Anthony Towns [ARCHIVE] on Nostr
📅 Original date posted:2015-11-22
📝 Original message:
On Fri, Nov 20, 2015 at 05:44:15PM +1000, Anthony Towns wrote:
> Hmm, I'm not sure if you can divide QN by (r2*..*rN) to get back to Q1,
> but I think you can [...] If you can,
> you even get the original receipt/proof of payment!

Yep, this works!

> _And_ I think you could just use SHA(ECDH_SEC || 3) as the r values at
> each stage rather than needing any additional entropy, or having to add
> any significant data to the onion packets.

This doesn't quite, though: if a txn routes from Alice through Bob to
Carol, with Alice/Bob's secret being p,P and Bob/Carol's being q,Q,
with p = q*r and P = Q*r; Alice has to pass on both p and q; p as part
of the HTLC contract, and q inside the onion payload because calculating
q=p/r is infeasible unless elliptic curve crypto is broken.

So add an extra 32B of payload to each onion hop if calculating r from
the ECDH secret is fine, or 64B of payload if it's not.

Cheers,
aj
Published at 2023-06-09 12:45:03