[Lightning-dev] Better privacy with SNARKs
rusty at rustcorp.com.au
Fri Nov 20 01:35:46 UTC 2015
Mats Jerratsch <matsjj at gmail.com> writes:
> After a night of sleep and some reassurance with sipa, I thought about
> something similar but with EC keys, that will allow us to do the same,
> but without SNARKS.
Nice job! I've been saying there might be a way using keypairs, but I'm
just not this clever :)
Even then, it took me several reads to make sure I understood your post
> If we would switch from preimage-hash verification to
> privatekey-publickey, we can use the arithmetic operations inherited
> from the elliptic curve field.
> Assume two keypairs, K1(Q, q) and K2(R, r). Further we have a scalar
> p, such that
> r = p * q
Yes, the two private keys are related by p...
> R = r * G = ( p * q ) * G = p * ( q * G ) = p * Q.
...And if the two public keys are related by p, we know it's true. Thus
we know revealing their privkey will give us our privkey.
> There is one caveat. We are currently unable to enforce a payment with
> a priv/pub key pair. We would need a new operator
> OP_CHECKPRIVPUBKEYPAIR or similar that pops two items from the stack
Or we could do an OP_FFMUL to do multiply over a finite field and check
the result, too:
<G> OP_FFMUL <PUBKEY> OP_EQUAL
With the segregated witness proposal, introducing new opcodes is easy,
so maybe someone would find a reason to prefer open-coding it like this?
More information about the Lightning-dev