On Thu, Sep 07, 2017 at 01:23:45PM -0400, Ignotus Peverell wrote: > Hi, > > I wanted to pick that back up. I think it comes down to yet another tradeoff > between privacy, security and convenience. To give back some context from > Andrew's email: > > > Basically our outputs should consist of the pair > > vH + rG, sha256(rJ) > > where J is a new NUMS generator, G the standard generator, and H is our > > asset > > ID as always. We set this up so that we can softfork a rule that only allows > >outputs to be spent by revealing rJ and an unconditional rangeproof, but > >prior > > to the softfork we only require ordinary rangeproofs. > > I'll let you refer to Andrew's email for a bigger list of benefits [1]. Now > the drawbacks: to store the hash, we need an extra 32 bytes field in outputs. > We could likely make that even a little smaller but the size isn't my bigger > worry. With an additional free-form field people and wallets implementations > will: > > - Compromise their privacy by inserting data that make their transactions > look different from the others.
A weak form of this is intentional -- that wallets will recognize their hopefully-uniformly-random data to be able to identify their own outputs. It's hard to do this with only the Pedersen commitment because it's tangled up with the output value. It's true that people can put non-random things here which would be really bad for privacy. I don't think there's any efficiently-verifiable way to prevent that. Maybe requiring the data be a hash and requiring the preimage be exposed during spending, even in the pre-switch era? > - Insert hashes of documents, identity, images, etc. and likely never allow > pruning of these outputs. Yeah. > - Use it as plain storage and demand the field to be larger. > They can already use the rangeproof to encrypt tons of data to themselves, if they want to do this...so I think that's a simple response to any demands to increase the size of the field, without even needing to argue about whether this is a sensible use of blockchain space. > So I'd be happy to hear others' arguments. The benefits would be tangible, > but so would be the drawbacks. > > - Igno > > [1] https://lists.launchpad.net/mimblewimble/msg00165.html -- Andrew Poelstra Mathematics Department, Blockstream Email: apoelstra at wpsoftware.net Web: https://www.wpsoftware.net/andrew "A goose alone, I suppose, can know the loneliness of geese who can never find their peace, whether north or south or west or east" --Joanna Newsom
signature.asc
Description: PGP signature
-- Mailing list: https://launchpad.net/~mimblewimble Post to : mimblewimble@lists.launchpad.net Unsubscribe : https://launchpad.net/~mimblewimble More help : https://help.launchpad.net/ListHelp
