Daira-Emma Hopwood
@jackgavigan The recipient doesn't initially know the ephemeral secret key (esk). It does know its own viewing key skenc which would be sufficient to decrypt the ciphertext, but that is...
There's a problem I hadn't thought of (documented in the [draft zip here](https://github.com/bitcartel/zips/blob/9d0ff728d900d8dbb1c7e36cfcda72e411a98c80/drafts/bitcartel-payment-disclosure/draft.rst#known-issues)): in some cases (such as for t -> multiple z transactions), both outputs of each JoinSplit will...
Actually in case 2., revealing Kenci would then allow the recipient to spend the funds (provided that the commitment is correct). So the issue is that the recipient would not...
Here's the original paper on Chaum-Pedersen: http://www.cs.elte.hu/~rfid/chaum_pedersen.pdf (see section 3.2). It adapts straightforwardly to Curve25519. It's presented as a signature scheme, but one that is constructed from a proof-of-DH-tuple. There...
A possible refinement of 3. is to use a Chaum-Pedersen signature to sign the information that should be nonmalleable (e.g. refund address). This is similar to @zmanian's idea of using...
In https://github.com/zcash/zcash/issues/1360#issuecomment-282460362 I point out that using both outputs of a JoinSplit entails an information leak. So there is a privacy-performance trade-off which, if we resolved it in favour of...
In the next circuit change, we can eliminate this privacy-performance tension by implementing #647, as I pointed out in https://github.com/zcash/zcash/issues/647#issuecomment-246174077 .
I think we should exclude using an unconventional signature scheme. We have the joinSplitSig private Ed25519 key available to sign the associated nonmalleable information. Ed25519 is pleasantly boring, and this...
The worse performance is only when there are many output notes (and fewer than twice as many input notes than output notes). The better privacy is whenever either vpubin or...
@arielgabizon wrote:

> Can someone link here to a description of this new multi join-split algorithm?

https://github.com/zcash/zcash/issues/1360#issuecomment-274644332 The relevance to payment disclosure is that if we didn't implement the new...