fixed the multi-hop-locks graphic which seemed to have an "off by one" error in the setup phase

[renepickhardt]

I think there was an off by one error in the png file of the multi-hop-lock folder. I guess that is why the last triplet which was send to Dave also contained ... as stuff did not end up but the concept seemed clear. Hope I did not break it as I am still fighting a little bit with the notation of the entire document and I am not able to reproduce the entire multihop workflow yet.

fyi @jonasnick

[jonasnick]

Thanks for the suggestion, but that's not correct because z is Alice's proof of payment as mentioned in the document. The ... for Dave should be removed indeed. Tuple notation with () is unnecessary makes it harder to read.

[renepickhardt]

I don't get the first part of your statement about z is Alices proof of payment. This is also how I understood it. But isn't the idea that Alice has to learn z with the following updates / settlements which contain all that data?

Why would Alice send the triplet (zG,y0,(z+y0)G) to herself? and why sending even stuff with y1 over to Bob? In that case I don't understand what Dave will get? There is no y3 in the construction. Also how otherwise would Dave during the first settlement step be able to create / compute
adaptor_sig(D,txD, (z+y0+y1+y2)G)(for which it seems in the picture there is going from secrete to public key is missing) if Dave is never being told the "adoptor secret" z+y0+y1+y2? (or even psig(D,txD,(z+y0+y1+y2)G)in the last handshake of the update phase?)

[jonasnick]

Why would Alice send the triplet (zG,y0,(z+y0)G) to herself?

She doesn't send herself anything, she just set up locks. The proof of payment can be thought of as an additional pair of locks she sets up for herself. y0 is necessary to prevent Bob from also learning z. There should be a note about that.

and why sending even stuff with y1 over to Bob?

I don't understand. Can you clarify that?

In that case I don't understand what Dave will get?

Dave gets y0 + y1 + y2 from Alice.

Dave is never being told the "adoptor secret" z+y0+y1+y2?

Dave knows z because he has generated in the very first step, before giving z*G to Alice. He can therefore compute the adaptor secret.

[renepickhardt]

please review again. I have fixed my previous mistake but I have removed the ... from the setup phase and fixed the arguments of the adaptor_siganture calls in the settlement phase.

[jonasnick]

ACK fbcb5a7

[jonasnick]

Could you rebase please?

[renepickhardt]

I wonder why github still shows the conflict. I guess it is just with those binary files. but I did a "manual" rebase

[jonasnick]

Looks like there's something wrong with your rebase. Your PR now contains 6 commits; ideally it would be only one as before.

[renepickhardt]

one commit even though still not rebased. here you go.

[jonasnick]

Hm, looks like this PR was indeed successfully rebased with the image having the changes from master. Merging.