← Back to team overview

mimblewimble team mailing list archive

Re: A ransomware attack on MimbleWimble with Schnorr signatures


dear imblers,

> Each output has a rangeproof consisting of several ring signatures
> corresponding to different denominations that sum to the hidden value
> (see [1] [2]).
> For binary denominations, each such ring signature is of the form
> (e0,s0,s1) satisfying, for some P0,P1 differing by 2^i * G,
> e1 = H(s0*G-e0*P0)
> e0 = H(s1*G-e1*P1)

Nice try, but as I was just informed on #bitcoin-wizards,
these hashes commit to the original xG as well:
e1 = H(xG | s0*G-e0*P0)
e0 = H(xG | s1*G-e1*P1)
So we cannot fix the rangeproof to account for changing xG to xG'.
Sorry for the false alarm...