📅 Original date posted:2016-08-10
📝 Original message:
Tadge Dryja <tadge at lightning.network> writes:
>>
>> 4. When the watcher receives a new block, they HMAC(txid+salt1) all
>> transactions and compare against the key-value store
>>
>> This method does not require significant computation upon receiving a
>> new block and checking against the datastore. I forgot to note, that the
>
> If you're only watching 1 channel, this is OK as you're just doing one HMAC
> operation per incoming tx. This works when the number of states per
> channel is high but the number of channels watched is low.
> If you're watching 1M channels with 1K states each, this requires 1M HMAC
> operations for every incoming tx.
>
> By giving the whole (or a truncated part) of the txid, the observing node
> can put all txids being watched for into the same tree and have seek access
> time independent of the number of separate channels being watched. Whether
> it's 1 channel with 1 billion states, or 100M channels with 10 states each,
> you have the same cpu and I/O cost per incoming tx.
Yes, I think I agree.
> I'm not clear on the advantages of sending encrypted state information to
> the observer. Most information the observer needs to construct a punishing
> transaction is available in the observed commitment tx; the only per-state
> information which needs to be stored is the signature (and in the case of
> HTLCs, the preimage).
Yes. To be precise, watcher needs preimage, pubkeys, a signature,
OP_CSV delay amounts for each side, and HTLCs.
If the pubkeys and OP_CSV delay amounts are fixed, you need a signature
and preimage (required to steal the to-them output as well as htlcs)
every new commit tx (ie. every new watch request). And you'll add a new
HTLC information on average every second commit tx.
But I think you're better attaching every relevant HTLC to every watch
request; otherwise, you're exposing all previous HTLCs. I recalculated:
they're only 24 bytes each (ripemd hash + expiry).
If we really want to optimize that,maybe we can come up with a cleverer
scheme, where you optionally include the key to the previous watch
request with the encrypted information, allowing the sender to control
the privacy/data tradeoff? Then the watcher would gather HTLCs from
those previous requests as well, and see which ones are required?
{Insert bikeshed here}. {No, here}.
> Reconstructing messages from hashes and / or
> signatures isn't possible as long as there's sufficient unknown data in the
> preimage or message. This is achievable by changing the pubkeys used in
> the commit tx script and pubkey hash each state, without needing additional
> data in an OP_RETURN.
FWIW, I take back the idea about using the signature as a key:
1) While the crypto people tell me it's probably OK, they can't prove it.
2) If we go to Schnorr, I think it falls apart as both sigs are combined.
OTOH, changing pubkeys every step isn't required if we go for Laolu's
key-revocation scheme instead of shachain/elkrem. I think? (Roasbeef,
this is your cue to describe it in detail!)
Cheers,
Rusty,
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:46:35
in reply to nevent1q…ldx3
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:46:35Event JSON
{
"id": "2c19b1f7eae43f406501e29b0f33ebff3e7c1663fbe72d9f6e014edc169f3d20",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314795,
"kind": 1,
"tags": [
[
"e",
"ccc2d459792b926854b04bc74e6ea324d2314fff88991806647cc195016ae9ae",
"",
"root"
],
[
"e",
"e992a1f46fa9e845c336ac9ea942fa0754d740cea3cbacf7008feeab146f523a",
"",
"reply"
],
[
"p",
"650f4d21ea171bfb75c6bd78ba5b1aeace2a658bf7bee367bde3736055bf4e2d"
]
],
"content": "📅 Original date posted:2016-08-10\n📝 Original message:\nTadge Dryja \u003ctadge at lightning.network\u003e writes:\n\u003e\u003e\n\u003e\u003e 4. When the watcher receives a new block, they HMAC(txid+salt1) all\n\u003e\u003e transactions and compare against the key-value store\n\u003e\u003e\n\u003e\u003e This method does not require significant computation upon receiving a\n\u003e\u003e new block and checking against the datastore. I forgot to note, that the\n\u003e\n\u003e If you're only watching 1 channel, this is OK as you're just doing one HMAC\n\u003e operation per incoming tx. This works when the number of states per\n\u003e channel is high but the number of channels watched is low.\n\u003e If you're watching 1M channels with 1K states each, this requires 1M HMAC\n\u003e operations for every incoming tx.\n\u003e\n\u003e By giving the whole (or a truncated part) of the txid, the observing node\n\u003e can put all txids being watched for into the same tree and have seek access\n\u003e time independent of the number of separate channels being watched. Whether\n\u003e it's 1 channel with 1 billion states, or 100M channels with 10 states each,\n\u003e you have the same cpu and I/O cost per incoming tx.\n\nYes, I think I agree.\n\n\u003e I'm not clear on the advantages of sending encrypted state information to\n\u003e the observer. Most information the observer needs to construct a punishing\n\u003e transaction is available in the observed commitment tx; the only per-state\n\u003e information which needs to be stored is the signature (and in the case of\n\u003e HTLCs, the preimage).\n\nYes. To be precise, watcher needs preimage, pubkeys, a signature,\nOP_CSV delay amounts for each side, and HTLCs.\n\nIf the pubkeys and OP_CSV delay amounts are fixed, you need a signature\nand preimage (required to steal the to-them output as well as htlcs)\nevery new commit tx (ie. every new watch request). And you'll add a new\nHTLC information on average every second commit tx.\n\nBut I think you're better attaching every relevant HTLC to every watch\nrequest; otherwise, you're exposing all previous HTLCs. I recalculated:\nthey're only 24 bytes each (ripemd hash + expiry).\n\nIf we really want to optimize that,maybe we can come up with a cleverer\nscheme, where you optionally include the key to the previous watch\nrequest with the encrypted information, allowing the sender to control\nthe privacy/data tradeoff? Then the watcher would gather HTLCs from\nthose previous requests as well, and see which ones are required?\n{Insert bikeshed here}. {No, here}.\n\n\u003e Reconstructing messages from hashes and / or\n\u003e signatures isn't possible as long as there's sufficient unknown data in the\n\u003e preimage or message. This is achievable by changing the pubkeys used in\n\u003e the commit tx script and pubkey hash each state, without needing additional\n\u003e data in an OP_RETURN.\n\nFWIW, I take back the idea about using the signature as a key:\n1) While the crypto people tell me it's probably OK, they can't prove it.\n2) If we go to Schnorr, I think it falls apart as both sigs are combined.\n\nOTOH, changing pubkeys every step isn't required if we go for Laolu's \nkey-revocation scheme instead of shachain/elkrem. I think? (Roasbeef,\nthis is your cue to describe it in detail!)\n\nCheers,\nRusty,",
"sig": "89d1c42772be546c6ccf48131d82dbb67b137f1ae441aa9f9332316ee7231f057bd9bd34c78a2ae57850ff8bcabe757ac1b0215dabf3c3b7f9a39572169770a6"
}