Author: ZmnSCPxj 2021-09-24 02:10:14
Published on: 2021-09-24T02:10:14+00:00
Lightning provides proof-of-payment for standard forms of payment, but not for keysend or non-high hash-based AMP. The Lamport Signature Scheme is one of the earliest cryptographic digital signing schemes. In current Lightning, a BOLT11 invoice provides a single hash. The payee signs the BOLT11 invoice using ECDSA secp256k1 using its node id as pubkey, specifying a 0-bit Lamport public key (the hash in the BOLT11), and delegating responsibility for that particular invoice to that key. Given the above idea, would it be useful to consider that a PTLC-based LN should explicitly use Schnorr signatures for proof-of-payment? Schnorr signatures are `(R, s)`, and once `R` has been established, we do know that we can implement a pay-for-signature to acquire the `s` using PTLCs, which can be transported across the network. At its minimum, even a simple scalar-behind-this-point PTLC payment scheme could still work for proof-of-payment, as the function `f(x) = x * G` is a perfectly fine trapdoor function for the purposes of Lamport signing, so there is no real need to have "full" signatures as the basic mechanism in a PTLC-based Lightning Network.
Updated on: 2023-06-01T18:48:09.121366+00:00