ZmnSCPxj [ARCHIVE] on Nostr:
📅 Original date posted:2022-07-19
📝 Original message:

Good morning Ruben,

> Good evening ZmnSCPxj,
> Interesting attempt.
>
> >a * G + b * G + k * G
>
> Unfortunately I don't think this qualifies as a commitment, since one could trivially open the "commitment" to some uncommitted value x (e.g. a is set to x and b is set to a+b-x). Perhaps you were thinking of Pedersen commitments (a * G + b * H + k * J)?

I believe this is only possible for somebody who knows `k`?
As mentioned, an opening here includes a signature using `b + k` as the private key, so the signature can only be generated with knowledge of both `b` and `k`.
I suppose that means that the knower of `k` is a trusted party; it is trusted to only issue commitments and not generate fake ones.

> Even if we fixed the above with some clever cryptography, the crucial merkle sum tree property is missing, so "double spending" a burn becomes possible.

I do not understand what this property is and how it is relevant, can you please explain this to a non-mathematician?

> You also still run into the same atomicity issue, except the risk is moved to the seller side, as the buyer could refuse to finalize the purchase after the on-chain commitment was made by the seller. Arguably this is worse, since generally only the seller has a reputation to lose, not the buyer.

A buyer can indeed impose this cost on the seller, though the buyer then is unable to get a valid opening of its commitment, as it does not know `k`.
Assuming the opening of the commitment is actually what has value (since the lack of such an opening means the buyer cannot prove the commitment) then the buyer has every incentive to actually pay for the opening.

Regards,
ZmnSCPxj
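
The algebra discussed in this exchange, as an added example that is not part of the original message: with a single generator the point depends only on `a + b + k`, so the re-split `(x, a+b-x)` gives the same point while the key point `(b + k) * G` that the opening's signature would verify against changes; with independent generators `G`, `H`, `J` the re-split gives a different point. Assumptions: secp256k1 as the curve, `H` and `J` derived by a hypothetical try-and-increment `hash_to_point`, and constructed sample scalars.

```python
import hashlib

# secp256k1 field prime, group order and base point
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    # Affine point addition; None is the point at infinity.
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        m = 3 * p[0] * p[0] * pow(2 * p[1], -1, P)
    else:
        m = (q[1] - p[1]) * pow(q[0] - p[0], -1, P)
    x = (m * m - p[0] - q[0]) % P
    return (x, (m * (p[0] - x) - p[1]) % P)

def mul(k, p):
    # Double-and-add scalar multiplication (not constant time; illustration only).
    r, k = None, k % N
    while k:
        if k & 1:
            r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def hash_to_point(tag):
    # Hypothetical helper: a curve point whose discrete log w.r.t. G nobody knows.
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(tag + bytes([ctr])).digest(), "big") % P
        y2 = (pow(x, 3, P) + 7) % P
        y = pow(y2, (P + 1) // 4, P)
        if y * y % P == y2:
            return (x, y)
    raise ValueError("no point found")

H, J = hash_to_point(b"example-H"), hash_to_point(b"example-J")

def single_gen(a, b, k):       # a * G + b * G + k * G
    return add(add(mul(a, G), mul(b, G)), mul(k, G))
def pedersen(a, b, k):         # a * G + b * H + k * J
    return add(add(mul(a, G), mul(b, H)), mul(k, J))
def reopen(a, b, x):           # the re-split from the quoted reply: (x, a+b-x)
    return x, (a + b - x) % N
def signing_pubkey(b, k):      # public key matching private key b + k
    return mul(b + k, G)
```
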