From tadge at lightning.network Wed Aug 10 14:52:13 2016
From: tadge at lightning.network (Tadge Dryja)
Date: Wed, 10 Aug 2016 10:52:13 -0400
Subject: [Lightning-dev] Blinded channel observation
In-Reply-To: <87oa50oqkp.fsf@rustcorp.com.au>
References: <CAGt-sprhFi39+PbP1A8rkfQRMW78JT=r5AF-UOu+xsf64Q4Mzg@mail.gmail.com> <87a8gmpkde.fsf@rustcorp.com.au> <20160809192814.GA22477@lightning.network> <877fbpps8s.fsf@rustcorp.com.au> <20160809222938.GA25606@lightning.network> <CAGt-spocB259Z4PdzD3=LVTC3VpxbFWDk1PL3cWmU71hTqYLWQ@mail.gmail.com> <87oa50oqkp.fsf@rustcorp.com.au>
Message-ID: <CAGt-spqu3=_TaEWrigrbKVY3vHsXw7ZDxA2UCaO1X4xChPUsbw@mail.gmail.com>

The method of using a revocation key is compatible with shachain/elkrem so has log(n) storage; I'll describe what I developed, which omits hashing in the commit script and uses only signature verification. If Laolu has made a different key revocation scheme I'm not aware of it, but please do post if so.

The script is:

    DUP [Revocable Pubkey] CHECKSIG
    NOTIF
        [Timeout Pubkey] CHECKSIGVERIFY
        [timeout period] CHECKSEQUENCEVERIFY
    ENDIF

This is a little ugly as the less likely checksig (the revocable one) happens first. Saves space in the script though, and we don't pay any more for a checksig than any other 1 byte opcode.

As an if statement, it ends up being:

    if (revocable sig) || (timeout sig && CSV > timeout)

To build the revocable pubkey, Alice takes their elkrem sender hash from state n, which we'll call EHn. Alice multiplies EHn * G, getting a point EPn (elkrem point n). Alice sends EPn to Bob, who adds their commitment pubkey (BP, which is never seen raw) to EPn. The result, (RPub n = BP + EPn), is the revocable pubkey for state n. At state n+1, Alice sends Bob EHn. Bob can then compute the private key for RPub n, as it's just their commitment private key plus EHn, modulo the order of the curve.
A similar procedure is used for the timeout key; Alice adds a point to their own timeout key, which seems kind of pointless because they know both scalars. It obscures the commitment script by making both pubkeys different each state, as they're all generated from the hash tree. Bob only needs to keep track of the most recent "elkrem points" and the hash tree itself.

Hope this is clear, and sorry if I'm describing something completely different than what you're asking about!

-Tadge
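The derivation described in the message above, worked through as an added example (not Tadge's code and not code from any Lightning implementation). It assumes secp256k1 with plain affine point arithmetic, and uses SHA256(seed || n) as a stand-in for Alice's per-state elkrem sender hash EHn; a real node would take EHn from the elkrem/shachain tree instead. Alice publishes EPn = EHn * G, Bob forms RPub n = BP + EPn, and once Alice reveals EHn Bob recovers the private key as (bp + EHn) mod N and can check it against RPub n. The example also shows that the hash for a different state does not unlock state n.

```python
"""Revocable-key derivation from the post: EPn = EHn*G, RPub n = BP + EPn,
and the revocation private key (bp + EHn) mod N.  Added example; the
curve arithmetic and the elkrem stand-in are assumptions, not the
original post's or any node's code."""
import hashlib

# secp256k1 domain parameters (assumed curve; the post does not name one)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # a == -b
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P      # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point=G):
    """Double-and-add; k is reduced modulo the group order N first."""
    k %= N
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def elkrem_hash(seed, n):
    """Stand-in for Alice's elkrem sender hash EHn (assumption: SHA256(seed||n))."""
    digest = hashlib.sha256(seed + n.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % N


def alice_elkrem_point(seed, n):
    """EPn = EHn * G: the only thing Alice sends Bob for state n."""
    return scalar_mult(elkrem_hash(seed, n))


def bob_revocable_pubkey(bob_commit_pub, ep_n):
    """RPub n = BP + EPn.  Bob adds his commitment pubkey, never revealed raw."""
    return point_add(bob_commit_pub, ep_n)


def bob_revocation_privkey(bob_commit_priv, eh_n):
    """At state n+1 Alice reveals EHn; the key for RPub n is bp + EHn mod N."""
    return (bob_commit_priv + eh_n) % N


def demo():
    """Returns (derived key matches RPub n, wrong-state hash matches RPub n)."""
    alice_seed = b"constructed elkrem seed, not a real secret"     # constructed
    bob_commit_priv = 0x1F2E3D4C5B6A79880123456789ABCDEF0123456789ABCDEF0123456789ABCDEF  # constructed
    bob_commit_pub = scalar_mult(bob_commit_priv)                  # BP
    n = 7

    ep_n = alice_elkrem_point(alice_seed, n)                       # Alice -> Bob
    rpub_n = bob_revocable_pubkey(bob_commit_pub, ep_n)            # goes in the script

    eh_n = elkrem_hash(alice_seed, n)                              # revealed at state n+1
    rpriv_n = bob_revocation_privkey(bob_commit_priv, eh_n)
    matches = scalar_mult(rpriv_n) == rpub_n

    # A hash from another state must not yield the key for RPub n.
    eh_other = elkrem_hash(alice_seed, n + 1)
    wrong_matches = scalar_mult(bob_revocation_privkey(bob_commit_priv, eh_other)) == rpub_n
    return matches, wrong_matches


if __name__ == "__main__":
    print(demo())
```

The same `point_add` step gives the per-state timeout pubkey from the second paragraph (Alice's timeout key plus an elkrem point), so both script keys change every state while Bob stores only the latest elkrem points and the hash tree.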