📅 Original date posted:2015-11-20
📝 Original message:
On Thu, Nov 19, 2015 at 01:16:57PM +0000, Mats Jerratsch wrote:
> Interesting, thanks for the write-up Anthony!
Glad I went ahead and implemented it as a snark before posting the idea
or you would have spoiled all the fun I had playing with snarkfront!
> I feel like the way ZKPs are constructed, one has to be absolutely
> certain everything is perfectly implemented to actually work out the
> way we want it.
Yeah. I think you could have a "stop-loss" condition, where any node that
gets cheated (ie, they have a proof that R2 gives them and R1 for H1,H2,X;
but they have an R2 that doesn't give them R1) can just publish all that
evidence, and everyone can immediately stop trusting snarks and so only
a small amount of money can actually be stolen from the system. But, yeah.
> ---------------
> After a night of sleep and some reassurance with sipa, I thought about
> something similar but with EC keys, that will allow us to do the same,
> but without SNARKS.
So this is genius! And I swear I would have thought of it myself if
I could just get past my mental block on adding opcodes to bitcoin.
Honest, guv!
> Assume two keypairs, K1(Q, q) and K2(R, r). Further we have a scalar
> p, such that
> r = p * q
> and
> R = r * G = ( p * q ) * G = p * ( q * G ) = p * Q.
> You can therefore give someone Q, R and p and he is able to verify
> that above conditions indeed holds true. For a sufficiently large p it
> is not possible to derive that relationship within reasonable time
> without p. If he ever gets to know q, he is able to directly compute r
> as well.
Even better, given K1(Q,q) (q the public key provided by the merchant,
Q the merchant's secret, used to claim the payment and serving as a
receipt), you (as the consumer) can construct r2, .., rN by generating
random bits, and then generate
q1 = q
q2 = r2*q1
q3 = r3*q2
...
qN = rN*q[N-1]
and route your HTLC payable to qN at the first hop, q[N-1] at the second
all the way to q1 when it gets to the merchant. The merchant reveals
Q=Q1, and nodes calculate:
Q2 = r2*Q1
Q3 = r3*Q2
...
QN = rN*Q[N-1]
to collect their payments. So the extra burden for keeping the payment
private falls entirely on the consumer, rather than the merchant. (Okay,
you had this point in your mail already essentially)
Hmm, I'm not sure if you can divide QN by (r2*..*rN) to get back to Q1,
but I think you can (the lowercase q's are the points on the elliptic
curve where division is hard, but the capital Q's are just numbers
in Z_n where n is the order of G on the curve, I think?). If you can,
you even get the original receipt/proof of payment!
Oh, _and_ you don't even having to reveal q1/Q to any intermediate hops
-- you could just pay to q[N-1] on the final hop and provide rN in the
onion message on the final hop. If you do that, nobody but the merchant
and the end consumer can calculate the proof of payment.
_And_ I think you could just use SHA(ECDH_SEC || 3) as the r values at
each stage rather than needing any additional entropy, or having to add
any significant data to the onion packets.
> There is one caveat. We are currently unable to enforce a payment with
> a priv/pub key pair. We would need a new operator
> OP_CHECKPRIVPUBKEYPAIR or similar that pops two items from the stack
> <Private Key> <Public Key>
> and replaces them with true/false.
There are a few "generic" crypto ops that might be useful to have; two
that come to mind are:
<point> <multiplicand> <resultpoint> OP_CHECK_SECP256K1_MUL_VERIFY
(enough for this, maybe lets you do ECDH on the blockchain,
and allows you to commit to revealing a key on the blockchain)
<signature> <pubkey> <message> OP_CHECK_INLINE_SIGNATURE_VERIFY
(this would let you do atomic cross-chain swaps without knowing in
advance who you're swapping with)
Maybe it'd make sense to combine them into a soft-forkable OP_CRYPTO_OP
that pulls the crypto operation id from the stack, then if the operation
is known, pulls the operands, and fails the script if the operands
don't add up. If the operation is unknown, mark it as non-standard but
acceptable for future soft-forkability...
On Fri, Nov 20, 2015 at 12:05:46PM +1030, Rusty Russell wrote:
> With the segregated witness proposal, introducing new opcodes is easy,
> so maybe someone would find a reason to prefer open-coding it like this?
I don't follow how segregated witness makes new opcodes any easier?
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-09 12:45:03
in reply to nevent1q…8uzx
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-09 12:45:03Event JSON
{
"id": "718fd83f6f4d43dd38b4170a337fb1c53042a606ef9f1815387df2a6817abf26",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686314703,
"kind": 1,
"tags": [
[
"e",
"ebf410166f334c23aa8c4463788497d09c02fc7a472b5ea556de811c6970ae8b",
"",
"root"
],
[
"e",
"1c781d249fd4bc45a5b6243b7dba8b64428987b90507804544a52c16256ae2b8",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "📅 Original date posted:2015-11-20\n📝 Original message:\nOn Thu, Nov 19, 2015 at 01:16:57PM +0000, Mats Jerratsch wrote:\n\u003e Interesting, thanks for the write-up Anthony!\n\nGlad I went ahead and implemented it as a snark before posting the idea\nor you would have spoiled all the fun I had playing with snarkfront!\n\n\u003e I feel like the way ZKPs are constructed, one has to be absolutely\n\u003e certain everything is perfectly implemented to actually work out the\n\u003e way we want it.\n\nYeah. I think you could have a \"stop-loss\" condition, where any node that\ngets cheated (ie, they have a proof that R2 gives them and R1 for H1,H2,X;\nbut they have an R2 that doesn't give them R1) can just publish all that\nevidence, and everyone can immediately stop trusting snarks and so only\na small amount of money can actually be stolen from the system. But, yeah.\n\n\u003e ---------------\n\u003e After a night of sleep and some reassurance with sipa, I thought about\n\u003e something similar but with EC keys, that will allow us to do the same,\n\u003e but without SNARKS.\n\nSo this is genius! And I swear I would have thought of it myself if\nI could just get past my mental block on adding opcodes to bitcoin.\nHonest, guv!\n\n\u003e Assume two keypairs, K1(Q, q) and K2(R, r). Further we have a scalar\n\u003e p, such that\n\u003e r = p * q\n\u003e and\n\u003e R = r * G = ( p * q ) * G = p * ( q * G ) = p * Q.\n\u003e You can therefore give someone Q, R and p and he is able to verify\n\u003e that above conditions indeed holds true. For a sufficiently large p it\n\u003e is not possible to derive that relationship within reasonable time\n\u003e without p. If he ever gets to know q, he is able to directly compute r\n\u003e as well.\n\nEven better, given K1(Q,q) (q the public key provided by the merchant,\nQ the merchant's secret, used to claim the payment and serving as a\nreceipt), you (as the consumer) can construct r2, .., rN by generating\nrandom bits, and then generate\n\n q1 = q\n q2 = r2*q1\n q3 = r3*q2\n ...\n qN = rN*q[N-1]\n\nand route your HTLC payable to qN at the first hop, q[N-1] at the second\nall the way to q1 when it gets to the merchant. The merchant reveals\nQ=Q1, and nodes calculate:\n\n Q2 = r2*Q1\n Q3 = r3*Q2\n ...\n QN = rN*Q[N-1]\n\nto collect their payments. So the extra burden for keeping the payment\nprivate falls entirely on the consumer, rather than the merchant. (Okay,\nyou had this point in your mail already essentially)\n\nHmm, I'm not sure if you can divide QN by (r2*..*rN) to get back to Q1,\nbut I think you can (the lowercase q's are the points on the elliptic\ncurve where division is hard, but the capital Q's are just numbers\nin Z_n where n is the order of G on the curve, I think?). If you can,\nyou even get the original receipt/proof of payment!\n\nOh, _and_ you don't even having to reveal q1/Q to any intermediate hops\n-- you could just pay to q[N-1] on the final hop and provide rN in the\nonion message on the final hop. If you do that, nobody but the merchant\nand the end consumer can calculate the proof of payment.\n\n_And_ I think you could just use SHA(ECDH_SEC || 3) as the r values at\neach stage rather than needing any additional entropy, or having to add\nany significant data to the onion packets.\n\n\u003e There is one caveat. We are currently unable to enforce a payment with\n\u003e a priv/pub key pair. We would need a new operator\n\u003e OP_CHECKPRIVPUBKEYPAIR or similar that pops two items from the stack\n\u003e \u003cPrivate Key\u003e \u003cPublic Key\u003e\n\u003e and replaces them with true/false.\n\nThere are a few \"generic\" crypto ops that might be useful to have; two\nthat come to mind are:\n\n \u003cpoint\u003e \u003cmultiplicand\u003e \u003cresultpoint\u003e OP_CHECK_SECP256K1_MUL_VERIFY\n (enough for this, maybe lets you do ECDH on the blockchain,\n and allows you to commit to revealing a key on the blockchain)\n\n \u003csignature\u003e \u003cpubkey\u003e \u003cmessage\u003e OP_CHECK_INLINE_SIGNATURE_VERIFY\n (this would let you do atomic cross-chain swaps without knowing in\n advance who you're swapping with)\n\nMaybe it'd make sense to combine them into a soft-forkable OP_CRYPTO_OP\nthat pulls the crypto operation id from the stack, then if the operation\nis known, pulls the operands, and fails the script if the operands\ndon't add up. If the operation is unknown, mark it as non-standard but\nacceptable for future soft-forkability...\n\nOn Fri, Nov 20, 2015 at 12:05:46PM +1030, Rusty Russell wrote:\n\u003e With the segregated witness proposal, introducing new opcodes is easy,\n\u003e so maybe someone would find a reason to prefer open-coding it like this?\n\nI don't follow how segregated witness makes new opcodes any easier?\n\nCheers,\naj",
"sig": "59c21858b29e9b8a9d5818c7468cc34c3b16d9f064a3d9ed55d889b5424c13ed08ee8eddd28f393f82589560c5993b36fdfeaf94412adc9ad0960087fd5f98b3"
}