Scriptless Scripts with ECDSA



Summary:

Lindell's technique is a proposed solution that can replace the regular 2-of-2 multi-sig with a single p2wkh. This replacement would not require additional script upgrades, and it offers several benefits: it reduces fees for opening and closing channels, blends channel openings and cooperative close transactions into the anonymity set of regular p2wkh transactions, and makes HTLC timeout+success transactions smaller by removing the multi-sig. Non-advertised channels could also take advantage of this "stealth" feature.

To integrate this scheme into the existing protocol, the primary thing to account for is the additional cryptographic overhead that it would add. Both parties must complete an initial setup and verification phase before the actual signing process can take place; this could be piggy-backed on top of the existing accept_channel/open_channel dance both sides need to go through in order to advance the channel negotiation process today. Conner has already started implementing this scheme, and the implementation of the initial set of proofs is well-understood. The three proofs required for the setup phase are a proof that the Paillier public key is well-formed, a dlog proof for the signing keys themselves, and a proof that the encrypted value (the Paillier ciphertext) is actually the dlog of the public key to be used for signing.

The third proof is interactive and contains a ZK range proof as a sub-protocol. However, it can be replaced with Bulletproofs, making this section non-interactive and allowing the proof itself to take 1.5 RTT. Additionally, this would only need to be done once at the start, as we can re-use the encryption of the secp256k1 private key of both parties. The current channel opening process requires 2 RTT, but all the opening proofs could be piggy-backed on top of the existing funding protocol. The main cost would be the increased size of these opening messages and the additional computational cost of operations within the Paillier modulus and the new range proof. The process of adding+settling an HTLC would also need to be modified, and randomized payment identifiers across the route would need to be allowed.

Another proposed solution for the Lightning Network is a new cryptographic construction using only 2-party ECDSA signatures, offered by Pedro Moreno Sanchez. This scriptless version of the adaptor signatures and contract in the Lightning Network has the advantage of being directly applicable today, without waiting for Schnorr signatures to be deployed in Bitcoin. However, the process of adding and settling an HTLC is now more interactive, requiring N RTT with the new scheme. The onion payload would need to be modified to encode G*alpha, which takes 33 bytes but can be reduced to 32 by selecting the x coordinate to always be either even or odd. Due to the introduction of a new end-to-end contract type, plausible path diversity takes a hit, as the network can no longer utilize all channels for routing. The new upper hop limit would be 10 if each hop consumes an extra payload.

To roll out this new scheme, a new global feature bit may be necessary, and introducing new end-to-end contract types may carry coordination costs. Nevertheless, if this scheme were integrated, it would add significant benefits such as improved privacy, security, and scalability.
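The signing step that lets two channel parties produce one ordinary ECDSA signature under a single key, reusing the Paillier encryption of one party's key share, shown as an added example (not code from the original post or from the implementation mentioned above). Assumptions: all function names are hypothetical, the Paillier modulus is built from two public Mersenne primes purely so the code runs offline, the three setup proofs are omitted, and both parties run in one process.

```python
import secrets
P = 2**256 - 2**32 - 977  # secp256k1 field prime
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
PP, PQ = 2**521 - 1, 2**607 - 1  # constructed toy Paillier primes (public): NOT secure
N, N2, PHI = PP * PQ, (PP * PQ) ** 2, (PP - 1) * (PQ - 1)

def add(a, b):  # affine point addition, None = point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] ** 2, 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    l = num * pow(den % P, -1, P) % P
    x = (l * l - a[0] - b[0]) % P
    return x, (l * (a[0] - x) - a[1]) % P

def mul(k, pt):  # recursive double-and-add (not constant time)
    return None if k == 0 else add(mul(k >> 1, add(pt, pt)), pt if k & 1 else None)

def enc(m):  # Paillier encryption with g = N + 1
    return (1 + m * N) * pow(secrets.randbelow(N - 1) + 1, N, N2) % N2
def dec(c):
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N

def keygen():
    x1, x2 = (secrets.randbelow(Q - 1) + 1 for _ in range(2))
    return x1, x2, enc(x1), mul(x1, mul(x2, G))  # ckey = Enc(x1): sent once, reused

def p2_partial(x2, k2, r, m, ckey):  # P2 only ever handles Enc(x1), never x1
    k2inv, rho = pow(k2, -1, Q), secrets.randbelow(Q * Q)
    c1 = enc(k2inv * m % Q + rho * Q)  # Enc(k2^-1*m + rho*q)
    return c1 * pow(ckey, k2inv * r * x2 % Q, N2) % N2  # adds k2^-1*r*x2*x1

def p1_finish(k1, c3):  # P1 decrypts, strips its nonce share, normalizes to low-s
    s = pow(k1, -1, Q) * dec(c3) % Q
    return min(s, Q - s)

def sign(x1, x2, ckey, m):  # both roles in one process, for demonstration
    k1, k2 = (secrets.randbelow(Q - 1) + 1 for _ in range(2))
    r = mul(k1, mul(k2, G))[0] % Q  # R = k1*k2*G via exchanged nonce points
    return r, p1_finish(k1, p2_partial(x2, k2, r, m, ckey))

def verify(pub, m, r, s):  # ordinary single-key ECDSA verification
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    pt = add(mul(m * w % Q, G), mul(r * w % Q, pub))
    return pt is not None and pt[0] % Q == r
```

The verifier sees only `pub` and `(r, s)`, which is why the channel output can be a plain p2wkh; the per-signature Paillier work is one encryption and one exponentiation for P2 and one decryption for P1.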


Updated on: 2023-05-20T08:16:47.635942+00:00