
mimblewimble team mailing list archive

Re: Scriptless scripting and deniable swaps


In the vein of "scriptless scripting", it's worth noting that the signature challenge e = `H(key || nonce || message)` can itself be considered a hash whose preimage needs to be revealed to produce a valid signature.

Two parties can produce a multisignature by having one present his pubkey/nonce half to the other, and the other replying with the hash `e` rather than her pubkey/nonce half.

In this case the first party is doing a totally blind signature, so it's critical that his key not be reused!

If the hash preimage is SNARK-proven to have certain properties you can also get ZKCP or really any script application out of this.
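
The two-party exchange described in the message above, as an added sketch that is not part of the original post. It assumes a constructed toy Schnorr group (far too small for real use), plain products of the two key and nonce halves, and hypothetical function names.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only:
# p = 2q + 1 with p and q prime; g generates the order-q subgroup.
P_MOD, Q, G = 2039, 1019, 4

def challenge(pub, nonce, msg):
    """e = H(key || nonce || message), reduced into the exponent group."""
    data = b"%d|%d|" % (pub, nonce) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keypair():
    """Random secret exponent and its public value g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P_MOD)

def a_respond(x_a, k_a, e):
    """First party: sees only e, never the message or the other half."""
    return (k_a + e * x_a) % Q

def b_finish(x_b, pub_a, nonce_a, msg, ask_a):
    """Second party: builds e from both halves and sends A only the hash."""
    k_b, nonce_b = keypair()
    pub = pub_a * pow(G, x_b, P_MOD) % P_MOD
    nonce = nonce_a * nonce_b % P_MOD
    e = challenge(pub, nonce, msg)
    s = (ask_a(e) + k_b + e * x_b) % Q   # combine both partial signatures
    return pub, nonce, s

def verify(pub, nonce, s, msg):
    """The verifier needs the preimage (pub, nonce, msg) of e to check s."""
    e = challenge(pub, nonce, msg)
    return pow(G, s, P_MOD) == nonce * pow(pub, e, P_MOD) % P_MOD

def run_session(msg):
    """One full exchange; records everything A receives from B."""
    x_a, pub_a = keypair()     # one-time key for A, per the warning above
    k_a, nonce_a = keypair()   # A's nonce half
    x_b, _ = keypair()
    seen_by_a = []
    def ask_a(e):
        seen_by_a.append(e)
        return a_respond(x_a, k_a, e)
    pub, nonce, s = b_finish(x_b, pub_a, nonce_a, msg, ask_a)
    return pub, nonce, s, seen_by_a
```

A's only input is `e`, so nothing in `a_respond` can check what is being signed, which is why `x_a` is generated fresh inside `run_session`.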