mimblewimble team mailing list archive

Thread
Date

Re: [POLL] Perfectly hiding vs perfectly binding

To: Ignotus Peverell <igno.peverell@xxxxxxxxxxxxxx>
From: John Tromp <john.tromp@xxxxxxxxx>
Date: Wed, 3 May 2017 21:45:49 -0400
Cc: "mimblewimble@xxxxxxxxxxxxxxxxxxx" <mimblewimble@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <ixOoAMTZ-VoQIUoevi30fjSlCJE30uxSW8WtVV6Zo7pu7tKAGKzu4P3QlWitwg_ulohg6fGSX_-ErXKBdkWGryOfpFBrfGQaORSY94-8I7Q=@protonmail.com>

dear Igno,

This is a tough decision! If scalable quantum computers are our
only worry, then there's a lot to be said for Pedersen. I love its
simplicity and efficiency. And it seems likely that such quantum
computers will make their presence known in some way or other.

But we still cannot take classical hardness of ECDL or factoring
for granted either. Or even, for that matter, of P != NP (or BPP != NP).
Where QC development is spearheaded by big publicly visible research
projects, it's more likely that discovery of a classical breakthrough remains
hidden from public.

And that for me swings the balance against Pedersen:

[X] Perfectly binding, one should never be able to break transaction integrity

> Why we'd really want perfectly binding transactions is straightforward:
> being able to create money out of thin air or stealing sounds pretty bad
> for any cryptocurrency. Note that most existing cryptocurrencies are sensitive
> to this right now:

Sensitive to stealing, yes. But not so much for creating money out of thin air.
Only Zcash (and its clones like Komodo), Zcoin, and Monero are at
this particular risk, as far as i can tell.

-John

References

[POLL] Perfectly hiding vs perfectly binding
From: Ignotus Peverell, 2017-05-04