Question about "the right partial sig" in multi-hop-locks.md
Thank you for the thorough description of PTLCs in https://github.com/BlockstreamResearch/scriptless-scripts/blob/master/md/multi-hop-locks.md.
My question is whether the multi-hop lock scheme would still work as intended if the partial signatures of the right sides psig(j,m,T) weren't tweaked with the adaptor, but only the left sides' partial signatures were required to be offset by t to form a valid signature, e.g. sig = psig(i,m,T) + psig(j,m) + t?
I'm not sure if I fully understand your problem. psig(j,m) does not look right because j must take T into account when signing.
Thanks for your response. Looking at the example txB below, I am not clear on why B sends their partial signature with an adaptor like (s_b, R_b+T). Couldn't they omit the adaptor in their signature?
If B sends psig (s_b, R_b) and A responds with psig (s_a, R_a+T) then couldn't B complete the sig for txB upon learning t?
I hope this makes sense and I really appreciate your time.
Thanks for the clarification. If I understand correctly, we need to look more in depth into the equations. If B sends (s_b, R_b) and A responds with (s_a, R_a+T), then we have (roughly)
s_aG = R_a + c*X
s_bG = R_b + c'*X
where X = keyagg(A, B)
c = hash(R_a + R_b + T, ...)
c' = hash(R_a + R_b, ...)
Hence, c != c' and we can't just add up the s_a, s_b and t to produce a complete Schnorr signature.
I hope that helps.
Thank you, that helps with my understanding. I forgot that the adaptor is also part of the hash to be signed, which I believe is to prevent forging signatures for related private keys...
Last question: That means that if the adaptor weren't part of the hash, then B could only send (s_b, R_b) in order to create a valid sig with (s_a, R_a+T) and t, is that correct?
I don't think so.
Let s = s_a + s_b
R = R_a + R_b
s*G = R + T + hash(R, ...)*X
which means that (s,R) is not a valid Schnorr signature (due to the additional T).
There's a variant of adaptor signatures where the "adaptor is not part of the hash": A sends (s_a' = s_a+t, R_a). Then from a valid signature (s, R_a + R_b) it is possible to compute t.
s*G = (R_a + R_b) + hash(R_a + R_b, ...)X
=>
s_a' + s_b - s = t
I tried this version in an initial writeup of the multi-hop scheme, but switched away from it for reasons I don't remember anymore.
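An added worked example (not code from the scriptless-scripts repository) that runs the equations from the two replies above on secp256k1: the case where both partial signatures hash R_a+R_b+T, the mismatched-challenge case (c != c'), and the variant where A sends s_a' = s_a + t so that the completed signature reveals t. It assumes a plain key sum instead of MuSig key aggregation and a SHA256 challenge over (R, X, m); the secret values are constructed for the demo.

```python
import hashlib
P = 2**256 - 2**32 - 977  # secp256k1 field prime; minimal affine arithmetic, enough to run the equations
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):  # point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def challenge(R, X, m):  # c = hash(R, X, m) mod N; R is whatever nonce point the signers agree to hash
    return int.from_bytes(hashlib.sha256(b"".join(v.to_bytes(32, "big") for v in R + X) + m).digest(), "big") % N

def verify(s, R, X, m):  # Schnorr check s*G == R + c*X
    return mul(s, G) == add(R, mul(challenge(R, X, m), X))

# constructed toy secrets: signer keys x_a, x_b; nonces k_a, k_b; adaptor secret t
x_a, x_b, k_a, k_b, t = 1234, 5678, 910, 1112, 1314
X = add(mul(x_a, G), mul(x_b, G))  # plain key sum; real MuSig key aggregation is omitted (simplification)
R_a, R_b, T = mul(k_a, G), mul(k_b, G), mul(t, G)
R, m = add(R_a, R_b), b"txB"

def adaptor_in_hash():  # both partials hash R_a+R_b+T, so (s_a+s_b+t, R_a+R_b+T) verifies
    c = challenge(add(R, T), X, m)
    s_a, s_b = (k_a + c * x_a) % N, (k_b + c * x_b) % N
    return verify((s_a + s_b + t) % N, add(R, T), X, m)

def mixed_challenges():  # B hashes R_a+R_b while A hashes R_a+R_b+T: c != c', the sum does not verify
    c, c2 = challenge(add(R, T), X, m), challenge(R, X, m)
    s_a, s_b = (k_a + c * x_a) % N, (k_b + c2 * x_b) % N
    return verify((s_a + s_b + t) % N, add(R, T), X, m)

def adaptor_not_in_hash():  # variant: A sends s_a' = s_a + t with plain R_a; the published sig reveals t
    c = challenge(R, X, m)
    s_a, s_b = (k_a + c * x_a) % N, (k_b + c * x_b) % N
    s = (s_a + s_b) % N                   # the valid signature (s, R_a+R_b) once it is published
    return ((s_a + t) % N + s_b - s) % N  # s_a' + s_b - s, which recovers t
```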
I can follow the second example, great!
For my prior example, I want to make sure you saw the "and t". In the example I meant that (s_a+s_b+t, R_a+R_b+T) should be a valid sig. Thanks for your effort again!
In the example I meant that (s_a+s_b+t, R_a+R_b+T) should be a valid sig.
Yes, that'd be a valid sig. But you mentioned that T wouldn't be input to the hash, which would then result in the equation I wrote in my reply.
Excuse me for being vague and inaccurate; by "T" missing from the hash I actually meant "R and T" missing from the hash. So I was talking about a scenario where only the message m is hashed.
If R is missing from the hash it's not a Schnorr signature either. If your public key is Y, I can choose a random s and then set
R = - s*G + hash(m)*Y
which would be a valid signature (if R wasn't hashed).
It is all clear now, thank you.