From bastien at acinq.fr Thu Nov 19 13:57:11 2020
From: bastien at acinq.fr (Bastien TEINTURIER)
Date: Thu, 19 Nov 2020 14:57:11 +0100
Subject: [Lightning-dev] Minor tweaks to blinded path proposal
In-Reply-To: <87k0uj8cqh.fsf@rustcorp.com.au>
References: <87k0uj8cqh.fsf@rustcorp.com.au>
Message-ID:

Hey Rusty,

Good questions.

I think we could use additive tweaks, and they are indeed faster so it can be worth doing.
We would replace `B(i) = HMAC256("blinded_node_id", ss(i)) * P(i)` by `B(i) = HMAC256("blinded_node_id", ss(i)) * G + P(i)`.
Intuitively since the private key of the tweak comes from a hash function, it should offer the same security.
But there may be dragons lurking there, I don't know how to properly evaluate whether it's as secure (whereas the multiplicative version is really just Sphinx, so we know it should be secure).

If we're able to use additive tweaks, we can probably indeed use x-only pubkeys.
Even though we're not storing these on-chain, so the 1 byte saved isn't worth much.
I'd say that if it's trivial to use them, let's do it, otherwise it's not worth any additional effort.

Cheers,
Bastien

On Wed, 18 Nov 2020 at 06:18, Rusty Russell wrote:

> See:
>
> https://github.com/lightningnetwork/lightning-rfc/blob/route-blinding/proposals/route-blinding.md
>
> 1. Can we use additive tweaks instead of multiplicative?
> They're slightly faster, and supported by the x-only secp API.
> 2. Can we use x-only pubkeys? It's generally trivial, and a byte
> shorter. I'm using them in offers to great effect.
>
> Thanks!
> Rusty.
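The two blinding formulas discussed in this thread, worked through as an added example that is not part of the original message or of the lightning-rfc proposal. It uses a minimal pure-Python secp256k1 implementation (no external library) to compute `B(i) = HMAC256("blinded_node_id", ss(i)) * P(i)` (multiplicative, the current proposal) and `B(i) = HMAC256("blinded_node_id", ss(i)) * G + P(i)` (additive, Rusty's suggestion), and checks the property a blinded path needs in either case: the node that owns `P(i)` must be able to derive the private key matching `B(i)` from the same tweak. The node private key and the shared secret `ss(i)` are constructed sample values, and the HMAC is keyed with the literal tag `"blinded_node_id"` as the thread writes it; the proposal's exact serialization and its ECDH derivation of `ss(i)` are not reproduced here.

```python
import hashlib
import hmac

# secp256k1 parameters (the curve Lightning node keys live on).
P_FIELD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition on secp256k1; None represents the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    ax, ay = a
    bx, by = b
    if ax == bx:
        if (ay + by) % P_FIELD == 0:
            return None  # a == -b
        lam = (3 * ax * ax) * pow(2 * ay, -1, P_FIELD) % P_FIELD  # doubling
    else:
        lam = (by - ay) * pow(bx - ax, -1, P_FIELD) % P_FIELD
    x = (lam * lam - ax - bx) % P_FIELD
    y = (lam * (ax - x) - ay) % P_FIELD
    return (x, y)


def point_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    result, addend = None, pt
    k %= N_ORDER
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def blinding_tweak(ss: bytes) -> int:
    """HMAC256("blinded_node_id", ss(i)), reduced into the scalar field."""
    digest = hmac.new(b"blinded_node_id", ss, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % N_ORDER


def blind_multiplicative(node_priv: int, ss: bytes):
    """Current proposal: B(i) = t * P(i). The node's blinded private key is t * p (mod n)."""
    t = blinding_tweak(ss)
    node_pub = point_mul(node_priv, G)
    blinded_pub = point_mul(t, node_pub)
    blinded_priv = (t * node_priv) % N_ORDER
    return blinded_pub, blinded_priv


def blind_additive(node_priv: int, ss: bytes):
    """Additive variant: B(i) = t * G + P(i). The node's blinded private key is t + p (mod n)."""
    t = blinding_tweak(ss)
    node_pub = point_mul(node_priv, G)
    blinded_pub = point_add(point_mul(t, G), node_pub)
    blinded_priv = (t + node_priv) % N_ORDER
    return blinded_pub, blinded_priv


def check_consistent(blinded_pub, blinded_priv) -> bool:
    """The node can only act as B(i) if blinded_priv * G == B(i)."""
    return point_mul(blinded_priv, G) == blinded_pub


# Constructed sample values (not from the proposal): a node key and one hop's shared secret.
NODE_PRIV = int.from_bytes(hashlib.sha256(b"constructed node key").digest(), "big") % N_ORDER
SHARED_SECRET = hashlib.sha256(b"constructed ss(i)").digest()


def demo():
    """Blind one hop both ways and report whether the node can recover each blinded key."""
    mul_pub, mul_priv = blind_multiplicative(NODE_PRIV, SHARED_SECRET)
    add_pub, add_priv = blind_additive(NODE_PRIV, SHARED_SECRET)
    return {
        "multiplicative_ok": check_consistent(mul_pub, mul_priv),
        "additive_ok": check_consistent(add_pub, add_priv),
        "variants_differ": mul_pub != add_pub,  # same tweak, different blinded point
    }


if __name__ == "__main__":
    print(demo())
```

Both variants pass the consistency check, which is the functional requirement; what the example cannot show is the point Bastien raises, namely whether the additive form keeps the unlinkability argument that the multiplicative (Sphinx-style) form inherits. That is a proof question, not something a test can settle.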