search

mit-dci / lit

Lightning Network node software
MIT License
551 stars 119 forks source link

Shorter (vanity) addresses for lit #264

Open gertjaap opened 6 years ago

gertjaap commented 6 years ago

Goal: create shorter vanity addresses for ID’s of LN’s, channels, users, etc.

Original process for generating an address:

  1. generate public key (33 bytes) from private key (32 bytes)
    • private key * G → public key
    • hash the public key
    • h(pub) → 20 bytes
    • wallit/keyderiv.go PathPubHash160
  2. encode public key hash into address using bech32, a checksummed format
    • enc(pub) → string
    • litrpc/walletcmds.go Address
    • alternative formats: base64, base58

To generate a shorter vanity address:

  1. generate public key (33 bytes) from private key (32 bytes)
    • private key * G → public key
    • hash the public key and a nonce (20 bytes)
    • h(pub, nonce) → <20 bytes
  2. iterate to find nonce that yields a public key hash with more leading zeroes (and thus a shorter hash)
    • faster to do more work in this step than step 1 to yield a shorter public key hash
    • use revision of wallit/keyderiv.go PathPubHash160 that includes nonce
  3. encode public key hash into address using bech32, a checksummed format
    • enc(pub, nonce) → string (shorter)
    • use revision of litrpc/walletcmds.go Address
    • alternative formats: base64, base58

To verify an address:

  1. decode the address (string)
    • dec(address) → hash
  2. verify
    • verify(pub, nonce, hash) → bool

Notes:

the normal attack is to keep trying to find a key until it matches the victim’s address.  If the address is 160 bits long, this will take about 2160 attempts.  Take a shorter address, which is down to say 100 bits long.  Yes, the attacker only needs to make 2100 attempts to match this address.  But each *attempt* now takes 260 work, so it’s the same amount of work to break as before.  In the extreme case, say the user did 2152 work on their address (not possible) and their address was just two letters long.  The attacker would only have to try 256 different letters… but to get that far, for each letter they tried they’d have to replicate the 2152 work the honest user did.
the addresses are not actually shorter. the string of characters that make the address up is as such that the leading characters are implied to be zero (or blank). e.g. an address with 40 characters "xcupwowevcnpowegjww280357u84932509423902" [40 characters] can be hashed until it looks like "000000000cnpowegjww280357u84932509423902" [still 40 characters]. The next step is just to show it to the user "cnpowegjww280357u84932509423902" [31 characters] although the address that LIT uses when internally is still "000000000cnpowegjww280357u84932509423902"
exponentially more difficult to shorten address
user can request to shorten address
can outsource work to find nonce that yields a shorter public key hash

Work to be done:

Varunram commented 6 years ago

forgot to link the PR. PR: #320