mimblewimble team mailing list archive

Message #00584
Idea: Sequence commitment as chain state
We introduce a sequence of elements x at position i, such that:
S(x_i) = H(x_i  i) * G
With G a generator point on an ECC curve and H a hash function. This sequence has a unique "root":
R(S) = Sum S(x_i) = Sum H(x_i  i) * G = (Sum H(x_i  i)) * G
We posit that membership in R(S) can be proven by just providing the triple <i, x_i, Sum_{j != i} H(x_j  j)>.
Does that seem sound? This seems too simple for someone not to have thought about before; would anyone on this list have a reference?
We're thinking this could be used as a close alternative to our current MMRs, the advantages would be:
* A very succinct membership proof (Merkle proof equivalent).
* A root that's easy and efficient to compute.
* Intermediate summing (equivalent to pruning an MMR).
I'd be happy to see someone come up with a reason why this wouldn't work (or why it would).
 Igno
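
A way to test the soundness question raised in the message above, as an added example that is not part of the original post or of the project's code: it builds the root and the membership triple as described, then checks what the verification equation actually binds. The curve (secp256k1), the hash (SHA-256), the encoding of the pair (x_i followed by an 8-byte index) and all function names are assumptions.

```python
import hashlib

# secp256k1 (assumption: the post only says "an ECC curve")
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt=G):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(x, i):  # H(x_i, i) as a scalar; this pair encoding is an assumption
    data = x + i.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def root(seq):  # R(S) = (Sum H(x_i, i)) * G
    return mul(sum(h(x, i) for i, x in enumerate(seq)) % N)

def prove(seq, i):  # the triple <i, x_i, sum of the other hashes>
    rest = sum(h(x, j) for j, x in enumerate(seq) if j != i) % N
    return (i, seq[i], rest)

def verify(r, proof):  # accept when (H(x_i, i) + rest) * G == R
    i, x, rest = proof
    return mul((h(x, i) + rest) % N) == r

def rebind(proof, x_new, i_new):  # triple for another pair, from one proof
    i, x, rest = proof
    total = (h(x, i) + rest) % N  # discrete log of R, revealed by any proof
    return (i_new, x_new, (total - h(x_new, i_new)) % N)
```

Any single valid triple discloses the full hash sum, so `verify` also accepts the output of `rebind` for a pair that was never in the sequence; the equation pins the total scalar, not the individual elements.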