Daira-Emma Hopwood
We need to think about the interaction of this idea with scaling approaches such as transaction aggregation: #4946. Quoting from that issue: > #### On-chain bandwidth [updated] > > The...
It would be possible to support both Cyber-Orchard and plain Orchard addresses at the same time; in that case you would get post-quantum privacy for payments to the Cyber-Orchard ones...
> It's surprising how a major change like this is introduced without discussing the pros/cons. I filed this PR to run the change through CI to make sure tests pass....
I would *strongly* prefer #6081.
The [current design of variable-base scalar mul](https://zcash.github.io/orchard/design/circuit/gadgets/ecc/var-base-scalar-mul.html) assumes that the scalar is given as a base field element (because it is only used for [ivk] g_d where ivk is in...
Reminder that any upstream P2P network changes that were defined in BIPs (such as BIP 130 which I believe is included here) need to be called out so that they...
We've been very busy with the 2.1.2 release, but I intend to look at this soon :-)
Note that MiMC is a cipher (or permutation). MiMChash (section 2.3 of the [original paper](http://eprint.iacr.org/2016/492)) is what we want; probably a prime-field variation on MiMCHash-256b (which is a sponge hash...
Also note that the ~255-bit field F_p (for the BLS12-381 p, or the BN128 one for that matter) is not big enough for MiMC(F_p)-p/p to have comparable security to MiMC(F_{2^n})-769/769....
The disadvantage of doing bignum arithmetic is that then you have to implement modular reduction, which would significantly increase the cost.