mimblewimble team mailing list archive

Thread
Date

Re: [POLL] Perfectly hiding vs perfectly binding

To: Ignotus Peverell <igno.peverell@xxxxxxxxxxxxxx>
From: Andrew Poelstra <apoelstra@xxxxxxxxxxxxxx>
Date: Sat, 19 Aug 2017 21:46:56 +0000
Cc: "mimblewimble@xxxxxxxxxxxxxxxxxxx" <mimblewimble@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <aqRsQtYTYp3p0qB4CGwnVLda2FeDnTMMxIsnYnOR3MZH3rZ2B7TN4teklaqDVS0KgduFEKnIMITwAgfiqzetmLfdS9-BnwGQ_X6ffIMFMNs=@protonmail.com>
User-agent: Mutt/1.7.1 (2016-10-04)

On Fri, Aug 18, 2017 at 07:37:33PM -0400, Ignotus Peverell wrote:
> I think it makes sense. It's a reasonable price to pay and I like that it makes it a lot easier to scan your unspent outputs. One question: switch commitments reuse H and compute SHA256(rH). Any particular reason why we'd want yet another generator?
>

If I remember right, the crypto for unconditionally-sound rangeproofs [1] is simpler if we have a separate and dedicated generator for the second point. But I can't recall the details now, I'm feeling unwell and my head is foggy. Will need to revisit it.
 
> And we'd likely use blake2 again instead of SHA256 but that's a detail.
>

Sure :)


[1] https://github.com/apoelstra/secp256k1-mw/pull/1

-- 
Andrew Poelstra
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

"A goose alone, I suppose, can know the loneliness of geese
 who can never find their peace,
 whether north or south or west or east"
       --Joanna Newsom

Attachment: signature.asc
Description: PGP signature

Follow ups

Re: [POLL] Perfectly hiding vs perfectly binding
From: 0xb100d, 2017-09-07

References

[POLL] Perfectly hiding vs perfectly binding
From: Ignotus Peverell, 2017-05-04
Re: [POLL] Perfectly hiding vs perfectly binding
From: Andrew Poelstra, 2017-08-16
Re: [POLL] Perfectly hiding vs perfectly binding
From: Ignotus Peverell, 2017-08-18