Ecash and lightning via ZKCP

Ecash and lightning via ZKCP

Original Postby ajtowns

Posted on: February 20, 2024 01:47 UTC

The email discusses a critical aspect of constructing a privacy-preserving token transfer system, specifically emphasizing the challenge of maintaining ecash privacy during the transfer of tokens between users.

It points out that the current construction lacks the capability for tokens to be transferred without enabling the mint to trace these transactions back to the Lightning invoice, thereby compromising user privacy. The process described involves users generating new blinded values and paying the mint to sign them by spending existing coins, with only the blinded values being revealed to the mint. This ensures that when tokens are transferred, the mint remains unaware of the key (K) involved in the transaction, making it difficult to maintain the integrity of token ownership across transfers.

Additionally, the email highlights potential issues that may arise within this framework, such as the possibility of a user attempting to re-mint a token with a new blinding factor (r) after transferring it to another user. This would theoretically allow the original issuer to commit to the same invoice multiple times using different r values, though the mint's tracking of spent coins would prevent the same token from being spent more than once. This scenario underscores a fundamental flaw where, despite additional efforts and payments to re-mint tokens, the limitation on spending would result in the mint accumulating more Bitcoin than the actual number of redeemable coins, indicating an imbalance in the system.

The correspondence concludes on a positive note by mentioning the implementation of a Zero-Knowledge Proof (ZKP) as a solution. Specifically, it references a proof of knowledge of m as a Discrete Logarithm Equality (DLEQ) proof. This development is presented as a promising advancement towards addressing the outlined challenges, suggesting that incorporating ZKP could enhance the security and privacy of token transfers by providing a way to prove knowledge of certain information without revealing the information itself.