š
Original date posted:2021-09-21
š Original message:
Good morning again Joost,
> However, we can do "pay for signature" protocols using PTLCs, and rather than requesting for a scalar behind a point as the proof-of-payment, we can instead ask for a signature of a message that attests "this recipient got paid `payment_amount` with `encoded_order_details`" and have a recipient pubkey (not necessarily the node key, it might be best to reduce signing for node keys) as the signing key.
>
> So it seems to me that this cannot work with hashes, but can work with PTLCs if we use pay-for-signature and the proof-of-payment is a signature rather than a scalar.
No, it does not work either.
The reason is that for signing, we need an `R` as well.
Typically, this is a transient keypair generated by the signer as `r = rand(); R = r * G`.
In order to set up a pay-for-signature, the sender needs to know an `R` from the recipient, and the recipient, being the signer, has to generate that `R` for itself.
And if you are just going to do something like sender->request->receiver, receiver->R->sender, and *then* do the sender->PTLC->receiver, then you might as well just do sender->request->receiver, receiver->invoice->sender, sender->PTLC->receiver.
I think your goal, as I understand it, is to reduce it to one round, i.e. sender->PTLC+some_data->receiver, then receiver responds to the PTLC that somehow generates the proof-of-payment.
Is my understanding correct?
We cannot have the sender generate the `r` and `R = r * G` as knowledge of `r`, `s` and the signed message `m` results in learning the privkey `a`:
s = r - a * h(R | m)
a = (r - s) / h(R | m)
Even with MuSig2 we need a separate round for `R` establishment before the round where everyone gives shares of `s`, and one can argue that a proof-of-payment, being an agreement of the sender and a receiver, is semantically equivalent to a 2-of-2 signature of both sender and the receiver signing off on the fact that the payment happened.
Thus, it seems to me that we can adapt any *secure* single-round multisignature Schnorr scheme to this problem of needing a single-round pay-for-signature.
Perhaps another mechanism?
WARNING: THIS IS NOVEL CRYPTOGRAPHY I THOUGHT UP IN FIVE MINUTES AND I AM NOT A CRYPTOGRAPHER, DO NOT ROLL YOUR OWN CRYPTO.
Instead of having a single receiver-scalar, the receiver knows two scalars.
A = a * G
B = b * G
The sender knows both `A` and `B`.
Now, suppose sender wants to make a payment to the receiver.
At its simplest, the sender can simply add `A + B` and lock an outgoing PTLC to that point.
The proof-of-payment is the sum `a + b`, but knowledge of this sum does not imply knowledge of either `a` or `b` (I THINK --- I AM NOT A CRYPTOGRAPHER).
Now, suppose we want a proof-of-payment to be keyed to some data.
We can translate that data to a scalar (e.g. just hash it) and call it `d`.
Then the sender makes a payment to the receiver using this point:
d * A + B
The sender then receives the scalar behind the above point:
d * a + b
Even with knowledge of `d`, the sender cannot learn either `a` or `b` and thus cannot synthesize any other proof-of-payment with a different `d`, thus "locking" the proof-of-payment to a specific `d`.
The above proof-of-payment is sufficient by showing the point `d * A + B`, the committed data `d`, and the receiver public keys `A` and `B`.
AGAIN THIS IS NOVEL CRYPTOGRAPHY I THOUGHT UP IN FIVE MINUTES AND I AM NOT A CRYPTOGRAPHER, THIS NEEDS ACTUAL MATHEMATICAL REVIEW FROM AN ACTUAL CRYPTOGRAPHER.
Regards,
ZmnSCPxj
ZmnSCPxj [ARCHIVE] /
npub1g5ā¦3ms3l
2023-06-09 13:03:48
in reply to nevent1qā¦2dhf
Author Public Key
npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3lPublished at
2023-06-09 13:03:48Event JSON
{
"id": "bb6654823017e9abadc89ed1db925e0903981ec7270ddfad40a11a3514daf5b9",
"pubkey": "4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861",
"created_at": 1686315828,
"kind": 1,
"tags": [
[
"e",
"e4e7ab359e7c5557c58c3d4556f5e2b70b0dd56c221200159af6ed9115c412d1",
"",
"root"
],
[
"e",
"5b952842f1df534b0733f960041652cd289732d2f06d9d4d24c3b8c229f2acf1",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "š
Original date posted:2021-09-21\nš Original message:\nGood morning again Joost,\n\n\u003e However, we can do \"pay for signature\" protocols using PTLCs, and rather than requesting for a scalar behind a point as the proof-of-payment, we can instead ask for a signature of a message that attests \"this recipient got paid `payment_amount` with `encoded_order_details`\" and have a recipient pubkey (not necessarily the node key, it might be best to reduce signing for node keys) as the signing key.\n\u003e\n\u003e So it seems to me that this cannot work with hashes, but can work with PTLCs if we use pay-for-signature and the proof-of-payment is a signature rather than a scalar.\n\nNo, it does not work either.\n\nThe reason is that for signing, we need an `R` as well.\nTypically, this is a transient keypair generated by the signer as `r = rand(); R = r * G`.\n\nIn order to set up a pay-for-signature, the sender needs to know an `R` from the recipient, and the recipient, being the signer, has to generate that `R` for itself.\nAnd if you are just going to do something like sender-\u003erequest-\u003ereceiver, receiver-\u003eR-\u003esender, and *then* do the sender-\u003ePTLC-\u003ereceiver, then you might as well just do sender-\u003erequest-\u003ereceiver, receiver-\u003einvoice-\u003esender, sender-\u003ePTLC-\u003ereceiver.\n\nI think your goal, as I understand it, is to reduce it to one round, i.e. sender-\u003ePTLC+some_data-\u003ereceiver, then receiver responds to the PTLC that somehow generates the proof-of-payment.\nIs my understanding correct?\n\nWe cannot have the sender generate the `r` and `R = r * G` as knowledge of `r`, `s` and the signed message `m` results in learning the privkey `a`:\n\n s = r - a * h(R | m)\n a = (r - s) / h(R | m)\n\nEven with MuSig2 we need a separate round for `R` establishment before the round where everyone gives shares of `s`, and one can argue that a proof-of-payment, being an agreement of the sender and a receiver, is semantically equivalent to a 2-of-2 signature of both sender and the receiver signing off on the fact that the payment happened.\nThus, it seems to me that we can adapt any *secure* single-round multisignature Schnorr scheme to this problem of needing a single-round pay-for-signature.\n\n\nPerhaps another mechanism?\nWARNING: THIS IS NOVEL CRYPTOGRAPHY I THOUGHT UP IN FIVE MINUTES AND I AM NOT A CRYPTOGRAPHER, DO NOT ROLL YOUR OWN CRYPTO.\n\nInstead of having a single receiver-scalar, the receiver knows two scalars.\n\n A = a * G\n B = b * G\n\nThe sender knows both `A` and `B`.\n\nNow, suppose sender wants to make a payment to the receiver.\nAt its simplest, the sender can simply add `A + B` and lock an outgoing PTLC to that point.\nThe proof-of-payment is the sum `a + b`, but knowledge of this sum does not imply knowledge of either `a` or `b` (I THINK --- I AM NOT A CRYPTOGRAPHER).\n\nNow, suppose we want a proof-of-payment to be keyed to some data.\nWe can translate that data to a scalar (e.g. just hash it) and call it `d`.\nThen the sender makes a payment to the receiver using this point:\n\n d * A + B\n\nThe sender then receives the scalar behind the above point:\n\n d * a + b\n\nEven with knowledge of `d`, the sender cannot learn either `a` or `b` and thus cannot synthesize any other proof-of-payment with a different `d`, thus \"locking\" the proof-of-payment to a specific `d`.\n\nThe above proof-of-payment is sufficient by showing the point `d * A + B`, the committed data `d`, and the receiver public keys `A` and `B`.\n\nAGAIN THIS IS NOVEL CRYPTOGRAPHY I THOUGHT UP IN FIVE MINUTES AND I AM NOT A CRYPTOGRAPHER, THIS NEEDS ACTUAL MATHEMATICAL REVIEW FROM AN ACTUAL CRYPTOGRAPHER.\n\nRegards,\nZmnSCPxj",
"sig": "1c84ce0f8452f7ca946faa1a6419528c60cc277a298c690ffbc1a2d6caf322611d549e6f1a0b13f524d843e15c76f682412f762998e9ce9168bae269149c2771"
}