Introduce Confidential Asset to Incognito

What privacy problem are you solving?

Incognito is a platform that offers privacy for other chains (e.g., Bitcoin, Ethereum, etc.). Interoperability is achieved through the use of bridges, used to send native coins from public blockchains to Incognito, or vice versa. Applying techniques similar to Monero, all transactions that occur within Incognito have the following privacy properties:

  • Shielded sender via ring signature.
  • Shielded receiver via one-time address.
  • Shielded amount via confidential transactions (including Pedersen commitment and Bulletproofs).

Incognito supports multiple asset types. However, these types are currently visible to the public. Poelstra et al. [1] proposed a new primitive called confidential assets, in which the asset type is blinded together with the output amount of a transaction. We define:

confidential asset transaction = blinded asset tag + confidential transaction

To our knowledge, with the addition of confidential assets, Incognito will be the first private blockchain that provides full privacy features. We are in a race with Beam [2] and Cloak [3].

What is the solution?

The basic idea of confidential asset transactions is as follows: Each asset type has a unique identifier. In each transaction, the sender generates a one-time asset tag for an asset type such that it is only visible to the receiver. The following are two approaches relevant to this problem.

  • Poelstra et al. [1] proposed a solution based on asset commitments and surjection proofs. To prove that the input and output one-time asset tags correspond to the same underlying asset tag, they use a ring signature to show that the sender knows the private key for one entry in the list of differences between the output and input one-time asset tags.
  • The Interstellar research group [3] proposed the Cloak protocol based on Bulletproofs. They built a constraint system from a collection of gadgets such as shuffle, merge, split, and range proof to shield the amount and asset type in each transaction. A Bulletproof is then used to verify that the results of those gadgets are correct.

In the case of Incognito, we propose a new confidential asset transaction protocol based on Poelstra et al.’s protocol [1] and ring signature. We reuse the current construction for confidential transactions, combined with the one-time asset tag scheme.

We do not construct a surjection proof between input and output one-time asset tags. Instead, for each row in the ring we compute the difference between the output and input one-time asset tags, which forms one additional column. That column is appended to the ring before the sender signs over it.

In addition, the Diffie-Hellman key exchange protocol is used to generate a shared secret that allows the receiver to recover and later spend the output coin.

Compared to the above approaches, our solution is simpler than [1], more efficient than [3], and builds upon Incognito’s existing work.
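To make the subtraction-column idea concrete, here is an added toy example (not Incognito's code, nor the construction of [1]): one-time tags are blinded public asset tags, the column of output-minus-input tags is built for every ring row, and a single-column AOS-style ring signature proves that one row's difference has a known discrete logarithm without revealing which row. It assumes a multiplicative toy group Z_p^* with p = 2^127 - 1 in place of Incognito's elliptic curve, so "subtraction" of tags becomes division; the function and asset names are invented for the illustration.

```python
# Added toy illustration of the subtraction column; not Incognito's code. Toy group: Z_p^* with
# p = 2^127 - 1, multiplicative notation (tag "subtraction" = division); real protocol uses a curve.
import hashlib, secrets
P = 2**127 - 1          # Mersenne prime: toy modulus, not a production group
N = P - 1               # group order, so exponents are reduced modulo N
G = 3                   # fixed base used to blind asset tags
def asset_base(asset_id: bytes) -> int:
    """Hash an asset identifier to a group element: the public asset tag H_A."""
    return 2 + int.from_bytes(hashlib.sha256(asset_id).digest(), "big") % (P - 2)

def one_time_tag(asset_id: bytes, r: int) -> int:
    """Blinded one-time tag T = H_A * G^r; without r it reveals nothing about the asset."""
    return asset_base(asset_id) * pow(G, r, P) % P

def subtraction_column(out_tag: int, in_tags: list) -> list:
    """column[i] = T_out / T_in_i; on the true row H_A cancels, leaving G^(r_out - r_in)."""
    return [out_tag * pow(t, -1, P) % P for t in in_tags]

def chal(msg: bytes, elem: int) -> int:
    return int.from_bytes(hashlib.sha256(msg + elem.to_bytes(16, "big")).digest(), "big")

def ring_sign(msg: bytes, column: list, j: int, x: int):
    """AOS-style ring signature: proves knowledge of x with column[j] == G^x, hiding j."""
    n = len(column)
    c, s = [0] * n, [0] * n
    alpha = secrets.randbelow(N - 1) + 1
    c[(j + 1) % n] = chal(msg, pow(G, alpha, P))
    for k in range(1, n):                   # close the ring from j+1 round to j
        i = (j + k) % n
        s[i] = secrets.randbelow(N)
        c[(i + 1) % n] = chal(msg, pow(G, s[i], P) * pow(column[i], c[i], P) % P)
    s[j] = (alpha - c[j] * x) % N           # real row: fold the secret exponent in
    return c[0], s

def ring_verify(msg: bytes, column: list, sig) -> bool:
    c0, s = sig
    c = c0
    for i, col in enumerate(column):
        c = chal(msg, pow(G, s[i], P) * pow(col, c, P) % P)
    return c == c0

def demo(out_asset: bytes = b"A") -> bool:
    """Three-row ring; row 1 truly spends asset A. Only an output of the same asset verifies."""
    r_in = [secrets.randbelow(N) for _ in range(3)]
    in_tags = [one_time_tag(a, r) for a, r in zip([b"B", b"A", b"C"], r_in)]
    r_out = secrets.randbelow(N)
    column = subtraction_column(one_time_tag(out_asset, r_out), in_tags)
    sig = ring_sign(b"constructed tx", column, 1, (r_out - r_in[1]) % N)
    return ring_verify(b"constructed tx", column, sig)
```

`demo()` verifies because the sender knows r_out - r_in for the real row, while `demo(b"D")` fails because an output of a different asset leaves H_D/H_A in the difference and no exponent cancels it.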

The details of the construction are described in this topic.

References:
[1] https://blockstream.com/bitcoin17-final41.pdf
[2] https://beam.mw/beampedia-item/confidential-assets
[3] https://interstellar.com/protocol

What are the key results?

Deploy confidential asset transactions on Mainnet. Combined with the results of Privacy version 2, the new estimate of the performance improvement is as follows:

  • Decrease a transaction size by 10-30%
  • Increase transaction throughput by 10-20%

Who are you?

The project will be implemented by @hieutran and @anpham from the core team.

  • @hieutran is a cryptography researcher. His research topics are applied cryptography, privacy preservation for outsourced data, and privacy blockchains.

  • @anpham is a cryptography engineer. He is currently completing his degree at the University of Science, Ho Chi Minh City. His research topics are applied cryptography and searchable encrypted data. He also has experience as a Software Engineer.

What are the key results?

Deploy confidential asset transactions on Mainnet. Combined with the results of Privacy version 2, the new estimate of the performance improvement is as follows:

  • Decrease a transaction size by 10-50%
  • Increase transaction throughput by 10-20%

Why do you care?

We, as idealist cryptographers, will continue to refine our products till they reach the highest standards.

What’s your plan? What’s your schedule?

The project duration will be merged with the privacy version 2 proposal. Because of the many changes to the flow of creating and verifying transactions, we need one more month for implementation and testing. Therefore, the schedule is updated as follows:

Timeline | Task                                                                                             | Status | Delivery
Mar 30   | Implement core cryptographic functions                                                           | Done   | Local
Apr 30   | Implement privacy transaction version 2 + Design the confidential asset transaction protocol     | Done   | Local
May 30   | Implement building blocks for confidential asset and then do unit tests for all features         | Doing  | Local
Jun 30   | Implement the adapter to switch transactions from version 1 to version 2, then deploy to Devnet  |        | Devnet
Jul 30   | Test and deploy to Testnet                                                                       |        | Testnet
Aug 30   | Test and deploy to Mainnet                                                                       |        | Mainnet

What’s your budget?

Resource                | Cost      | Quantity | Monthly Cost
Cryptography researcher | 2,000 PRV | 1        | 2,000 PRV
Cryptography engineer   | 1,000 PRV | 1        | 1,000 PRV
Subtotal                |           |          | 3,000 PRV
TOTAL (x 3 months)      |           |          | 9,000 PRV

Is there an existing conversation around this idea?

This proposal will be implemented along with privacy version 2. You can check the previous details and progress here.

Is there anything else you would like the community to know?

Let us know what you think!


love it @hieutran @anpham!
