📅 Original date posted:2016-03-07
📝 Original message:
One way deterministic RValue Generation
My previous proposal, while saving space on chain, does not
solve the fact that we need to save offchain one signature per
commitment.
I have another proposal, so you don't need any data to store for
each commitment.
Keep the actual HTLC/Payment channel contracts, but make
the "RValues" backward deterministic.
Choose RValue such that:
RValue(n+1) = PreImage(RValue(n))
Where n is the commitment index.
Imagine Alice cheats Bob at commitment 100, by sending revocated
commitment 50.
Bob only have to remember RValue(99) from the 99th revocation, and
then hash this value 49 times to find out RValue(50)
However, Bob does not know RValue(100) because
RValue(100) = PreImage(99)
For Alice, she only have to generate a random number, then generate let's
say, 1000 hashes. Then she use hashes 1000 for RValue(0), hashes 999 for
RValue(1)
etc...
Commitment Revocation is only accepted by the party if RValue(n+1) =
PreImage(RValue(n))
The only downside is that Alice need to regenerate all hashes everytimes
she need
a new commitment. This can be mitigated by her storing some pre computed
values
along the path.
Nicolas,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20160307/92040252/attachment.html>;
Nicolas Dorier [ARCHIVE] /
npub1hu…9q4u3
2023-06-09 12:45:54
in reply to nevent1q…zwgu
Author Public Key
npub1huz53hq26gu7nc0qhw3uj6tr9hk5q2ngpywduxep5zy4ay9unftsm9q4u3Published at
2023-06-09 12:45:54Event JSON
{
"id": "a3ca828595441d656ecda0088c985e7f7139d2ea47f2a5bf4ecc8b77e6004ddd",
"pubkey": "bf0548dc0ad239e9e1e0bba3c969632ded402a68091cde1b21a0895e90bc9a57",
"created_at": 1686314754,
"kind": 1,
"tags": [
[
"e",
"55548f25f3655672eaf8683c73cc07ea4cd473c9f5d4c202e312a7b35566c018",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📅 Original date posted:2016-03-07\n📝 Original message:\nOne way deterministic RValue Generation\n\nMy previous proposal, while saving space on chain, does not\nsolve the fact that we need to save offchain one signature per\ncommitment.\n\nI have another proposal, so you don't need any data to store for\neach commitment.\nKeep the actual HTLC/Payment channel contracts, but make\nthe \"RValues\" backward deterministic.\n\nChoose RValue such that:\n\nRValue(n+1) = PreImage(RValue(n))\nWhere n is the commitment index.\n\nImagine Alice cheats Bob at commitment 100, by sending revocated\ncommitment 50.\n\nBob only have to remember RValue(99) from the 99th revocation, and\nthen hash this value 49 times to find out RValue(50)\n\nHowever, Bob does not know RValue(100) because\nRValue(100) = PreImage(99)\n\nFor Alice, she only have to generate a random number, then generate let's\nsay, 1000 hashes. Then she use hashes 1000 for RValue(0), hashes 999 for\nRValue(1)\netc...\n\nCommitment Revocation is only accepted by the party if RValue(n+1) =\nPreImage(RValue(n))\n\nThe only downside is that Alice need to regenerate all hashes everytimes\nshe need\na new commitment. This can be mitigated by her storing some pre computed\nvalues\nalong the path.\n\nNicolas,\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20160307/92040252/attachment.html\u003e",
"sig": "3cc186f156fafaafee12ad42ceb875050f51b4079ea960d5a3a9c6392d08f6c8929636c9ce0889cf4072463b05769b8618169765f28e1e2174470277ac8346f2"
}