Confidential Assets

Confidential Assets

Here’s my own understanding of confidential assets, as cobbled together from research papers, Blockstream press releases, and random posts. Please correct my mistakes, of which I am sure there are many. Also, big thanks to RJ Rybarczyk, who I’ve been discussing and researching CA with.

Confidential assets allow multiple assets to be traded on the same chain, alongside the chain’s native asset. Confidential assets use Pedersen commitments, which are also used in Mimblewimble, so they’re a natural fit for Grin.

Unlike, for example, ERC20 Tokens, confidential assets are no programmable, and function in exactly the same way as Grin’s native token.

How do they work?

Confidential assets replace H in the output commitment formula r*G + v*H with a distinct NUMS point for every asset type. (I’ll use A for these, and reserve H for the asset tag of Grin’s native token.) So, the output commitment formula becomes r*G + v*A, with A representing the type of asset that the output represents.

So far so good. These new asset-bearing outputs can still be verified to sum to zero, just like Grin’s current outputs.

However, in order to verify the range proof for each of these outputs, the value of A must be known. The simplest way to make this work would be to include A in the clear with each output, but this would allow an observer to see which type of asset is in every output.

Blinded Asset Tags

An asset tag A can be replaced by a blinded asset tag A + s*G, which hides the type of the asset. We can verify that these modified outputs sum to zero, and that the range proof is valid.

However, we have a problem! An attacker could choose the asset tag -A + r*G, which would essentially amount to a negative amount of the token A. They could then create an output containing negative tokens, offset with an output containing positive tokens, allowing them to silently inflate the supply of tokens.

Surjection Proofs

One way to prevent this malicious choice of blinded asset tag is to attach a surjection proof to each output. A surjection proof proves that a given blinded asset tag is one of a set of known-good blinded asset tags. I’ll call this set of known-good blinded asset tags the asset tag anonymity set.

The size of each surjection proof scales with the size of the asset tag anonymity set. This is fine in a bitcoin-like chain, since each transaction has a small number of inputs, so the natural way to construct the asset-tag anonymity set is with the asset tags of all the inputs.

Confidential Assets and Mimblewimble

This is where things get hazy!

In a mimblewimble chain, there is no discrete notion of a transaction, in the sense of a linked set of inputs and outputs. This complicates the choice of tags to include in each surjection proof’s asset-tag anonymity set.

One proposal is to construct surjection proof asset-tag anonymity sets using every asset tag in the system. Unfortunately, this means that the size of every output scales with the total number of assets in the system. This would preclude us from allowing users to issue new asset types willy nilly, likely requiring a soft fork to add new assets

I’m hoping that we can find some way to avoid this. If issuing new assets requires community coordination and a soft fork, then this process is likely to become highly politicized and contentious. Much better to allow users to issue new assets and let the market decide on which are useful or valuable, instead of requiring everyone to agree.

Edit: Why user-issued assets?

I wanted to elaborate a little bit on the different reasons I think it’s desirable to allow users to issue their own assets, and additionally why it would be desirable to support a large number of assets.

  • If Grin can only support a limited number of assets, say less than 10, then the pool of unallocated assets becomes a very precious and very scarce resource, and would require some allocation process. I imagine that there will be a lot of different ideas for potential assets, and it would fall to the devs and to the community to decide which are most worthwhile. This is definitely just speculation on my part, but I think this process would inevitably be contentious, and would divert time and energy from core protocol development. Governance is one of the most difficult things to do well, and all other things being equal, the less things that need to be governed the better!

  • Also, if each new asset increases the size of all outputs, then people who don’t want to use that asset, and don’t think that it will add value to the system might reasonably object. I sort of pessimistically suspect that it will be very hard to build consensus on new assets.

  • I can definitely see the argument that only a few assets will be useful, perhaps a Bitcoin peg, an Ethereum peg, and maybe a few others. I think people will certainly come up with some legitimately terrible ideas for assets, but I think they’ll also come up with a lot of neat ones, and I’m definitely curious to see what they are!

  • Although it wouldn’t be a good fit for Grin, the codebase could serve a basis for systems which would require a large number of assets, I’m thinking in particular of a stock exchange or liquidity pool.

  • I think that user-issuable assets make for an incredibly unique marketing point for Grin. I imagine that we’ll see a ton of attention and interest, and it would probably boost the value of the native token, since it would be the obvious currency of choice for trading between and buying into the various tokens on the chain.

Vague and Underspecified Alternative Constructions

None of these are clear winners, but here are some ideas for alternative constructions that would allow for user-issued assets:

  • Public Assets – Asset tags are included in the clear with each asset. This would be very simple, but with the downside that the asset types in each transaction would be clearly visible. This would be bad for privacy, but might be a good starting point, with the intention to add a blinding mechanism at a later date.

  • Confidential-enough assets – Each surjection proof could include a small subset of all valid asset tags, perhaps 3 or 4. In such a system an observer might be determine the asset tag in each output by observing the transaction graph and using the process of elimination. We’d need a careful analysis of the privacy properties of such a system, and an algorithm for choosing asset tag anonymity sets that would maximize privacy.

  • Accumulator-based proofs – Perhaps cryptographic accumulators could help. Each asset tag is added to a cryptographic accumulator on first issuance, and the surjection proof is replaced with a zero-knowledge proof that an output’s asset tag has already been added to the accumulator.

  • NUMS point derivation – If the NUMS points used as asset tags can be derived in some special way, perhaps that method of derivation can be leveraged to prove that blinded asset tags contain a legitimate tag. Maybe, like, I dunno, bulletproofs, or something? :thinking:

  • BLS-signatures – BLS signatures have interesting aggregation properties, and support efficient threshold and ring signatures. Perhaps there’s some clever alternative construction of surjection proofs using BLS signatures.

References

5 Likes

As marketed by WOKE coin, the third mimblewimble implementation @ http://woke.mw

Thank you for putting all of this in one place, very excited to see how these get utilized.

1 Like

Caveat: this is just the first thing that comes to mind, I haven’t thought of the problem very much yet and it may be outdated. But Oleg Andreev has done some work around CAs as well and IIRC he was working this out as part of the range proof:


Now I believe this was borromean-style range proofs back then, more research would be required to see if the same scheme would be applicable to bulletproofs.

P.S. Maybe download these, not sure how long it’ll stay online…

3 Likes

Did you mean to post two links? Added the medium post to the reading list, and also added a link to some extensive notes on confidential assets in the chain protocol

1 Like

Good catch, the 2nd link was supposed to be those notes. Fixed, although discourse renders it as some ugly markdown.

1 Like

Regarding my last question about applicability to bulletproofs, this seems to say it’s definitely possible using their constraint system. Sounds quite efficient as well.

3 Likes

Oooooo, shiny :gem:I’ll add that to the reading list. Also, here’s a link to their spec for confidential assets using bulletproofs for zkp:

Genuine question: can you elaborate on why a Bitcoin or Ethereum peg would be useful?

Since Bitcoin and Ethereum don’t have much in the way of privacy, users might like to peg-in to Grin to transact, but might not want to buy and hold Grin.

Still exploring and learning all the crypto behind bulletproofs so I apologize if this is superfluous, but have you explored Dalek Crypto’s Rust implementations, and if so, what were your thoughts?

I’ll be completely honest in that I don’t fully understand the mechanics of issuing confidential assets on top of Grin. Learning as fast I can tho :slight_smile:

That being said… in this example of the chain pegs, I think you’re referring to people who want to do an atomic swap from a blockchain to Grin, and then trade that swap as if they were trading the original blockchain token right?
If so… then what about a mechanism similar to Ethereum’s Plasma Cash (or other UTXO based L2 solutions) where tokens on the main chain (in this case one that unlocks access to the swap on another chain) don’t move but a history of tx and ownership on a second layer is created where the latest valid owner can exit and claim that token on the main chain. This might be tricky in Grin as there are no “accounts”, but if there’s a second layer state channel, then it’s all arbitrary and the only thing that needs to be submitted to the main chain is a signature that unlocks a UTXO. As in most state channels, parties sign off on a trade and then send it through the state channel (they actually already do for a regular Grin tx lol), but then rather than confirming on the main chain signatures are held and passed on again, only ever hitting the main chain when necessary to exit. This gives participants the assurance that they could settle if they wanted to, but they don’t need to. In a DEX type setting participants would just trade “paper money” all they wanted, and if the operator of the state channel is proved to be malicious they just exit with their latest signatures.

Is there a glaringly obvious reason why this isn’t possible?

Would it be possible to create more complex L2 systems that are free to conform to arbitrary scripting as long as they can produce a valid signature that “settles” on the main chain? (this is pretty much Andrew Poelstra’s scriptless scripts, but I’m curious how far you can take it)

That implementation is specific to Ed25519, a different curve than our secp256k1.

1 Like

I’m fairly new to crypto and Rust, but from what I’ve read Ed25519 is just as safe as secp256k1, but also faster and better for Schnorr signatures. It also seems to be widely used by a lot of projects that aren’t bound to a legacy codebase or are rewriting their code:

Why was secp256k1 chosen for Grin over other options?

1 Like

Check out discussion here: https://github.com/mimblewimble/grin/issues/1948

there was another discussion somewhere about making it more modular and easier to swap out crypto down the line but I can’t find it now.

1 Like

Thanks! That’s really helpful :slight_smile:

@tromp @igno.peverell @yeastplume

If the purpose of surjection proofs are to prevent an adversary from choosing a negative asset tag, maybe it’s possible to choose asset tags in such a manner that the asset tag A and it’s inverse -A always differ in some property, such that you can provide a zero-knowledge-proof that the asset tag in a blinded asset tag commitment has or doesn’t have that property.

So, for example, if asset tags were drawn from positive and negative integers, you would only choose positive asset tags, and then come up with a zero-knowledge proof that the asset tag in a blinded asset tag commitment was positive.

If points on an elliptic curve can’t be neatly divided into positive and negative points, is there some other property that might be exploited?

Presumably they would still need Grin for fees, otherwise the asset type needs to be exposed as a fee for miners to mine it.

cc @jaspervdm

They “probably” would but I wouldn’t presume that a completely off the rails chain is impossible.

Even bitcoin has miners offering off protocol transaction systems, I remember the free transaction acceleration services that were ads for bitcoin cash before it was called bitcoin cash and was the debate for forks and that’s with the healthiest fee economy coin from several years back. Or just transaction acceleration just in general.

Lets say eth or some other turning compete smart contract platform had a grin mining pool system; that would somehow generate a super transaction of extra anonymous grin confidential assets say hourly and would give a reward of some eth based coin as a reward to whoever got this super transaction on the grin chain; it would be awkward weird and insane but that sort of thing is on the table.

Absolutely, but none of what I said precludes collusion with miners which is not going to ever be the norm.

A possibly useful CA for grin, though it presents a high level problem and solution, and nothing of a technical solution. Idea is disappearing short messageboard. There are issues re whether it is possible to integrate by simply adding CAs in general, or whether it would require a universal additional field to the output, which is probably more problematic than useful. Was one of the first ideas for utilizing mimblewimble, and would benefit from being secured by grin chain if possible with CA.