Published on: 2018-05-24T16:20:57+00:00
ZmnSCPxj, a contributor to the Lightning Network protocol, is exploring the use of scriptless script (SS) and hierarchical deterministic (HD) features for atomic multipath payments (AMP). He believes that implementing these features could enhance the Lightning Network by reducing fees for opening and closing channels and decreasing transaction sizes. The proposed method does not require any major changes to the network and can easily integrate randomized payment identifiers across the route. However, both parties involved would need to complete an initial setup and verification phase before the signing process can take place.During the setup phase, three proofs are required. The first proof verifies the validity of the Paillier public key. The second proof involves a dlog proof for the signing keys. Finally, the third proof confirms that the value encrypted in the Paillier ciphertext is the dlog of the public key used for signing. The third proof is interactive and contains a zero-knowledge (ZK) range proof as a sub-protocol. Using Bulletproofs could potentially make this section non-interactive, reducing the time it takes for the proof to be completed.Another proposal discussed in the email exchange is a scriptless version of adaptor signatures and contracts for the Lightning Network. This alternative scheme uses only two-party ECDSA signatures, which can be applied immediately without waiting for Schnorr signatures to be deployed in Bitcoin. However, implementing this proposal would require modifications to the channel opening process, adding and settling Hashed Time-Locked Contracts (HTLCs), and the onion payload. Utilizing bulletproofs for one of the sub-proofs could make the proof shorter and non-interactive. Adding an HTLC would take 2.5 round-trip times (RTTs), while settling HTLCs would remain unchanged. The onion payload would either need to be hacked or extended to support packaging the point.The deployment of Schnorr signatures in the Lightning Network was also discussed. While Schnorr signatures offer potential benefits, their implementation would require significant effort and could complicate routing implementations. To support routing of scriptless-script conditional payments, a new global feature bit called `option_support_scriptless` would need to be added to the Lightning BOLT specification. Additionally, the concept of intra-path decorrelation, which involves passing a blinding secret to each layer of the onion in the onion routes, may also need to be considered.There were also concerns raised about the Bellare-Neven signature aggregation and its suitability for Lightning use-cases. It was noted that there is only one input for mutual closes unless close aggregation involving more than two parties is supported. However, using a 2-of-2 with a single signature could reduce the size of mutual close and commitment transactions by eliminating one signature and one public key.In conclusion, these discussions highlight various proposals and considerations related to the deployment of scriptless scripts, Schnorr signatures, and other cryptographic schemes in the Lightning Network. These proposals aim to enhance privacy, security, and efficiency while addressing the potential threats posed by quantum computing.ZmnSCPxj, a contributor to the Lightning Network protocol, is exploring the use of scriptless script (SS) and hierarchical deterministic (HD) features for atomic multipath payments (AMP). He has concerns about the compatibility of ECDSA and Bellare-Neven SS, as well as the ease of switching between them dynamically. He also suggests that a 2-of-2 with a single signature could reduce the size of mutual close and commitment transactions in the Lightning Network.At the Lightning BOLT spec level, ZmnSCPxj proposes the introduction of a new global feature bit called `option_support_scriptless` to support routing of scriptless-script conditional payments. This would require all nodes in the payment route to support this option. He also suggests the addition of local-level feature bits for `option_support_scriptless_ecdsa` and `option_support_scriptless_bn`, depending on the ease of translation between ECDSA and Bellare-Neven SS. These changes would impact BOLT11, which would need to support both `SHA256(secret)` and `secret * G` in invoices. Additionally, intra-path decorrelation may be necessary, involving the passing of a blinding secret to each layer of the onion in the onion routes.Pedro, a developer working on cryptographic constructions for the Lightning Network, has created a scriptless version of the adaptor signatures and contract using only 2-party ECDSA signatures. This new version can be implemented immediately, without having to wait for Schnorr signatures to be deployed in Bitcoin. Pedro welcomes comments and suggestions from interested parties and provides further details in the attached PDF.In summary, there are two proposed solutions for the Lightning Network. The first involves replacing the regular 2-of-2 multi-sig with a single pay-to-witness-public-key-hash (p2wkh), offering benefits such as reduced fees, increased anonymity, and smaller transaction sizes.
Updated on: 2023-07-31T20:01:52.089032+00:00