmp0qgsxwkuyle67y94tj378gw8w2xw2wa6nwmwlqhddlwnz0z7sztsaw2qrqsqqqqqpv55779