mimblewimble team mailing list archive

Thread
Date

Re: To Schnorr or not to Schnorr

To: Oleg Andreev <oleganza@xxxxxxxxx>
From: Andrew Poelstra <apoelstra@xxxxxxxxxxxxxx>
Date: Fri, 31 Mar 2017 18:10:40 +0000
Cc: mimblewimble@xxxxxxxxxxxxxxxxxxx
In-reply-to: <46840844-0ED4-4ED4-BE6D-2DECEB318FD8@gmail.com>
User-agent: Mutt/1.7.1 (2016-10-04)

On Mon, Mar 27, 2017 at 11:48:47AM -0700, Oleg Andreev wrote:
> Andy, you mention a "20% space hit" for sound commitments. Do you mean the double space required by digit commitments (2 points vs 1)? If that's so, I'm investigating a pretty neat trick to save even that space, so the total overhead is probably just one point (compared to pedersen commitments w/o your 24% optimization).
> 
> The idea is this: all digits must share the same blinding factor and a commitment to a pure blinding factor is shared among all of them. To prevent bruteforce discovery of the digits by cancelling the blinding part via subtraction of digits, each digit would use a different generator point (precomputed).
> 
> So instead of these digit commitments (consisting of 2 points each):
> 
> (d_i*H + f_i*G, f_i*J)
> 
> you'd have these:
> 
> (d_i*H + f*G_i, f*J)
> 
> where f*J is the same point shared by all digits. G_i can be precomputed. For 64-bit numbers and base-4 you need at most 32 such generators.
> 
> The draft of this proposal is in our git repo, we are still working on review and a proof of correctness and security:
> 
> 1. Pre-computed generators: https://github.com/chain/chain/blob/confidential-spec/docs/protocol/specifications/ca.md#generators (we only generated 31 of them, 32nd is the ed25519 base point).
> 2. Verifying range proofs using these generators: https://github.com/chain/chain/blob/confidential-spec/docs/protocol/specifications/ca.md#validate-value-range-proof
> 
> Would love to hear your thoughts on that!
> Oleg.
>


Hi Oleg,

Sorry, just getting this now.

I need think about this, but my first impression is it works. Very cool! 

Cheers
Andrew


-- 
Andrew Poelstra
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

"A goose alone, I suppose, can know the loneliness of geese
 who can never find their peace,
 whether north or south or west or east"
       --Joanna Newsom

Attachment: signature.asc
Description: PGP signature

References

Re: To Schnorr or not to Schnorr
From: Oleg Andreev, 2017-03-27