Before going into the rest of the post, as there is some ambiguity about what to call our different versions of Lelantus, I will be referring to them as follows to avoid confusion:
Lelantus v1: As currently implemented in FIRO. Only change amounts are hidden. No separate private address.
Lelantus v2: The original protocol we were planning to deploy after Lelantus v1 and described in our preprint. Has its own private addressing system, all amounts hidden. No stealth addressing. Lelantus v2 hasn’t actually been named officially.
New Privacy Protocol (NPP): The new protocol that we have been researching below whose name we are still trying to decide. This is a placeholder reference.
As per my previous research update, we've been hard at work on a new privacy protocol that supports stealth addressing. The reason for this research is that while Lelantus v2 has very nice properties like high anon sets and good performance, it has a few drawbacks:
- No stealth addressing, meaning that for ideal privacy users need to keep generating new addresses. If new addresses aren't generated, third parties can know that the address received something, but not how much, where it came from, or when it spends. This is however an important piece of metadata, which can be a problem with recurring payments. RAP addresses only work on the transparent layer, which is what Lelantus v1 uses.
- No multisig (might be possible to work one out but we haven’t put work into it).
- Balance proof security is difficult to prove formally. While we have found no obvious way to exploit it, it is quite challenging to formally prove it. The existing security proof does not conclusively prove its security and while there are alternate ways to prove it, it still doesn’t address all concerns.
As such, I had tasked our research team to work on addressing these concerns. Aram has come up with quite a clever solution which we hope solves this, while Aaron has been doing security analysis on it. The building blocks of it have been worked out and we are in the process of writing the paper and security proofs for it. Note this is very much a work in progress and things may be subject to change. However, the purpose of this thread is that we need a new name for it.
What this new protocol does (if we are right) on top of all the goodness that is Lelantus v2:
- Supports stealth addressing meaning you don’t have to generate new addresses when sharing your address.
- Simplified balance proof meaning we have greater security and confidence that the balance proof is sound.
- Supports multi-sig
- Supports view keys, both incoming and outgoing. This means you can optionally reveal amounts to your auditor, and it is also useful for donations, where you can view amounts that come in or go out. This is important as we move to mandatory privacy.
- Would have faster verification and proving performance than Triptych for large anonymity sets, though Triptych can be modified to get similar speedups at the cost of size.
The above is what we think the protocol can achieve but the security needs to be tested and formally proven to ensure everything holds.
The new scheme uses an almost completely different structure than Lelantus, but still uses modified Groth-Bootle (one-out-of-many) proofs to prove membership. How NPP differs from Lelantus v2:
- Uses a modified address format
- Separates output keys from value commitments (sort of like how Triptych/RingCT do it)
- Uses a parallel modification to Groth/Bootle for membership proof (and a related requirement for value commitment offsets)
- Uses a modified Chaum-Pedersen proof to show linking tag validity
- Uses RingCT-style balance assertion via value commitment offsets
It does sacrifice some performance compared to Lelantus v2, but we believe that having a complete stealth addressing system offers more practical privacy, and a better balance proof offers more security.
NPP is also nice in that if there’s a more efficient proof besides Groth/Bootle, it can be replaced.
We estimate the coding work for moving to Lelantus v2 vs NPP to be about equal; however, the paper does need to be published and re-audited, although from a development standpoint this doesn't delay things too much. If our research goes well (we should have a better idea by August-ish), I would be minded to skip Lelantus v2 and just go for NPP.
But what should we call it? Aram is of the opinion that we should retain the Lelantus branding and call it either v2 or v3, despite it being pretty different, so as to cement the Lelantus/Firo branding.
I am of the opinion that we should call it something different (maybe some variant of Aura) to reflect that it's a significantly different scheme that shares only minimal plumbing with Lelantus v2, though it can be described as 'spiritually' the same in its use of trustless Groth-Bootle proofs and the way it approaches anonymity sets. I think we shouldn't downplay how different these schemes are.
This poll is just as a sentiment check and to see if we can find good solutions.
- Lelantus v2 or v3
- Aura or some variant (as per our roadmap)
- Something else (please state)
Ideally the name is easy to say, good for SEO (e.g. Aura is not good for SEO, just like how Halo / Halo 2 keeps leading to the game) and yet sounds cool.
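As an added illustration of the "RingCT-style balance assertion via value commitment offsets" bullet in the post above (this is editor-supplied example code, not Firo's implementation and not the NPP paper's construction): the spender replaces each input's on-chain Pedersen commitment with a freshly blinded offset commitment to the same value, proves that the difference between the two is a commitment to zero (i.e. a known multiple of G), and then the verifier checks that the offsets sum to the outputs plus the fee. The one-out-of-many membership proof and the linking tag are out of scope here; a plain Schnorr proof over a single known input stands in for them, so there is no anonymity set in this demo. secp256k1, the generator label, the scalar sizes and every function name are assumptions chosen for the example.

```python
"""RingCT-style balance check with value-commitment offsets (demo, not Firo code)."""
import hashlib
import secrets

# secp256k1 parameters (standard); curve arithmetic is hand-rolled for the demo only.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = pow((GX**3 + 7) % P, (P + 1) // 4, P)   # P = 3 mod 4, so this is a square root
GY = GY if GY % 2 == 0 else P - GY            # the standard base point has even y
G = (GX, GY)


def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def neg(a):
    return None if a is None else (a[0], (-a[1]) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication with k reduced mod the group order."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def hash_to_point(label):
    """Second generator whose discrete log w.r.t. G is unknown (try-and-increment)."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


H = hash_to_point(b"NPP-demo value generator")  # label is an assumption for the demo


def enc(pt):
    return b"\x00" * 64 if pt is None else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def commit(value, blind):
    """Pedersen commitment value*H + blind*G."""
    return add(mul(value, H), mul(blind, G))


def prove_zero(x, Q, ctx):
    """Schnorr proof that Q = x*G, i.e. Q commits to value zero (stand-in for the real proof)."""
    k = secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    c = int.from_bytes(hashlib.sha256(enc(R) + enc(Q) + ctx).digest(), "big") % N
    return (R, (k + c * x) % N)


def verify_zero(Q, proof, ctx):
    R, s = proof
    c = int.from_bytes(hashlib.sha256(enc(R) + enc(Q) + ctx).digest(), "big") % N
    return mul(s, G) == add(R, mul(c, Q))


def build_spend(inputs, outputs, fee, ctx=b"tx-demo", offset_delta=0):
    """inputs: [(value, blind)] owned coins; outputs: [value]. The last output blind is chosen
    so the offset blinds and output blinds agree. offset_delta != 0 models a cheating spender
    whose offset commits to a different value than the input it replaces."""
    offsets, proofs = [], []
    for v, r in inputs:
        r2 = secrets.randbelow(N)
        c_chain, c_off = commit(v, r), commit(v + offset_delta, r2)
        offsets.append((c_off, r2))
        # The only scalar the spender knows; it is the discrete log of the difference
        # only when the offset carries the same value as the input.
        proofs.append(prove_zero((r - r2) % N, add(c_chain, neg(c_off)), ctx))
    out_blinds = [secrets.randbelow(N) for _ in outputs[:-1]]
    out_blinds.append((sum(r2 for _, r2 in offsets) - sum(out_blinds)) % N)
    return {"inputs": [commit(v, r) for v, r in inputs],
            "offsets": [c for c, _ in offsets],
            "proofs": proofs,
            "outputs": [commit(v, s) for v, s in zip(outputs, out_blinds)],
            "fee": fee}


def verify_spend(tx, ctx=b"tx-demo"):
    # 1. Each offset commits to the same value as the input it replaces.
    for c_in, c_off, pr in zip(tx["inputs"], tx["offsets"], tx["proofs"]):
        if not verify_zero(add(c_in, neg(c_off)), pr, ctx):
            return False
    # 2. RingCT-style balance: sum(offsets) == sum(outputs) + fee*H.
    lhs = None
    for c in tx["offsets"]:
        lhs = add(lhs, c)
    rhs = mul(tx["fee"], H)
    for c in tx["outputs"]:
        rhs = add(rhs, c)
    return lhs == rhs


if __name__ == "__main__":
    coins = [(50, 11), (30, 22)]                               # constructed sample inputs
    print("honest  :", verify_spend(build_spend(coins, [70, 9], fee=1)))
    print("inflated:", verify_spend(build_spend(coins, [70, 20], fee=1)))
    print("bad off :", verify_spend(build_spend(coins, [80, 9], fee=1, offset_delta=10)))
```

The third case is the one the offset proof exists for: with an offset that commits to 60 instead of 50 the balance equation itself still holds (60 + 30 = 80 + 9 + 1), so the inflation is caught only because the spender cannot prove that the input minus its offset is a multiple of G.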