mimblewimble team mailing list archive
Message #00054
Re: Scriptless scripting and deniable swaps
On Tue, Mar 07, 2017 at 02:51:57PM -0500, John Tromp wrote:
>
> One comparison in each case; kernel.locktime >= blockindex
>
> So the costs are small, but better avoided altogether I agree.
>
> Can you elaborate on how to prove that the third privkey is indeed
> equal to base^{2^largenumber} ?
>
You could use garbled circuits http://people.xiph.org/~greg/simple_verifyable_execution.txt
(the literature has more efficient constructions according to Ethan,
he said to look up "garbled gadgets"), or SNARKs, or something to
prove the statement.
In zero-knowledge of p and q you prove the following statement:
n = p*q; pubkey = xG where x = base^(2^largenumber mod (p-1)(q-1))
which I don't think is likely to be a huge circuit.
--
Andrew Poelstra
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web: https://www.wpsoftware.net/andrew
"A goose alone, I suppose, can know the loneliness of geese
who can never find their peace,
whether north or south or west or east"
--Joanna Newsom
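The relation in the statement above, as an added Python example (not part of the original message, and not the zero-knowledge proof itself): whoever knows p and q gets x with one short exponentiation, while anyone else needs `t` sequential squarings to reach the same key. Assumptions: x is taken mod n, G is the secp256k1 generator, the Mersenne primes and `t` are constructed toy values, and all function names are hypothetical.

```python
# Constructed toy parameters; a real puzzle needs a large modulus with secret
# p, q. Taking x "mod n" and using secp256k1 are assumptions of this example.
P_SECP = 2**256 - 2**32 - 977  # secp256k1 field prime
N_SECP = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on secp256k1 (None is the point at infinity)."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_SECP == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_SECP)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_SECP)
    x3 = (lam * lam - x1 - x2) % P_SECP
    return (x3, (lam * (x1 - x3) - y1) % P_SECP)

def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def x_with_trapdoor(base, t, p, q):
    """Setter's shortcut: reduce the exponent 2^t modulo (p-1)(q-1)."""
    e = pow(2, t, (p - 1) * (q - 1))
    return pow(base, e, p * q)

def x_by_squaring(base, t, n):
    """Solver without p, q: t squarings mod n, one after another."""
    x = base % n
    for _ in range(t):
        x = x * x % n
    return x

def demo(base=3, t=10_000, p=2**61 - 1, q=2**89 - 1):
    # base must be coprime to n for the exponent reduction to be valid
    fast = x_with_trapdoor(base, t, p, q)
    slow = x_by_squaring(base, t, p * q)
    return fast, slow, ec_mul(fast % N_SECP)
```
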