[Lightning-dev] Better privacy with SNARKs

Anthony Towns aj at erisian.com.au
Fri Nov 27 04:42:19 UTC 2015

On Fri, Nov 27, 2015 at 02:25:09PM +1030, Rusty Russell wrote:
> Anthony Towns <aj at erisian.com.au> writes:
> > The alternative approach, which andytoshi and I came up with
> > independently is a lot more complicated:
> >   revealP( Q, R, sigA, sigB, sigC ) {
> >     check_multisig_verify(2, P, R, 2, sigA, sigB); code_separtor();
> >     check_multisig_verify(2, Q, R, 2, sigA, sigC); code_separtor();
> >     check_multisig_verify(2, P, Q, 2, sigC, sigB);
> >   }
> > If sigA, sigB and sigC all share the same r and SIGHASH settings,
> I don't think this works?  We can't provide the signatures in the
> scriptPubkey, since that requires them signing themselves.  

The scriptPubkey has the pubkey P, and a whole mess of stack operations
to implement the function above; the scriptSig just has Q, R and the
three signatures.

> We can't
> have them provide it in the scriptSig, since theres no "do these have
> the same r value" operator in script.

There's six sig ops, but only three different signatures. Getting the
various combinations to have the same signature forces the same r value
between each of the signatures, without needing a separate op to check
it explicitly.

It's mathematically possible to come up with Q, R, sigA, sigB, sigC where
sigA.r, sigB.r and sigC.r are all different; but it requires being able
to come up with a transaction with a particular hash, or calculating the
discrete log of a weird value to do so, so should be safely intractable.


More information about the Lightning-dev mailing list