I hereby claim:
- I am phyro on github.
- I am phyro (https://keybase.io/phyro) on keybase.
- I have a public key whose fingerprint is D9CD 87AE 7489 EDFB F7D3 9438 20CC E2BE 3C8F FDF3
To claim this, I am signing this object:
Define a new type of transaction that has the form of a Pedersen commitment v*H + r*G, where v denotes the amount and r is the blinding factor for v, which also serves as a proof-of-ownership factor.
Let's say Alice holds 100 ETC and wants to create her own Pedersen commitment that holds 20 ETC. She creates a transition transaction that has a transition type addr->pc, and the "to" part holds a Pedersen commitment of the form 20*H + r*G, where r is the blinding factor. To verify the v part, we can expose the r*G public key, sign some message with it, then add 20*H to it and check that we do in fact arrive at the 20*H + r*G public key.
This Pedersen commitment does not need a zero-knowledge range proof to avoid inflation attacks because the value is public.
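The verification described above, as an added example that is not part of the original gist: a Pedersen commitment v*H + r*G on secp256k1 (an assumption; the text does not name a curve), a second generator H derived by hashing so its discrete log relative to G is unknown, a Schnorr signature under the exposed key r*G (assumed here as the "sign some message with it" step), and the check that r*G + v*H equals the committed point. It also shows the additive homomorphism that makes the commitment useful for balancing.

```python
import hashlib
import secrets

# secp256k1 parameters (assumption: the gist does not name a curve).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def encode(pt):
    """Compressed SEC1 encoding, used only as hash input here."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def hash_to_point(seed):
    """Nothing-up-my-sleeve second generator: hash to an x coordinate and lift it.
    secp256k1 has p = 3 (mod 4), so a square root of rhs is rhs^((p+1)/4)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


# Value generator H; nobody knows log_G(H), which is what makes the commitment binding.
H = hash_to_point(encode(G))


def commit(v, r):
    """Pedersen commitment v*H + r*G."""
    return ec_add(ec_mul(v, H), ec_mul(r, G))


def _challenge(nonce_pt, pub, msg):
    return int.from_bytes(hashlib.sha256(encode(nonce_pt) + encode(pub) + msg).digest(), "big") % N


def sign(r, msg, nonce=None):
    """Schnorr signature under the public key R = r*G (assumed signature scheme)."""
    k = nonce if nonce is not None else secrets.randbelow(N - 1) + 1
    nonce_pt = ec_mul(k, G)
    e = _challenge(nonce_pt, ec_mul(r, G), msg)
    return (nonce_pt, (k + e * r) % N)


def verify_sig(pub, msg, sig):
    nonce_pt, s = sig
    e = _challenge(nonce_pt, pub, msg)
    return ec_mul(s, G) == ec_add(nonce_pt, ec_mul(e, pub))


def verify_opening(C, v, pub, msg, sig):
    """The check from the text: the signature proves knowledge of r behind pub = r*G,
    and pub + v*H must land exactly on the committed point C."""
    return verify_sig(pub, msg, sig) and ec_add(pub, ec_mul(v, H)) == C


if __name__ == "__main__":
    r = secrets.randbelow(N - 1) + 1          # Alice's blinding factor
    C = commit(20, r)                         # the "to" part of the addr->pc transition
    pub = ec_mul(r, G)                        # exposed r*G
    sig = sign(r, b"transition addr->pc")     # constructed sample message
    print("20 ETC opening valid:", verify_opening(C, 20, pub, b"transition addr->pc", sig))
    print("21 ETC opening valid:", verify_opening(C, 21, pub, b"transition addr->pc", sig))
```

Because the amount is public, the verifier never needs a range proof; the only secret is r, and the signature is what ties the exposed r*G to someone who actually knows it.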
Bitcoin allows a transaction to commit to a hash and hence prove the existence of some data at a certain point in time.
It's not obvious how to do that in Mimblewimble. The main issue is that everything that a transaction leaves forever on
the chain is a Kernel which consists of
features (1 byte) | fee (8 bytes) | lock_height (8 bytes) | excess (32 bytes) | signature (64 bytes)
As we can see, there's no place for a hash. One solution would be to add a hash and make sure the signature also signs that hash but this would mean we are making the kernel even bigger.
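The kernel layout above, as an added example that is not part of the original gist: a packer and parser for the 113-byte kernel exactly as the text lists it, plus the variant the text considers, with a 32-byte hash appended, to show the size cost. Field byte order and the assumption that the signature covers the scalar fields and, when present, the hash are mine, not taken from any particular Mimblewimble implementation.

```python
import hashlib
import struct

# features (1) | fee (8) | lock_height (8) | excess (32) | signature (64), as listed in the text.
# Big-endian packing is an assumption for this example.
KERNEL_FORMAT = ">BQQ32s64s"
KERNEL_SIZE = struct.calcsize(KERNEL_FORMAT)          # 113 bytes

# The variant the text discusses: a 32-byte hash slot that the signature must also cover.
HASHED_KERNEL_FORMAT = ">BQQ32s32s64s"
HASHED_KERNEL_SIZE = struct.calcsize(HASHED_KERNEL_FORMAT)  # 145 bytes


def pack_kernel(features, fee, lock_height, excess, signature, data_hash=None):
    """Serialise a kernel; pass data_hash to produce the larger, hash-carrying variant."""
    if len(excess) != 32 or len(signature) != 64:
        raise ValueError("excess must be 32 bytes and signature 64 bytes")
    if data_hash is None:
        return struct.pack(KERNEL_FORMAT, features, fee, lock_height, excess, signature)
    if len(data_hash) != 32:
        raise ValueError("data_hash must be 32 bytes")
    return struct.pack(HASHED_KERNEL_FORMAT, features, fee, lock_height, excess, data_hash, signature)


def parse_kernel(blob):
    """Parse either layout, deciding by length; anything else is rejected."""
    if len(blob) == KERNEL_SIZE:
        features, fee, lock_height, excess, signature = struct.unpack(KERNEL_FORMAT, blob)
        data_hash = None
    elif len(blob) == HASHED_KERNEL_SIZE:
        features, fee, lock_height, excess, data_hash, signature = struct.unpack(HASHED_KERNEL_FORMAT, blob)
    else:
        raise ValueError("kernel must be %d or %d bytes, got %d" % (KERNEL_SIZE, HASHED_KERNEL_SIZE, len(blob)))
    return {"features": features, "fee": fee, "lock_height": lock_height,
            "excess": excess, "data_hash": data_hash, "signature": signature}


def signed_message(features, fee, lock_height, data_hash=None):
    """Message the kernel signature commits to (assumption): the scalar fields, plus the
    hash when present, so a hash-carrying kernel cannot have its hash swapped after signing."""
    body = struct.pack(">BQQ", features, fee, lock_height)
    if data_hash is not None:
        body += data_hash
    return hashlib.sha256(body).digest()


if __name__ == "__main__":
    # Constructed sample values; excess and signature bytes are placeholders, not real keys.
    k = pack_kernel(0, 1000, 0, b"\x11" * 32, b"\x22" * 64)
    print(len(k), "byte kernel, no room for a hash:", parse_kernel(k)["data_hash"])
    kh = pack_kernel(0, 1000, 0, b"\x11" * 32, b"\x22" * 64, hashlib.sha256(b"document").digest())
    print(len(kh), "byte kernel with hash, signature must cover it:", signed_message(0, 1000, 0, parse_kernel(kh)["data_hash"]).hex()[:16])
```

The size difference is the whole trade-off the text describes: every kernel lives on the chain forever, so 32 extra bytes per kernel is a permanent cost paid by every node.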