mimblewimble team mailing list archive

Re: Scriptless scripting and deniable swaps


Dear Andrew,

>> Pieter Wuille in particular has stressed to me what a great feature of MW it is
>> that everything looks the same, and that breaking this property should be taken
>> very seriously.

But with every kernel having both a fee and a locktime (which defaults
to the last confirmed block at the time of signing), things are pretty
uniform already.

> He also suggested the locktime should be cancellable and extendable by having
> the would-be recipient reveal a key to the sender, but we didn't work out all
> the details. If this works then we should be able to get the effect of a
> relative lock-time, having indefinitely-open lightning channels, and so forth.
> Exciting times.
> Therefore I revise my proposal again, to remove the explicit locktime, and
> have only the fee.

"I send the coins to a 3-of-3 multisig: my key, his key, and a third
key that I generate with some RSA timelock puzzle. Then I give him the
corresponding pubkey and SNARK-prove to him that the privkey is a
solution to the timelock puzzle."

This seems like quite a bit of complexity. What extra security
assumptions are we relying on here?
I don't see the downside of simply requiring a locktime on every kernel...
