@phyro
Created February 14, 2020 15:24
ETC MW toilet napkin braindump

ETC MW napkin braindump

Define a new type of transaction that has the form of a Pedersen commitment v*H + r*G, where v denotes the amount and r is the blinding factor for v, which also serves as the proof-of-ownership factor (whoever knows r can spend the commitment). Let's say Alice holds 100 ETC and wants to create her own Pedersen commitment that holds 20 ETC. She creates a transition transaction of type addr->pc whose "to" part holds a Pedersen commitment 20*H + r*G where r is the blinding factor. To verify the v part she exposes the public key r*G and signs some message with r (in practice the message should commit to the transaction itself so the signature cannot be replayed); the verifier then adds 20*H to r*G and checks that this does in fact arrive at the 20*H + r*G commitment. This Pedersen commitment does not need a zero knowledge range proof to avoid inflation attacks because the value is public.

We have 4 types of transactions:

  1. addr->addr our regular Ethereum tx
  2. addr->pc a transaction that moves some coins to a Pedersen commitment
  3. pc->addr a transaction that transfers coins from a Pedersen commitment to an address
  4. pc->pc a transaction from a Pedersen commitment to another Pedersen commitment in a Mimblewimble way (interactive, can be aggregated, etc.). Each Pedersen commitment output here carries a zero knowledge range proof to avoid inflation attacks: since v is hidden, the proof shows v is non-negative and within range, so no output can carry a negative amount that would balance an inflated one. The advantage here is that a Pedersen commitment, once it is spent, can be thrown away (along with its range proof).

When opting out of the Pedersen commitments (pc->addr) we reveal the value v of the Pedersen commitment and confirm the move to an address by showing the public key r*G and signing, with the private key r, a message saying we want to move v coins to address A. Note that we can show r*G because we are also revealing v at this step, so we are no longer afraid that this would allow a brute-force attack that unblinds v (with r*G known, C - r*G = v*H, and v could be recovered by trying candidate amounts). We can now confirm the Pedersen commitment opens to v*H + r*G by taking the public key r*G, adding v*H to it, and checking whether we arrive at v*H + r*G.

In order to prevent inflation, we hold the running sum K of transitioned money; in the case of Alice moving her 20 ETC, K increases by 20. Every pc->addr transition decreases K by the revealed v and must be rejected if it would make K negative. This way we can validate that we don't transform from Pedersen commitments back to normal addresses more than is possible, and hence can't inflate.

To prove a pc->pc transaction is a commitment to zero we hold the kernel excess, which is sum(outputs) - sum(inputs) of the Pedersen commitments. If the values balance, the H terms cancel and the excess is x*G with x = sum(r_out) - sum(r_in); a signature with x over the kernel curve point x*G proves knowledge of x, which is only possible if there is no leftover v*H component (assuming nobody knows the discrete log of H with respect to G). Combined with the range proofs on the outputs this is what prevents inflation inside pc->pc.
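The addr->pc opening check, the pc->addr brute-force caveat, and the pc->pc kernel-excess check described above, as an added example that is not part of the gist: a pure-Python toy on secp256k1. The second generator H (derived by hashing G), the Schnorr signature scheme, the message strings and the amounts are assumptions of this example, not something the gist specifies; range proofs are left out.

```python
# Added example, not code from the gist: toy Pedersen transitions on secp256k1.
# Assumptions: H = nothing-up-my-sleeve point from hashing G, plain Schnorr over
# sha256 for ownership/kernel signatures, no range proofs. Not constant-time.
import hashlib
import secrets

P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    k %= N
    acc = None
    while k:                                 # double-and-add
        if k & 1: acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def sub(a, b):
    return add(a, None if b is None else (b[0], (-b[1]) % P))
def enc(pt):
    return b"\x00" if pt is None else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def derive_H():
    """Second generator with unknown discrete log wrt G: hash G, lift x, try-and-increment."""
    x = int.from_bytes(hashlib.sha256(enc(G)).digest(), "big") % P
    while True:
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)         # p = 3 mod 4, so this is a sqrt if one exists
        if y * y % P == y2:
            return (x, y)
        x = (x + 1) % P
H = derive_H()

def commit(v, r):
    """The gist's Pedersen commitment v*H + r*G."""
    return add(mul(v, H), mul(r, G))
def hash_int(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def schnorr_sign(x, msg):
    k = secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    e = hash_int(enc(R), enc(mul(x, G)), msg)
    return (R, (k + e * x) % N)
def schnorr_verify(pub, msg, sig):
    R, s = sig
    return mul(s, G) == add(R, mul(hash_int(enc(R), enc(pub), msg), pub))

def verify_public_value_open(C, v, rG, msg, sig):
    """addr->pc / pc->addr: v is public, owner shows r*G and signs with r; check v*H + r*G == C."""
    return schnorr_verify(rG, msg, sig) and add(mul(v, H), rG) == C

def build_kernel(inputs, outputs, msg):
    """pc->pc, spender side: knows every (v, r); excess x = sum(r_out) - sum(r_in), signed."""
    x = (sum(r for _, r in outputs) - sum(r for _, r in inputs)) % N
    return (mul(x, G), schnorr_sign(x, msg))

def verify_kernel(in_commits, out_commits, excess, msg, sig):
    """pc->pc, verifier side: sees only commitments; sum(out) - sum(in) must be the signed excess."""
    total = None
    for c in out_commits: total = add(total, c)
    for c in in_commits: total = sub(total, c)
    return total == excess and schnorr_verify(excess, msg, sig)

def brute_force_value(C, rG, max_v):
    """Why r*G must stay secret while v is hidden: C - r*G = v*H, and a small v is guessable."""
    target = sub(C, rG)
    acc = None                               # 0*H
    for v in range(max_v + 1):
        if acc == target: return v
        acc = add(acc, H)
    return None

def demo():
    """Alice's 20 ETC: addr->pc with public value, then pc->pc into 15 + 5 (constructed data)."""
    r = secrets.randbelow(N - 1) + 1
    C = commit(20, r)
    msg = b"addr->pc: 20 ETC into C"         # should bind to the real tx in practice
    sig = schnorr_sign(r, msg)
    ok_open = verify_public_value_open(C, 20, mul(r, G), msg, sig)
    bad_open = verify_public_value_open(C, 21, mul(r, G), msg, sig)
    r1, r2 = (secrets.randbelow(N - 1) + 1 for _ in range(2))
    excess, ksig = build_kernel([(20, r)], [(15, r1), (5, r2)], b"kernel")
    ok_kernel = verify_kernel([C], [commit(15, r1), commit(5, r2)], excess, b"kernel", ksig)
    # inflation attempt: same kernel, 1 ETC from nowhere -> H terms no longer cancel
    bad_kernel = verify_kernel([C], [commit(15, r1), commit(6, r2)], excess, b"kernel", ksig)
    return ok_open, bad_open, ok_kernel, bad_kernel
```

demo() returns (True, False, True, False): the honest opening and the balanced kernel verify, a wrong public value fails the opening check, and an extra 1*H in the outputs makes sum(out) - sum(in) differ from the signed excess, which the attacker cannot re-sign without the discrete log of H. brute_force_value(commit(20, r), r*G, 64) recovers 20, which is exactly why r*G is only ever revealed together with v.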
