mimblewimble team mailing list archive
Message #00053
Re: Scriptless scripting and deniable swaps
> The people constructing the locktimes are depending on the security of the
> zero-knowledge proof (which could be as simple as just hashes being random
> oracles) and the security of the timelock puzzles (RSA problem being hard).
>
>> I don't see the downside of simply requiring a locktime on every kernel...
>
> Extra identifying data which miners can identify and censor,

Locktimes will generally be at or a few blocks behind the current tip.

> additional data being stored in the chain forever,

True; 4 bytes extra per kernel.

> additional validation cost for users who
> aren't involved in the contract, permanent complexity of adding specific
> contract enforcement logic to consensus code.

One comparison in each case; kernel.locktime >= blockindex

So the costs are small, but better avoided altogether, I agree.

Can you elaborate on how to prove that the third privkey is indeed
equal to base^{2^largenumber}?
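
The quantity asked about in the message above, base^{2^largenumber} modulo an RSA modulus, as an added example that is not part of the original message or of any mimblewimble code: whoever knows the factors reaches it with one short exponentiation, while anyone else needs largenumber sequential squarings. The primes, base, squaring count and function names are constructed for illustration, and the sketch does not cover the zero-knowledge proof itself.

```python
import math

# Constructed toy parameters: two known Mersenne primes (2^31-1 and 2^61-1).
# A real timelock puzzle would use a 2048-bit or larger RSA modulus.
P = 2147483647
Q = 2305843009213693951
N = P * Q


def solve_sequential(base: int, t: int, n: int) -> int:
    """Solver's path: t modular squarings, each depending on the previous one.

    Without the factorisation of n there is no known way to skip steps,
    which is what ties the puzzle to the hardness of the RSA problem.
    """
    x = base % n
    for _ in range(t):
        x = x * x % n
    return x


def solve_with_trapdoor(base: int, t: int, p: int, q: int) -> int:
    """Creator's path: reduce the exponent 2^t modulo phi(n), then exponentiate once."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(base, n) != 1:
        # Euler's theorem, which justifies the exponent reduction, needs a unit mod n.
        raise ValueError("base must be coprime to n")
    e = pow(2, t, phi)  # small exponent standing in for the huge 2^t
    return pow(base, e, n)


if __name__ == "__main__":
    base, t = 5, 20000  # constructed values; t plays the role of "largenumber"
    slow = solve_sequential(base, t, N)
    fast = solve_with_trapdoor(base, t, P, Q)
    print("sequential :", hex(slow))
    print("trapdoor   :", hex(fast))
    print("match      :", slow == fast)
```
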