
I propose we hire someone to wrangle all this moon math and use it to our advantage. I'd love to hear everyone's thoughts. https://www.grin-forum.org/t/request-for-funding-jrandomcryptographer/6056

https://eprint.iacr.org/2019/1076 "Fractal: Post-Quantum and Transparent Recursive Proofs from Holography"

hi. I'm trying to understand what the blocks commit to. it seems that when an output is consumed, it is removed from the index, but not from the MMR. this means that the commitment in the block is not to the set of unspent TXOs, but to all historical TXOs *spent and unspent*. is that right?

But we also commit to the MMR root of the kernel set (never pruned). So after downloading the utxo and kernel set, you can verify the utxo set is correct because you can perform the big mimblewimble sum to make sure the supply is correct

This is an excellent intro: https://github.com/mimblewimble/grin/blob/master/doc/intro.md

@devrandom your intuition here is right - each header commits to both the root of the output MMR (spent *and* unspent outputs) and the root of the kernel MMR. The kernels verify that the sum of unspent outputs matches the total supply. So as you say we validate the sum of the UTXO, not the specific UTXO set.

@devrandom it would be statistically improbable for a malicious node to find a fake kernel set and "lie" about what UTXOs are active. Remember, these aren't classical UTXOs, but Pedersen commitments. To create a fake set of commitments, you would need to solve the discrete logarithm of ECC points (extremely difficult)

@jaspervdm Are you aware of anywhere that's documented?

or 3.25 days

Hello.

I am interested in using something like Mimblewimble for a lottery application.

I want users to be able to spend fractions of their lottery tickets without writing anything on-chain.

Is this a reasonable application?

When someone finally wins, how much data do they need to write on-chain to claim their winnings?

What would that data look like?

I wrote about it here, but the documentation is written in the context of someone learning about that blockchain. https://github.com/zack-bitcoin/amoveo/blob/master/docs/design/sortition_chains.md

It is probably more helpful if I explain directly here.

Ethereum is currently using a Patricia Merkle tree to keep track of account balances.

Mimblewimble is an alternative protocol to keep track of account balances.

but I want to keep almost all the Mimblewimble stuff off-chain, and only publish the minimal slice of it to show who won the lottery.

not directly relevant to grin, but interesting nevertheless: https://www.chia.net/2019/11/27/chialisp.en.html

@GandalfThePink I read your document "BLS signatures in Mimblewimble" again, here: https://github.com/mimblewimble/grin/issues/2504#issuecomment-467446197. I looked into your non-interactive transaction proposal, but I don't find the range proof part. How do you create the range proof for your non-interactive transaction output?

I think there is no need for a range proof in Gandalf's proposal, as the Pedersen commitment in the output of the tx is described in the paper as non-blinded (r = 0) and hence takes the form v*L. As a consequence one could verify that 1) no money is created and 2) v is positive (to verify, just try all possible v*L until you find a v_0 such that v_0*L is equal to the Pedersen commitment, and check that this v_0 is an allowed value for the tx).

If you want to keep Confidential Tx you could make a system where the sender creates the outputs of the receiver of the tx, including the blinding factors, and signs alone the kernel offset minus the receiver's address (Gandalf adds an address to allow his BLS MW system). He then gives (on-chain) the blinding factors of Bob's outputs to Bob in some sort of shared secret so that Bob can spend his output later. But then can the sender steal Bob's output, since it is he who created the output for Bob and he knows Bob's blinding factor? Not if we do a protocol where the receiver also has to sign with his address, on top of knowing his blinding factor, to spend his output, making it impossible for the sender to steal coins (the sender does not know the private key to the receiver's address).

@coolman_kurt_twitter

> I think there is no need for range proof in Gandalf's proposal as the pedersen commit in the output of the tx is described in the paper as non blinded (r = 0) and hence takes the form vL.

I don't think so, because the `excess` is still needed there, and Bob's public key P_b might contain some term proportional to the `H` component.

I wrote one page of review:

The commitments are all on chain? Nodes can try to find the preimages (with respect to multiplication by L) of each commitment that belongs to the outputs of the tx. If there exist commitments such that no positive preimage is found within a predefined, reasonable range, deem the tx invalid.

maybe missing stuff