From ZmnSCPxj at protonmail.com Mon Jan 7 12:11:14 2019
From: ZmnSCPxj at protonmail.com (ZmnSCPxj)
Date: Mon, 07 Jan 2019 12:11:14 +0000
Subject: [Lightning-dev] An Argument For Single-Asset Lightning Network
In-Reply-To: <xDOXO2THyPVlQcB5KNyF3dKeJKiXYwf3E96j00Vj1bEV3dkHrxmkcWd56qyhPYU5MlueDj7dVHfz0XGDBnZY3zl8fKmgD-DOsp5fqFP89dQ=@protonmail.com>
References: <LHGlDfSzQ88JmUdHdx1E5aMkDfMrxQO1HZQ4fVWvMk16tSV60idZMqzf-rPUxYKlCF0pYsqq-H1kCyCKe5ax8luWlkmvEheJuny2lFSdKFM=@protonmail.com> <20190104210505.t3ou2rpmgsmo2ku4@email> <NvtY9eDDuW8h7qG-E8m7AhPNXQhTXWTNL14ekFpV5RNfJFjdvbctu6XLkGVlj0CJaO1sWTCkrV11EVdxlKfurIZEsXzj6JBoGM4ERxQ3RG8=@protonmail.com> <20190105163102.gaikxjxoxbufeijc@email> <xDOXO2THyPVlQcB5KNyF3dKeJKiXYwf3E96j00Vj1bEV3dkHrxmkcWd56qyhPYU5MlueDj7dVHfz0XGDBnZY3zl8fKmgD-DOsp5fqFP89dQ=@protonmail.com>
Message-ID: <ROSzJz9P0SJnRqFhDeLphdsgkRtMkYspmPvZ4Y5bwj9P8KHZMhEjbo3QcDyYnYOBRkeb2eZ0r8zyTJRX-ltM2ttgokXTgAgxGSmWAnhCyKk=@protonmail.com>

Good morning all,

> 6. In addition, F adds to the OM onion hop packet the below information:
>   1. `payment_point`
>   2. `exchange_rate_point`
>   3. The point sum of `(om_to_s_scalar + s_to_om_scalar) * G`
>   4. A signature using the point `(om_to_s_scalar + s_to_om_scalar) * G` of the serialization of the `payment_point` and `exchange_rate_point`.
> 7. The OM verifies:
>   1. That `exchange_rate_point` is a point corresponding to some exchange rate quotation it issued before.
>   2. That the exchange rate is still economically viable for it.
>   3. That the sum of the `payment_point`, `exchange_rate_point`, and `(om_to_s_scalar + s_to_om_scalar) * G` correspond to the point that OM will need to learn the scalar of.

Of course, this is susceptible to a key cancellation attack; `payment_point` may be `secret * G - exchange_rate_point`, which removes the exchange from controlling when the payment completes.

A simple, naive mitigation would be for invoices to include a signature using the `payment_point` of an empty string.
Then this signature also needs to be provided to OM in order to assure it that `payment_point` does not cancel its point.

This is a simple proof-by-example that you should not trust your money to cryptosystems created by random people on the Internet.

Regards,
ZmnSCPxj
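
The key cancellation and the empty-string signature check described in the message above, as an added Python example that is not part of the original message or of any Lightning implementation. Assumptions: secp256k1 with textbook Schnorr signatures (not BIP340), hypothetical helper names (`om_accepts`, `scenario`), constructed random scalars, and `blind` standing in for `om_to_s_scalar + s_to_om_scalar`.

```python
import hashlib, secrets
# secp256k1 domain parameters (public constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add, not constant time; illustration only
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def neg(pt): return (pt[0], -pt[1] % P)
def rand(): return secrets.randbelow(N - 1) + 1
def h(*parts): return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def sign(x, msg):  # textbook Schnorr, not BIP340
    k = rand(); R = mul(k, G)
    return R, (k + h(R, mul(x, G), msg) * x) % N

def verify(pub, msg, sig):
    R, s = sig
    return mul(s, G) == add(R, mul(h(R, pub, msg), pub))

def om_accepts(payment_point, rate_point, blind_point, total, pop=None, require_pop=False):
    # Sum check from step 7.3, plus the optional signature over the empty string.
    if add(add(payment_point, rate_point), blind_point) != total: return False
    return not require_pop or (pop is not None and verify(payment_point, b"", pop))

def scenario():  # all scalars below are constructed random values
    rate_scalar, blind, pay_scalar, secret = rand(), rand(), rand(), rand()
    rate_point, blind_point = mul(rate_scalar, G), mul(blind, G)
    honest = mul(pay_scalar, G)
    honest_total = mul((pay_scalar + rate_scalar + blind) % N, G)
    rogue = add(mul(secret, G), neg(rate_point))  # secret * G - exchange_rate_point
    rogue_total = mul((secret + blind) % N, G)    # completable without rate_scalar
    return {"honest_with_pop": om_accepts(honest, rate_point, blind_point, honest_total, sign(pay_scalar, b""), True),
            "rogue_sum_only": om_accepts(rogue, rate_point, blind_point, rogue_total),
            "rogue_with_pop": om_accepts(rogue, rate_point, blind_point, rogue_total, sign(secret, b""), True)}
```

The cancelling point passes the sum check alone but fails once the signature is required, because its discrete logarithm is `secret - rate_scalar` and `rate_scalar` is known only to the OM.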