← Back to team overview

mimblewimble team mailing list archive

Re: [POLL] Perfectly hiding vs perfectly binding


Hi All,

In a world where large quantum computers exist, then only perfectly binding
chains are of any use of all.

However, if a world where large quantum computers do not exist, then it
seems like perfectly hiding chains are preferable.

Barring undisclosed advances in quantum computing, we seem to find
ourselves in the first world, although perhaps the second is just around
the corner.

In that case, then perhaps a perfectly hiding chain and a perfectly binding
chain with cross-chain pegs may be a good solution.

If John's comment is correct, and the perfectly hiding chain might
eventually permit theft, but not arbitrary money creation, then perhaps the
right arrangement is to have coins come into existence on the perfectly
binding chain, but allow users to transfer them to the perfectly hiding
chain and back.

Users can then balance their desire for privacy with their belief in the
likelihood of large quantum computers already existing or suddenly coming
into being.

If quantum computers eventually exist, then the perfectly hiding chain will
have had a good run, and hopefully everyone will have gotten out in time!

Unfortunately, my understanding of the cryptography involved is far too
weak to propose a an actually mechanism to allow such a cross-chain peg, so
I'm not sure this would even be possible at all!


On Wed, May 3, 2017 at 10:04 PM Ignotus Peverell <
igno.peverell@xxxxxxxxxxxxxx> wrote:


> You guys are too shy :-) I'm getting very well reasoned replies off-list
> that others could benefit from.
> - Igno
> -------- Original Message --------
> Subject: [Mimblewimble] [POLL] Perfectly hiding vs perfectly binding
> Local Time: May 3, 2017 5:14 PM
> UTC Time: May 4, 2017 12:14 AM
> From: igno.peverell@xxxxxxxxxxxxxx
> To: mimblewimble@xxxxxxxxxxxxxxxxxxx <mimblewimble@xxxxxxxxxxxxxxxxxxx>
> Hi all,
> I thought running a little poll could be fun and it's on a topic that may
> be more emotional than technical: in the advent of Quantum Computers, or
> even computers of infinite power, do we prefer transactions that are
> perfectly hiding (one will never be able to discover their value) or
> perfectly binding (one will never be able to steal or create money). It's
> really inconvenient, but it's been proven we can't have both.
> To vote, just reply with one of these 2 lines:
> [X] Perfectly hiding, privacy guarantees should remain true forever
> [X] Perfectly binding, one should never be able to break transaction
> integrity
> Because some arguments may be non-obvious, I'll flesh out a few.
> Why we'd really want perfectly binding transactions is straightforward:
> being able to create money out of thin air or stealing sounds pretty bad
> for any cryptocurrency. Note that most existing cryptocurrencies are
> sensitive to this right now: with a working and powerful Quantum Computer,
> you'd likely be able to steal a fair amount of bitcoins or even zcash. So
> there's a definite advantage in offering such strong integrity guarantees.
> On the other hand, QCs aren't going to happen overnight. We will likely
> have years (many experts say decades) to prepare. Also if it was to happen
> right now, we'd likely have very tangible issues in other places we're not
> anticipating. But *when* it happens, a chain that's not perfectly hiding
> will become fully clear. So all the transaction history up to the point
> where we have fully quantum safe algorithms will be analyzed. And while we
> can adjust algos, data stays forever.
> Cast your votes!
> - Igno
> P.S. I can't promise we'll do what the majority says (on the crypto side
> we have perfectly hiding, but not perfectly binding yet), but it'll
> influence the direction!
> --
> Mailing list: https://launchpad.net/~mimblewimble
> Post to     : mimblewimble@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~mimblewimble
> More help   : https://help.launchpad.net/ListHelp

Follow ups