Joseph Poon [ARCHIVE] on Nostr: 📅 Original date posted:2016-08-11 📝 Original message: On Wed, Aug 10, 2016 at ...
📅 Original date posted:2016-08-11
📝 Original message:
On Wed, Aug 10, 2016 at 11:33:46AM +0930, Rusty Russell wrote:
> Unfortunately, watcher knows revocation preimage N, so it can figure out
> some or all previous revocation preimages (and thus hashes).

If you take the results then HMAC it as the final step in
shachain/elkrem (to establish a single leaf), should be fine even if
revocation hashes are used in lieu of a revocation pubkey.

> But it rests on the assumption that there are no unknown malleability
> issues on signatures, which I believe makes crypto people nervous. I've
> asked some, though, as that's above my pay grade!
>
> It also assumes they can't set up the witness such that our sig is not
> 2nd or 3rd in the witness element. I think that's true...

Yeah, good point. Perhaps it could be better to keep it simple and just
use an HMAC of the non-witness transaction. There shouldn't be stuff
that's easily mutatable, and the exposure is not expanded (since that
would break LN's child transactions anyway).

--
Joseph Poon
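The leak Rusty describes and the HMAC-as-final-step fix Joseph proposes, as an added Python example that is not part of the original thread or of any Lightning implementation. It uses the BOLT 3 shachain derivation; the all-zero seed in the test and the fixed HMAC key `b"revocation-leaf"` are assumptions, not values from the thread or the spec.

```python
import hashlib
import hmac
BITS = 48  # BOLT 3 shachain indexes are 48-bit

def flip_bit(p: bytes, bit: int) -> bytes:
    b = bytearray(p)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)

def generate_from_seed(seed: bytes, i: int) -> bytes:
    """Chain secret for index i (BOLT 3): for each set bit of i, high to low,
    flip that bit in the running value and hash it."""
    p = seed
    for b in range(BITS - 1, -1, -1):
        if (i >> b) & 1:
            p = hashlib.sha256(flip_bit(p, b)).digest()
    return p

def derive_secret(base: bytes, bits: int, j: int) -> bytes:
    """From the secret of an index whose low `bits` bits are zero, derive the
    secret of any index j matching it above those bits; no seed needed."""
    p = base
    for b in range(bits - 1, -1, -1):
        if (j >> b) & 1:
            p = hashlib.sha256(flip_bit(p, b)).digest()
    return p

def index_for(commitment_number: int) -> int:
    # Newer commitments get more trailing zeros, so the newest secret yields
    # every earlier one: Rusty's "watcher knows preimage N" problem.
    return (1 << BITS) - 1 - commitment_number

def revocation_leaf(secret: bytes) -> bytes:
    """Joseph's fix: HMAC the chain output as a final step and hand out only the
    leaf. The key is an assumed fixed domain tag, not anything from BOLT."""
    return hmac.new(b"revocation-leaf", secret, hashlib.sha256).digest()

def watcher_derives(handed: bytes, n: int, earlier: int) -> bytes:
    """Watcher holding `handed` for commitment n tries to derive an earlier one."""
    i = index_for(n)
    trailing_zeros = (i & -i).bit_length() - 1
    return derive_secret(handed, trailing_zeros, index_for(earlier))

def compare(seed: bytes, n: int = 3, earlier: int = 1):
    """(raw chain secret leaks the earlier preimage?, HMAC leaf leaks it?)"""
    s_n = generate_from_seed(seed, index_for(n))
    s_e = generate_from_seed(seed, index_for(earlier))
    naive = watcher_derives(s_n, n, earlier) == s_e
    hardened = watcher_derives(revocation_leaf(s_n), n, earlier) == revocation_leaf(s_e)
    return naive, hardened  # -> (True, False) for any seed
```

The counterparty keeps storing the compact chain secrets as before; only the per-commitment leaf handed to the watcher changes, and the script's revocation hash commits to that leaf.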
Published at 2023-06-09 12:46:37