dear imblers, > Each output has a rangeproof consisting of several ring signatures > corresponding to different denominations that sum to the hidden value > (see [1] [2]). > For binary denominations, each such ring signature is of the form > (e0,s0,s1) satisfying, for some P0,P1 differing by 2^i * G, > e1 = H(s0*G-e0*P0) > e0 = H(s1*G-e1*P1)
Nice try, but as I was just informed on #bitcoin-wizards, these hashes commit to the original xG as well: e1 = H(xG | s0*G-e0*P0) e0 = H(xG | s1*G-e1*P1) So we cannot fix the rangeproof to account for changing xG to xG'. Sorry for the false alarm... regards, -John -- Mailing list: https://launchpad.net/~mimblewimble Post to : mimblewimble@lists.launchpad.net Unsubscribe : https://launchpad.net/~mimblewimble More help : https://help.launchpad.net/ListHelp
