mimblewimble team mailing list archive
Mailing list archive
Re: [POLL] Perfectly hiding vs perfectly binding
On Fri, Aug 18, 2017 at 07:37:33PM -0400, Ignotus Peverell wrote:
> I think it makes sense. It's a reasonable price to pay and I like that it makes it a lot easier to scan your unspent outputs. One question: switch commitments reuse H and compute SHA256(rH). Any particular reason why we'd want yet another generator?
If I remember right, the crypto for unconditionally-sound rangeproofs  is simpler if we have a separate and dedicated generator for the second point. But I can't recall the details now, I'm feeling unwell and my head is foggy. Will need to revisit it.
> And we'd likely use blake2 again instead of SHA256 but that's a detail.
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
"A goose alone, I suppose, can know the loneliness of geese
who can never find their peace,
whether north or south or west or east"
Description: PGP signature