Re: [bitcoin-dev] Storm: escrowed storage and messaging at L2/L3

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: ZmnSCPxj <ZmnSCPxj@protonmail•com>
To: Dr Maxim Orlovsky <orlovsky@protonmail•com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Storm: escrowed storage and messaging at L2/L3
Date: Wed, 21 Aug 2019 12:48:16 +0000	[thread overview]
Message-ID: <-88WqEQyIbOd9y51ewaYLJwIbxCxCUQZKPD7zd3KhaCVw8Tknts8zKLmqGRZBJBQzGYbUVLgW4RZny6eQu-rGof5yImn7MLEKsNi5T0GOnI=@protonmail.com> (raw)
In-Reply-To: <gzj3nFgqW8Tc2eV8WQRGrC6GYyAGEJiVLgG7KA5tmosZ5NJpz3k4cIgBH9KszySwe3pcQMtit_-hOb6JZzPjH5p4Mi9-xqyWCT6p8leSU8Q=@protonmail.com>

Good morning Maxim,

> > <...>
> > It might be that you imply this in your step 1 for Alice validation of the probabilistically checkable proof though it may be better clarified that Alice has to keep the Merkle Tree root for the original data it originally requested:
> >
> > > With these data, Alice will be able to check with this zero-knowledge argument by:
> > >
> > > 1.  Checking Merkle tree paths leading to the chunks and resulting Merkle tree root hash to correspond to them
>
> Correct, I forgot to put this step into the description, will fix, sorry for that. Indeed, Alice needs to take a "shot" from the data in a form of Merkle tree and keep its root for herself

Thank you for the clarification, indeed it is better to explicit this step.

> > If there exists some asymmetric encryption using EC (I know of no such, but that is only due to my ignorance), where the decryption key is a scalar and the encryption key is the scalar times the generator then it would be possible to use 2p-ECDSA / Schnorr Scriptless Script to atomically pay for knowledge of the scalar / decryption key, while knowing the encryption key.
> > Instead of a hash of the decryption key, Bob sends the encryption key during setup and Alice and Bob use that in the pointlocked timelocked contract under Scriptless Script.
>
> A very elegant solution, thank you! Yes, seems one can encrypt/decrypt with EC:https://developer.ibm.com/swift/2019/03/04/blueecc-elliptic-curve-cryptography/ and this should work. I will include your solution to the proposal.
>
> It also might be possible to implement your solution with threshold ECDSA signatures, that will enable Storm before Schorr's will get to Bitcoin. I am not very good in understanding them yet, but it seems that multiparty ECDSA (or threshold ECDSA, t-ECDSA) unlock many of Schnorr’s signature features and benefits.
> One may check https://github.com/KZen-networks/multi-party-ecdsa and papers

I did mention 2p-ECDSA, which the last time I checked, was the "best" available multiparty ECDSA.
I have not checked in detail the relative security details of 2p-ECDSA compared to the various multiparty ECDSAs.

In this particular case this is only between two parties, thus 2p-ECDSA should be sufficient.

https://eprint.iacr.org/2011/494.pdf
https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-April/001221.html

I have not checked your links and it is possible we are referring to the exact same thing, or your t-ECDSA is a strict improvement over 2p-ECDSA.

> You are right, my solution is limited to a single LN channels, i.e. there must be a direct dually-funded channel between Alice and Bob (and we don't have dually-funded channels as a part of current LN BOLT's). I will add this disclaimer to the spec.

Strictly speaking, dual-funding is completely and totally unnecessary.
As submarine swaps / off-to-onchain swaps are already possible, a simple ritual like the below can emulate dual-funding (at the cost that one side must own the total they agree on onchain):

1.  Alice and Bob agree to each put 10mBTC each to form 20mBTC channel.
2.  Alice happens to have 20mBTC onchain in her pocket, while Bob has 10mBTC.
3.  Bob puts his 10mBTC into an onchain 10mBTC HTLC with locktime 2*L paying to Bob, hashlock paying to Alice (with a preimage known only by Bob).
4.  Alice sets up the 20mBTC channel using her 20mBTC onchain.
5.  After the channel funding tx is deeply confirmed, Alice forwards a 10mBTC HTLC over that channel with locktime L paying to Alice, hashlock paying to Bob (with the same hash as the above).
6.  Bob claims the payment offchain.
7.  Alice can now claim the onchain payment.
8.  Alice and Bob now have a perfectly balanced channel (as all channels should be), while Alice is now in possession of an extra 10mBTC onchain.
    So Alice has 10mBTC offchain, 10mBTC onchain, while Bob has 10mBTC offchain on the same channel.

Dual-funding simply makes the above *much* more efficient, but is not strictly necessary in a world where atomic cross-system swaps are already possible.
From this point of view, every distinct channel is a unique cryptocurrency system, and if atomic cross-system swaps are possible at all, it is immaterial if one system is a blockchain and the other is a payment channel, etc.

You may also be interested in Fulgurite.
This is a project to "split" a channel into Lightning part and DLC (discreet log contract) part.
The reason for splitting is because LN is expected to have much more state updates than DLC (you forward payments all the time, but set up only a few DLCs with direct counterparties).
DLCs require a lot of signatures if they are reanchored to a new state update transaction, so splitting the channel into an LN part with many updates and a DLC part with few updates is sensible to reduce processing and bandwidth.
Similar reasoning may hold for Storm.

Regards,
ZmnSCPxj

next prev parent reply	other threads:[~2019-08-21 12:48 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-19 22:08 Dr Maxim Orlovsky
2019-08-21  4:14 ` ZmnSCPxj
2019-08-21  7:32   ` ZmnSCPxj
2019-08-21  9:33     ` Stefan Richter
2019-08-21 17:04     ` Dr Maxim Orlovsky
2019-08-21 10:51   ` Dr Maxim Orlovsky
2019-08-21 12:48     ` ZmnSCPxj [this message]
     [not found]   ` <A733B8A1-2E88-47F4-A6CF-C56C84E8FF9A@pandoracore.com>
2019-08-21 12:12     ` ZmnSCPxj

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='-88WqEQyIbOd9y51ewaYLJwIbxCxCUQZKPD7zd3KhaCVw8Tknts8zKLmqGRZBJBQzGYbUVLgW4RZny6eQu-rGof5yImn7MLEKsNi5T0GOnI=@protonmail.com' \
    --to=zmnscpxj@protonmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=orlovsky@protonmail$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox