Hi ZmnSCPxj, > > Just a quick note: I think there is a way to commit to a point properly > > with Pedersen commitments. Consider the following: > > COM(X) = (y*G + z*H, y*G + X) where y and z are random and the opening is > > (y,z,X). This seems to be a unconditionally hiding and computationally > > binding homomorphic commitment scheme to a point based on the DL problem > > rather than DDH. > > So the Pedersen commitment commits to a tweak on `X`, which is revealed later > so we can un-tweak `X`. > Am I correct in assuming that you propose to use `X` for the contribution to > `R` for a participant? > How is it different from using ElGamal commitments?
Yes. It's not significantly different. It is unconditionally hiding rather than binding (ElGamal is unconditionally binding). I just thought of it while reading your post so I mentioned it. The real question is what properties does the commitment scheme need to be appropriate for MuSig R coin tossing? In the security proof, the commitment hash is modelled as a random oracle rather than as an abstract commitment scheme. I wonder if any MuSig author has an opinion on whether the H_com interaction can be generalised to a commitment scheme with certain properties (e.g equivocal, extractable). By the looks of it, the random oracle is never explicitly programmed except with randomly generated values so maybe there is hope that a non ROM commitment scheme can do the job. I guess the reduction would then be to either breaking the discrete logarithm problem OR some property of the commitment scheme. Cheers, LL _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev