š
Original date posted:2015-10-18
š Original message:
> This makes some sense (though the anchor transactions don't need to be
> P2SH, it's nicer for bitcoin's UTXO if they are).
Well, currently there is no one working on a malleability fix, so we
should probably work forwards the next available goal. ;)
>> For the current form it would be enough to have
>> SecretAHash || KeyB' || KeyB || KeyA || TxID || SignatureB (L=231B)
>> with KeyB being the node pubkey (lots of key reusage...)
>> or
>> SecretAHash || KeyB' || KeyB || KeyA || TxID || nodePubKey ||
>> SignatureB (L=264B) with KeyB as a channel key that does not need to
>> be equal with the nodePubKey.
>
> Yes, I think avoiding key reuse is good. So, to be clear, the anchor TX
> output looks like:
>
> P2SH (2 KEYA KEYB 2 OP_CHECKMULTISIG)
Having to deal with malleability, the only viable solution for anchor
transactions are with escape and fast-escape?
> I think we can do slightly better with Schnorr signatures (which you can
> simply do multisig by addition, if I understand correctly) where both
> parties cooperate to form:
>
> KEYA KEYB NODE-PUBKEYA NODE-PUBKEYB TXID DUAL-SIGNATURE
>
> That's 33+33+33+33+32+64 = 228 bytes per channel.
Interesting, I kinda feel uncomfortable with Schnorr though. It feels
like some experimental method, and at least for Java, there are very
few implementations around (and I don't feel comfortable implementing
it on my own either..)
I like the idea of adding together one object for the channel to be
sent by both nodes. Even without Schnorr it saves some bytes and the
overhead of gossipping.. We can always switch the signature to Schnorr
too..
> Also, once a node is live, I'm not sure how much of the map it will need
> to keep. It might be able to prune distant parts of the map randomly,
> and get it back from the rest of the network if needed? Requires more
> thought, though.
>
>> As I'm implementing broadcast messages anyways for other purposes (see
>> other ML post), I tent to like (2) the most, it is the most expensive
>> to attack as well I think.
>
> I agree. Least on-chain spam.
Well, all nodes can always refuse to participate in the gossip network
anyway by just never requesting data and never relaying anything
either. For a lot of things, it is very similar to the whole
blockchain. Important to keep at some points, most of it is throw-away
for individual nodes already participating in the network though.. But
I don't see this a problem anywhere soon..
Cheers,
Mats
Mats Jerratsch [ARCHIVE] /
npub1hzā¦q5x8w
2023-06-09 12:44:48
in reply to nevent1qā¦3hqs
Author Public Key
npub1hz386xq4qszumlx5fsxa3kuxpaf8qvfrqqjg8zdl2l892hrcg55q6q5x8wPublished at
2023-06-09 12:44:48Event JSON
{
"id": "c119778f3a4448521bf460e6d47617fcea2b8e8604d37d818cd8854b4f0e68df",
"pubkey": "b8a27d18150405cdfcd44c0dd8db860f5270312300248389bf57ce555c784528",
"created_at": 1686314688,
"kind": 1,
"tags": [
[
"e",
"a852f7164f575698e067e8fc679f5003dd9087247fc7ef7f6067ab966288eef1",
"",
"root"
],
[
"e",
"f7123bf389c1c12813c587a13457d0972eeffe3b431318db51475f118c3b2b94",
"",
"reply"
],
[
"p",
"f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab"
]
],
"content": "š
Original date posted:2015-10-18\nš Original message:\n\u003e This makes some sense (though the anchor transactions don't need to be\n\u003e P2SH, it's nicer for bitcoin's UTXO if they are).\n\nWell, currently there is no one working on a malleability fix, so we\nshould probably work forwards the next available goal. ;)\n\n\u003e\u003e For the current form it would be enough to have\n\u003e\u003e SecretAHash || KeyB' || KeyB || KeyA || TxID || SignatureB (L=231B)\n\u003e\u003e with KeyB being the node pubkey (lots of key reusage...)\n\u003e\u003e or\n\u003e\u003e SecretAHash || KeyB' || KeyB || KeyA || TxID || nodePubKey ||\n\u003e\u003e SignatureB (L=264B) with KeyB as a channel key that does not need to\n\u003e\u003e be equal with the nodePubKey.\n\u003e\n\u003e Yes, I think avoiding key reuse is good. So, to be clear, the anchor TX\n\u003e output looks like:\n\u003e\n\u003e P2SH (2 KEYA KEYB 2 OP_CHECKMULTISIG)\n\nHaving to deal with malleability, the only viable solution for anchor\ntransactions are with escape and fast-escape?\n\n\u003e I think we can do slightly better with Schnorr signatures (which you can\n\u003e simply do multisig by addition, if I understand correctly) where both\n\u003e parties cooperate to form:\n\u003e\n\u003e KEYA KEYB NODE-PUBKEYA NODE-PUBKEYB TXID DUAL-SIGNATURE\n\u003e\n\u003e That's 33+33+33+33+32+64 = 228 bytes per channel.\n\nInteresting, I kinda feel uncomfortable with Schnorr though. It feels\nlike some experimental method, and at least for Java, there are very\nfew implementations around (and I don't feel comfortable implementing\nit on my own either..)\n\nI like the idea of adding together one object for the channel to be\nsent by both nodes. Even without Schnorr it saves some bytes and the\noverhead of gossipping.. We can always switch the signature to Schnorr\ntoo..\n\n\u003e Also, once a node is live, I'm not sure how much of the map it will need\n\u003e to keep. It might be able to prune distant parts of the map randomly,\n\u003e and get it back from the rest of the network if needed? Requires more\n\u003e thought, though.\n\u003e\n\u003e\u003e As I'm implementing broadcast messages anyways for other purposes (see\n\u003e\u003e other ML post), I tent to like (2) the most, it is the most expensive\n\u003e\u003e to attack as well I think.\n\u003e\n\u003e I agree. Least on-chain spam.\n\nWell, all nodes can always refuse to participate in the gossip network\nanyway by just never requesting data and never relaying anything\neither. For a lot of things, it is very similar to the whole\nblockchain. Important to keep at some points, most of it is throw-away\nfor individual nodes already participating in the network though.. But\nI don't see this a problem anywhere soon..\n\nCheers,\nMats",
"sig": "6eda378c48730f5ee7c746c69ebfca3e3b39aab44d85fd70c9df3c7e0bdae48e73333bad951931158d97dbb11793e9c4c16717cff693b7a0d8993476c7c0d985"
}