Good morning list,

I sketch here the idea, of making atomic multipath payment (AMP), with the 

1.  Has a proof-of-payment.
2.  Multipath decorrelation.

Note: I am not a mathematician.  Thus, it is likely, that there is a mistake 
here, and we cannot make this work.

First, we look at BIP32 hierarchically derived (HD) keys by Wuille.  Roughly, 
given a parent private key k_par, we can do derive k_i child keys for integer i 

k_i = H(i || k_par * G) + k_par

where H(x) is a hash function and G is the generator point. (this it not quite 
how BIP32 does it, it uses HMAC, maybe that is safer for some reason that my 
non-mathematician self is unaware of...)

The parent public key K_par = k_par * G.  We can derive K_i public child keys 
for integer i by:

K_i = H(i || K_par) * G + K_par

(I think)

Note that K_i = k_i * G still, as is usual for elliptic curve asymmetric 

K_i = k_i * G = (H(i || k_par * G) + k_par) * G = H(i || k_par * G) * G + k_par 
* G = H(i || K_par) * G + K_par

Of note is that if we know an i, a private child key k_i corresponding to that 
i, and the public parent key K_par, we can derive the private parent key k_par:

k_i = H(i || K_par) + k_par

k_par = k_i - H(i || K_par)

Now all we need is to have a conditional payment, which can only be performed 
if the payee provides a private key which matches a public key, i.e. given x * 
G, the payee must provide x.

Fortunately Poelstra has done this work beforehand in the Scriptless Script 
(SS) concept, where the payee provides a T = t * G, and the Scriptless Script 
construction requires that the payee reveal the t in order to claim the 
payment.  I will not go into the math since there is a good chance I shall make 
a mistake; look up discussions by better mathematicians by me.  Scriptless 
Script requires Bellare-Neven (BN) signatures to work.

Note that Scriptless Script handles only the equivalent of hashlocking.  We 
still need a timelock in case the payee refuses to reveal the proof-of-payment 

Fortunately, Maxwell has provided a construction, taproot (TR).  This 
construction has two top-level branches: a Bellare-Neven n-of-n, or a Bitcoin 
Script.  We know that Scriptless Script can make an equivalent to a hashlock 
from a Bellare-Neven n-of-n.  The other branch of a taproot construction can 
now be a simple OP_CLTV+OP_CHECKSIG script, forming the timelock half of an 

How would a multipath payment work?  The invoice would contain the parent 
public key K_par.  From this, the payer derives as many K_i, as it needs to 
split the payment to.  It sets up conditional payments that require revelation 
of the private child key k_i for each K_i it derives.

When the payee receives a partial payment, it is not incentivized to claim it 
immediately yet.  This is because revelation of even one child key k_i will, in 
combination with the parent public key K_par, reveal the parent private key 
k_par, which serves as proof-of-payment.  The payee will wait for the entire 
payment to reach it, and then claim all of them.  This reveals all the private 
child keys k_i, any one of which will let the payer extract the parent private 
key k_par that serves as proof-of-payment.

Each path has a different k_i, thus providing multipath decorrelation.

(Please check my math --- I am not a mathematician and it is possible I have 
made a mistake somewhere)

Lightning-dev mailing list

Reply via email to