ZmnSCPxj [ARCHIVE] on Nostr
📅 Original date posted:2020-06-20
📝 Original message:
Good morning again,
> Good morning Dave,
>
> > ZmnSCPxj noted that pay-to-preimage doesn't work with PTLCs.[2] I was
> > hoping one of Bitcoin's several inventive cryptographers would come
> > along and describe how someone with an adaptor signature could use that
> > information to create a pubkey that could be put into a transaction with
> > a second output that OP_RETURN included the serialized adaptor
> > signature. The pubkey would be designed to be spendable by anyone with
> > the final signature in a way that revealed the hidden value to the
> > pubkey's creator, allowing them to resolve the PTLC. But if that's
> > fundamentally not possible, I think we could advocate for making
> > pay-to-revealed-adaptor-signature possible using something like
> > OP_CHECKSIGFROMSTACK.[3]
>
> <snip>
>
> The signed message could be a signature to `SIGHASH_NONE`, finally an actual use for that flag.
If you are going to embed it in an `OP_RETURN` in the same transaction, you also need `SIGHASH_ANYPREVOUT`; otherwise you cannot embed the adaptor signature for spending from that transaction in the transaction being spent. It also implies `A[p4s] = a[p4s] * G` is a one-time-use keypair.
Regards,
ZmnSCPxj