[Lightning-dev] Laundry list of inter-peer wire protocol changes

Anthony Towns aj at erisian.com.au
Wed Jan 27 14:22:29 UTC 2016 

On Wed, Jan 27, 2016 at 01:37:04PM +1030, Rusty Russell wrote:
> Misc
> ----
> - shachain vs elkrem
>   - We use this to generate the revocation secrets, to minimize storage
>     and computation for a huge number of old commitment txs.
>   - They're actually very similar, but elkrem is much easier to grok.[6]

Hmm, I was going to say I like it, but I'm not sure I do...

The comments in the code don't quite make sense to me, for instance,
the given examples:

 0b0000: L(L(L(L(seed))))
 0b0001: R(L(L(L(seed))))
 0b1000:   L(L(L(seed)))

should be 0, 1 and 2, I think, not 0, 1 and 8; and with four hash
operations, you've got 31 nodes not 15, and 16 leaves, not 8?

I think the pattern is:

 0b0000:  LLL (ie L(L(L(seed)))
 0b0001:  RLL (ie R(L(L(seed)))
 0b0010:  LL -> (0, 1)
 0b0011:  LRL
 0b0100:  RRL
 0b0101:  RL -> (3, 4)
 0b0110:  L -> (0, 1, 2, 3, 4, 5)
 0b0111:  LLR
 0b1000:  RLR
 0b1001:  LR -> (7, 8)
 0b1010:  LRR
 0b1011:  RRR
 0b1100:  RR -> (10, 11)
 0b1101:  R -> (7, 8, 9, 10, 11, 12)
 0b1110:  seed -> (0,..,13)

(Running the code translated into python gives those results too)

I don't the code is quite right either (though I may have translated
something wrong); eg if I try calling:

  descend(6, 13, 2, R(seed))

I get

  L(L(R(seed)))

instead of an error (since the right answer would be L(seed), which
can't be derived from R(seed)).

Personally, I think both this and shachain have the indexing backwards;
I think i=0 should match the seed, and the first hash transmitted across
the wire should be i=2^64-1, then counting down from there. This matches
the numbering used in https://en.wikipedia.org/wiki/Hash_chain fwiw.

With shachain, that gives the nice property that the only parameter
you need is the seed, you can work out the hash for any given index
directly from that, up to any arbitrary index, until you run out of
integer precision, or bits of security in your hash function.

With elkrem you can build an arbitrarily deep tree given a seed at the
conceptual level without any further parameters, but when you start
mapping that to indexes you need to know the desired height first.
This is, in essence, because L(seed) (eg) gets sent at different places
depending on the "height"; with a height of 1 it's the first value (or
third from last), with a height of 2 it's the third value (or fifth
from last), with a height of 3 it's the seventh value (or ninth from
last), etc.

Probably doesn't really matter, but I think it leads me to prefer Rusty's
construction. Might be good to have an explanation with it diagrammed
as an n-way tree structure though, in a similar way to how you visualise
the elkrem tree...

> - R value vs keypair
>   - Using a simple secret "redeemhash" allows easy tracing of
>     transactions through the network.
>   - Mats Jeratsch proposed a keypair scheme which decorrelates them[3],
>     Greg Maxwell optimized it slightly, and Anthony Towns[4] and Andrew
>     Poelstra independently came up with a way to do it without any
>     bitcoin mods.

FWIW I think this should still be considered an R&D idea rather than
trying to release it in v1.0.

> - Multi-sig txs
>   - Joseph pointed out that by simply allowing more than one signature on
>     commit txs[5], we can enable escrow-style services (including things
>     like GreenAddress.it which does this for normal wallets).

It's "more than one hash" not more than one /signature/, isn't it? (The
proposal was also to support 2-of-3 hashes, slightly more complicated
than just multiple hashes)

Cheers,
aj

More information about the Lightning-dev mailing list