mimblewimble team mailing list archive
Re: Scriptless scripting and deniable swaps
In the vein of "scriptless scripting", it's worth noting that the signature challenge `e = H(key || nonce || message)` can itself be considered a hash whose preimage needs to be revealed to produce a valid signature.
Two parties can produce a multisignature by having one present his pubkey/nonce half to the other, and the other replying with the hash `e` rather than her pubkey/nonce half.
In this case the first party is doing a totally blind signature, so it's critical that his key not be reused!
If the hash preimage is SNARK-proven to have certain properties you can also get ZKCP or really any script application out of this.