Rusty Russell [ARCHIVE] on Nostr: 📅 Original date posted:2020-11-21 📝 Original message: Bastien TEINTURIER ...
📅 Original date posted:2020-11-21
📝 Original message:
Bastien TEINTURIER <bastien at acinq.fr> writes:
> Hey Rusty,
>
> Good questions.
>
> I think we could use additive tweaks, and they are indeed faster so it can
> be worth doing.
> We would replace `B(i) = HMAC256("blinded_node_id", ss(i)) * P(i)` by
> `B(i) = HMAC256("blinded_node_id", ss(i)) * G + P(i)`.
> Intuitively since the private key of the tweak comes from a hash function,
> it should offer the same security.
> But there may be dragons lurking there, I don't know how to properly
> evaluate whether it's as secure (whereas the multiplicative
> version is really just Sphinx, so we know it should be secure).

I agree. I'll ask a real crypto person to review it, though.

> If we're able to use additive tweaks, we can probably indeed use x-only
> pubkeys.
> Even though we're not storing these on-chain, so the 1 byte saved isn't
> worth much.
> I'd say that if it's trivial to use them, let's do it, otherwise it's not
> worth any additional effort.

I'll try and report back; I think it's trivial (I converted offers, and
indeed it was trivial except needing a way to look up an x-only node_id,
which simply required two lookups).

Cheers,
Rusty.
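As an added illustration of the two constructions quoted in this thread (example code, not from the thread or from any Lightning implementation): a minimal secp256k1 arithmetic showing that for both the multiplicative tweak `B(i) = t * P(i)` and the additive tweak `B(i) = t * G + P(i)`, with `t = HMAC256("blinded_node_id", ss(i))`, node i can recover the private key for B(i) as `t * p` or `t + p` respectively. The shared secret ss(i) and the node private key p are constructed sample values.

```python
import hashlib
import hmac

# secp256k1 parameters: field prime, group order and generator G
FP = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % FP == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, FP) % FP
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, FP) % FP
    x = (lam * lam - a[0] - b[0]) % FP
    return (x, (lam * (a[0] - x) - a[1]) % FP)

def scalar_mult(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1: acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def tweak(ss):
    """HMAC256("blinded_node_id", ss(i)) read as a scalar mod n."""
    return int.from_bytes(hmac.new(b"blinded_node_id", ss, hashlib.sha256).digest(), "big") % N

def blind_mul(ss, P):    # B(i) = tweak * P(i): one multiplication of an arbitrary point
    return scalar_mult(tweak(ss), P)
def blind_add(ss, P):    # B(i) = tweak * G + P(i): fixed-base multiplication plus an addition
    return point_add(scalar_mult(tweak(ss), G), P)
def unblind_mul(ss, p):  # private key matching blind_mul: tweak * p mod n
    return tweak(ss) * p % N
def unblind_add(ss, p):  # private key matching blind_add: tweak + p mod n
    return (tweak(ss) + p) % N

# Constructed sample inputs: a shared secret ss(i) and node i's private key p
SS = hashlib.sha256(b"constructed ss(i) for the example").digest()
PRIV = int.from_bytes(hashlib.sha256(b"constructed node private key").digest(), "big") % N

def recipient_can_unblind(ss=SS, p=PRIV):
    """(multiplicative ok, additive ok): does the derived private key match B(i)?"""
    P = scalar_mult(p, G)
    return (scalar_mult(unblind_mul(ss, p), G) == blind_mul(ss, P),
            scalar_mult(unblind_add(ss, p), G) == blind_add(ss, P))
```

With x-only pubkeys the additive form must additionally account for the parity of P(i), as BIP340-style tweaking does; this example works on full points.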
Published at 2023-06-09 13:01:29