Eliminating finalize step

Kurt · August 25, 2020, 2:35pm

I don’t see what you mean? The sender, in this order:

Calculates his partial nonce R_a.
Calculates x = Hash(c||B||R_a||tx_amount||timestamp) . (c is the Diffie-Hellman secret, useful to make x not recoverable by others, plus to be sure the recipient is the intended recipient, and the sender the expected sender).
Calculates the receiver’s nonce R_b = x.G + B, where B is the receiver’s permanent address.
Calculates the message of the signature m = Hash(R_a + R_b||fees).
Calculates s_a = r_a + Hash(m).x_a, his partial signature.
Sends R_a, s_a, X_a = x_a.G, and m to the receiver.

Then, the receiver, in this order:

Computes x.
Computes m and verifies that it matches with the m sent by the sender.
Generates randomly his private excess x_b.
Calculates s_b = x + b + Hash(m).x_b (where b is the secret key to B)
Broadcasts the kernel, kernel = (R = R_a + R_b, X = X_a + X_b, s = s_a + s_b).

So, first the sender needs to compute R, and then he needs to compute the message m in order to compute his s_a. Only then, can he send the data to the receiver.

I don’t see why “Sharing the public nonce prior to committing to the message” is true at all.

Topic		Replies	Views
Eliminating finalize step ReLoAdEd Research	13	1670	July 8, 2023
Eliminating finalize step revisited Research	47	1084	July 25, 2023
Integrated Payment Proofs and Round Minimization Development and Technical Discussion	17	1969	September 12, 2020
Grin-Bitcoin Adaptor Signature Atomic Swap update thread Development and Technical Discussion	41	5704	September 25, 2021
Should Grin implement 2-step TXs Development and Technical Discussion	18	603	July 14, 2023

Eliminating finalize step

Related topics