mimblewimble team mailing list archive
Re: To Schnorr or not to Schnorr
On Mon, Mar 27, 2017 at 11:48:47AM -0700, Oleg Andreev wrote:
> Andy, you mention a "20% space hit" for sound commitments. Do you mean the double space required by digit commitments (2 points vs 1)? If that's so, I'm investigating a pretty neat trick to save even that space, so the total overhead is probably just one point (compared to Pedersen commitments w/o your 24% optimization).
> The idea is this: all digits must share the same blinding factor and a commitment to a pure blinding factor is shared among all of them. To prevent brute-force discovery of the digits by cancelling the blinding part via subtraction of digits, each digit would use a different generator point (precomputed).
> So instead of these digit commitments (consisting of 2 points each):
> (d_i*H + f_i*G, f_i*J)
> you'd have these:
> (d_i*H + f*G_i, f*J)
> where f*J is the same point shared by all digits. G_i can be precomputed. For 64-bit numbers and base-4 you need at most 32 such generators.
> The draft of this proposal is in our git repo, we are still working on review and a proof of correctness and security:
> 1. Pre-computed generators: https://github.com/chain/chain/blob/confidential-spec/docs/protocol/specifications/ca.md#generators (we only generated 31 of them, 32nd is the ed25519 base point).
> 2. Verifying range proofs using these generators: https://github.com/chain/chain/blob/confidential-spec/docs/protocol/specifications/ca.md#validate-value-range-proof
> Would love to hear your thoughts on that!
Sorry, just getting this now.
I need to think about this, but my first impression is it works. Very cool!
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
"A goose alone, I suppose, can know the loneliness of geese
who can never find their peace,
whether north or south or west or east"
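Added illustration, not part of the original messages or of the linked spec: the quoted digit-commitment formula (d_i*H + f*G_i, f*J) next to the variant that reuses one generator G, showing why the shared blinding factor f needs a distinct G_i per digit. Assumptions: a toy multiplicative group mod 2^127 - 1 stands in for the curve (point addition becomes multiplication, scalar multiplication becomes exponentiation), and the generators are hash-derived under constructed labels.

```python
import hashlib

P = 2**127 - 1   # Mersenne prime; toy group Z_P^*, an assumption (not ed25519, not secure)
N_DIGITS = 32    # base-4 digits of a 64-bit value, as in the email

def gen(label):
    """Hash a constructed label to a group element with no chosen discrete-log relation."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % P

H, G, J = gen("H"), gen("G"), gen("J")
G_I = [gen(f"G_{i}") for i in range(N_DIGITS)]   # one generator per digit position

def digits(value):
    """Base-4 digits, least significant first."""
    return [(value >> (2 * i)) & 3 for i in range(N_DIGITS)]

def commit(value, f, per_digit_generators):
    """Return ([D_i], B) with D_i = d_i*H + f*G_i (or f*G when shared) and B = f*J."""
    pts = []
    for i, d in enumerate(digits(value)):
        g = G_I[i] if per_digit_generators else G
        pts.append(pow(H, d, P) * pow(g, f, P) % P)
    return pts, pow(J, f, P)

def leaked_difference(c_a, c_b):
    """Check whether c_a - c_b is k*H for some digit difference k in -3..3.
    With one shared G the f*G terms cancel and k = d_a - d_b is exposed."""
    diff = c_a * pow(c_b, -1, P) % P
    for k in range(-3, 4):
        if diff == pow(H, k, P):
            return k
    return None

def recombine(pts):
    """Sum_i 4^i * D_i, which equals v*H + f*(Sum_i 4^i * G_i) by the formula above
    (an arithmetic consequence, not a step quoted from the spec)."""
    acc = 1
    for i, d in enumerate(pts):
        acc = acc * pow(d, 4**i, P) % P
    return acc

if __name__ == "__main__":
    f = 0x1D2C3B4A5968778695A4B3C2D1E0F          # constructed blinding factor
    shared, _ = commit(27, f, per_digit_generators=False)   # 27 = digits 3, 2, 1, 0, ...
    distinct, _ = commit(27, f, per_digit_generators=True)
    print("shared G   :", leaked_difference(shared[0], shared[1]))
    print("distinct G_i:", leaked_difference(distinct[0], distinct[1]))
```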