For some reason this message was sent to spam in Protonmail. May be why there
are so few replies.
Sums are not sufficient to validate the UTXO set. Anybody who owns two outputs
summing to a commitment `C` can give a peer any pair of commitments `C1` and
`C2` with valid rangeproofs such that `C1
From: moaningmyr...@protonmail.com
It should be sufficient for the output and its rangeproof to be separately
committed to the chain to prevent ambiguity. Committing to rangeproofs, which
are witness data and can be ignored (at a trust tradeoff), will reduce
flexibility.
This is a good point.
Myrtle Warren said:
> As far as I can tell, the specific construction of the output hash's preimage
> has not been determined. If we move forward with this mechanism, it becomes
> critically important that the hash covers the range proof itself. A situation
> where the hash resolves ambiguously
In the vein of "scriptless scripting", it's worth noting that the signature
challenge e = `H(key || nonce || message)` can itself be considered a hash
whose preimage needs to be revealed to produce a valid signature.
Two parties can produce a multisignature by having one present his pubkey/nonce
4 matches
Mail list logo