π
Original date posted:2016-08-11
π Original message:
Hi, this is very interesting idea that I hadn't thought of!
> Oh, I blamed Laolu because he told me about it; sorry for misattribution.
Heh not at all, I don't know who's coming up with what either.
> > To build the revocable pubkey, Alice takes their elkrem sender hash from
> > state n, which we'll call EHn. Alice multiples EHn * G, getting a point
> > EPn. (Elkrem point n) Alice sends EPn to Bob, who adds their commitment
> > pubkey (BP, which is never seen raw) to EPn.
>
> "never seen raw on-chain" I assume, since Bob will send it to Alice in
> setup?
Right; Alice and Bob share these base points when they're funding the
channel but if never shows up on-chain.
> So, AFACIT this scheme gives us a slightly smaller script and makes
> previous commit transactions underivable.
>
> The property I was *hoping* for was the ability for Alice (and Bob) to
> independently predict each others' future revocation hashes/pubkeys.
> That would neatly allow an arbitrary number of commitment transactions
> in flight each way at once. Naively, seems like that should be
> possible.
>
That... is a very cool idea which I had not considered. Sketching it out,
it seems like you'd need some kind of bi-directional trap door function.
RSA comes to mind where repeated exponentiation to the e can be reversed by
exponentiation to the d. But in RSA "private keys" (d) and "public keys"
(e) are the same thing (scalars) but here they're different.
My gut feeling is that with secp256k1 it's not possible though. Setting up
a homomorphic relationship such that Pubkey0 lets you compute Pubkey1 seems
like it would also allow you to compute from Scalar0 to Scalar1 -- just
perform whatever additions and multiplications you did to the point on the
scalar. Definitely something to think about though, because it'd be very
cool. (In practice it doesn't really affect storage, and reduces data on
the wire a somewhat, so not a huge difference scalability-wise, but still
would be really cool if possible)
> I think changing the timeout key is harmless, but gratuitous; changing
> the revocation key is sufficient for each commitment script unguessably
> different from the last one, no?
Yeah, I didn't alter the timeout key initially, but I put it in because it
helps keep the channel private from the observer in the case where you just
send them signatures. If the timeout key is unchanging, they'd see it when
the channel close un-cooperatively and recognize the channel they were
monitoring.
For privacy, the points you add to the timeout key and revocable key also
need to be *different* points. If you add the same point to both, an
observer who knows the base points can try subtracting the timeout and
revocable base points from the observed pubkeys. If the result for both is
the same, they'll know they've found the channel they're looking for.
Thanks for the new idea to stew over on the train!
-Tadge
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20160810/5cf6e730/attachment.html>;
Tadge Dryja [ARCHIVE] /
npub1v5β¦6l74f
2023-06-09 14:46:36
in reply to nevent1qβ¦lev5
Author Public Key
npub1v5856g02zudlkawxh4ut5kc6at8z5evt77lwxeaaudekq4dlfckst6l74fPublished at
2023-06-09 14:46:36Event JSON
{
"id": "32e87b88be72e1aa5eef0c9c2c49ca62c004ba52c44b8029501ae409051d63b6",
"pubkey": "650f4d21ea171bfb75c6bd78ba5b1aeace2a658bf7bee367bde3736055bf4e2d",
"created_at": 1686314796,
"kind": 1,
"tags": [
[
"e",
"ccc2d459792b926854b04bc74e6ea324d2314fff88991806647cc195016ae9ae",
"",
"root"
],
[
"e",
"a5792a531c04fdee31cae067e57e054a18b54482bba38776ac4b89f9a0051f9c",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "π
Original date posted:2016-08-11\nπ Original message:\nHi, this is very interesting idea that I hadn't thought of!\n\n\n\u003e Oh, I blamed Laolu because he told me about it; sorry for misattribution.\n\nHeh not at all, I don't know who's coming up with what either.\n\n\n\u003e \u003e To build the revocable pubkey, Alice takes their elkrem sender hash from\n\u003e \u003e state n, which we'll call EHn. Alice multiples EHn * G, getting a point\n\u003e \u003e EPn. (Elkrem point n) Alice sends EPn to Bob, who adds their commitment\n\u003e \u003e pubkey (BP, which is never seen raw) to EPn.\n\u003e\n\u003e \"never seen raw on-chain\" I assume, since Bob will send it to Alice in\n\u003e setup?\n\n\nRight; Alice and Bob share these base points when they're funding the\nchannel but if never shows up on-chain.\n\n\n\u003e So, AFACIT this scheme gives us a slightly smaller script and makes\n\u003e previous commit transactions underivable.\n\u003e\n\u003e The property I was *hoping* for was the ability for Alice (and Bob) to\n\u003e independently predict each others' future revocation hashes/pubkeys.\n\u003e That would neatly allow an arbitrary number of commitment transactions\n\u003e in flight each way at once. Naively, seems like that should be\n\u003e possible.\n\u003e\n\nThat... is a very cool idea which I had not considered. Sketching it out,\nit seems like you'd need some kind of bi-directional trap door function.\nRSA comes to mind where repeated exponentiation to the e can be reversed by\nexponentiation to the d. But in RSA \"private keys\" (d) and \"public keys\"\n(e) are the same thing (scalars) but here they're different.\n\nMy gut feeling is that with secp256k1 it's not possible though. Setting up\na homomorphic relationship such that Pubkey0 lets you compute Pubkey1 seems\nlike it would also allow you to compute from Scalar0 to Scalar1 -- just\nperform whatever additions and multiplications you did to the point on the\nscalar. Definitely something to think about though, because it'd be very\ncool. (In practice it doesn't really affect storage, and reduces data on\nthe wire a somewhat, so not a huge difference scalability-wise, but still\nwould be really cool if possible)\n\n\n\u003e I think changing the timeout key is harmless, but gratuitous; changing\n\u003e the revocation key is sufficient for each commitment script unguessably\n\u003e different from the last one, no?\n\n\nYeah, I didn't alter the timeout key initially, but I put it in because it\nhelps keep the channel private from the observer in the case where you just\nsend them signatures. If the timeout key is unchanging, they'd see it when\nthe channel close un-cooperatively and recognize the channel they were\nmonitoring.\n\nFor privacy, the points you add to the timeout key and revocable key also\nneed to be *different* points. If you add the same point to both, an\nobserver who knows the base points can try subtracting the timeout and\nrevocable base points from the observed pubkeys. If the result for both is\nthe same, they'll know they've found the channel they're looking for.\n\nThanks for the new idea to stew over on the train!\n-Tadge\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20160810/5cf6e730/attachment.html\u003e",
"sig": "a518932f75d51a53792b67c94847214ae81f48fa7648c401f770ddcceba5f299b2bbc0dcb6c955836ae17e1b1126de968e203ba3fda29fca78dd7631d49e9181"
}