
mimblewimble team mailing list archive

Re: Scriptless scripting and deniable swaps


On Tue, Mar 07, 2017 at 02:51:57PM -0500, John Tromp wrote:
> One comparison in each case; kernel.locktime >= blockindex
> So the costs are small, but better avoided altogether I agree.
> Can you elaborate on how to prove that the third privkey is indeed
> equal to base^{2^largenumber} ?

You could use garbled circuits http://people.xiph.org/~greg/simple_verifyable_execution.txt
(the literature has more efficient constructions according to Ethan,
he said to look up "garbled gadgets"), or SNARKs, or something to
prove the statement.

In zero-knowledge of p and q you prove the following statement:

  n = p*q; pubkey = xG where x = base^(2^largenumber mod (p-1)(q-1))

which I don't think is likely to be a huge circuit.

Andrew Poelstra
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

"A goose alone, I suppose, can know the loneliness of geese
 who can never find their peace,
 whether north or south or west or east"
       --Joanna Newsom
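
Added example (not part of the message above, and not code from the author or the project): the statement from the mail checked in the clear, showing that whoever knows p and q gets x from one short exponentiation while everyone else needs `largenumber` sequential squarings mod n. Assumptions: the exponentiation is taken mod n, the curve is secp256k1, x is reduced mod the curve order before computing xG, and all function names and the toy parameters are constructed for illustration.

```python
# secp256k1 (assumed curve; the mail only writes "xG")
FP = 2**256 - 2**32 - 977
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % FP == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, FP) % FP
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, FP) % FP
    x = (lam * lam - a[0] - b[0]) % FP
    return (x, (lam * (a[0] - x) - a[1]) % FP)

def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def x_by_squaring(base, t, n):
    """Without p, q: t sequential squarings mod n give base^(2^t) mod n."""
    x = base % n
    for _ in range(t):
        x = x * x % n
    return x

def x_with_trapdoor(base, t, p, q):
    """With p, q: reduce the exponent 2^t mod (p-1)(q-1), one short pow."""
    return pow(base, pow(2, t, (p - 1) * (q - 1)), p * q)

def relation_holds(n, pubkey, base, t, p, q):
    """Statement from the mail, checked in the clear; (p, q) is the witness."""
    if p <= 1 or q <= 1 or p * q != n:
        return False
    # Assumption: x is reduced mod the curve order before multiplying G.
    return ec_mul(x_with_trapdoor(base, t, p, q) % ORDER) == pubkey

# Constructed toy instance: two Mersenne primes, far too small for real use.
P_TOY, Q_TOY, BASE, T = 2**31 - 1, 2**61 - 1, 3, 20000
N_TOY = P_TOY * Q_TOY
PUB_TOY = ec_mul(x_by_squaring(BASE, T, N_TOY))
```

A zero-knowledge proof of this statement would evaluate the same relation inside a circuit with p and q as private inputs; here they are passed openly only to show what is being proved.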
