delvingbitcoin

Proving UTXO set inclusion in zero-knowledge

Proving UTXO set inclusion in zero-knowledge

Original Postby Adam Gibson

Posted on: September 18, 2024 19:18 UTC

The discussion highlights concerns around the potential for double-spending within the context of channel_announcement in the Lightning Network, due to the possibility of replay attacks.

It is suggested that one could exploit the system by using the same unspent transaction output (UTXO) multiple times with different blinding factors to falsely advertise multiple lightning channels. A proposed solution involves using the channel's advertised public key as the "verifier’s public key" to mitigate against selling UTXOs. This method draws on the aut-ct construction's use of key images and a flat file database to prevent such abuses, suggesting an adaptation for Lightning by attaching a sigma-protocol type proof to demonstrate a direct logarithmic equivalence (DLEQ) between a key image and the non-blinded part of the commitment.

The conversation further delves into technical comparisons, noting the limitations of taproot ring signatures, which do not require the verifier to have the full UTXO set, offering a more scalable solution through "utreexo" roots. The inefficiency of basic AOS-style ring signatures for achieving meaningful anonymity within networks akin to Lightning is also discussed, emphasizing the need for fast verification processes to avoid denial-of-service (DOS) attacks based on ownership claims. The discourse then transitions to exploring the viability of Curve Trees and STARK-based structures for improving scalability and verification speeds, particularly in facilitating lightning channel announcements without compromising on security or susceptibility to DOS attacks.

Concerns are raised about the practicality of proving UTXO ownership without exposing them to double-spending risks, especially in scenarios where a UTXO could be proven at a certain block and then spent in the subsequent block. This leads to questioning the effectiveness of publicly announcing channel UTXOs versus privately announcing them for DOS resistance. The debate includes considering mechanisms for filtering and controlling UTXO announcements based on age and value within a merkle/curve tree framework to ensure only high-quality UTXOs are utilized. This approach is compared to the current practice of announcing real channels, pondering the distinctions in security and efficiency within the evolving landscape of cryptographic solutions for the Lightning Network.