4

If I remember / understand it correctly by using the mechanisms from the scriptless scripts paper we could easily create homomorphic preimages / paymenthashes.

I think this would be a very desirable property (in combination with shamir secret sharing) for example to create trustless escrow services (and not only for payment decolleration)

As far as I understand SHA-256 - which is currently used for payment hashes - is not homomorphic. In fact it is not even supposed to be homomorphic.

Does anyone see any way to gain the onchain enforcable homomorphic property with the current setup / protocol for htlcs and Bitcoin script without the necessity to change to 2party ecdsa magic / scriptless scripts or schnorr?

I fear the answer would be it is impossible but I thought I would ask since I am still a beginner with low level cryptography.

Rene Pickhardt
  • 11,670
  • 8
  • 35

2 Answers2

2

with the current system, it seems impossible to do so. The most probable protocol change/update will be after activating BIP Schnorr, when we have the chance to move away from payment_hash/preimage and can go to payment_point/secret_scalar.

Once we achieved this htlc's can be exchanged by adoptor signatures as described in this tutorial.

Those would obviously be additative since going from the group order to the group element is obviously a homemorphism so that we have (r1 + r2)*G = r1*G + r2*G where ri = preimage or secret_scalar and ri*G1 = payment_point

vincenzopalazzo
  • 1,303
  • 1
  • 8
  • 26
Rene Pickhardt
  • 11,670
  • 8
  • 35
0

Not specific to bitcoin, but IBM released a homomorphic encryption toolkit in June 2020.

Mylo Mylo
  • 136
  • 2