delvingbitcoin
Unilateral Exit
Posted on: March 14, 2024 06:07 UTC
Cryptographic accumulators with constant O(1) witness sizes typically necessitate the existence of a trapdoor mechanism, which allows a specific party with knowledge of the trapdoor to forge commitments.
This contrasts with accumulators that do not use a trapdoor and consequently have to manage larger O(log N) witness sizes, especially evident in scenarios that involve unilateral exits by all participants, leading to significantly increased data management requirements. Specifically, it has been highlighted that while structures like CTV
-trees inherently possess O(N) total data, their utilization in contexts where all participants decide to exit unilaterally results in an efficient O(N) process, thanks to the efficiency of mipmaps.
The concept of a single trusted party holding the knowledge of the trapdoor is not a necessity; through the application of multiparty computation techniques, it's feasible to distribute the trapdoor knowledge among all participants. This distribution ensures no single participant can access the complete trapdoor, thereby mitigating the risk of misuse. An implementation of this approach can be seen in the OP_EVICT
operation, which illustrates how a collective of participants can function as a singular party-with-trapdoor through the aggregation of their inputs, without any individual having comprehensive trapdoor knowledge.
In practical terms, for a system designed around unilateral exit strategies (as opposed to eviction mechanisms like those found in OP_EVICT
), the trapdoor might consist of a sum of public keys from all participants. This setup guards against key cancellation attacks by requiring each participant to prove they hold the private key corresponding to their public key fragment. Within this framework, commitments to specific data points are secured using MuSig2 signatures from all participants except the one associated with the data point being committed. This method of commitment leverages the strengths of multiparty computation to mitigate some drawbacks of trapdoored O(1) accumulators.
However, the major challenge in employing a trapdoored, yet non-custodial or trust-minimized accumulator lies in the initial setup process. It requires the simultaneous online presence of all participants to establish a consensus-based N-of-N "trusted" party, essentially reflecting the collective agreement of all involved entities. In contrast, CTV
-trees and other non-trapdoored accumulators offer the advantage of not necessitating a foundational trust layer or the establishment of a unanimous consensus among participants for their setup, presenting a more straightforward approach to managing accumulators without compromising on security or integrity.