Better privacy with SNARKs



Summary:

Rusty Russell, a Bitcoin developer, suggested two approaches to forcing someone to reveal the private key corresponding to a secp256k1 public key P. The first approach involves generating a signature with P whose parameters have a combined total of 15 leading zero bytes (or more). Satisfying this script requires brute-forcing about 4B parameters to get a valid signature. Using one such value reveals the secret key p.

The second approach is a lot more complicated but faster, while still being secure. It assumes two keypairs, K1(Q, q) and K2(R, r), and a scalar p such that r = p * q. Greg Maxwell also pointed out that if Q is the public key from the incoming HTLC, P is the public key you'll use for the outgoing HTLC, and r is your secret, then calculating P requires only a multiplication of the base point and an addition, which is quicker than multiplying an arbitrary point. Once you find out p, calculating q=p-r is easy.
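The relation in Greg Maxwell's remark, as an added Python example that is not code from the thread: it assumes "multiplying the base point and an addition" means P = Q + r*G, so that p = q + r mod n and a revealed p yields q = p - r. The function names and the sample scalars are constructed for illustration, and the example covers only this additive relation.

```python
# secp256k1 domain parameters (public curve constants)
FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Add two affine points; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None                      # a == -b
    if a == b:                           # tangent slope (doubling)
        lam = 3 * x1 * x1 * pow(2 * y1 % FIELD, -1, FIELD) % FIELD
    else:                                # chord slope
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def scalar_mult(k, pt):
    """Double-and-add; not constant time, for illustration only."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def outgoing_key(Q, r):
    """Assumed relation P = Q + r*G: one base-point multiply, one add."""
    return point_add(Q, scalar_mult(r, G))

def recover_incoming_secret(p, r):
    """Once p is revealed, the holder of r computes q = p - r (mod n)."""
    return (p - r) % N

def demo(q=0x1D2C3B4A, r=0x5E6F7081):    # constructed sample scalars
    Q = scalar_mult(q, G)                # incoming HTLC public key
    P = outgoing_key(Q, r)               # outgoing HTLC public key
    p = (q + r) % N                      # secret behind P, known to q's holder
    return scalar_mult(p, G) == P and recover_incoming_secret(p, r) == q
```
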


Updated on: 2023-05-23T21:30:16.728917+00:00