Skip to content

Commit 11ab798

Browse files
authored
Merge pull request #6 from jonasnick/musig-roundtrips
Mention how to deal with MuSig rounds in multi-hop locks
2 parents 94a4e2f + 89ed4c9 commit 11ab798

File tree

3 files changed

+16
-10
lines changed

3 files changed

+16
-10
lines changed

md/images/multi-hop-locks.png

8.29 KB
Loading

md/images/multi-hop-locks.txt

+8-8
Original file line numberDiff line numberDiff line change
@@ -22,14 +22,14 @@ participant Dave
2222

2323
== Update ==
2424

25-
Alice->Bob : add 2-of-2 MuSig(A,B) output with timelocked refund to A
26-
Bob->Alice : txB, psig(B,txB,(z+y0)*G)
27-
Alice->Bob : psig(A,txB,(z+y0)*G)
28-
Bob->Carol : add 2-of-2 MuSig(B,C) output with timelocked refund to B
29-
Carol->Bob : txC, psig(C,txC,(z+y0+y1)*G)
30-
Bob->Carol : psig(B,txC,(z+y0+y1)*G)
31-
Carol->Dave : add 2-of-2 MuSig(C,D) output with timelocked refund to C
32-
Dave->Carol : txD, psig(D,txD,(z+y0+y1+y2)*G)
25+
Alice->Bob : add 2-of-2 MuSig(A,B) output with timelocked refund to A,\ncreate txB spending this to B, nonce(A,txB)
26+
Bob->Alice : nonce(B,txB), psig(B,txB,(z+y0)*G)
27+
Alice->Bob : psig(A,txB,(z+y0)*G)
28+
Bob->Carol : add 2-of-2 MuSig(B,C) output with timelocked refund to B,\ncreate txC spending this to C, nonce(B,txC)
29+
Carol->Bob : nonce(C,txC), psig(C,txC,(z+y0+y1)*G)
30+
Bob->Carol : psig(B,txC,(z+y0+y1)*G)
31+
Carol->Dave : add 2-of-2 MuSig(C,D) output with timelocked refund to C,\ncreate txD spending this to D, nonce(C,txD)
32+
Dave->Carol : nonce(D,txD), psig(D,txD,(z+y0+y1+y2)*G)
3333
Carol->Dave : psig(C,txD,(z+y0+y1+y2)*G)
3434

3535
== Settlement ==

md/multi-hop-locks.md

+8-2
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,8 @@ In addition, scriptless script multi-hop locks enable improved proof of payment
1414

1515
Notation
1616
---
17-
- `psig(i,m,T) := ki + H(R+T,m)*xi` is a partial 2-of-2 MuSig from user `i` for `m` with combined nonce `R` (note that `R` has nothing to do with the right lock `R` defined below and we won't use `R` to mean the nonce again).
17+
- `nonce(i, m)` is the public nonce of user `i` for a MuSig signature on `m` (note that we don't call nonces `R` here to avoid confusion with the right lock `R`).
18+
- `psig(i,m,T) := ki + H(nonce(i,m)+nonce(j,m)+T,m)*xi` is a partial 2-of-2 MuSig from user `i` with user `j` for `m`.
1819
- `adaptor_sig(i,m,T) := psig(i,m,t*G) + t`
1920
- `sig(m,T) = psig(i,m,T) + adaptor_sig(j,m,T)` is the completed 2-of-2 MuSig from user i and j. It can be computed from a partial signature and an adaptor signature.
2021

@@ -41,7 +42,12 @@ But otherwise scriptless script HTLCs are plain 2-of-2 MuSig outputs and the has
4142
For demonstration purposes we assume [eltoo](https://blockstream.com/eltoo.pdf)-style channels which means that both parties have symmetric state and there's no need for revocation.
4243

4344
If the payment does not time out, the coins in the scriptless script HTLC output shared by two adjacent hops will be spent by the right hop.
44-
Therefore, the right hop `j` prepares a transaction `txj` spending the HTLC and partially signs it as `psig(j,txj,Lj)` which is similar to a regular partial signature except that its left lock `Lj` is added to the combined signature nonce.
45+
Therefore, the left hop `i` creates a transaction `txj` that spends the HTLC and sends to coins to an output that the right hop `j` controls.
46+
Because the left hop is now aware of the message (i.e. the transaction digest of `txj`) it is going to sign, its public signature nonce can be sent to the right hop.
47+
Nonce commitments have been exchanged earlier whenever convenient for both nodes such that the nonce commitment roundtrips are not on the critical path of the payment.
48+
49+
Upon receiving notice of the new HTLC and the left hops public nonce, the right hop `j` creates transaction `txj` as well, combines both nonces and partially signs `txj` as `psig(j,txj,Lj)`.
50+
This is similar to a regular partial signature except that its left lock `Lj` is added to the combined signature nonce.
4551
The left hop verifies the partial signature and sends its own partial signature for `txj` to the right hop in the following two cases:
4652

4753
- the left hop is the payer

0 commit comments

Comments
 (0)