[Lightning-dev] DRAFT: interactive tx construction protocol

ZmnSCPxj ZmnSCPxj at protonmail.com
Fri Jan 31 23:56:46 UTC 2020


Good morning darosior,

> Hi ZmnSCPxj,
>
> Using joinmarket's PoDLEs is a great idea, and it seems preferable to using a transaction chain with a distinguishable SIGHASH.
>
> Just a naive question: what is described in https://gist.github.com/AdamISZ/9cbba5e9408d23813ca8#defence-2-committing-to-a-utxo-in-publicplaintext-at-the-start-of-the-handshake and https://joinmarket.me/blog/blog/poodle/ uses a Schnorr signature. Can we use this protocol with ECDSA?

I cannot really grok the exact mathematics of ECDSA, and the signing scheme for PoDLE is not *exactly* Schnorr but certainly uses the same schema.

It looks to me that the DLEQ proof is based on Fiat-Shamir (as Schnorr signing is), though you might do better with an answer from an actual cryptographer.

In any case it is not used onchain anyway, and it is not going to be exactly the same as normal ECDSA signing so code reuse is still unlikely.


> I'm now thinking about how this could be integrated into niftynei's work on the dual-funded channel proposal. The PoDLE broadcast protocol seems to be the bigger part.
>
> Imagining the size of the monster PR if PoDLEs ever get integrated

Another wrinkle is that PoDLE needs to be exchanged if the acceptor wants to add its own funds.
If the opener offers to open a channel but the acceptor is not interested in revealing its own funds, then the opener need not reveal PoDLE of its UTXOs.

It seems to me that individual PoDLEs are small enough (32 bytes, `h(P2)` is all you need for the commitment, the signature-like thing is part of the opening, if my understanding is correct) that a simple gossip protocol might work.


Regards,
ZmnSCPxj
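
The commit/open flow discussed in this message, as an added example that is not part of the original post or of JoinMarket's code: the 32-byte commitment is `h(P2)`, and the opening carries the Fiat-Shamir DLEQ proof that `P` and `P2` share one private key. The second generator `J`, the hash inputs and all function names are assumptions made here; the arithmetic is pure Python and not constant time.

```python
import hashlib, secrets

# secp256k1 field prime, group order and generator G
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else: m = (b[1] - a[1]) * pow(b[0] - a[0], -1, P)
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def neg(pt): return pt and (pt[0], -pt[1] % P)
def ser(pt): return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")
def H(*parts): return hashlib.sha256(b"".join(parts)).digest()
def challenge(KG, KJ, P1, P2):  # Fiat-Shamir challenge e
    return int.from_bytes(H(ser(KG), ser(KJ), ser(P1), ser(P2)), "big") % N

def nums(label):  # constructed try-and-increment generator with unknown dlog
    for i in range(256):
        x = int.from_bytes(H(label, bytes([i])), "big") % P
        y = pow(x**3 + 7, (P + 1) // 4, P)
        if y * y % P == (x**3 + 7) % P: return (x, y)

J = nums(b"constructed-example-J")  # assumption: not JoinMarket's J

def commit_and_open(k):  # k is the private key of the UTXO being committed
    P1, P2, r = mul(k, G), mul(k, J), secrets.randbelow(N - 1) + 1
    e = challenge(mul(r, G), mul(r, J), P1, P2)
    return H(ser(P2)), (P1, P2, (r + e * k) % N, e)  # 32-byte commitment, opening

def verify(commitment, opening):  # assumes P1, P2 were already checked on-curve
    P1, P2, s, e = opening
    KG, KJ = add(mul(s, G), neg(mul(e, P1))), add(mul(s, J), neg(mul(e, P2)))
    if KG is None or KJ is None: return False
    return commitment == H(ser(P2)) and e == challenge(KG, KJ, P1, P2)
```
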

