mimblewimble team mailing list archive

mimblewimble team

Mailing list archive

Message #00087
defending against malicious transactors
The original whitepaper at
http://mimblewimble.cash/20160719OriginalWhitePaper.txt
proposes the following transaction creation procedure:
1. Sender and recipient agree on amount to be sent. Call this b.
2. Sender creates transaction with all inputs and change output(s), and gives
recipient the total blinding factor (rvalue of change minus rvalues of
inputs) along with this transaction. So the commitments sum to r*G  b*H.
3. Recipient chooses random rvalues for his outputs, and values that sum
to b minus fee, and adds these to transaction (including range proof).
Now the commitments sum to k*G  fee*H for some k that only recipient
knows.
4. Recipient attaches signature with k to the transaction, and the explicit
fee. It has done.
I see some problems with the sender revealing his total blinding
factor r though.
A malicious sender could spend this output himself while claiming that
the receiver took it, while a malicious receiver could spend the
outputs while claiming that they're already spent.
This malice could take place after the sender has prepared a
rangeproof for his change output, which the receiver could after all
intercept.
It therefore seems prudent to use a more involved procedure where the
sender need not reveal any blinding factors:
1. Sender and recipient agree on amount to be sent. Call this b.
2. Both sender and receiver pick a random blinding factor, rS and
rR respectively, and a random nonce, kS and kR respectively,
and share their commitments rS*G, rR*G, kS*G and kR*G
3. Both compute the Schnorr signature challenge e=H(kS*G+kR*G).
4. Sender computes sS=kS+e*(rSrI), where rI is the blinding factor
on his input.
Receiver computes sR = kR+e*rR.
sS and sR are shared and verified against step 2 commitments by
multiplication with G.
5. The final signature is computed as (s,e) where s = sS + sR.
In this case the receiver learns nothing that lets her spend the
sender's output in any other way,
so no malicious claims can be made.
The above procedure is in essence how a 2of2 multisig output would
need to constructed.
Comments/feedback welcome.
John
Follow ups