Good morning list,
I sketch here the idea, of making atomic multipath payment (AMP), with the
1. Has a proof-of-payment.
2. Multipath decorrelation.
Note: I am not a mathematician. Thus, it is likely, that there is a mistake
here, and we cannot make this work.
First, we look at BIP32 hierarchically derived (HD) keys by Wuille. Roughly,
given a parent private key k_par, we can do derive k_i child keys for integer i
k_i = H(i || k_par * G) + k_par
where H(x) is a hash function and G is the generator point. (this it not quite
how BIP32 does it, it uses HMAC, maybe that is safer for some reason that my
non-mathematician self is unaware of...)
The parent public key K_par = k_par * G. We can derive K_i public child keys
for integer i by:
K_i = H(i || K_par) * G + K_par
Note that K_i = k_i * G still, as is usual for elliptic curve asymmetric
K_i = k_i * G = (H(i || k_par * G) + k_par) * G = H(i || k_par * G) * G + k_par
* G = H(i || K_par) * G + K_par
Of note is that if we know an i, a private child key k_i corresponding to that
i, and the public parent key K_par, we can derive the private parent key k_par:
k_i = H(i || K_par) + k_par
k_par = k_i - H(i || K_par)
Now all we need is to have a conditional payment, which can only be performed
if the payee provides a private key which matches a public key, i.e. given x *
G, the payee must provide x.
Fortunately Poelstra has done this work beforehand in the Scriptless Script
(SS) concept, where the payee provides a T = t * G, and the Scriptless Script
construction requires that the payee reveal the t in order to claim the
payment. I will not go into the math since there is a good chance I shall make
a mistake; look up discussions by better mathematicians by me. Scriptless
Script requires Bellare-Neven (BN) signatures to work.
Note that Scriptless Script handles only the equivalent of hashlocking. We
still need a timelock in case the payee refuses to reveal the proof-of-payment
Fortunately, Maxwell has provided a construction, taproot (TR). This
construction has two top-level branches: a Bellare-Neven n-of-n, or a Bitcoin
Script. We know that Scriptless Script can make an equivalent to a hashlock
from a Bellare-Neven n-of-n. The other branch of a taproot construction can
now be a simple OP_CLTV+OP_CHECKSIG script, forming the timelock half of an
How would a multipath payment work? The invoice would contain the parent
public key K_par. From this, the payer derives as many K_i, as it needs to
split the payment to. It sets up conditional payments that require revelation
of the private child key k_i for each K_i it derives.
When the payee receives a partial payment, it is not incentivized to claim it
immediately yet. This is because revelation of even one child key k_i will, in
combination with the parent public key K_par, reveal the parent private key
k_par, which serves as proof-of-payment. The payee will wait for the entire
payment to reach it, and then claim all of them. This reveals all the private
child keys k_i, any one of which will let the payer extract the parent private
key k_par that serves as proof-of-payment.
Each path has a different k_i, thus providing multipath decorrelation.
(Please check my math --- I am not a mathematician and it is possible I have
made a mistake somewhere)
Lightning-dev mailing list