mimblewimble team mailing list archive

Re: [POLL] Perfectly hiding vs perfectly binding


On Fri, Aug 18, 2017 at 07:37:33PM -0400, Ignotus Peverell wrote:
> I think it makes sense. It's a reasonable price to pay and I like that it makes it a lot easier to scan your unspent outputs. One question: switch commitments reuse H and compute SHA256(rH). Any particular reason why we'd want yet another generator?

If I remember right, the crypto for unconditionally-sound rangeproofs [1] is simpler if we have a separate and dedicated generator for the second point. But I can't recall the details now, I'm feeling unwell and my head is foggy. Will need to revisit it.

> And we'd likely use blake2 again instead of SHA256 but that's a detail.

Sure :)

[1] https://github.com/apoelstra/secp256k1-mw/pull/1

Andrew Poelstra
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

"A goose alone, I suppose, can know the loneliness of geese
 who can never find their peace,
 whether north or south or west or east"
       --Joanna Newsom
