The sender could treat the preimage as a private key, derive its public key, tweak the recipient's public key with it, and use the tweaked public key as the keypath. Then the recipient can spend the money once they learn the preimage without using branch 1. Just add the privkey to their "real" privkey to derive the privkey of the tweaked public key.


Discussion

Yeah, I think so. I think that ticks all the boxes.

This is like the payjoin equivalent for onchain/offchain swaps.

It's unfortunate that LN nodes in route could correlate it, right? But that's still a lot better than status quo onchain/offchain swaps (from what I vaguely remember of submarine swaps as used today, which isn't much).

> It's unfortunate that LN nodes in route could correlate it, right?

They get to learn the preimage, and can derive its pubkey, subtract it from every pubkey that spent money recently, and check if the result is a pubkey they know. I think you can fix this by tweaking it twice, and sending your recipient one of the tweaks with your invoice. That way, routing nodes can only untweak one step, which isn't good enough. They would need to learn *both* tweaks to identify the recipient's "real" pubkey.

Yes, I think so. Good call.