From rusty at rustcorp.com.au Sat Jul 14 00:48:15 2018 From: rusty at rustcorp.com.au (Rusty Russell) Date: Sat, 14 Jul 2018 10:18:15 +0930 Subject: [Lightning-dev] Lightning-dev Digest, Vol 35, Issue 13 (sighash_noinput & watchtowers) In-Reply-To: References: Message-ID: <87r2k6wskw.fsf@rustcorp.com.au> James Chiang writes: > Hello everyone, > I understand sighash_noinput allows us to reduce the number of stored > signatures, as it can spend any uxto with the respective one-use pub key > script. > In the case of watchtowers, are we not trading off privacy, as we are > revealing which states are related, right? Indeed. Eltoo (which needs SIGHASH_NOINPUT) means you only need the latest transaction, not a penalty tx for every state change. > I'm trying to catch up my understanding on the various models here. The > txid_half + encrypted blob guarantees nothing is learned about each state > and how they relate unless a revocation must happen (but doesn't scale, one > blob per outsourced state). Once signatures are reused for multiple states > with sighash_noinput, how do we minimise information being disclosed to 3rd > party? I don't think anyone's done the full design, but my guess would be that we'd use the same trick of encrypting using the txid. The twist is that the watchtower may need to consider txs which already have been spent by one (or a chain of) SIGHASH_NOINPUT transactions. That's pretty easy though. Cheers, Rusty.