Pieter Wuille
It seems reasonable to point out that you can add dummy branches to the Merkle tree to bring all branches to the same length, or even increase it further.
@jachiang Feel like opening a PR for this?
@jachiang I don't have a very strong opinion, there is probably a lot more that can be said on the topic of constructing optimal trees (when optimal includes privacy considerations).
This makes sense to me.
I don't know. Work on segnet stopped once segwit activated on testnet.
As I've said before on #49, I really consider using midstates here a hack, and only a marginal improvement. Regarding new commitment structures, I think we should work on separate...
Going to leave it open for further comments.
> if pub isn't 32 bytes

It is, making the first padding unnecessary (we don't need to commit to the negation flag if we use the private key post-negation).

>...
@jonasnick That's a great find. So I think the general principles are that you should never have (unmasked) secret data together with attacker-controlled data within one input block (because expansion...
Oh, you're right. Adding that one:
* `H(rand||priv||pub||msg)`: 2, 2, 1. Just as good as `H(priv||rand||pub||msg)`.