mimblewimble team mailing list archive

Thread
Date

Re: Scriptless scripting and deniable swaps

To: "mimblewimble@xxxxxxxxxxxxxxxxxxx" <mimblewimble@xxxxxxxxxxxxxxxxxxx>
From: Merope Riddle <merope07@xxxxxxxxxxxxxx>
Date: Fri, 03 Feb 2017 18:30:44 -0500
Feedback-id: XAPoGc9z-Sx8Gs_73KQmjWrMmkVk7J-jsZvPxClegrEG_drDnUhFE0ZE67nPBzmTmPF0Ee7x_FNt1UQdMBn8JQ==:Ext:ProtonMail
In-reply-to: <20170203224214.GE22948@boulet.lan>
Reply-to: Merope Riddle <merope07@xxxxxxxxxxxxxx>

In the vein of "scriptless scripting", it's worth noting that the signature challenge e = `H(key || nonce || message)` can itself be considered a hash whose preimage needs to be revealed to produce a valid signature.

Two parties can produce a multisignature by having one present his pubkey/nonce half to the other, and the other replying with the hash `e` rather than her pubkey/nonce half.

In this case the first party is doing a totally blind signature, so it's critical that his key not be reused!

If the hash preimage is SNARK-proven to have certain properties you can also get ZKCP or really any script application out of this.

~M

References

Scriptless scripting and deniable swaps
From: Andrew Poelstra, 2017-02-03