From joseph at lightning.network Thu Aug 11 04:16:26 2016
From: joseph at lightning.network (Joseph Poon)
Date: Wed, 10 Aug 2016 21:16:26 -0700
Subject: [Lightning-dev] Blinded channel observation
In-Reply-To: <87wpjpnzwd.fsf@rustcorp.com.au>
References: <87a8gmpkde.fsf@rustcorp.com.au>
 <20160809192814.GA22477@lightning.network>
 <877fbpps8s.fsf@rustcorp.com.au>
 <20160809222938.GA25606@lightning.network>
 <87wpjpnzwd.fsf@rustcorp.com.au>
Message-ID: <20160811041626.GA8114@lightning.network>

On Wed, Aug 10, 2016 at 11:33:46AM +0930, Rusty Russell wrote:
> Unfortunately, watcher knows revocation preimage N, so it can figure out
> some or all previous revocation preimages (and thus hashes).

If you take the result and then HMAC it as the final step in
shachain/elkrem (to establish a single leaf), it should be fine even if
revocation hashes are used in lieu of a revocation pubkey.

> But it rests on the assumption that there are no unknown malleability
> issues on signatures, which I believe makes crypto people nervous. I've
> asked some, though, as that's above my pay grade!
>
> It also assumes they can't set up the witness such that our sig is not
> 2nd or 3rd in the witness element. I think that's true...

Yeah, good point. Perhaps it could be better to keep it simple and just
use an HMAC of the non-witness transaction. There shouldn't be stuff
that's easily mutable, and the exposure is not expanded (since that
would break LN's child transactions anyway).

-- 
Joseph Poon
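The following is an added illustration of the point argued in the exchange above; it is not code from the thread, from shachain/elkrem, or from any Lightning implementation. It models the revocation-secret chain as a plain backwards SHA256 hash chain (a simplification of shachain/elkrem, which is assumed here only to reproduce the property Rusty raises: holding element N lets a watcher recompute every earlier element), then applies Joseph's suggested final step of HMAC-ing the chain output so that the value handed to a watcher is a single leaf with no derivable relation to the others. The chain length, seed and HMAC key are constructed values for the example. The HMAC-of-the-non-witness-transaction idea at the end of the mail is not covered here.

```python
import hashlib
import hmac

# Constructed parameters for the example only; not a real channel's
# secrets and not the actual shachain/elkrem derivation.
CHAIN_LENGTH = 8
SEED = b"constructed seed, not a real channel secret"
LEAF_KEY = b"constructed per-channel HMAC key (assumption, not from the mail)"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain_secret(index: int) -> bytes:
    """Toy backwards hash chain: the secret for commitment `index` is
    SHA256 applied (CHAIN_LENGTH - index) times to the seed.  Secrets are
    revealed in order 0, 1, 2, ..., so each newly revealed secret is one
    hash closer to the seed than the previous one.  This models the
    property Rusty points at: whoever holds secret k can recompute every
    secret with a smaller index by hashing forward."""
    if not 0 <= index < CHAIN_LENGTH:
        raise ValueError("index out of range")
    value = SEED
    for _ in range(CHAIN_LENGTH - index):
        value = sha256(value)
    return value


def derive_earlier_from(value: bytes, index: int) -> list:
    """What a watcher holding a raw chain element for commitment `index`
    can do on its own: hash it forward `index` times.  For a genuine chain
    element the i-th output equals chain_secret(index - 1 - i)."""
    earlier = []
    for _ in range(index):
        value = sha256(value)
        earlier.append(value)
    return earlier


def blinded_leaf(index: int) -> bytes:
    """Joseph's suggested final step: HMAC the chain output so the value
    given out is a single leaf.  Recovering chain_secret(index) from it,
    or reaching any other leaf, would require inverting HMAC-SHA256; the
    one-wayness does not depend on LEAF_KEY staying secret."""
    return hmac.new(LEAF_KEY, chain_secret(index), hashlib.sha256).digest()


def watcher_can_derive_earlier(index: int) -> bool:
    """Raw chain: forward hashing reproduces the real earlier secrets."""
    derived = derive_earlier_from(chain_secret(index), index)
    expected = [chain_secret(i) for i in range(index - 1, -1, -1)]
    return derived == expected


def watcher_can_derive_earlier_blinded(index: int) -> bool:
    """Blinded leaves: the same forward-hashing trick applied to a leaf
    produces values that coincide with no leaf in the channel."""
    derived = set(derive_earlier_from(blinded_leaf(index), index))
    leaves = {blinded_leaf(i) for i in range(CHAIN_LENGTH)}
    return bool(derived & leaves)


if __name__ == "__main__":
    k = 5
    print("raw chain, earlier secrets recoverable from element %d: %s"
          % (k, watcher_can_derive_earlier(k)))
    print("blinded leaves, other leaves recoverable from leaf %d: %s"
          % (k, watcher_can_derive_earlier_blinded(k)))
```

Running it prints True for the raw chain and False for the blinded leaves. Note that this does not remove the compact-storage property for the channel counterparty, who still receives and stores the raw chain; only the value disclosed to the watcher is blinded.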