## How to make a homomorphic preimage/payment hash with current lightning network / Bitcoin implementations?

2

If I remember / understand it correctly by using the mechanisms from the scriptless scripts paper we could easily create homomorphic preimages / paymenthashes.

I think this would be a very desirable property (in combination with shamir secret sharing) for example to create trustless escrow services (and not only for payment decolleration)

As far as I understand SHA-256 - which is currently used for payment hashes - is not homomorphic. In fact it is not even supposed to be homomorphic.

Does anyone see any way to gain the onchain enforcable homomorphic property with the current setup / protocol for htlcs and Bitcoin script without the necessity to change to 2party ecdsa magic / scriptless scripts or schnorr?

I fear the answer would be it is impossible but I thought I would ask since I am still a beginner with low level cryptography.

Those would obviously be additative since going from the group order to the group element is obviously a homemorphism so that we have (r1 + r2)*G = r1*G + r2*G where ri = preimage or secret_scalar and ri*G1 = payment_point