Bastien TEINTURIER <bast...@acinq.fr> writes:
> Hey Rusty,
>
> Good questions.
>
> I think we could use additive tweaks, and they are indeed faster so it can
> be worth doing.
> We would replace `B(i) = HMAC256("blinded_node_id", ss(i)) * P(i)` by
> `B(i) = HMAC256("blinded_node_id", ss(i)) * G + P(i)`.
> Intuitively since the private key of the tweak comes from a hash function,
> it should offer the same security.
> But there may be dragons lurking there, I don't know how to properly
> evaluate whether it's as secure (whereas the multiplicative
> version is really just Sphinx, so we know it should be secure).

I agree. I'll ask a real crypto person to review it, though.

> If we're able to use additive tweaks, we can probably indeed use x-only
> pubkeys.
> Even though we're not storing these on-chain, so the 1 byte saved isn't
> worth much.
> I'd say that if it's trivial to use them, let's do it, otherwise it's not
> worth any additional effort.

I'll try and report back; I think it's trivial (I converted offers, and
indeed it was trivial except needing a way to look up an x-only node_id,
which simply required two lookups).

Cheers,
Rusty.

_______________________________________________
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
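The two blinding constructions quoted in the thread above, as an added worked example that is not part of this thread or of any Lightning implementation: it derives B(i) both ways (multiplicative `t * P(i)` and additive `t * G + P(i)`) and checks that the node owning P(i) can recover the matching blinded private key (`t * p` resp. `t + p` mod n). It assumes HMAC256 takes the literal string "blinded_node_id" as the HMAC key and ss(i) as the message, and uses toy affine secp256k1 arithmetic that is not constant-time.

```python
import hashlib
import hmac

# secp256k1 domain parameters (field prime, group order, generator)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return r

def tweak(ss):
    """t = HMAC256("blinded_node_id", ss(i)) as a scalar; key/message order is an assumption."""
    return int.from_bytes(hmac.new(b"blinded_node_id", ss, hashlib.sha256).digest(), "big") % N

# What the route builder computes from the public key P(i) and shared secret ss(i).
def blind_multiplicative(pubkey, ss):
    return ec_mul(tweak(ss), pubkey)            # B(i) = t * P(i)

def blind_additive(pubkey, ss):
    return ec_add(ec_mul(tweak(ss), G), pubkey)  # B(i) = t * G + P(i)

# What the node owning p(i) computes so it can use the blinded key itself.
def blinded_priv_multiplicative(priv, ss):
    return tweak(ss) * priv % N

def blinded_priv_additive(priv, ss):
    return (tweak(ss) + priv) % N

def check_both(priv, ss):
    """Return (multiplicative_ok, additive_ok): does the derived blinded private key match B(i)?"""
    pub = ec_mul(priv, G)
    return (ec_mul(blinded_priv_multiplicative(priv, ss), G) == blind_multiplicative(pub, ss),
            ec_mul(blinded_priv_additive(priv, ss), G) == blind_additive(pub, ss))
```

The additive variant costs one fixed-base multiplication plus an addition instead of a variable-base multiplication, which is the speed difference Bastien refers to; the security question he raises is not settled by this check.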