Anthony Towns [ARCHIVE] on Nostr
📅 Original date posted:2015-11-22
📝 Original message:
On Fri, Nov 20, 2015 at 05:44:15PM +1000, Anthony Towns wrote:
> Hmm, I'm not sure if you can divide QN by (r2*..*rN) to get back to Q1,
> but I think you can [...] If you can,
> you even get the original receipt/proof of payment!

Yep, this works!

> _And_ I think you could just use SHA(ECDH_SEC || 3) as the r values at
> each stage rather than needing any additional entropy, or having to add
> any significant data to the onion packets.

This doesn't quite, though: if a txn routes from Alice through Bob to
Carol, with Alice/Bob's secret being p,P and Bob/Carol's being q,Q,
with p = q*r and P = Q*r; Alice has to pass on both p and q; p as part
of the HTLC contract, and q inside the onion payload because calculating
q=p/r is infeasible unless elliptic curve crypto is broken.

So add an extra 32B of payload to each onion hop if calculating r from
the ECDH secret is fine, or 64B of payload if it's not.

Cheers,
aj
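
Added example, not part of the original message: a self-contained check on secp256k1 that blinding Q1 with r2..rN and then multiplying QN by the inverse of (r2*..*rN) modulo the group order returns Q1, and that the secret scalars obey the same relation. It assumes SHA-256 for "SHA", a single 0x03 byte for "|| 3", and constructed ECDH secrets; the function names are hypothetical.

```python
import hashlib

# secp256k1 parameters: field prime, group order, generator
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def r_from_ecdh(ecdh_sec):
    # Assumption: "SHA" is SHA-256 and "|| 3" appends the single byte 0x03.
    return int.from_bytes(hashlib.sha256(ecdh_sec + b"\x03").digest(), "big") % N

def demo():
    # Constructed values: a payment secret q1 and ECDH secrets for hops 2..4.
    q1 = int.from_bytes(hashlib.sha256(b"constructed secret").digest(), "big") % N
    Q1 = mul(q1, G)
    rs = [r_from_ecdh(b"constructed ecdh hop %d" % i) for i in (2, 3, 4)]
    QN, prod = Q1, 1
    for r in rs:  # each hop re-blinds the point: Q_i = Q_(i-1) * r_i
        QN, prod = mul(r, QN), prod * r % N
    unblinded = mul(pow(prod, -1, N), QN)  # "divide QN by (r2*..*rN)"
    return q1, Q1, QN, prod, unblinded
```

Division here is multiplication by a modular inverse of a known scalar, which is cheap for anyone who holds the r values.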