From ZmnSCPxj at protonmail.com  Wed Jun 26 06:12:39 2019
From: ZmnSCPxj at protonmail.com (ZmnSCPxj)
Date: Wed, 26 Jun 2019 06:12:39 +0000
Subject: [Lightning-dev] Proposal: Lightning Pre-Image Encryption
	Standard
In-Reply-To: <CACL8y1t-kUEdXXY+VTusyDveBVUrvn-fcGW08jv9DDkEf16MyA@mail.gmail.com>
References: <mailman.779.1561481677.13688.lightning-dev@lists.linuxfoundation.org>
	<CACL8y1u+upcx=FbZkEP9+VJWKph8A7GcDKh4XD9a9kX1La1pzg@mail.gmail.com>
	<0u_HlmMVZWjK1afW8GB8O1JebkgPhK1fZNq7HShS1Ow6EafwkWWNX4VSjSPEddwnzkY7R9NvnVlxfGHt7JV0YYkhs5ZDJqvd_3ueT1w1ocA=@protonmail.com>
	<CACL8y1t-kUEdXXY+VTusyDveBVUrvn-fcGW08jv9DDkEf16MyA@mail.gmail.com>
Message-ID: <MeF2_JQGwtZd7eczM7eQW4M8bdzPUpW6jrivgrpDloKgRpBf3oiw6CK45JXWAUfgbjaZuuGQ7W4gUzH5kOzGCDkIxrjouqx58zIr4qkkLL4=@protonmail.com>

Thank you for your thought.

Another idea: would it be useful to split up large data (several megabytes long) and FEC-encode it in chunks (with each chunk having a separate MAC)?

That way even if some error occurs during transmission, it is possible to recover without re-downloading entire dataset.
Especially, since we need to decrypt first, before we can confirm the MAC: if the MAC fails for the chunk, it's better if we can use data from nearby chunks to recover, rather than download and re-decrypt again.
Or is this over-engineering?

Regards,
ZmnSCPxj

Sent with ProtonMail Secure Email.

??????? Original Message ???????
On Wednesday, June 26, 2019 1:41 PM, Stepan Snigirev <snigirev.stepan at gmail.com> wrote:

> Hi?ZmnSCPxj,
>
> > Does this require Bob to attempt both positive and negative sign for the y-coordinate?
> > Alternately we can force Sally to always use a scalar such that generated point has a fixed sign (or some other property to derive the sign of the missing coordinate).
>
> The best would be if Sally uses the point with a fixed sign, then Bob doesn't need to try twice and can start decrypting data from stream (for example if it's a DRM key for a movie).
> Similar approach is used for R-encoding in Schnorr signatures, so we could use the same convention here.
>
> On Tue, Jun 25, 2019 at 10:18 PM ZmnSCPxj <ZmnSCPxj at protonmail.com> wrote:
>
> > Good morning Stepan, and Nadav,
> >
> > Both additions seem good idea to me.
> >
> > > - Sally generates the invoice with the preimage `S` (i.e. x-coordinate of this point to make it 32-bytes long)
> >
> > Does this require Bob to attempt both positive and negative sign for the y-coordinate?
> > Alternately we can force Sally to always use a scalar such that generated point has a fixed sign (or some other property to derive the sign of the missing coordinate).
> >
> > Regards,
> > ZmnSCPxj