đź“… Original date posted:2015-12-02
đź“ť Original message:
So, it turns out that a SNARK is overkill for the application in this
thread. It was just a one-off experiment. But the performance estimates
seemed pretty far off compared to what’s reported in in the snark science
papers. So, Sean (a Zcash engineer, in his “20% fun time”) replicated the
experiment from the original post, in libsnark (not snarklib).
First, as a recap, this is the specification of the original post’s SNARK,
summarized in Camenisch-Stadler notation:
ZkPoK{ (R1, R2): H1 = sha256(R1) and H2 = sha256(R2) and R1 = R2 xor X }
In other words: given a statement H1, H2, and X, you can prove that you
know a secret witness R1, and R2, such that the predicate holds (i.e., R1
and R2 are preimages of H1,H2 and are related by X)
This is almost a complete specification of the SNARK: all that’s left is to
choose a representation size for R1 and R2…. here these are forced to be
32-byte strings.
Here are the results for a libsnark implementation of this, ordered up to
the above spec:
https://github.com/ebfull/lightning_circuit/
Most relevant benchmarks:
key generation time: 11.6270s
proof generation time: 3.0968s
verification time: 0.0270s
proof size: ~287 bytes
proving key size: ~12.85 megabytes
verifying key size: ~573 bytes
R1CS constraints: 56612 (mostly sha256-related)
The difference in proof time and proving key size (this is ~3x faster to
prove, with ~10x less key size) might be explained by libsnark having a
more efficient SHA256 implementation. The libsnark one is hand-optimized.
But I don’t have any idea why the OP and snarklib reported such large
verification keys or memory consumption during verification. The verifier
should only have to think of about a kilobyte.
On Tue, Nov 17, 2015 at 4:14 PM, Anthony Towns <aj at erisian.com.au> wrote:
> Hi all,
>
> An obvious privacy limitation with lightning is that even with onion
> routing, differents hops can be associated as being part of the same
> transaction due to sharing a common R value. So if you see a HTLC from
> Alice to Bob, paying $5 to Bob on receipt of R where SHA(R)=12345..;
> and you see another HTLC from Carol to Dave, paying $4.95 to Bob on
> receipt of R under the same condition, SHA(R)=12345..., then you know
> it's part of the same transaction.
>
> If you could change R at each step in the route, this would go away,
> improving payment anonymity and making it harder to attack the system in
> general.
>
> That's hard, because as a forwarding node, if you receive a HTLC payable
> on R1, then to send a HTLC payable on R2, you need to be able to
> calculate R1 from R2 or you'll be out of pocket. But you also can't be
> able to calculate R1 *without* R2, or you could just rip off whoever's
> making the payment. And, of course you have to know SHA(R2) to forward the
> payment at all. And if you only know SHA(R1) and SHA(R2) it's hard to
> say anything at all about R1 and R2 because cryptographic hash functions
> are designed to make any structural relationships go away.
>
> BUT! I think the magic of SNARKs [0] lets you do this!
>
> With a SNARK, you can "prove" that you have some secrets (ie, R1 and R2)
> that satisfy some programmable condition (ie, SHA(R1)=H1 and SHA(R2)=H2
> and R1=R2 XOR X), based on public inputs (H1, H2 and X), without revealing
> those secrets.
>
> I think that's pretty safe, because if you receive an HTLC asking for a
> preimage for H1, along with instructions in the onion saying ask Bob for
> a preimage for H2, and here's X and a proof, then either:
>
> - your forwarded HTLC will fail, and everything's fine
>
> - you'll receive R2, calculate R1=R2 XOR X and see SHA(R1)=H1 as
> expected, and everything's fine
>
> - you'll receive R2, calculate R1=R2 XOR X and see SHA(R1) != H1,
> which is only possible if the cryptography behind SNARKs are broken
>
> - you'll receive RX, such that H2=SHA(RX) but RX being too
> long or too short. If SNARKs aren't broken, this means that you know
> R2alt and someone else knows R2 that are different but hash to the
> same value, meaning SHA has been broken.
>
> It seems like there are research-level tools out there that actually
> make this practical to try out. I've had a go at implementing this using
> snarkfront [1]. Using it looks like:
>
> 1) initial setup of proof/verification keys
>
> $ ./test_lightning -m keygen > keygen.txt # global setup
>
> 2) generate a proof, using a 32 byte secret, and XOR key (64 hex digits)
>
> $ SECRET="the quick brown fox jumps lazily"
> $ XOR=$(echo "she sells sea shells" | sha256sum | head -c64)
> $ cat keygen.txt |
> ./test_lightning -m proof -s "$SECRET" -x "$XOR" > proof.txt
> m: proof.
> f: .
> b: .
> x: 5677d356ccd6ff29b296a697791d109a1703557ecbbcf52b4f38d4b680858912.
> F: 74686520717569636b2062726f776e20666f78206a756d7073206c617a696c79
> B: 221fb676bda3964ad9b6c4e5166a7eba716c2d5ea1c9985b3c18b8d7faece56b
> #F: ae4d48f71fdb6f74149fab591e88f2cc07d4e696968def1aa7ca1e07096c5b85
> #B: 166e4f9b8ec5895e870f0f0508327d73ba9ad9af4e9841599bafb1bf55c8a245
> generate proof
> (6) ..................................................
> (5) ..................................................
> (4) ..................................................
> (3) ..................................................
> (2) ..................................................
> (1) ..................................................
>
> 3) Verify the proof:
>
> $ F=ae4d48f71fdb6f74149fab591e88f2cc07d4e696968def1aa7ca1e07096c5b85
> $ B=166e4f9b8ec5895e870f0f0508327d73ba9ad9af4e9841599bafb1bf55c8a245
> $ cat keygen.txt proof.txt |
> ./test_lightning -m verify -h "$F" -b "$B" -x "$XOR"
> m: verify.
> f: ae4d48f71fdb6f74149fab591e88f2cc07d4e696968def1aa7ca1e07096c5b85.
> b: 166e4f9b8ec5895e870f0f0508327d73ba9ad9af4e9841599bafb1bf55c8a245.
> x: 5677d356ccd6ff29b296a697791d109a1703557ecbbcf52b4f38d4b680858912.
> verify proof (6) (5) (4) (3) (2) (1)
> proof is verified
>
> 4) Verify it doesn't report a valid proof with different inputs:
>
> $ cat keygen.txt proof.txt |
> ./test_lightning -m verify -h "$B" -b "$F" -x "$XOR"
> m: verify.
> f: 166e4f9b8ec5895e870f0f0508327d73ba9ad9af4e9841599bafb1bf55c8a245.
> b: ae4d48f71fdb6f74149fab591e88f2cc07d4e696968def1aa7ca1e07096c5b85.
> x: 5677d356ccd6ff29b296a697791d109a1703557ecbbcf52b4f38d4b680858912.
> verify proof (6) (5) (4) (3) (2)
> proof is rejected
>
> Some results:
>
> * the proof/verification key data take up about 100MB -- in theory
> one set of this data can be used by everyone; the only catch is
> that everyone has to trust that nobody has kept the original random
> numbers used to generate it.
>
> * proof/verification key data takes about a minute to generate,
> and about 650MB of RAM.
>
> * the proof data itself (which would need to be sent to the node that's
> going to switch R's) is just 864 bytes; so it'd use up about 5 hops
> worth of onion routing at 192B per hop -- in a 4096 byte packet eg,
> you could have four hops, changing R each time; or you could have 9
> hops, changing R only three times.
>
> * generating the proof data for a given R1,X pair takes about 10
> seconds, and 260MB of RAM
>
> * verifying the proof is quick-ish -- it takes 0.5s on my laptop,
> and uses about 150MB of RAM.
>
> For comparison, that last point makes a SNARK verification 500+ times
> more expensive than an ECDH operation. If I got my maths right, you
> can translate 3c for a linode CPU-hour into 2.5 satoshi for a linode
> CPU-second (at $338/BTC), so you're probably looking at a minimum fee
> of a few satoshi per SNARK verification, but that's still pretty okay
> for transactions of 500 satoshi or more, ie anything more than about a
> fifth of a US cent.
>
> The 10s proof generation time is probably more of a limitation -- though
> you could generate them in advance easily enough and just store them until
> you need to use them, which would avoid lag being a problem at least. But
> even then it's still essentially adding up to 30c of additional costs to
> your transaction (ie 10s cpu time valued at up to 3c/s), which probably
> isn't worthwhile for transactions smaller than a dollar or two.
>
> A drawback is that you'd either (a) have to do all this on the merchant's
> side (not just sending SHA(R) to whoever wants to pay you, but sending
> SHA(R1), SHA(R2), SHA(R3), SHA(R4), X12, X23, X34, and three proofs,
> which would be pretty painful; or (b) you'd have to generate all the
> R secrets as a consumer, and you wouldn't get to use the fact that you
> know R as evidence that you paid the merchant.
>
> Anyway, it's obviously not ready for prime time today: SNARKs are still
> pretty new as a concept; I'm definitely not familiar enough with SNARK
> theory to be sure I'm not misusing the concept somehow; snarkfront may not
> have implemented the theory fully correctly; and I might not have captured
> everything I needed to in order for my "proof" to actually say what I
> want it to. So not a great idea to use this to protect real money today.
>
> But still, this seems like it's not all /that/ far from being practical,
> and if the crypto's not fundamentally broken, seems like it goes a long
> way to filling in the biggest privacy hole in lightning today [3]...
>
> Code is at https://github.com/ajtowns/snarkfront/ or more directly at:
> https://github.com/ajtowns/snarkfront/blob/lightning-sha/test_lightning.cpp
>
> Cheers,
> aj
>
> [0] https://tahoe-lafs.org/trac/tahoe-lafs/wiki/SNARKs
>
> [1] https://github.com/jancarlsson/snarkfront
>
> [2] This would also improve privacy/anonymity for other applications of
> HTLCs, such as atomic swaps across chains:
>
> 1 bitcoin, payable on R1 + Alice's sig or timeout + Bob's sig
> 100 litecoin, payable on R2 + Robert's sig or timeout + Ally's sig
>
> Alice and Bob communicate privately, agreeing to trade 1 BTC for 100
> litecoin and revealing their aliases Robert and Ally; Alice generates
> R1, R2, and reveals SHA(R1), SHA(R2), R1^R2 and the SNARK proof and
> publishes the litecoin payment. Bob verifies the proof, and publishes
> the bitcoin payment. Alice claims the bitcoin payment, revealing R1;
> Bob calculates R2 and claims the litecoin payment. The swap can take
> place trustlessly because Bob knows the only way Alice can claim his
> bitcoin is by revealing enough info so he can claim the corresponding
> litecoin. But there isn't any on-chain information linking the two
> transactions, because R1 and R2 are independent (and could even be
> using different hash functions as well as different preimages).
> After the funds have been claimed, the private communication is
> also completely deniable, since anyone could generate R1^R2 and a
> corresponding SNARK proof just using the info on the blockchain.
>
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20151202/97972a83/attachment.html>;
Andrew Miller [ARCHIVE] /
npub1rh…jcxem
2023-06-09 12:45:19
in reply to nevent1q…52vg
Author Public Key
npub1rhmu9sjnhraz783t3ffylkdwu75ld98ncelrdtwstup36p92tgnqfjcxemPublished at
2023-06-09 12:45:19Event JSON
{
"id": "02612250c87c3376371507d70ee4536c4b469e81e3ee0b961f3e00167159e143",
"pubkey": "1df7c2c253b8fa2f1e2b8a524fd9aee7a9f694f3c67e36add05f031d04aa5a26",
"created_at": 1686314719,
"kind": 1,
"tags": [
[
"e",
"4015f860c08a0cb43711c0d54900e95a6260d2b3de3325a8b01553fbd2837058",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📅 Original date posted:2015-12-02\n📝 Original message:\nSo, it turns out that a SNARK is overkill for the application in this\nthread. It was just a one-off experiment. But the performance estimates\nseemed pretty far off compared to what’s reported in in the snark science\npapers. So, Sean (a Zcash engineer, in his “20% fun time”) replicated the\nexperiment from the original post, in libsnark (not snarklib).\n\nFirst, as a recap, this is the specification of the original post’s SNARK,\nsummarized in Camenisch-Stadler notation:\nZkPoK{ (R1, R2): H1 = sha256(R1) and H2 = sha256(R2) and R1 = R2 xor X }\n\nIn other words: given a statement H1, H2, and X, you can prove that you\nknow a secret witness R1, and R2, such that the predicate holds (i.e., R1\nand R2 are preimages of H1,H2 and are related by X)\n\nThis is almost a complete specification of the SNARK: all that’s left is to\nchoose a representation size for R1 and R2…. here these are forced to be\n32-byte strings.\n\nHere are the results for a libsnark implementation of this, ordered up to\nthe above spec:\nhttps://github.com/ebfull/lightning_circuit/\n\nMost relevant benchmarks:\nkey generation time: 11.6270s\nproof generation time: 3.0968s\nverification time: 0.0270s\nproof size: ~287 bytes\nproving key size: ~12.85 megabytes\nverifying key size: ~573 bytes\nR1CS constraints: 56612 (mostly sha256-related)\n\nThe difference in proof time and proving key size (this is ~3x faster to\nprove, with ~10x less key size) might be explained by libsnark having a\nmore efficient SHA256 implementation. The libsnark one is hand-optimized.\nBut I don’t have any idea why the OP and snarklib reported such large\nverification keys or memory consumption during verification. The verifier\nshould only have to think of about a kilobyte.\n\nOn Tue, Nov 17, 2015 at 4:14 PM, Anthony Towns \u003caj at erisian.com.au\u003e wrote:\n\n\u003e Hi all,\n\u003e\n\u003e An obvious privacy limitation with lightning is that even with onion\n\u003e routing, differents hops can be associated as being part of the same\n\u003e transaction due to sharing a common R value. So if you see a HTLC from\n\u003e Alice to Bob, paying $5 to Bob on receipt of R where SHA(R)=12345..;\n\u003e and you see another HTLC from Carol to Dave, paying $4.95 to Bob on\n\u003e receipt of R under the same condition, SHA(R)=12345..., then you know\n\u003e it's part of the same transaction.\n\u003e\n\u003e If you could change R at each step in the route, this would go away,\n\u003e improving payment anonymity and making it harder to attack the system in\n\u003e general.\n\u003e\n\u003e That's hard, because as a forwarding node, if you receive a HTLC payable\n\u003e on R1, then to send a HTLC payable on R2, you need to be able to\n\u003e calculate R1 from R2 or you'll be out of pocket. But you also can't be\n\u003e able to calculate R1 *without* R2, or you could just rip off whoever's\n\u003e making the payment. And, of course you have to know SHA(R2) to forward the\n\u003e payment at all. And if you only know SHA(R1) and SHA(R2) it's hard to\n\u003e say anything at all about R1 and R2 because cryptographic hash functions\n\u003e are designed to make any structural relationships go away.\n\u003e\n\u003e BUT! I think the magic of SNARKs [0] lets you do this!\n\u003e\n\u003e With a SNARK, you can \"prove\" that you have some secrets (ie, R1 and R2)\n\u003e that satisfy some programmable condition (ie, SHA(R1)=H1 and SHA(R2)=H2\n\u003e and R1=R2 XOR X), based on public inputs (H1, H2 and X), without revealing\n\u003e those secrets.\n\u003e\n\u003e I think that's pretty safe, because if you receive an HTLC asking for a\n\u003e preimage for H1, along with instructions in the onion saying ask Bob for\n\u003e a preimage for H2, and here's X and a proof, then either:\n\u003e\n\u003e - your forwarded HTLC will fail, and everything's fine\n\u003e\n\u003e - you'll receive R2, calculate R1=R2 XOR X and see SHA(R1)=H1 as\n\u003e expected, and everything's fine\n\u003e\n\u003e - you'll receive R2, calculate R1=R2 XOR X and see SHA(R1) != H1,\n\u003e which is only possible if the cryptography behind SNARKs are broken\n\u003e\n\u003e - you'll receive RX, such that H2=SHA(RX) but RX being too\n\u003e long or too short. If SNARKs aren't broken, this means that you know\n\u003e R2alt and someone else knows R2 that are different but hash to the\n\u003e same value, meaning SHA has been broken.\n\u003e\n\u003e It seems like there are research-level tools out there that actually\n\u003e make this practical to try out. I've had a go at implementing this using\n\u003e snarkfront [1]. Using it looks like:\n\u003e\n\u003e 1) initial setup of proof/verification keys\n\u003e\n\u003e $ ./test_lightning -m keygen \u003e keygen.txt # global setup\n\u003e\n\u003e 2) generate a proof, using a 32 byte secret, and XOR key (64 hex digits)\n\u003e\n\u003e $ SECRET=\"the quick brown fox jumps lazily\"\n\u003e $ XOR=$(echo \"she sells sea shells\" | sha256sum | head -c64)\n\u003e $ cat keygen.txt |\n\u003e ./test_lightning -m proof -s \"$SECRET\" -x \"$XOR\" \u003e proof.txt\n\u003e m: proof.\n\u003e f: .\n\u003e b: .\n\u003e x: 5677d356ccd6ff29b296a697791d109a1703557ecbbcf52b4f38d4b680858912.\n\u003e F: 74686520717569636b2062726f776e20666f78206a756d7073206c617a696c79\n\u003e B: 221fb676bda3964ad9b6c4e5166a7eba716c2d5ea1c9985b3c18b8d7faece56b\n\u003e #F: ae4d48f71fdb6f74149fab591e88f2cc07d4e696968def1aa7ca1e07096c5b85\n\u003e #B: 166e4f9b8ec5895e870f0f0508327d73ba9ad9af4e9841599bafb1bf55c8a245\n\u003e generate proof\n\u003e (6) ..................................................\n\u003e (5) ..................................................\n\u003e (4) ..................................................\n\u003e (3) ..................................................\n\u003e (2) ..................................................\n\u003e (1) ..................................................\n\u003e\n\u003e 3) Verify the proof:\n\u003e\n\u003e $ F=ae4d48f71fdb6f74149fab591e88f2cc07d4e696968def1aa7ca1e07096c5b85\n\u003e $ B=166e4f9b8ec5895e870f0f0508327d73ba9ad9af4e9841599bafb1bf55c8a245\n\u003e $ cat keygen.txt proof.txt |\n\u003e ./test_lightning -m verify -h \"$F\" -b \"$B\" -x \"$XOR\"\n\u003e m: verify.\n\u003e f: ae4d48f71fdb6f74149fab591e88f2cc07d4e696968def1aa7ca1e07096c5b85.\n\u003e b: 166e4f9b8ec5895e870f0f0508327d73ba9ad9af4e9841599bafb1bf55c8a245.\n\u003e x: 5677d356ccd6ff29b296a697791d109a1703557ecbbcf52b4f38d4b680858912.\n\u003e verify proof (6) (5) (4) (3) (2) (1)\n\u003e proof is verified\n\u003e\n\u003e 4) Verify it doesn't report a valid proof with different inputs:\n\u003e\n\u003e $ cat keygen.txt proof.txt |\n\u003e ./test_lightning -m verify -h \"$B\" -b \"$F\" -x \"$XOR\"\n\u003e m: verify.\n\u003e f: 166e4f9b8ec5895e870f0f0508327d73ba9ad9af4e9841599bafb1bf55c8a245.\n\u003e b: ae4d48f71fdb6f74149fab591e88f2cc07d4e696968def1aa7ca1e07096c5b85.\n\u003e x: 5677d356ccd6ff29b296a697791d109a1703557ecbbcf52b4f38d4b680858912.\n\u003e verify proof (6) (5) (4) (3) (2)\n\u003e proof is rejected\n\u003e\n\u003e Some results:\n\u003e\n\u003e * the proof/verification key data take up about 100MB -- in theory\n\u003e one set of this data can be used by everyone; the only catch is\n\u003e that everyone has to trust that nobody has kept the original random\n\u003e numbers used to generate it.\n\u003e\n\u003e * proof/verification key data takes about a minute to generate,\n\u003e and about 650MB of RAM.\n\u003e\n\u003e * the proof data itself (which would need to be sent to the node that's\n\u003e going to switch R's) is just 864 bytes; so it'd use up about 5 hops\n\u003e worth of onion routing at 192B per hop -- in a 4096 byte packet eg,\n\u003e you could have four hops, changing R each time; or you could have 9\n\u003e hops, changing R only three times.\n\u003e\n\u003e * generating the proof data for a given R1,X pair takes about 10\n\u003e seconds, and 260MB of RAM\n\u003e\n\u003e * verifying the proof is quick-ish -- it takes 0.5s on my laptop,\n\u003e and uses about 150MB of RAM.\n\u003e\n\u003e For comparison, that last point makes a SNARK verification 500+ times\n\u003e more expensive than an ECDH operation. If I got my maths right, you\n\u003e can translate 3c for a linode CPU-hour into 2.5 satoshi for a linode\n\u003e CPU-second (at $338/BTC), so you're probably looking at a minimum fee\n\u003e of a few satoshi per SNARK verification, but that's still pretty okay\n\u003e for transactions of 500 satoshi or more, ie anything more than about a\n\u003e fifth of a US cent.\n\u003e\n\u003e The 10s proof generation time is probably more of a limitation -- though\n\u003e you could generate them in advance easily enough and just store them until\n\u003e you need to use them, which would avoid lag being a problem at least. But\n\u003e even then it's still essentially adding up to 30c of additional costs to\n\u003e your transaction (ie 10s cpu time valued at up to 3c/s), which probably\n\u003e isn't worthwhile for transactions smaller than a dollar or two.\n\u003e\n\u003e A drawback is that you'd either (a) have to do all this on the merchant's\n\u003e side (not just sending SHA(R) to whoever wants to pay you, but sending\n\u003e SHA(R1), SHA(R2), SHA(R3), SHA(R4), X12, X23, X34, and three proofs,\n\u003e which would be pretty painful; or (b) you'd have to generate all the\n\u003e R secrets as a consumer, and you wouldn't get to use the fact that you\n\u003e know R as evidence that you paid the merchant.\n\u003e\n\u003e Anyway, it's obviously not ready for prime time today: SNARKs are still\n\u003e pretty new as a concept; I'm definitely not familiar enough with SNARK\n\u003e theory to be sure I'm not misusing the concept somehow; snarkfront may not\n\u003e have implemented the theory fully correctly; and I might not have captured\n\u003e everything I needed to in order for my \"proof\" to actually say what I\n\u003e want it to. So not a great idea to use this to protect real money today.\n\u003e\n\u003e But still, this seems like it's not all /that/ far from being practical,\n\u003e and if the crypto's not fundamentally broken, seems like it goes a long\n\u003e way to filling in the biggest privacy hole in lightning today [3]...\n\u003e\n\u003e Code is at https://github.com/ajtowns/snarkfront/ or more directly at:\n\u003e https://github.com/ajtowns/snarkfront/blob/lightning-sha/test_lightning.cpp\n\u003e\n\u003e Cheers,\n\u003e aj\n\u003e\n\u003e [0] https://tahoe-lafs.org/trac/tahoe-lafs/wiki/SNARKs\n\u003e\n\u003e [1] https://github.com/jancarlsson/snarkfront\n\u003e\n\u003e [2] This would also improve privacy/anonymity for other applications of\n\u003e HTLCs, such as atomic swaps across chains:\n\u003e\n\u003e 1 bitcoin, payable on R1 + Alice's sig or timeout + Bob's sig\n\u003e 100 litecoin, payable on R2 + Robert's sig or timeout + Ally's sig\n\u003e\n\u003e Alice and Bob communicate privately, agreeing to trade 1 BTC for 100\n\u003e litecoin and revealing their aliases Robert and Ally; Alice generates\n\u003e R1, R2, and reveals SHA(R1), SHA(R2), R1^R2 and the SNARK proof and\n\u003e publishes the litecoin payment. Bob verifies the proof, and publishes\n\u003e the bitcoin payment. Alice claims the bitcoin payment, revealing R1;\n\u003e Bob calculates R2 and claims the litecoin payment. The swap can take\n\u003e place trustlessly because Bob knows the only way Alice can claim his\n\u003e bitcoin is by revealing enough info so he can claim the corresponding\n\u003e litecoin. But there isn't any on-chain information linking the two\n\u003e transactions, because R1 and R2 are independent (and could even be\n\u003e using different hash functions as well as different preimages).\n\u003e After the funds have been claimed, the private communication is\n\u003e also completely deniable, since anyone could generate R1^R2 and a\n\u003e corresponding SNARK proof just using the info on the blockchain.\n\u003e\n\u003e _______________________________________________\n\u003e Lightning-dev mailing list\n\u003e Lightning-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20151202/97972a83/attachment.html\u003e",
"sig": "a484d2247f9f724280c29702b4232fd84351e6ead4fcf70f8e29da37d541f4cbf9d5de79dc8c10c912125a0b6add1baee5ffd897fc9a608808b2be379a2f29f2"
}