Topic: Updates on Compact Confidential Transactions

Offline luckybit

Why don't you and Bytemaster just contact the author?

Denis Lukianov
http://www.voxelsoft.com/
« Last Edit: August 26, 2015, 04:46:25 pm by luckybit »

Offline arhag

Hmm, that's pretty awesome.

A few things I am hopeful about with this new approach.

I hope that it is flexible enough to dynamically adjust the number of bits used for the value below the constant max (of 64 bits in the paper) as a way of proving tighter upper bounds. It seems reasonable to me that one could do that by reducing b and thus T, but I am not sure if there are any wider implications by doing that. With something like that and of course splitting off a portion of the value and revealing it (as the minimum bound), it should hopefully be possible to prove with this method that a value is within a particular interval while still being compatible with other blinded values that are using the same protocol.

Although dynamically reducing the interval with this method does not give us any space advantage like with the previous Confidential Transaction algorithm, it is useful for other reasons. Particularly I am imagining a future enhancement to the BitShares protocol that allows two-factor authorities to sign your transactions that have blinded amounts but only on certain conditions like if the unknown amount being transferred is less than some limit (to protect their customers from theft by hackers). So the two-factor authority would require that the transaction they sign include a range proof of the blinded amount withdrawn where the upper bound of the proved interval is less than the limit specified by the authority. This way advanced limits (that depend on the level of authentication provided to the two-factor authority) can be placed on fund transfers without revealing the actual amount to the two-factor authority.

The other thing that I am more optimistic about is increasing the 8 bits of buffer they provide (which only allows up to 255 additions of blinded amounts) to 64 bits of buffer. This would likely require a larger curve order which means it may add a few bytes to the proof (I believe it would only add 14 extra bytes to the existing 258 bytes for each output). While a transaction is unlikely to ever need more than 255 outputs, if we want blinded amounts to work with dividends (as I have outlined in this proposal for the original Confidential Transaction algorithm), we will need the extra space to guarantee no overflows even when multiplying one plain-text amount with another blinded amount (which is an essential part of the blinded dividend algorithm). I haven't thought about the details of how it should be done yet, but I believe it is possible to modify that blinded dividend algorithm to work with this new Compact Confidential Transaction algorithm.
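A scaled-down illustration of the headroom argument in arhag's post above, added here as an example and not taken from the post or from the CCT paper. It uses a toy Pedersen-style commitment in a small prime-order group, with 8-bit values and 8 bits of buffer standing in for 64 and 8; the group, generators and function names are assumptions, and this is not the CCT construction.

```python
import secrets

VALUE_BITS, BUFFER_BITS = 8, 8   # scaled-down stand-ins for the 64 + 8 discussed above

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Smallest safe prime P = 2Q + 1 with Q >= 2**(VALUE_BITS + BUFFER_BITS) (toy size).
Q = next(q for q in range(2 ** (VALUE_BITS + BUFFER_BITS), 2 ** 20)
         if is_prime(q) and is_prime(2 * q + 1))
P = 2 * Q + 1
G, H = 4, 9                      # squares mod P, so both have prime order Q

def commit(value, blind):
    """Pedersen-style commitment G^value * H^blind mod P."""
    return pow(G, value % Q, P) * pow(H, blind % Q, P) % P

def add(commitments):
    """Homomorphic sum: multiplying commitments adds the hidden values mod Q."""
    out = 1
    for c in commitments:
        out = out * c % P
    return out

def scale(commitment, k):
    """Homomorphic multiplication by a plain-text factor k (the dividend case)."""
    return pow(commitment, k, P)

MAX_VALUE = 2 ** VALUE_BITS - 1          # largest value a range proof would admit
SAFE_OPERANDS = (Q - 1) // MAX_VALUE     # operands that can be summed without wrapping

def sum_demo(n):
    """Sum n maximal values; return (true total, total the commitment opens to)."""
    blinds = [secrets.randbelow(Q) for _ in range(n)]
    total = add(commit(MAX_VALUE, r) for r in blinds)
    true_total = n * MAX_VALUE
    opened = true_total % Q              # a verifier only ever sees the value mod Q
    assert total == commit(opened, sum(blinds))
    return true_total, opened

def dividend_demo(k):
    """Multiply a maximal blinded value by plain-text k; same return shape."""
    r = secrets.randbelow(Q)
    scaled = scale(commit(MAX_VALUE, r), k)
    opened = k * MAX_VALUE % Q
    assert scaled == commit(opened, k * r)
    return k * MAX_VALUE, opened
```

`sum_demo(2 ** BUFFER_BITS)` stays exact, `sum_demo(SAFE_OPERANDS + 1)` opens to a wrapped total, and `dividend_demo` wraps once the plain-text multiplier needs more bits than the buffer provides.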


Offline bytemaster

This white paper was last updated early July. I would like some help finding the latest status of this approach. In particular, are there any working implementations?

http://voxelsoft.com/dev/cct.pdf
