In Bitcoin, it’s quite an intuition to prove how many coins an owner has, since the value is transparent there in an UTXO (Unspent Transaction Output). The validator only need verify it’s a true UTXO on the chain and buried with enough block confirmations. Also in ETH, and more easier because of the user account system.
In Mimblewimble privacy coin system, sometimes a fund proof is also needed. For example, a custodian system must have the proof of assets (a typical example as https://wbtc.network/dashboard/audit), a contract could require the parties prove the fund existence before going to formal stage, etc.
Instead of disclosing the coin/s amount directly, it will be much better (or mandatory) to keep the built-in privacy feature in a privacy coin system. Obviously opening the Pedersen Commitment
x*G+a*H by disclosed
a value and
x*G with an attached signature by private blinding factore
x is NOT an acceptable solution here.
A possible method could be a new designed range proof to prove
v is a disclosed value, instead of the existing cryptographic primitive of a range proof for
Another method is using current Mimblewimble implementation to provide a quick proof of
a>v. The idea is to create a fake transaction, which can be validated on the chain but can NOT be packed in any block.
A typical native interactive transaction in Mimblewimble looks like:
(xi*G +ai*H) + (E’ + s*G) = (xc*G +ac*H) + (xr*G +ar*H) + f*H
- (xi*G +ai*H) is the Input coin.
- (xc*G +ac*H) is the change Output coin.
- (xr*G +ar*H) is the payment Output coin.
- xi, xc, xr are blinding factors.
- ai, ac, ar are transaction values.
- E’ is the public excess, for kernel signature. ‘s’ is the transaction offset.
- f is the transaction fee.
To create a fund proof of ai > v, where v is a disclosed value, we just need let ar = v and f = 0, then sending this fake transaction to the receiver/validator with an attached signature of xr*G.
This fake transaction can pass validation on the chain if without fee checking, and it can not be packed by any miner because of fee checking consensus. Or even quite safe to be mined (impossible of course) since the owner will not have any lose.
The attached signature of xr*G is used to prove the “coin” (xr*G +ar*H) has the said disclosed amount
Welcome your comments.