elements icon indicating copy to clipboard operation
elements copied to clipboard
verified publisher icon ElementsProject

pset: add optional asset blinding factor to input and output

Open LeoComandini opened this issue 1 year ago • 0 comments

In some protocols where blinding is done by different parties, the asset surjection proof for some output might be created by:

  • someone who does not own an input with the same asset, or
  • someone who does not know the asset blinding factor corresponding to the output asset commitment

This, in general, is the case of LiquiDEX v1 [1], e.g.

  • Alice wants to swap x of asset A for y of asset B
  • Alice owns a utxo with x of asset A
  • Alice creates a spending that utxo and receiving an output with y of asset B.
  • Alice draws at random the asset and value blinding factors for the output, sets the corresponding asset and value commitment. Sets the nonce commitment. Computes and sets the rangeproof.
  • Alice computes the scalar offset contribution of the input and output (combined)
  • Alice computes the value blind proofs for the input and output
  • Alice creates the LiquiDEX proposal using the data obtained above:
{
  "version": 1,
  "tx": "...",
  "inputs": [{
    "asset": "aa...",
    "satoshi": x,
    "assetblinder": "...",
    "value_blind_proof": "...",
  }],
  "outputs": [{
    "asset": "bb...",
    "satoshi": y,
    "assetblinder": "...",
    "value_blind_proof": "...",
  }],
  "scalars": ["..."],
}
  • Alice shares the proposal with Bob
  • Bob adds more inputs for the asset B and fees
  • Bob adds more outputs for the asset A, B and fees
  • Bob blinds the transaction, i.e.:
    • draws at random abf and vbf for each new output, apart from the last one for which he uses the new inputs contribution and the scalar offset from the proposal to balance the tx.
    • creates rangeproofs for each new output
    • creates surjection proofs for each (blinded) fee output
    • creates surjection proofs for each A output, note that in general the input asset blinding factor is needed.
    • creates surjection proofs for each B output, including the one from Alice, which requires the output blinding factor. Note that Alice could not have created the surjection proof since she did not know any B input when she created the tx.

Input and output asset blinding factors are the last fields needed to convert LiquiDEX v1 proposals in PSETs (and viceversa).

[1] https://leocomandini.github.io/2022/10/27/liquidexv1.html

LeoComandini avatar Apr 23 '24 14:04 LeoComandini