📅 Original date posted:2016-08-12
📝 Original message:
Joseph Poon <joseph at lightning.network> writes:
> On Thu, Aug 11, 2016 at 11:25:36AM +0930, Rusty Russell wrote:
>> Tadge Dryja <tadge at lightning.network> writes:
>> > The method of using a revocation key is compatible with shachain/elkrem so
>> > has log(n) storage; I'll describe what I developed which omits hashing in
>> > the commit script and uses only signature verification. If Laolu has made
>> > a different key revocation scheme I'm not aware, but please do post if so.
>>
>> Oh, I blamed Laolu because he told me about it; sorry for misattribution.
>
> I came up with it a long time ago, and worked out the
> details/optimizations /w Laolu more recently (I think he told you that
> night when everything was finalized). I mentioned the general
> construction to you a LONG time ago too when you were in the Bay Area,
> but I probably didn't explain it properly (I was comparing with
> Vanitygen, if that helps). I think Tadge was the first to implement it
> though, not sure.
>
>> The property I was *hoping* for was the ability for Alice (and Bob) to
>> independently predict each others' future revocation hashes/pubkeys.
>> That would neatly allow an arbitrary number of commitment transactions
>> in flight each way at once. Naively, seems like that should be
>> possible.
>
> I'm not inclined to think an increase in complexity is helpful (if this
> is necessary), but there are probably some things you can do if you're
> looking down these paths.
>
> It's possible to get the same *bandwidth* optimization you want, except
> opposite. The idea with "predicting the future revocation
> hashes/pubkeys" is you only need to send revocations. Instead, it's
> possible to only send revocation hashes/pubkeys and not send
> revocations. In other words, instead of predicting each others' future
> revocation hashes/pubkeys, it's possible to revoke as *part of* giving
> the next revocation hash/pubkey.
Yeah, I do that already. We give the N+1th hash when we send the
revocation for N:
// Complete the update.
message update_revocation {
// Hash preimage which revokes old commitment tx.
required sha256_hash revocation_preimage = 1;
// Revocation hash for my next commit transaction
required sha256_hash next_revocation_hash = 2;
}
The trivial extension is to make in the N+Mth revocation hash, and
instead of sending the first two revocation hashes on establishment,
send the first M+1.
I just wanted to make sure there wasn't some clever alternative I was
missing. Greg Maxwell and Pieter Wuille tell me there isn't an obvious
one.
> Not sure how useful this is, though. Seems a lot of complexity for some
> small bandwidth savings, not really that interested in doing all that,
> but it's the closest I can get to what you want. This is off the top of
> my head/memory, I didn't write any notes on this, so parts of this (or
> entirety) might be wrong...
Yeah, agreed. Hash trees are nice and simple, so unless we get a
signficiant win, let's stick with that?
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:46:36
in reply to nevent1q…7akw
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:46:36Event JSON
{
"id": "d613779a47ee7d0a4fd06ba0be634e302cf533eebd659f20efe933d40b4c9993",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314796,
"kind": 1,
"tags": [
[
"e",
"ccc2d459792b926854b04bc74e6ea324d2314fff88991806647cc195016ae9ae",
"",
"root"
],
[
"e",
"4ca59cd3cc3894a4fc508181f53982bc0314c7461e383bacb7aa0a025a420e03",
"",
"reply"
],
[
"p",
"ccb4cc87c455b74febaee5929cfd0726421b2eea64ad2b16440b68e8c7433211"
]
],
"content": "📅 Original date posted:2016-08-12\n📝 Original message:\nJoseph Poon \u003cjoseph at lightning.network\u003e writes:\n\u003e On Thu, Aug 11, 2016 at 11:25:36AM +0930, Rusty Russell wrote:\n\u003e\u003e Tadge Dryja \u003ctadge at lightning.network\u003e writes:\n\u003e\u003e \u003e The method of using a revocation key is compatible with shachain/elkrem so\n\u003e\u003e \u003e has log(n) storage; I'll describe what I developed which omits hashing in\n\u003e\u003e \u003e the commit script and uses only signature verification. If Laolu has made\n\u003e\u003e \u003e a different key revocation scheme I'm not aware, but please do post if so.\n\u003e\u003e \n\u003e\u003e Oh, I blamed Laolu because he told me about it; sorry for misattribution.\n\u003e\n\u003e I came up with it a long time ago, and worked out the\n\u003e details/optimizations /w Laolu more recently (I think he told you that\n\u003e night when everything was finalized). I mentioned the general\n\u003e construction to you a LONG time ago too when you were in the Bay Area,\n\u003e but I probably didn't explain it properly (I was comparing with\n\u003e Vanitygen, if that helps). I think Tadge was the first to implement it\n\u003e though, not sure.\n\u003e\n\u003e\u003e The property I was *hoping* for was the ability for Alice (and Bob) to\n\u003e\u003e independently predict each others' future revocation hashes/pubkeys.\n\u003e\u003e That would neatly allow an arbitrary number of commitment transactions\n\u003e\u003e in flight each way at once. Naively, seems like that should be\n\u003e\u003e possible.\n\u003e\n\u003e I'm not inclined to think an increase in complexity is helpful (if this\n\u003e is necessary), but there are probably some things you can do if you're\n\u003e looking down these paths.\n\u003e\n\u003e It's possible to get the same *bandwidth* optimization you want, except\n\u003e opposite. The idea with \"predicting the future revocation\n\u003e hashes/pubkeys\" is you only need to send revocations. Instead, it's\n\u003e possible to only send revocation hashes/pubkeys and not send\n\u003e revocations. In other words, instead of predicting each others' future\n\u003e revocation hashes/pubkeys, it's possible to revoke as *part of* giving\n\u003e the next revocation hash/pubkey.\n\nYeah, I do that already. We give the N+1th hash when we send the\nrevocation for N:\n\n // Complete the update.\n message update_revocation {\n // Hash preimage which revokes old commitment tx.\n required sha256_hash revocation_preimage = 1;\n // Revocation hash for my next commit transaction\n required sha256_hash next_revocation_hash = 2;\n }\n\nThe trivial extension is to make in the N+Mth revocation hash, and\ninstead of sending the first two revocation hashes on establishment,\nsend the first M+1.\n\nI just wanted to make sure there wasn't some clever alternative I was\nmissing. Greg Maxwell and Pieter Wuille tell me there isn't an obvious\none.\n\n\u003e Not sure how useful this is, though. Seems a lot of complexity for some\n\u003e small bandwidth savings, not really that interested in doing all that,\n\u003e but it's the closest I can get to what you want. This is off the top of\n\u003e my head/memory, I didn't write any notes on this, so parts of this (or\n\u003e entirety) might be wrong...\n\nYeah, agreed. Hash trees are nice and simple, so unless we get a\nsignficiant win, let's stick with that?\n\nCheers,\nRusty.",
"sig": "0b56f33bece7f0b59c920a453aab968c35cbf77d4eb84f2618c676df3c228b44e5a00333383c97ccdf77ffb666f39b16041bf280d6638ad6fb9eda61679fb4d0"
}