📅 Original date posted:2020-11-19
📝 Original message:
Hey Rusty,
Good questions.
I think we could use additive tweaks, and they are indeed faster so it can
be worth doing.
We would replace `B(i) = HMAC256("blinded_node_id", ss(i)) * P(i)` by `B(i)
= HMAC256("blinded_node_id", ss(i)) * G + P(i)`.
Intuitively since the private key of the tweak comes from a hash function,
it should offer the same security.
But there may be dragons lurking there, I don't know how to properly
evaluate whether it's as secure (whereas the multiplicative
version is really just Sphinx, so we know it should be secure).
If we're able to use additive tweaks, we can probably indeed use x-only
pubkeys.
Even though we're not storing these on-chain, so the 1 byte saved isn't
worth much.
I'd say that if it's trivial to use them, let's do it, otherwise it's not
worth any additional effort.
Cheers,
Bastien
Le mer. 18 nov. 2020 à 06:18, Rusty Russell <rusty at rustcorp.com.au> a
écrit :
>
> See:
>
> https://github.com/lightningnetwork/lightning-rfc/blob/route-blinding/proposals/route-blinding.md
>
> 1. Can we use additive tweaks instead of multiplicative?
> They're slightly faster, and supported by the x-only secp API.
> 2. Can we use x-only pubkeys? It's generally trivial, and a byte
> shorter. I'm using them in offers to great effect.
>
> Thanks!
> Rusty.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20201119/90ab3153/attachment.html>;
Bastien TEINTURIER [ARCHIVE] /
npub17f…ntr0s
2023-06-09 13:01:29
in reply to nevent1q…zlsd
Author Public Key
npub17fjkngg0s0mfx4uhhz6n4puhflwvrhn2h5c78vdr5xda4mvqx89swntr0sPublished at
2023-06-09 13:01:29Event JSON
{
"id": "d2fe46a312d193b5bb39c1a48f477253585eb49f74e21333dd8ef157eac07ef6",
"pubkey": "f26569a10f83f6935797b8b53a87974fdcc1de6abd31e3b1a3a19bdaed8031cb",
"created_at": 1686315689,
"kind": 1,
"tags": [
[
"e",
"c1340c1c46d4d807babfdef2c05616535df9e94b926d2d546bf6e8aef3224aae",
"",
"root"
],
[
"e",
"04b5b35f4041579c6157de00f5b50775d8e6851685320d7e5c7f98e8bd3888ed",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "📅 Original date posted:2020-11-19\n📝 Original message:\nHey Rusty,\n\nGood questions.\n\nI think we could use additive tweaks, and they are indeed faster so it can\nbe worth doing.\nWe would replace `B(i) = HMAC256(\"blinded_node_id\", ss(i)) * P(i)` by `B(i)\n= HMAC256(\"blinded_node_id\", ss(i)) * G + P(i)`.\nIntuitively since the private key of the tweak comes from a hash function,\nit should offer the same security.\nBut there may be dragons lurking there, I don't know how to properly\nevaluate whether it's as secure (whereas the multiplicative\nversion is really just Sphinx, so we know it should be secure).\n\nIf we're able to use additive tweaks, we can probably indeed use x-only\npubkeys.\nEven though we're not storing these on-chain, so the 1 byte saved isn't\nworth much.\nI'd say that if it's trivial to use them, let's do it, otherwise it's not\nworth any additional effort.\n\nCheers,\nBastien\n\nLe mer. 18 nov. 2020 à 06:18, Rusty Russell \u003crusty at rustcorp.com.au\u003e a\nécrit :\n\n\u003e\n\u003e See:\n\u003e\n\u003e https://github.com/lightningnetwork/lightning-rfc/blob/route-blinding/proposals/route-blinding.md\n\u003e\n\u003e 1. Can we use additive tweaks instead of multiplicative?\n\u003e They're slightly faster, and supported by the x-only secp API.\n\u003e 2. Can we use x-only pubkeys? It's generally trivial, and a byte\n\u003e shorter. I'm using them in offers to great effect.\n\u003e\n\u003e Thanks!\n\u003e Rusty.\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20201119/90ab3153/attachment.html\u003e",
"sig": "0d0066de5a1d7582f947b3a61d05d90f14715d177076d9903f6a4372a84583d0c00e2705e9dd7c13a421f1e697331926231cfc6c3abdde77da4a4aa81815ec23"
}