[Cryptography] Bear Bonds - a new cryptocurrency
allen at bearbonds.org
Sat Nov 14 18:20:41 EST 2015
> Why not include a well-tested algorithm, such as SHA-512, in the
> hash chain? And assuming one would trust a novel hash algorithm
> before years of analysis have taken place, why is "a modest memory
> requirement of 85 KB per input” a good thing? It seems to me such a
> tiny memory retirement quickly leads to control of mining by the
> custom chip crowd.
The hash algorithm is not used for mining, it is used in the zero
knowledge proof.
The creator of a transaction has to include a proof that the values in
the transaction satisfy the transaction constraints. The most time
consuming constraint is to prove membership in the Merkle tree. This
requires from 48 to 64 hashes (depending on the capacity of the tree).
The hash we use consists of two knapsacks mixed together by a
Diophantine polynomial of order 256 computed in the prime field, and
then finished by another knapsack. These computations are much more
efficient to verify in a zero knowledge constraint system than the
bit-oriented operations in SHA-256 and all other commonly used hash
algorithms. Using SHA-256 would require at least 10 times the
processing time. For example, on a midrange laptop, our algorithm
requires about 8 seconds to prove a transaction with 2 inputs and 2
outputs. Using SHA-256 would take at least 80 seconds.
We believe our hash algorithm is just as secure (i.e., one-way and
collision resistant) as any other hash with a 256 bit output, and we
invite anyone to analyze it to confirm this. The details of the
algorithm can be found in the "Transaction Protocol" document posted
on our website at https://www.bearbonds.org under the "Technology" tab.
Existing hash algorithms are not designed for efficient verification
by a zero knowledge proof, and that is why we created a new one. We
believe it is well-suited for that purpose, and just as secure.
Thanks,
Allen
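The message describes the shape of the hash (two knapsacks, mixed by a degree-256 polynomial over a prime field, finished by a third knapsack), says a Merkle membership proof needs one hash per tree level, and argues that field arithmetic is far cheaper to express as zero-knowledge constraints than bit-oriented hashes. The example below, added here and not taken from the post or from the Bear Bonds "Transaction Protocol" document, builds a toy 2-to-1 hash of that shape, uses it to verify a Merkle membership path, and counts the variable-by-variable field multiplications a membership proof would have to express as constraints. The prime, the coefficient derivation, the reading of "mixed together" as a homogeneous bivariate polynomial, and the finishing knapsack over (y, k1, k2) are all my assumptions, and the toy hash has had no security analysis at all: it only illustrates the structure and the cost accounting.

```python
import hashlib

# Assumed parameters (constructed for this example; not the Bear Bonds values).
P = (1 << 255) - 19      # prime field modulus
DEGREE = 256             # degree of the mixing polynomial ("order 256" in the post)


def _public_constants(label: str, n: int) -> list[int]:
    """Fixed public coefficients in [0, P), derived from SHA-512 only so the
    example is reproducible; they are constants of the hash, not secrets."""
    return [int.from_bytes(hashlib.sha512(f"{label}:{i}".encode()).digest(), "big") % P
            for i in range(n)]


A = _public_constants("knapsack-1", 2)        # first knapsack over (left, right)
B = _public_constants("knapsack-2", 2)        # second knapsack over (left, right)
C = _public_constants("poly", DEGREE + 1)     # polynomial coefficients
D = _public_constants("knapsack-3", 3)        # finishing knapsack (assumed shape)


class Cost:
    """Counts variable-by-variable field multiplications. In an R1CS-style
    constraint system these are what cost a constraint; additions and
    multiplications by public constants fold into linear combinations."""
    def __init__(self) -> None:
        self.mul = 0


def vmul(x: int, y: int, cost: Cost) -> int:
    cost.mul += 1
    return x * y % P


def knapsack(coeffs: list[int], xs: list[int]) -> int:
    # sum_i a_i * x_i mod P: purely linear, so it adds no multiplication constraints
    return sum(a * x for a, x in zip(coeffs, xs)) % P


def mix(k1: int, k2: int, cost: Cost) -> int:
    # Homogeneous bivariate polynomial: sum_i C[i] * k1^i * k2^(DEGREE-i) mod P.
    pw1, pw2 = [1], [1]
    for _ in range(DEGREE):
        pw1.append(vmul(pw1[-1], k1, cost))
        pw2.append(vmul(pw2[-1], k2, cost))
    acc = 0
    for i, c in enumerate(C):
        acc = (acc + c * vmul(pw1[i], pw2[DEGREE - i], cost)) % P
    return acc


def compress(left: int, right: int, cost: Cost) -> int:
    """Toy 2-to-1 hash: two knapsacks, mixed by the polynomial, finished by a
    knapsack. NOT analysed for security; it only has the described shape."""
    k1 = knapsack(A, [left, right])
    k2 = knapsack(B, [left, right])
    y = mix(k1, k2, cost)
    return knapsack(D, [y, k1, k2])


def merkle_root(leaves: list[int], cost: Cost) -> int:
    level = list(leaves)                       # length must be a power of two
    while len(level) > 1:
        level = [compress(level[i], level[i + 1], cost) for i in range(0, len(level), 2)]
    return level[0]


def merkle_path(leaves: list[int], index: int) -> list[tuple[int, bool]]:
    """Sibling hashes from leaf to root; the flag says whether the sibling is on the right."""
    path, level, idx = [], list(leaves), index
    cost = Cost()   # building the tree is the prover's job, not part of the proof's cost
    while len(level) > 1:
        sib = idx ^ 1
        path.append((level[sib], sib > idx))
        level = [compress(level[i], level[i + 1], cost) for i in range(0, len(level), 2)]
        idx //= 2
    return path


def verify_membership(leaf: int, path: list[tuple[int, bool]], root: int, cost: Cost) -> bool:
    """The check a membership proof must express as constraints: one compress per level."""
    node = leaf
    for sibling, sibling_is_right in path:
        node = compress(node, sibling, cost) if sibling_is_right else compress(sibling, node, cost)
    return node == root


def mul_constraints_for_depth(depth: int) -> int:
    """Variable multiplications a membership proof needs at a given tree depth,
    measured by running one compress rather than assumed by formula."""
    c = Cost()
    compress(1, 2, c)
    return depth * c.mul


if __name__ == "__main__":
    leaves = [(i * 12345 + 7) % P for i in range(16)]     # constructed sample leaves
    root = merkle_root(leaves, Cost())
    proof = merkle_path(leaves, 5)
    cost = Cost()
    print("valid:", verify_membership(leaves[5], proof, root, cost), "muls:", cost.mul)
    print("depth-48 proof:", mul_constraints_for_depth(48), "variable multiplications")
```

Two things the counter makes visible. First, the knapsacks cost nothing in this accounting, so all of the nonlinearity, and therefore all of the security, of a hash of this shape rests on the polynomial; that is the part any independent analysis of the real construction would have to focus on. Second, the per-level cost is a fixed few hundred variable multiplications, so a 48-level path is a few tens of thousands of them, which is the kind of figure that has to be compared against the constraint count of a bit-oriented hash before accepting a "10 times" claim.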