Author: Anthony Towns 2015-11-22 02:13:27
Published on: 2015-11-22T02:13:27+00:00
In an email conversation, Anthony Towns was discussing the possibility of dividing QN by (r2*..*rN) to get back to Q1 in Bitcoin transactions. He wasn't sure if it was possible but thought that if it were, the original receipt/proof of payment could be obtained. It turns out that this method does work. Additionally, he suggested using SHA(ECDH_SEC || 3) as the r values at each stage instead of needing additional entropy or adding significant data to the onion packets.However, a problem arises if a transaction routes from Alice through Bob to Carol. In this case, Alice has to pass on both p and q. P is part of the HTLC contract, and q is inside the onion payload because calculating q=p/r is infeasible unless elliptic curve cryptography is broken. Therefore, an extra 32B of payload must be added to each onion hop if calculating r from the ECDH secret is fine, or 64B of payload if it's not.
Updated on: 2023-05-18T15:49:55.067421+00:00