Joseph Poon [ARCHIVE] on Nostr: 📅 Original date posted:2016-08-09 📝 Original message: On Wed, Aug 10, 2016 at ...
📅 Original date posted:2016-08-09
📝 Original message:
On Wed, Aug 10, 2016 at 06:36:11AM +0930, Rusty Russell wrote:
> Yes, I think we agree some "filter hint" is needed to avoid a crazy
> amount of outsourcing work (eg. first 8/16 bytes of txid). I don't
> think an HMAC check per registered commitment is quite fast enough.
For #1, the HMAC would be pre-computed by the outsourcer. So the flow
looks like:
1. The outsourcer takes the txid, HMAC(txid+salt1) and encrypts the blob
2. The outsourcer gives the 32-byte hmac and blob to the watcher
3. The watcher adds the 32-byte hmac and the blob to a key-value store
(the watcher can optionally truncate or whatever)
4. When the watcher receives a new block, they HMAC(txid+salt1) all
transactions and compare against the key-value store
This method does not require significant computation upon receiving a
new block and checking against the datastore. I forgot to note, that the
salt2 is sort of unnecessary, it can just be the pure txid as the key
but was there for superstition and aid in understanding what's going on.
I was just making a point that there needs to be some kind of "hint"/key
to look for.
> > 2. HMAC the transaction itself (not txid) as the secret key (or anything
> > part of the transaction, as long as it isn't SHA256(tx) for obvious
> > reasons). I like something along these lines better than option #1.
> > Whatever computational cost there is will be extremely low, as the
> > operations are constrained by block size.
>
> If we include the witness in that HMAC we risk reintroducing
> malleability. If we don't, we risk txs being predictable.
I was referring to the non-witness txid when making that comment, but
there should be sufficient entropy from the revocation hash (whose P2WSH
is part of the Commitment outputs).
> I can think of a few fixes: insert some randomness in the tx (OP_RETURN?
> Different addresses each time?), or try to extract the input signature
> from the witness, which is unguessable, as our filter?
Yeah! I like this idea to use one's own input sig as the key for the
encrypted blob too. If Alice is the one outsourcing the Commitment which
Bob can broadcast, Bob can only broadcast it using the sig Alice gave
Bob as it's spending from a 2-of-2. If Alice is outsourcing Bob's
Commitment broadcasts, a hash of her input signature is a solid way to
derive a key as well without malleability concerns.
I also like that it "encourages" more nodes to download witness data;
ignoring witnesses is a concern of mine which this helps with :^)
--
Joseph Poon
Published at
2023-06-09 12:46:34Event JSON
{
"id": "57b9d8251ee8817b12d6a8ca9e3b960d0c1c922f4a2de3dfa5b3d1422972d928",
"pubkey": "ccb4cc87c455b74febaee5929cfd0726421b2eea64ad2b16440b68e8c7433211",
"created_at": 1686314794,
"kind": 1,
"tags": [
[
"e",
"ccc2d459792b926854b04bc74e6ea324d2314fff88991806647cc195016ae9ae",
"",
"root"
],
[
"e",
"b64cee7dff912638a4c186bbb2ce59e37eba200e1460782b4b78490b843c52d1",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "📅 Original date posted:2016-08-09\n📝 Original message:\nOn Wed, Aug 10, 2016 at 06:36:11AM +0930, Rusty Russell wrote:\n\u003e Yes, I think we agree some \"filter hint\" is needed to avoid a crazy\n\u003e amount of outsourcing work (eg. first 8/16 bytes of txid). I don't\n\u003e think an HMAC check per registered commitment is quite fast enough.\n\nFor #1, the HMAC would be pre-computed by the outsourcer. So the flow\nlooks like:\n\n1. The outsourcer takes the txid, HMAC(txid+salt1) and encrypts the blob\n2. The outsourcer gives the 32-byte hmac and blob to the watcher\n3. The watcher adds the 32-byte hmac and the blob to a key-value store\n\t(the watcher can optionally truncate or whatever)\n4. When the watcher receives a new block, they HMAC(txid+salt1) all\ntransactions and compare against the key-value store\n\nThis method does not require significant computation upon receiving a\nnew block and checking against the datastore. I forgot to note, that the\nsalt2 is sort of unnecessary, it can just be the pure txid as the key\nbut was there for superstition and aid in understanding what's going on.\nI was just making a point that there needs to be some kind of \"hint\"/key\nto look for.\n\n\u003e \u003e 2. HMAC the transaction itself (not txid) as the secret key (or anything\n\u003e \u003e part of the transaction, as long as it isn't SHA256(tx) for obvious\n\u003e \u003e reasons). I like something along these lines better than option #1.\n\u003e \u003e Whatever computational cost there is will be extremely low, as the\n\u003e \u003e operations are constrained by block size.\n\u003e \n\u003e If we include the witness in that HMAC we risk reintroducing\n\u003e malleability. If we don't, we risk txs being predictable.\n\nI was referring to the non-witness txid when making that comment, but\nthere should be sufficient entropy from the revocation hash (whose P2WSH\nis part of the Commitment outputs).\n\n\u003e I can think of a few fixes: insert some randomness in the tx (OP_RETURN?\n\u003e Different addresses each time?), or try to extract the input signature\n\u003e from the witness, which is unguessable, as our filter?\n\nYeah! I like this idea to use one's own input sig as the key for the\nencrypted blob too. If Alice is the one outsourcing the Commitment which\nBob can broadcast, Bob can only broadcast it using the sig Alice gave\nBob as it's spending from a 2-of-2. If Alice is outsourcing Bob's\nCommitment broadcasts, a hash of her input signature is a solid way to\nderive a key as well without malleability concerns.\n\nI also like that it \"encourages\" more nodes to download witness data;\nignoring witnesses is a concern of mine which this helps with :^)\n\n-- \nJoseph Poon",
"sig": "ac4877a571d81eb1293e8561fd1d354cd9922490bea62ef44a238c829e49ef0eed8445e03795c64e3386caedea5071c70e83842fefa9a36d144a58ff3708e218"
}