Published on: 2018-03-06T21:06:25+00:00
In a message posted on March 6th, Andrew Poelstra, a member of the Mathematics Department at Blockstream, explains a new method for updating states in a payment channel using adaptor/Bellare-Neven signatures. This method allows for the use of multipaths in Atomic Multipath Payments (AMP) by linking multiple state updates together. The proposed approach involves jointly signing a transaction with A(i), Revocation(B,i) to distribute funds in a two-party transaction, ensuring that both parties have time to penalize misbehavior and properly close the channel. The author also suggests using Schnorr for HTLCs to make them indistinguishable from regular transactions. They propose a solution for efficient outsourced channel monitoring using 2-of-2 multisig funding transactions, which can be converted to Schnorr/muSig when available. Various types of transactions are involved in this process, including channel state commitment transactions, channel fund distribution transactions, timeout/success transactions, and pay2pubkey(hash) outputs.The author notes that monitoring can be efficiently outsourced with minimal overhead and without significant changes to Bitcoin. However, they mention that constant space outsourced channel monitoring without SIGHASH_NOINPUT is currently not feasible. Revoking an old state requires sending an adaptor signature that reveals half of AB_i or AB_{i-1}, giving the other party access to the secret key and allowing them to take the coins. The required state to store consists of these adaptor signatures, which increases linearly with the number of state updates in each channel. The discrete-log based nature of the method makes blind monitoring a possibility.The email thread also discusses optimizing for the rare case of misbehavior in closing a lightning channel by using muSig Schnorr pay-to-pubkey transactions. The author includes references to various links and papers discussing the use of blockchain and discreet log contracts. One suggestion is to use a zero-knowledge proof to confirm a new revocation hash conforms to standards without revealing the secret, generating the public key without using the muSig construct. Another suggestion is to create a transaction pre-signed by B that spends the commitment tx A holds, giving all channel funds to A after a large CSV timeout. However, this approach could incentivize blocking someone from accessing the blockchain.Overall, Andrew Poelstra presents a new method for updating states in a payment channel using adaptor/Bellare-Neven signatures. They propose various ideas for efficient channel monitoring, optimizing for misbehavior in channel closure, and maintaining privacy through Schnorr and discreet log contracts. The author provides references to further resources on the topic.
Updated on: 2023-07-31T19:49:38.428611+00:00