On Fri, Feb 03, 2017 at 10:42:14PM +0000, Andrew Poelstra wrote:
> > Pieter Wuille in particular has stressed to me what a great feature of MW it
> > is that everything looks the same, and that breaking this property should be
> > taken very seriously.
>

In this line of thinking, I gave a presentation at MIT recently about the
various things you can do just with kernel signatures. The slides are here:

https://download.wpsoftware.net/bitcoin/wizardry/mw-slides/2017-03-mit-bitcoin-expo/slides.pdf

Kanzure has kindly written a transcript of the talk, though the audio was a bit
choppy:

https://github.com/kanzure/diyhpluswiki/blob/master/transcripts/mit-bitcoin-expo-2017/mimblewimble-and-scriptless-scripts.mdwn

> At the Stanford BPASE Conference [2] I gave a talk where I briefly mentioned
> that it was possible to do atomic swaps with no preimages at all. I'll explain
> how to do this in a second, but first I want to revise my proposal from my
> last mail.
>
> * Each kernel (née excess value) K signs the challenge H(K || f || L), where
>   K is the kernel itself, f is the fee it is attesting must exist in this
>   transaction, and L is an optional locktime, measured in blockheight.
>
> * By default L is the empty string; there needs to be a special flag to
>   indicate that it is nontrivial. Hopefully the actual presence of nontrivial
>   locktimes will be rare since they are only used in the adversarial backout
>   case of most protocols. Since a locktime L must stay in the blockchain
>   forever we should discourage their use somehow.
>
> So I'm removing all script support, even for just hash preimages.
>

At the end of my talk I mentioned that I didn't know how to do locktimes in a
scriptless script way and therefore we need this explicit L. I'm happy to say
that this is no longer true. Ethan Heilman pointed out that it is possible to
make a "timelocked signature" that requires grinding through a sequential
proof-of-work to do. This is described here:

https://www.reddit.com/r/Mimblewimble/comments/5xo9ri/scriptless_scripts_in_mimblewimble_mit_bitcoin/dem9kpj/

He also suggested the locktime should be cancellable and extendable by having
the would-be recipient reveal a key to the sender, but we didn't work out all
the details. If this works then we should be able to get the effect of a
relative lock-time, having indefinitely-open lightning channels, and so forth.
Exciting times.

Therefore I revise my proposal again, to remove the explicit locktime, and
have only the fee.

Cheers
Andrew

--
Andrew Poelstra
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

"A goose alone, I suppose, can know the loneliness of geese
 who can never find their peace,
 whether north or south or west or east"
       --Joanna Newsom
--
Mailing list: https://launchpad.net/~mimblewimble
Post to     : mimblewimble@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mimblewimble
More help   : https://help.launchpad.net/ListHelp
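The kernel-signature scheme quoted in the message above (each kernel K signs the challenge H(K || f || L)) is small enough to work through end to end. The following is an added example, not code from the email, the mailing list, or any MimbleWimble implementation. It assumes a plain Schnorr signature over secp256k1 with the kernel modelled as a bare public key K = x*G (in a real transaction the excess is the net blinding factor of a Pedersen commitment; the verification equation is the same), a constructed encoding for the message (8-byte fee, then a flag byte 0x00 with an empty L by default, or 0x01 followed by an 8-byte block height), and a nonce derived deterministically from the key and message. The point it demonstrates is the security property the proposal relies on: once the kernel signature binds the fee (and optional locktime), a third party who alters either value invalidates the kernel, and with L left empty the kernel carries no extra data, matching the revised "fee only" proposal.

```python
import hashlib

# secp256k1 curve parameters (the curve MimbleWimble builds on)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(A, B):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, A):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, A)
        A = point_add(A, A)
        k >>= 1
    return R


def ser(A):
    """33-byte compressed encoding of a point."""
    return bytes([2 + (A[1] & 1)]) + A[0].to_bytes(32, "big")


def sha256(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def kernel_challenge(K, fee, locktime=None):
    """Message the kernel signs: H(K || f || L).

    Encoding is an assumption made for this example: fee as 8 bytes, then a
    flag byte 0x00 with an empty L (the default) or 0x01 followed by the
    8-byte block height when a nontrivial locktime is present.
    """
    L = b"\x00" if locktime is None else b"\x01" + locktime.to_bytes(8, "big")
    return sha256(ser(K), fee.to_bytes(8, "big"), L)


def schnorr_sign(x, K, msg):
    """Schnorr signature (R, s) with K = x*G; nonce derived from (x, msg)."""
    k = int.from_bytes(sha256(x.to_bytes(32, "big"), msg), "big") % N or 1
    R = scalar_mult(k, G)
    e = int.from_bytes(sha256(ser(R), ser(K), msg), "big") % N
    return R, (k + e * x) % N


def schnorr_verify(K, msg, sig):
    """Check s*G == R + e*K."""
    R, s = sig
    e = int.from_bytes(sha256(ser(R), ser(K), msg), "big") % N
    return scalar_mult(s, G) == point_add(R, scalar_mult(e, K))


def demo():
    # Constructed kernel excess (in a real transaction this is the sum of
    # output blinding factors minus input blinding factors).
    x = 0x1D0F3A5C7B9E21446688AACCEE00112233445566778899AABBCCDDEEFF010203 % N
    K = scalar_mult(x, G)
    fee, locktime = 10, 480_000
    sig = schnorr_sign(x, K, kernel_challenge(K, fee, locktime))
    return {
        "valid": schnorr_verify(K, kernel_challenge(K, fee, locktime), sig),
        # anyone who lowers the attested fee invalidates the kernel signature
        "fee_tampered": schnorr_verify(K, kernel_challenge(K, fee - 1, locktime), sig),
        # likewise if the locktime is stripped back to the default empty L
        "locktime_stripped": schnorr_verify(K, kernel_challenge(K, fee), sig),
        # the revised proposal: only the fee is signed, L stays empty
        "fee_only_valid": schnorr_verify(
            K, kernel_challenge(K, fee), schnorr_sign(x, K, kernel_challenge(K, fee))),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the four checks; the first and last are true, the two tampered variants are false. Because the challenge includes K itself, a signature cannot be lifted from one kernel and reattached to another, which is what keeps the fee attestation bound to the specific transaction.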