mimblewimble team mailing list archive
Re: Hashed switch commitments
On Thu, 2017-09-07 at 18:12 +0000, Andrew Poelstra wrote:
> It's true that people can put non-random things here which would be
> bad for privacy. I don't think there's any efficiently-verifiable way to
> prevent that. Maybe requiring the data be a hash and requiring the
> be exposed during spending, even in the pre-switch era?
That is worse for privacy then. As soon as someone gets a QC, he can
break the privacy of already spent outputs then.

In general, I think being able to recognize outputs is a very
convincing argument for the hash.

Also, as I argued in the other thread, the hash gives users a lot of
flexibility, because they can decide later if they would like to reveal
the preimage or not. Letting users decide on an individual basis avoids
almost the entire discussion of hiding vs binding.