📅 Original date posted:2016-08-12
📝 Original message:
Joseph Poon <joseph at lightning.network> writes:
> On Wed, Aug 10, 2016 at 11:33:46AM +0930, Rusty Russell wrote:
>> Unfortunately, watcher knows revocation preimage N, so it can figure out
>> some or all previous revocation preimages (and thus hashes).
>
> If you take the results then HMAC it as the final step in
> shachain/elkrem (to establish a single leaf), should be fine even if
> revocation hashes are used in lieu of a revocation pubkey.
Sure, or just SHA the leaf again. But such schemes prevent the watcher
from using the elkrem/shachain space-savings themselves, which is kind
of painful. (Though see below...)
Let's look at space & comms requirements, per new commitment tx, for
different schemes. Let's say we have N htlcs in the current HTLC.
Bytes Bytes
Communicated Stored (per tx)
Naive (whole steal tx) ~300 * (N+1) ~300 * (N+1)
rhash+sig+HTLCdata 32 + 32 + 24*N 32 + 32 + 24*N
+shachain/elkrem 32 + 32 + 24*N 32 + 24*N
+SIG_NOINPUT 32 + 24*N 24*N
+Dual-scriptpubkey MAST 32 0
The ultimate is shachain/elkrem, SIG_NOINPUT and a MAST scheme which
places two scripthashes into the scriptpubkey, either of which would
allow spending. In that case, we'd simply send a series of SIG_NOINPUT
signed steal txs with 1, 2, 3 ... inputs at the beginning, and then send
each new revocation preimage as we learned it. The storage overhead is
basically constant (technically, log(N) for the shachain).
Interestingly, MAST by itself buys us nothing (bytewise): the 32 bytes
we'd need to send for the other branch of MAST is larger than the 24
bytes for the HTLC description.
Revealing the preimages seems a win, BUT if we give them unencrypted to
the watcher we need some other way of avoiding guessable prior
commitment txs. Which implies we change at least one key in some way,
which means we need to send that key to the watcher to store, which
costs as much as they save using shachain/elkrem!
The other win is sharing HTLCs across transactions somehow (which
reduces N to the "number of new HTLCs" instead of "number of HTLCs").
I can't come up with anything very good here, though :(
>> But it rests on the assumption that there are no unknown malleability
>> issues on signatures, which I believe makes crypto people nervous. I've
>> asked some, though, as that's above my pay grade!
>>
>> It also assumes they can't set up the witness such that our sig is not
>> 2nd or 3rd in the witness element. I think that's true...
>
> Yeah, good point. Perhaps it could be better to keep it simple and just
> use an HMAC of the non-witness transaction. There shouldn't be stuff
> that's easily mutatable, and the exposure is not expanded (since that
> would break LN's child transactions anyway).
I still don't understand why use an HMAC-of-tx instead of just the txid?
What does it gain?
Thanks!
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:46:38
in reply to nevent1q…2cfw
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:46:38Event JSON
{
"id": "67d0327ddfc1ca4bf7d28a689608cb697ed5bf388dc4cefa101e3080465a20b5",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314798,
"kind": 1,
"tags": [
[
"e",
"ccc2d459792b926854b04bc74e6ea324d2314fff88991806647cc195016ae9ae",
"",
"root"
],
[
"e",
"24ba003dbd12074c1cd292d457bb5edc6bda683ea3d9aa0d306654ea080788bc",
"",
"reply"
],
[
"p",
"ccb4cc87c455b74febaee5929cfd0726421b2eea64ad2b16440b68e8c7433211"
]
],
"content": "📅 Original date posted:2016-08-12\n📝 Original message:\nJoseph Poon \u003cjoseph at lightning.network\u003e writes:\n\u003e On Wed, Aug 10, 2016 at 11:33:46AM +0930, Rusty Russell wrote:\n\u003e\u003e Unfortunately, watcher knows revocation preimage N, so it can figure out\n\u003e\u003e some or all previous revocation preimages (and thus hashes). \n\u003e\n\u003e If you take the results then HMAC it as the final step in\n\u003e shachain/elkrem (to establish a single leaf), should be fine even if\n\u003e revocation hashes are used in lieu of a revocation pubkey.\n\nSure, or just SHA the leaf again. But such schemes prevent the watcher\nfrom using the elkrem/shachain space-savings themselves, which is kind\nof painful. (Though see below...)\n\nLet's look at space \u0026 comms requirements, per new commitment tx, for\ndifferent schemes. Let's say we have N htlcs in the current HTLC.\n\n Bytes Bytes\n Communicated Stored (per tx)\nNaive (whole steal tx) ~300 * (N+1) ~300 * (N+1)\nrhash+sig+HTLCdata 32 + 32 + 24*N 32 + 32 + 24*N\n+shachain/elkrem 32 + 32 + 24*N 32 + 24*N\n+SIG_NOINPUT 32 + 24*N 24*N\n+Dual-scriptpubkey MAST 32 0\n\nThe ultimate is shachain/elkrem, SIG_NOINPUT and a MAST scheme which\nplaces two scripthashes into the scriptpubkey, either of which would\nallow spending. In that case, we'd simply send a series of SIG_NOINPUT\nsigned steal txs with 1, 2, 3 ... inputs at the beginning, and then send\neach new revocation preimage as we learned it. The storage overhead is\nbasically constant (technically, log(N) for the shachain).\n\nInterestingly, MAST by itself buys us nothing (bytewise): the 32 bytes\nwe'd need to send for the other branch of MAST is larger than the 24\nbytes for the HTLC description.\n\nRevealing the preimages seems a win, BUT if we give them unencrypted to\nthe watcher we need some other way of avoiding guessable prior\ncommitment txs. Which implies we change at least one key in some way,\nwhich means we need to send that key to the watcher to store, which\ncosts as much as they save using shachain/elkrem!\n\nThe other win is sharing HTLCs across transactions somehow (which\nreduces N to the \"number of new HTLCs\" instead of \"number of HTLCs\").\nI can't come up with anything very good here, though :(\n\n\u003e\u003e But it rests on the assumption that there are no unknown malleability\n\u003e\u003e issues on signatures, which I believe makes crypto people nervous. I've\n\u003e\u003e asked some, though, as that's above my pay grade!\n\u003e\u003e \n\u003e\u003e It also assumes they can't set up the witness such that our sig is not\n\u003e\u003e 2nd or 3rd in the witness element. I think that's true...\n\u003e\n\u003e Yeah, good point. Perhaps it could be better to keep it simple and just\n\u003e use an HMAC of the non-witness transaction. There shouldn't be stuff\n\u003e that's easily mutatable, and the exposure is not expanded (since that\n\u003e would break LN's child transactions anyway).\n\nI still don't understand why use an HMAC-of-tx instead of just the txid?\nWhat does it gain?\n\nThanks!\nRusty.",
"sig": "be88a9c3decde09fc0b3b63df56e3f681e8777853c09f4b33ed6edc596b306b685c98b6898a3ae286e3eabce0b772bfcf4623f82a3fba230eac92de502fcccf8"
}