Bastien TEINTURIER <bast...@acinq.fr> writes:
> Hey Rusty,
>
> Good questions.
>
> I think we could use additive tweaks, and they are indeed faster so it can
> be worth doing.
> We would replace `B(i) = HMAC256("blinded_node_id", ss(i)) * P(i)` by
> `B(i) = HMAC256("blinded_node_id", ss(i)) * G + P(i)`.
> Intuitively since the private key of the tweak comes from a hash function,
> it should offer the same security.
> But there may be dragons lurking there, I don't know how to properly
> evaluate whether it's as secure (whereas the multiplicative
> version is really just Sphinx, so we know it should be secure).

I agree.  I'll ask a real crypto person to review it, though.

> If we're able to use additive tweaks, we can probably indeed use x-only
> pubkeys.
> Even though we're not storing these on-chain, so the 1 byte saved isn't
> worth much.
> I'd say that if it's trivial to use them, let's do it, otherwise it's not
> worth any additional effort.

I'll try and report back; I think it's trivial (I converted offers, and
indeed it was trivial except needing a way to look up an x-only node_id,
which simply required two lookups).

Cheers,
Rusty.
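To make the two tweak forms discussed in the thread concrete, here is an added worked example (my own code, not from the thread, the lightning-rfc spec, or any of the participants' implementations). It uses pure-Python secp256k1 arithmetic so it runs with no dependencies, and it shows the property both forms rely on: the sender derives the blinded key `B(i)` from the public node key `P(i)`, while the node derives the matching private key from its own `p(i)` and the same tweak (`t * p(i)` for the multiplicative form, `t + p(i)` for the additive form). Assumptions: `HMAC256("blinded_node_id", ss(i))` is taken to mean HMAC-SHA256 keyed with the literal string over the shared secret bytes, reduced modulo the curve order; the shared secret and node private key below are constructed sample values, not real ones.

```python
import hashlib
import hmac

# secp256k1 domain parameters (standard curve constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = ((y2 - y1) % P) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    k %= N
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def tweak(ss):
    # Assumption: HMAC256("blinded_node_id", ss(i)) = HMAC-SHA256 keyed with the
    # literal string, message = shared secret bytes, interpreted as a scalar mod N.
    digest = hmac.new(b"blinded_node_id", ss, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % N


def blind_multiplicative(node_priv, ss):
    """B(i) = t * P(i); the node's matching private key is t * p(i)."""
    t = tweak(ss)
    node_pub = scalar_mult(node_priv, G)
    blinded_pub = scalar_mult(t, node_pub)   # sender side: only needs P(i)
    blinded_priv = (t * node_priv) % N        # node side: needs p(i)
    return blinded_pub, blinded_priv


def blind_additive(node_priv, ss):
    """B(i) = t * G + P(i); the node's matching private key is t + p(i)."""
    t = tweak(ss)
    node_pub = scalar_mult(node_priv, G)
    blinded_pub = point_add(scalar_mult(t, G), node_pub)  # sender side
    blinded_priv = (t + node_priv) % N                     # node side
    return blinded_pub, blinded_priv


def check_both_forms(node_priv, ss):
    """Return (multiplicative consistent, additive consistent, forms differ)."""
    b_mul_pub, b_mul_priv = blind_multiplicative(node_priv, ss)
    b_add_pub, b_add_priv = blind_additive(node_priv, ss)
    return (
        scalar_mult(b_mul_priv, G) == b_mul_pub,
        scalar_mult(b_add_priv, G) == b_add_pub,
        b_mul_pub != b_add_pub,
    )


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    sample_priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    sample_ss = hashlib.sha256(b"constructed shared secret ss(i)").digest()
    print(check_both_forms(sample_priv, sample_ss))
```

Both forms satisfy the consistency check, which is why the additive variant is attractive for x-only keys: the node only needs one scalar addition instead of a multiplication. What the code does not settle is Bastien's point that the security argument for the additive tweak is not simply inherited from Sphinx; that still needs the review Rusty mentions.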
_______________________________________________
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev