mimblewimble team mailing list archive

Thread
Date

Idea: Sequence commitment as chain state

To: "mimblewimble@xxxxxxxxxxxxxxxxxxx" <mimblewimble@xxxxxxxxxxxxxxxxxxx>
From: Ignotus Peverell <igno.peverell@xxxxxxxxxxxxxx>
Date: Tue, 18 Sep 2018 17:23:39 +0000
Feedback-id: G8oYroY5d92pDGib9ZSQuAzn8O3JuHnC9BYqk1_LZGLiD5_Mc-EkTbswwpCLUOpi1Q3pbIzgCwewBVSqDCwbaw==:Ext:ProtonMail
Reply-to: Ignotus Peverell <igno.peverell@xxxxxxxxxxxxxx>

We introduce a sequence of elements x at position i, such that:

S(x_i) = H(x_i | i) * G

With G a generator point on an ECC curve and H a hash function. This sequence has a unique "root":

R(S) = Sum S(x_i) = Sum H(x_i | i) * G = (Sum H(x_i | i)) * G

We posit that membership in R(S) can be proven by just providing the triple <i, x_i, Sum_{j != i} H(x_j | j)>.

Does that seem sound? This seems too simple for someone not to have thought about before, would anyone on this list have a reference?

We're thinking this could be used as a close alternative to our current MMRs, the advantages would be:

* A very succinct membership proof (Merkle proof equivalent).
* A root that's easy and efficient to compute.
* Intermediate summing (equivalent to pruning a MMR).

I'd be happy to see someone come up with a reason why this wouldn't work (or why it would).

- Igno

Follow ups

Re: Idea: Sequence commitment as chain state
From: Ignotus Peverell, 2018-09-18