Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 95DCFC0032 for ; Mon, 18 Sep 2023 00:12:55 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 5A51060EF9 for ; Mon, 18 Sep 2023 00:12:55 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 5A51060EF9 X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -0.902 X-Spam-Level: X-Spam-Status: No, score=-0.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, BITCOIN_OBFU_SUBJ=1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6yX70nG66Hsg for ; Mon, 18 Sep 2023 00:12:54 +0000 (UTC) Received: from smtpauth.rollernet.us (smtpauth.rollernet.us [IPv6:2607:fe70:0:3::d]) by smtp3.osuosl.org (Postfix) with ESMTPS id 835E560EF6 for ; Mon, 18 Sep 2023 00:12:54 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 835E560EF6 Received: from smtpauth.rollernet.us (localhost [127.0.0.1]) by smtpauth.rollernet.us (Postfix) with ESMTP id C87992800043; Sun, 17 Sep 2023 17:12:50 -0700 (PDT) Received: from [127.0.0.1] (unknown [173.197.107.5]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by smtpauth.rollernet.us (Postfix) with ESMTPSA; Sun, 17 Sep 2023 17:12:49 -0700 (PDT) Date: Sun, 17 Sep 2023 14:12:45 -1000 From: "David A. Harding" To: ZmnSCPxj , Bitcoin Protocol Discussion User-Agent: K-9 Mail for Android In-Reply-To: <3G-PTmIOM96I32Sh_uJQqQlv8pf81bEbIvH9GNphyj0429Pan9dQEOez69bgrDzJunXaC9d2O5HWPmBQfQojo67mKQd7TOAljBFL3pI2Dbo=@protonmail.com> References: <3G-PTmIOM96I32Sh_uJQqQlv8pf81bEbIvH9GNphyj0429Pan9dQEOez69bgrDzJunXaC9d2O5HWPmBQfQojo67mKQd7TOAljBFL3pI2Dbo=@protonmail.com> Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Rollernet-Abuse: Contact abuse@rollernet.us to report. Abuse policy: http://www.rollernet.us/policy X-Rollernet-Submit: Submit ID 488e.65079601.aa646.0 Subject: Re: [bitcoin-dev] Actuarial System To Reduce Interactivity In N-of-N (N > 2) Multiparticipant Offchain Mechanisms X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Sep 2023 00:12:55 -0000 On September 8, 2023 3:27:38 PM HST, ZmnSCPxj via bitcoin-dev wrote: >Now, suppose that participant A wants B to be assured that >A will not double-spend the transaction=2E >Then A solicits a single-spend signature from the actuary, >getting a signature M: > > current state +--------+----------------+ > ---------+-------------+ | | (M||CSV) && A2 | > |(M||CSV) && A| ----> | M,A +----------------+ > +-------------+ | | (M||CSV) && B2 | > |(M||CSV) && B| +--------+----------------+ > +-------------+ > |(M||CSV) && C| > ---------+-------------+ > >The above is now a confirmed transaction=2E Good morning, ZmnSCPxj=2E What happens if A and M are both members of a group of thieves that contro= l a moderate amount of hash rate? Can A provide the "confirmed transaction= " containing M's sign-only-once signature to B and then, sometime[1] before= the CSV expiry, generate a block that contains A's and M's signature over = a different transaction that does not pay B? Either the same transaction o= r a different transaction in the block also spends M's fidelity bond to a n= ew address exclusively controlled by M, preventing it from being spent by a= nother party unless they reorg the block chain=2E If the CSV is a significant amount of time in the future, as we would prob= ably want it to be for efficiency, then the thieving group A and M are part= of would not need to control a large amount of hash rate to have a high pr= obability of being successful (and, if they were unsuccessful at the attemp= ted theft, they might not even lose anything and their theft attempt would = be invisible to anyone outside of their group)=2E If A is able to double spend back to herself funds that were previously in= tended to B, and if cut through transactions were created where B allocated= those same funds to C, I think that the double spend invalidates the cut-t= hrough even if APO is used, so I think the entire mechanism collapses into = reputational trust in M similar to the historic GreenAddress=2Eit co-signin= g mechanim=2E Thanks, -Dave [1] Including in the past, via a Finney attack or an extended Finney attac= k supported by selfish mining=2E =20