📅 Original date posted:2016-08-10
📝 Original message:
Tadge Dryja <tadge at lightning.network> writes:
> The method of using a revocation key is compatible with shachain/elkrem so
> has log(n) storage; I'll describe what I developed which omits hashing in
> the commit script and uses only signature verification. If Laolu has made
> a different key revocation scheme I'm not aware, but please do post if so.
Oh, I blamed Laolu because he told me about it; sorry for misattribution.
> The script is:
>
> DUP
> [Revocable Pubkey]
> CHECKSIG
> NOTIF
> [Timeout Pubkey]
> CHECKSIGVERIFY
> [timeout period]
> CHECKSEQUENCEVERIFY
> ENDIF
OK, so far so good.
> To build the revocable pubkey, Alice takes their elkrem sender hash from
> state n, which we'll call EHn. Alice multiples EHn * G, getting a point
> EPn. (Elkrem point n) Alice sends EPn to Bob, who adds their commitment
> pubkey (BP, which is never seen raw) to EPn.
"never seen raw on-chain" I assume, since Bob will send it to Alice in
setup?
> The result, (RPub n = BP + EPn), is the revocable pubkey for state n.
> At state n+1, Alice sends Bob EHn. Bob can then compute the private
> key for Rpub n, as it's just their commitment private key plus EHn,
> modulo the order of the curve.
So, AFACIT this scheme gives us a slightly smaller script and makes
previous commit transactions underivable.
The property I was *hoping* for was the ability for Alice (and Bob) to
independently predict each others' future revocation hashes/pubkeys.
That would neatly allow an arbitrary number of commitment transactions
in flight each way at once. Naively, seems like that should be
possible.
> A similar procedure is used for the timeout key; Alice adds a point to
> their own timeout key, which seems kindof pointless because they know both
> scalars. It obscures the commitment script by making both pubkeys
> different each state, as they're all generated from the hash tree. Bob
> only needs to keep track of the most recent "elkrem points" and the hash
> tree itself.
I think changing the timeout key is harmless, but gratuitous; changing
the revocation key is sufficient for each commitment script unguessably
different from the last one, no?
> Hope this is clear and sorry if I'm describing something completely
> different than what you're asking about!
It's all good; this is a big space and sometimes I don't even know what
I don't know...
Thanks!
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:46:35
in reply to nevent1q…mcw3
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:46:35Event JSON
{
"id": "a5792a531c04fdee31cae067e57e054a18b54482bba38776ac4b89f9a0051f9c",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314795,
"kind": 1,
"tags": [
[
"e",
"ccc2d459792b926854b04bc74e6ea324d2314fff88991806647cc195016ae9ae",
"",
"root"
],
[
"e",
"b10d51f4eefcc801eec1b1cf15f3bd12c1687724ec1f8967d7959426c5021621",
"",
"reply"
],
[
"p",
"650f4d21ea171bfb75c6bd78ba5b1aeace2a658bf7bee367bde3736055bf4e2d"
]
],
"content": "📅 Original date posted:2016-08-10\n📝 Original message:\nTadge Dryja \u003ctadge at lightning.network\u003e writes:\n\u003e The method of using a revocation key is compatible with shachain/elkrem so\n\u003e has log(n) storage; I'll describe what I developed which omits hashing in\n\u003e the commit script and uses only signature verification. If Laolu has made\n\u003e a different key revocation scheme I'm not aware, but please do post if so.\n\nOh, I blamed Laolu because he told me about it; sorry for misattribution.\n\n\u003e The script is:\n\u003e\n\u003e DUP\n\u003e [Revocable Pubkey]\n\u003e CHECKSIG\n\u003e NOTIF\n\u003e [Timeout Pubkey]\n\u003e CHECKSIGVERIFY\n\u003e [timeout period]\n\u003e CHECKSEQUENCEVERIFY\n\u003e ENDIF\n\nOK, so far so good.\n\n\u003e To build the revocable pubkey, Alice takes their elkrem sender hash from\n\u003e state n, which we'll call EHn. Alice multiples EHn * G, getting a point\n\u003e EPn. (Elkrem point n) Alice sends EPn to Bob, who adds their commitment\n\u003e pubkey (BP, which is never seen raw) to EPn.\n\n\"never seen raw on-chain\" I assume, since Bob will send it to Alice in\nsetup?\n\n\u003e The result, (RPub n = BP + EPn), is the revocable pubkey for state n.\n\u003e At state n+1, Alice sends Bob EHn. Bob can then compute the private\n\u003e key for Rpub n, as it's just their commitment private key plus EHn,\n\u003e modulo the order of the curve.\n\nSo, AFACIT this scheme gives us a slightly smaller script and makes\nprevious commit transactions underivable.\n\nThe property I was *hoping* for was the ability for Alice (and Bob) to\nindependently predict each others' future revocation hashes/pubkeys.\nThat would neatly allow an arbitrary number of commitment transactions\nin flight each way at once. Naively, seems like that should be\npossible.\n\n\u003e A similar procedure is used for the timeout key; Alice adds a point to\n\u003e their own timeout key, which seems kindof pointless because they know both\n\u003e scalars. It obscures the commitment script by making both pubkeys\n\u003e different each state, as they're all generated from the hash tree. Bob\n\u003e only needs to keep track of the most recent \"elkrem points\" and the hash\n\u003e tree itself.\n\nI think changing the timeout key is harmless, but gratuitous; changing\nthe revocation key is sufficient for each commitment script unguessably\ndifferent from the last one, no?\n\n\u003e Hope this is clear and sorry if I'm describing something completely\n\u003e different than what you're asking about!\n\nIt's all good; this is a big space and sometimes I don't even know what\nI don't know...\n\nThanks!\nRusty.",
"sig": "0b0d4f56c46adef3ddea89414862d9239ac997df9dba8515f6b5fcb92b5dc505810dd7eeb9855c6fcb46b712793a2b95b7af88eb2dae2c25ac042dfe550f03ae"
}