mimblewimble team mailing list archive
Re: A ransomware attack on MimbleWimble with Schnorr signatures
> Each output has a rangeproof consisting of several ring signatures
> corresponding to different denominations that sum to the hidden value
> (see  ).
> For binary denominations, each such ring signature is of the form
> (e0,s0,s1) satisfying, for some P0,P1 differing by 2^i * G,
> e1 = H(s0*G-e0*P0)
> e0 = H(s1*G-e1*P1)
Nice try, but as I was just informed on #bitcoin-wizards,
these hashes commit to the original xG as well:
e1 = H(xG | s0*G-e0*P0)
e0 = H(xG | s1*G-e1*P1)
So we cannot fix the rangeproof to account for changing xG to xG'.
Sorry for the false alarm...
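
The two verification equations above, with the xG prefix in the hash, as an added example that is not part of the original message or of any MimbleWimble implementation. It assumes secp256k1 and SHA-256; the function names are hypothetical, and the second generator used for the 2^i offset is a stand-in with a known discrete log (the quoted text writes the offset as 2^i * G), so this is for illustration only.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime; N is the group order, G the generator
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    m = (3 * A[0] * A[0] * pow(2 * A[1], -1, P) if A == B
         else (B[1] - A[1]) * pow((B[0] - A[0]) % P, -1, P))
    x = (m * m - A[0] - B[0]) % P
    return (x, (m * (A[0] - x) - A[1]) % P)

def mul(k, A):  # double-and-add (not constant time; demo only)
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def sub(A, B):
    return add(A, None if B is None else (B[0], -B[1] % P))

def H(C, R):  # H(xG | R), reduced to a scalar
    raw = b"".join(v.to_bytes(32, "big") for v in C + R)
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N

def ring_sign(C, keys, b, r):  # signer knows r with keys[b] = r*G
    k, o = secrets.randbelow(N - 1) + 1, 1 - b
    e, s = [0, 0], [0, 0]
    e[o] = H(C, mul(k, G))                     # challenge derived from the real nonce
    s[o] = secrets.randbelow(N - 1) + 1        # simulated response for the other key
    e[b] = H(C, sub(mul(s[o], G), mul(e[o], keys[o])))
    s[b] = (k + e[b] * r) % N                  # closes the ring
    return e[0], s[0], s[1]

def ring_verify(C, keys, sig):
    e0, s0, s1 = sig
    e1 = H(C, sub(mul(s0, G), mul(e0, keys[0])))          # e1 = H(xG | s0*G - e0*P0)
    return e0 == H(C, sub(mul(s1, G), mul(e1, keys[1])))  # e0 = H(xG | s1*G - e1*P1)

def demo(b, i=3):  # constructed inputs: bit value b at position i
    x, r = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    D = mul(2**i * H(G, G), G)  # 2^i times the stand-in second generator
    Pb = mul(r, G)
    keys = [Pb, sub(Pb, D)] if b == 0 else [add(Pb, D), Pb]  # P0 - P1 = D
    sig = ring_sign(mul(x, G), keys, b, r)
    return ring_verify(mul(x, G), keys, sig), ring_verify(mul(x + 1, G), keys, sig)
```

`demo(b)` returns `(True, False)` for either bit value: the signature verifies under the xG it was made for and fails under a different xG' with the same ring keys.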