Joseph Poon [ARCHIVE] on Nostr
Original date posted: 2016-08-11
Original message:
On Wed, Aug 10, 2016 at 11:33:46AM +0930, Rusty Russell wrote:
> Unfortunately, watcher knows revocation preimage N, so it can figure out
> some or all previous revocation preimages (and thus hashes).
If you take the results then HMAC it as the final step in
shachain/elkrem (to establish a single leaf), should be fine even if
revocation hashes are used in lieu of a revocation pubkey.
> But it rests on the assumption that there are no unknown malleability
> issues on signatures, which I believe makes crypto people nervous. I've
> asked some, though, as that's above my pay grade!
>
> It also assumes they can't set up the witness such that our sig is not
> 2nd or 3rd in the witness element. I think that's true...
Yeah, good point. Perhaps it could be better to keep it simple and just
use an HMAC of the non-witness transaction. There shouldn't be stuff
that's easily mutable, and the exposure is not expanded (since that
would break LN's child transactions anyway).
--
Joseph Poon
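The two ideas in the reply above, as an added illustration that is not part of the thread and not code from any Lightning implementation: a final HMAC step over a shachain-style leaf so that a watcher holding one disclosed value cannot walk the tree to earlier ones, and an HMAC over the non-witness serialisation of a transaction so that a re-signed or differently encoded witness does not change what the watcher is matching on. The shachain derivation is a simplified form of the BOLT-3 bit-flip-and-hash scheme, the transaction serialiser is a toy (single-byte counts, constructed placeholder values), and the HMAC key names and sample inputs are assumptions made here; the leak check is a demonstration of the structural shortcut failing, not a proof of security.

```python
import hashlib
import hmac
import struct
from copy import deepcopy

BITS = 48  # width of the index space in the simplified shachain below (assumption)


def derive_raw(base: bytes, index: int, bits: int = BITS) -> bytes:
    """Simplified BOLT-3-style shachain derivation: for every set bit of `index`,
    flip that bit of the running value and hash. Indices whose low-order bits are
    zero act as parents of every index sharing their high-order prefix."""
    p = bytearray(base)
    for b in range(bits - 1, -1, -1):
        if (index >> b) & 1:
            p[b // 8] ^= 1 << (b % 8)
            p = bytearray(hashlib.sha256(p).digest())
    return bytes(p)


def trailing_zeros(n: int) -> int:
    return BITS if n == 0 else (n & -n).bit_length() - 1


def derive_child_from_parent(parent_raw: bytes, parent_index: int, child_index: int) -> bytes:
    """What anyone holding the raw value for parent_index can compute without the seed:
    continue the derivation over the low-order bits the parent left at zero."""
    z = trailing_zeros(parent_index)
    if child_index >> z != parent_index >> z:
        raise ValueError("child does not share the parent's prefix; not derivable")
    return derive_raw(parent_raw, child_index & ((1 << z) - 1), bits=z)


def revocation_preimage(seed: bytes, hmac_key: bytes, index: int) -> bytes:
    """The final HMAC step: the value disclosed as a revocation preimage is
    HMAC(key, raw leaf), so the disclosed value carries no tree structure."""
    return hmac.new(hmac_key, derive_raw(seed, index), hashlib.sha256).digest()


def watcher_can_derive(seed: bytes, hmac_key: bytes, parent_index: int, child_index: int):
    """Returns (raw_chain_leaks, hmac_chain_leaks) for a watcher given the parent leaf."""
    raw_leak = (derive_child_from_parent(derive_raw(seed, parent_index), parent_index, child_index)
                == derive_raw(seed, child_index))
    # The watcher only ever sees the HMAC output; applying the same shortcut to it does
    # not reproduce the child's disclosed preimage.
    hmac_leak = (derive_child_from_parent(revocation_preimage(seed, hmac_key, parent_index),
                                          parent_index, child_index)
                 == revocation_preimage(seed, hmac_key, child_index))
    return raw_leak, hmac_leak


def serialize_non_witness(tx: dict) -> bytes:
    """Toy serialisation of a transaction without its witness data (counts are
    assumed < 253 so a single byte stands in for Bitcoin's CompactSize)."""
    out = struct.pack("<i", tx["version"]) + bytes([len(tx["inputs"])])
    for i in tx["inputs"]:
        out += bytes.fromhex(i["txid"])[::-1] + struct.pack("<I", i["vout"])
        out += bytes([len(i["script_sig"])]) + i["script_sig"] + struct.pack("<I", i["sequence"])
    out += bytes([len(tx["outputs"])])
    for o in tx["outputs"]:
        out += struct.pack("<q", o["value"]) + bytes([len(o["script_pubkey"])]) + o["script_pubkey"]
    return out + struct.pack("<I", tx["locktime"])


def watcher_tag(key: bytes, tx: dict) -> bytes:
    """HMAC over the non-witness transaction: a re-signed witness leaves it
    unchanged, any change to inputs or outputs does not."""
    return hmac.new(key, serialize_non_witness(tx), hashlib.sha256).digest()


# Constructed sample transaction; txid and scripts are placeholders, not chain data.
SAMPLE_TX = {
    "version": 2,
    "inputs": [{"txid": "11" * 32, "vout": 0, "script_sig": b"", "sequence": 0xFFFFFFFF,
                "witness": [b"sig-A", b"pubkey"]}],
    "outputs": [{"value": 50_000, "script_pubkey": b"\x00\x14" + b"\x22" * 20}],
    "locktime": 0,
}


def tag_stability_demo(key: bytes):
    """Returns (unchanged_by_witness_change, changed_by_output_change)."""
    base = watcher_tag(key, SAMPLE_TX)
    resigned = deepcopy(SAMPLE_TX)
    resigned["inputs"][0]["witness"] = [b"sig-B", b"pubkey"]  # differently encoded signature
    altered = deepcopy(SAMPLE_TX)
    altered["outputs"][0]["value"] = 49_000
    return watcher_tag(key, resigned) == base, watcher_tag(key, altered) != base


if __name__ == "__main__":
    seed, hkey, wkey = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
    print("raw/hmac chain leaks:", watcher_can_derive(seed, hkey, 0b1000, 0b1011))
    print("tag stable under witness change / changed by output edit:", tag_stability_demo(wkey))
```

Index 0b1000 is a parent of 0b1011 (same prefix above its three trailing zero bits), so the raw chain lets the holder of the parent leaf compute the child, while the HMAC-finalised leaf does not; the witness field of the sample transaction is deliberately never serialised, which is what keeps the tag stable when only the signature encoding changes.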