For sure, CT can be done with computational soundness. The advantage of unhidden amounts (as with current bitcoin) is that you get unconditional soundness. My understanding is that there is a fundamental tradeoff between unconditional soundness and unconditional privacy. I believe Monero has taken this alternate tradeoff path with unconditional privacy but only computational soundness <https://www.reddit.com/r/Monero/comments/8erg8e/what_should_monero_do_about_the_soundness_problem/dxy59ad?utm_source=share&utm_medium=web2x&context=3> .
> old things that never move more or less naturally "fall leftward" Ah yes, something like that would definitely be interesting to basically make dust a moot point. Sounds like the tradeoff mentioned is that proofs would be twice as big? Except newer UTXOs would have substantially shorter proofs. It sounds like the kind of thing where there's some point where there would be so many old UTXOs that proofs would be smaller on average in the swap tree version vs the dead-leaf version. Maybe someone smarter than me could estimate where that point is. On Mon, Aug 9, 2021 at 10:04 PM Jeremy <jlru...@mit.edu> wrote: > You might be interested in https://eprint.iacr.org/2017/1066.pdf which > claims that you can make CT computationally hiding and binding, see section > 4.6. > > with respect to utreexo, you might review > https://github.com/mit-dci/utreexo/discussions/249?sort=new which > discusses tradeoffs between different accumulator designs. With a swap > tree, old things that never move more or less naturally "fall leftward", > although there are reasons to prefer alternative designs. > > >>>
_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
