waxwing's avatar
waxwing 1 year ago
Yep, you are describing there a "blame" protocol pretty similar to what happens in coinshuffle. Basically an "open the commitment" thing. The most crucial element is as described both in coinshuffle and in your protocol.: say 10 participants, the blame kicks out the bad behaviour and the remaining 9 continue, etc. I think a linkable ring sig makes a lot of sense though, as it cleans up one form of delay of the process. To note: there is another nuance in ring sig design that's relevant (I discussed it in
waxwing's blog
Ring signatures
Outline: * Basic goal of 1-of-\(N\) ring signatures * Recap: the \(\Sigma\)-protocol * OR of \(\Sigma\)-protocols, CDS 1994 * Abe-Ohkubo-Suzuk...
 ; it's the idea of "exculpability". Some versions of ring sig have a property that, if you reveal the private key, you still do not reveal whether it was *your* private key that signed; in your description, you would need the type that do not have that (so "culpability"). The LWW LSAG, Back-LSAG and MLSAG types are indeed "culpable" so you're probably OK just with that, but: if you have linkability, I don't *think* you even need culpability.
↑ Parent

Replies (1)

Super Testnet's avatar
Super Testnet 1 year ago
I don't think I need to try as hard to place blame in round 3, which is where bitcoin signatures are shared. If anyone does not do that, everyone can detect it, so all of the honest users just remove their inputs from the transaction and their key from the ring, and they restart from step 2.