Firstly, don’t worry about it: I believe nobody knows this magic “h”, for now and perhaps for a long time.

But perhaps not for very long! Read how close we really are to building a quantum computer, and the timeline of quantum computing.

And even before a quantum computer powerful enough to break the ECDLP exists, perhaps one day some lucky person just finds a random “h” which happens to make h*G = H. Who knows? A probability close to zero doesn’t mean impossible.

So, for now, we MUST know what will happen in Mimblewimble if this magic “h” becomes known to somebody.

**What will happen if I know the magic "h" which makes h*G = H?**

Let’s take a look at the Pedersen Commitment form: r*G + v*H. The simple arithmetic equation

**a + b = c**

can be expressed in commitment form as

(x*G + a*H) + (y*G + b*H) = (z*G + c*H), with x + y = z

This is the most important pillar of MimbleWimble.

Now if I know the magic "h" which makes

**h*G = H**

, then I can change the output value freely:

z*G + c*H = (z’ *G + c’ *H)

=> (z’-z)*G = (c-c’)*h*G

=> z’ = z + (c-c’)*h

This means I can create money out of thin air in the transaction, without breaking the balance of the commitments which sum to zero. The pillar of MimbleWimble is gone and the whole house falls.

And even worse, when this happens, nobody else knows it’s happening, thanks to the excellent privacy of the Mimblewimble protocol!

**A Proposal by Tim Ruffing to Secure this Pillar**

Thanks to Tim Ruffing and Giulio Malavolta's research on Switch Commitments [1] and Tim Ruffing's good proposal to Mimblewimble [2], we can modify the blinding factor as the following form:

r’ = r + Hash(rG+vH || rJ)

and the base point J is chosen to be orthogonal to G,

so the Pedersen Commitment r*G + v*H becomes:

r’ *G + v*H

= (r + Hash(rG+vH || rJ))*G + v*H

= (r*G+v*H) + Hash(rG+vH || rJ)*G

And we need to add an additional **rule** to spend a UTXO: reveal the rG+vH and rJ to spend the output r’*G+v*H.

**Why** can this enhanced design stop me creating money out of thin air in the transaction, even if I know the magic "h"?

Let me try it.

We already know that I can change the Pedersen Commitment components freely, with the known magic "h":

z*G + c*H = (z’ *G + c’H)

=> z’ = z + (c-c’)*h

With the new form of Pedersen Commitment:

r’ *G + v*H = (r*G+v*H) + Hash(rG+vH || rJ)*G

Now let me freely change the value from v to v":

r*G + v*H = r" *G + v"*H

and r" = r + (v-v")*h

Then,

r’ *G + v*H

= (r*G+v*H) + Hash(rG+vH || rJ)*G

!= (r" *G + v"*H) + Hash(r"G+v"H || r"J)*G

So the result is that I can’t change this commitment, and I fail to create money out of thin air, even though I know the magic "h"!

This is mainly because r*J != r"*J. The r*J works like a lock that forbids changing r, and we can’t change the value v without changing r, if we want to keep the balance of r*G + v*H = r" *G + v"*H.

**The Related Status in Grin**

Thanks to @jaspervdm, we have an open PR for this enhancement: https://github.com/mimblewimble/grin/pull/2007, and 2 related PRs in the secp library: https://github.com/mimblewimble/secp256k1-zkp/pull/34 and https://github.com/mimblewimble/rust-secp256k1-zkp/pull/38.

And please note that we still need further research on how to gracefully integrate that additional **rule**:

To spend a UTXO r’*G+v*H, require revealing the rG+vH and rJ.
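Here is the "magic h" attack on the plain commitment, the spend rule, and the forger's failed opening of the enhanced commitment, worked through in Python as an added toy example (my own sketch, not code from this post or from Grin/secp256k1-zkp). It assumes a constructed multiplicative group mod a Mersenne prime in place of secp256k1, an arbitrary MAGIC_H, and a toy J, all labelled in the code.

```python
import hashlib

# Constructed toy group, NOT secp256k1: Z_p^* for the Mersenne prime p = 2^127 - 1.
# The post writes the group additively (r*G + v*H); here k*X is pow(X, k, P) and
# "point addition" is multiplication mod P, so the algebra is identical.
P = 2**127 - 1
ORDER = P - 1          # scalars (exponents) live mod p-1
G = 3                  # toy base point
MAGIC_H = 123456789    # the "magic h" nobody is supposed to know; H = h*G
H = pow(G, MAGIC_H, P)
J = 7                  # toy J: its discrete log w.r.t. G is never used below

def add(x, y):
    """Group 'addition' x + y (multiplication in Z_p^*)."""
    return x * y % P

def mul(x, k):
    """Scalar 'multiplication' k*x."""
    return pow(x, k % ORDER, P)

def commit(r, v):
    """Plain Pedersen commitment r*G + v*H."""
    return add(mul(G, r), mul(H, v))

def forge_blinding(r, v, v_forged, h):
    """With h known, r'' = r + (v - v'')*h opens the same commitment to v''."""
    return (r + (v - v_forged) * h) % ORDER

def switch_hash(pedersen, rj):
    """Hash(rG+vH || rJ), reduced to a scalar."""
    digest = hashlib.sha256(f"{pedersen}||{rj}".encode()).digest()
    return int.from_bytes(digest, "big") % ORDER

def switch_commit(r, v):
    """Enhanced commitment r'*G + v*H = (rG+vH) + Hash(rG+vH || rJ)*G."""
    pedersen, rj = commit(r, v), mul(J, r)
    return add(pedersen, mul(G, switch_hash(pedersen, rj)))

def verify_spend(output, pedersen, rj):
    """Spend rule: the revealed rG+vH and rJ must reproduce the output."""
    return output == add(pedersen, mul(G, switch_hash(pedersen, rj)))

def demo(r=42, v=100, v_forged=900):
    """Returns (forgery opens plain commitment, honest spend ok, forged spend ok)."""
    r_forged = forge_blinding(r, v, v_forged, MAGIC_H)
    plain_forged = commit(r_forged, v_forged) == commit(r, v)   # True: thin air
    output = switch_commit(r, v)
    honest = verify_spend(output, commit(r, v), mul(J, r))
    forged = verify_spend(output, commit(r_forged, v_forged), mul(J, r_forged))
    return plain_forged, honest, forged
```

`demo()` returns `(True, True, False)`: the forged blinding r" opens the plain commitment to a different value, but r"J != rJ changes the hash, so the enhanced output cannot be spent with the forged opening.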

But IMO, completing PR #2007 and switching the Pedersen Commitment to this enhanced design should be a MUST for Grin mainnet, and now we don’t have much time left before 15th Jan. 2019.

Any comments/feedback welcome.

[1] https://eprint.iacr.org/2017/237.pdf

[2] https://lists.launchpad.net/mimblewimble/msg00479.html

[3] https://github.com/mimblewimble/grin/issues/998