From rusty at rustcorp.com.au Sat Nov 21 23:26:10 2020
From: rusty at rustcorp.com.au (Rusty Russell)
Date: Sun, 22 Nov 2020 09:56:10 +1030
Subject: [Lightning-dev] Minor tweaks to blinded path proposal
In-Reply-To:
References: <87k0uj8cqh.fsf@rustcorp.com.au>
Message-ID: <878sau8f71.fsf@rustcorp.com.au>

Bastien TEINTURIER writes:
> Hey Rusty,
>
> Good questions.
>
> I think we could use additive tweaks, and they are indeed faster, so it can
> be worth doing.
> We would replace `B(i) = HMAC256("blinded_node_id", ss(i)) * P(i)` by
> `B(i) = HMAC256("blinded_node_id", ss(i)) * G + P(i)`.
> Intuitively, since the private key of the tweak comes from a hash function,
> it should offer the same security.
> But there may be dragons lurking there; I don't know how to properly
> evaluate whether it's as secure (whereas the multiplicative
> version is really just Sphinx, so we know it should be secure).

I agree. I'll ask a real crypto person to review it, though.

> If we're able to use additive tweaks, we can probably indeed use x-only
> pubkeys.
> Even though we're not storing these on-chain, so the 1 byte saved isn't
> worth much.
> I'd say that if it's trivial to use them, let's do it; otherwise it's not
> worth any additional effort.

I'll try and report back; I think it's trivial (I converted offers, and
indeed it was trivial except for needing a way to look up an x-only node_id,
which simply required two lookups).

Cheers,
Rusty.
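The two blinding constructions discussed in the thread, worked through in code. This is an added example, not code from the mail or from any Lightning implementation: it uses a small pure-Python secp256k1 implementation (constructed here, not a library), a constructed node private key and shared secret, and takes `HMAC256(key, msg)` with the string `"blinded_node_id"` as the HMAC key and `ss(i)` as the message. It shows the property both variants rely on: the node that owns `P(i) = p * G` can derive the private key for the blinded id `B(i)` from the same shared secret, as `h * p` in the multiplicative form and `h + p` in the additive form. The x-only part assumes the BIP340 even-y convention, which is why the additive recipient may have to negate its key.

```python
import hashlib
import hmac

# secp256k1 domain parameters (well-known constants)
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _inv(a):
    return pow(a, P_MOD - 2, P_MOD)


def point_add(A, B):
    """Affine point addition on secp256k1 (a = 0); None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1) * _inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * _inv((x2 - x1) % P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, P):
    """Double-and-add scalar multiplication; k is reduced mod the group order."""
    k %= N_ORD
    R = None
    while k:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R


def blinding_factor(ss):
    """h = HMAC256("blinded_node_id", ss) interpreted as a scalar."""
    digest = hmac.new(b"blinded_node_id", ss, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % N_ORD


# Sender side: compute the blinded node id from the node's public key.
def blind_multiplicative(ss, P):
    return scalar_mult(blinding_factor(ss), P)          # B = h * P


def blind_additive(ss, P):
    return point_add(scalar_mult(blinding_factor(ss), G), P)  # B = h * G + P


# Recipient side: derive the private key matching the blinded id.
def unblind_multiplicative(ss, p):
    return blinding_factor(ss) * p % N_ORD              # b = h * p


def unblind_additive(ss, p):
    return (blinding_factor(ss) + p) % N_ORD            # b = h + p


def even_y_privkey(p):
    """BIP340 convention (assumption): negate p if p*G has odd y, so P is x-only safe."""
    _, y = scalar_mult(p, G)
    return p if y % 2 == 0 else N_ORD - p


def demo():
    # Constructed sample values: a node private key and a shared secret ss(i).
    p = int.from_bytes(hashlib.sha256(b"constructed node privkey").digest(), "big") % N_ORD
    ss = hashlib.sha256(b"constructed shared secret").digest()
    P = scalar_mult(p, G)

    results = {}
    for name, blind, unblind in [
        ("multiplicative", blind_multiplicative, unblind_multiplicative),
        ("additive", blind_additive, unblind_additive),
    ]:
        B = blind(ss, P)
        b = unblind(ss, p)
        results[name] = scalar_mult(b, G) == B   # recipient key matches blinded id

    # x-only variant of the additive form: sender sees only P.x, assumes even y;
    # the recipient must use the even-y version of its private key.
    p_even = even_y_privkey(p)
    P_even = scalar_mult(p_even, G)
    B_x = blind_additive(ss, P_even)
    results["additive_xonly"] = scalar_mult(unblind_additive(ss, p_even), G) == B_x
    results["variants_differ"] = blind_multiplicative(ss, P) != blind_additive(ss, P)
    return results


if __name__ == "__main__":
    print(demo())
```

Running it prints a dict in which every entry is `True`; the `variants_differ` entry is just a sanity check that the two constructions are not accidentally the same point. The additive form costs one fixed-base multiplication (`h * G`) plus a point addition, versus a variable-base multiplication for the multiplicative form, which is the speed difference Bastien refers to.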