Re: [Lightning-dev] Scriptless Scripts with ECDSA

2018-05-24 Thread Pedro Moreno Sanchez
Hello, I know it is kind of a late reply, but my co-authors and I have been working hard to get ready an extended version of the paper for this work. The paper is now available at https://eprint.iacr.org/2018/472 In this paper, we describe in detail the scriptless script (SS) ECDSA construction a

Re: [Lightning-dev] Scriptless Scripts with ECDSA

2018-05-08 Thread ZmnSCPxj via Lightning-dev
Good morning Benjamin, Your caution is laudable, I think. > Yes, bitcoin is wise to at least hash the pub key until use. Granted, > lightning (necessarily?) risks public key exposure, but in a pinch there are > other signature algorithms for lightning to move to. Lightning cannot *quickly* mov

Re: [Lightning-dev] Scriptless Scripts with ECDSA

2018-05-08 Thread Benjamin Mord
Good evening Jim, > I don't agree that quantum resistance should be a blocker to deployment of > scriptless scripts on lightning > I don't mean to speak narrowly about quantum cryptanalysis, but more generally about the need for backups to every primitive we use. DL is no exception, but for DL s

Re: [Lightning-dev] Scriptless Scripts with ECDSA

2018-05-08 Thread Jim Posen
Benjamin, I don't agree that quantum resistance should be a blocker to deployment of scriptless scripts on lightning because 1) it is a layer-2 solution and 2) it already critically depends on the security of DL. There are arguments against making certain protocol changes to the base Bitcoin bloc

Re: [Lightning-dev] Scriptless Scripts with ECDSA

2018-05-08 Thread Benjamin Mord
Sorry, I do not wish to spam the list, but I need to correct a rather serious error in my last email. We must never call something "post-quantum", absent mathematical proof. (And good luck with that.) I apologise for my mistake in doing so myself. I should not even refer to lattice based cryptogra

Re: [Lightning-dev] Scriptless Scripts with ECDSA

2018-05-08 Thread Benjamin Mord
That would be awesome. Do you have a reference? As pertains to the whole of asymmetric cryptography, I believe there are not a variety of post quantum schemes, there is only one*: lattice-based cryptography. (Which scares me, because it is not all that different from the others.) (* Actually, in

Re: [Lightning-dev] Scriptless Scripts with ECDSA

2018-05-08 Thread Greg Sanders
From what I understand talking to folks, the linear properties of these signature tricks are maintained under a number of post-quantum schemes. On Tue, May 8, 2018 at 8:44 AM, Benjamin Mord wrote: > > If I'm not mistaken, the scriptless scripts concept (as currently > formulated) falls to Shor

Re: [Lightning-dev] Scriptless Scripts with ECDSA

2018-05-08 Thread Benjamin Mord
If I'm not mistaken, the scriptless scripts concept (as currently formulated) falls to Shor's algorithm, and at present there is no alternative implementation of the concept to fall back on. Correct? Lest we build a house of cards, I'd strongly urge everyone to not depend on functional concepts wh

Re: [Lightning-dev] Scriptless Scripts with ECDSA

2018-05-07 Thread Olaoluwa Osuntokun
FWIW, Conner pointed out that the initial ZK Proof for the correctness of the Paillier params (even w/ usage of bulletproofs) has multiple rounds of interaction, iirc up to 5+ (with additional pipelining) rounds of interaction. -- Laolu On Mon, May 7, 2018 at 5:14 PM Olaoluwa Osuntokun wrote: >

Re: [Lightning-dev] Scriptless Scripts with ECDSA

2018-05-07 Thread Olaoluwa Osuntokun
Actually, just thought about this a bit more and I think it's possible to deploy this in unison with (or after) any sort of SS based on schnorr becomes possible in Bitcoin. My observation is that since both techniques are based on the same underlying technique (revealing a secret value in a signatu

Re: [Lightning-dev] Scriptless Scripts with ECDSA

2018-05-07 Thread Olaoluwa Osuntokun
> It is also not clear to me how well B-N signature aggregation can work for > Lightning use-cases; certainly onchain claims of unilateral closes can be > made smaller with signature aggregation, but for mutual closes, there is > only one input, unless we support close aggregation somehow From th

Re: [Lightning-dev] Scriptless Scripts with ECDSA

2018-05-07 Thread Olaoluwa Osuntokun
Hi Pedro, Very cool stuff! When I originally discovered Lindell's technique, my immediate thought was that we could phase this in as a way to _immediately_ (no additional Script upgrades required), replace the regular 2-of-2 multi-sig with a single p2wkh. The immediate advantages of this would:

Re: [Lightning-dev] Scriptless Scripts with ECDSA

2018-04-29 Thread ZmnSCPxj via Lightning-dev
Good morning Pedro, This is certainly of great interest to me; unfortunately I am not a mathematician and probably cannot review if the math is correct or not. In particular it seems to me, naively, to be able to implement my AMP idea which supports both path decorrelation and proof-of-payment