Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 0539EC002D for ; Tue, 18 Oct 2022 18:19:03 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id B72C841A10 for ; Tue, 18 Oct 2022 18:19:03 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org B72C841A10 Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=H3ua+JS3 X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.838 X-Spam-Level: X-Spam-Status: No, score=-1.838 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wj9PzGnvRi4T for ; Tue, 18 Oct 2022 18:18:59 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 61FDF41A0F Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) by smtp4.osuosl.org (Postfix) with ESMTPS id 61FDF41A0F for ; Tue, 18 Oct 2022 18:18:59 +0000 (UTC) Received: by mail-ej1-x62d.google.com with SMTP id fy4so34302461ejc.5 for ; Tue, 18 Oct 2022 11:18:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=07+MBtTQEAdQDrF2nAl5rTYP7PINi+gt3hiNwV6HXGw=; b=H3ua+JS3+9RRy3ExRy6nq9kAfuIKxDh9k1vsrNyIo7TzWRXtlWCnGecDXgyWV+hPGv JJZ5DVwTd2FxncJVk75N6VIM7NPmb1KNHv8Y7u84nYMCEOXJF+IfvTupgyVZhJwYlxYy eOg2cbpx515qdGEtr7ak6P9furiRGrcUUGd+CQmyu0khGbeiAC0u1k6+XMve5Lv8AZXV 5klPECwI0k4l0EgbO8rVJqBur8LOh6ZuhfEhD4ab4Ex1yvPL9c0oPVjIWM06i/zLaxOe iNo0/FGaet4mbVGJ44G1Bv2pBtmzZwVCA4Rym53BE5Zlua0pTFOm/bgBHgA3qXFZUT9s PFoA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=07+MBtTQEAdQDrF2nAl5rTYP7PINi+gt3hiNwV6HXGw=; b=YRCwPFpvIpwQvAm4bjDr+We4jlienxXxJHT+dNgfDSYE93aRYS2bVEzEftYhyYhJNw vTF7r9b8srw+N9ZKz1cLyMYVxLda8iSjaMYjlU02w0IlYlQhrD/A01/N6i0D8QcFdbUV 5HRE13fF1YQt/568nZtPjUPfGboUzxCzM79sZSer1rSZtfgI0BLSntUIYszlmzymGChU uNuVw/CHp+Uug0wgvrFBnVzg39OvNQ+Ykmnh4My4nDUAni+zrdIYm2lLEIJjzonxTagK BJ4IhsEjjntF/5tn0ZEUGz9IPtZWvByP3lX/khd3Dll/G1YrnJ/M6oM8HE2EpiPMKVpN Bs8g== X-Gm-Message-State: ACrzQf1CtGxhrTecfN+5kbEpmkaQgmsJyuVWH2GZFk7DtDOnTckFR9jS n3DwXSdi6KC9W/IL8q2iBxpI/j00RbAK/lfpEcGkq+6w X-Google-Smtp-Source: AMsMyM6PfJt7renAsHLhDg9Q6g457mYByLVaMyvTzU8GLjpKL6L/4OWj0TJo10REWNyyvHTb2hVNUdfUvFS6hGFSpPE= X-Received: by 2002:a17:906:d550:b0:78d:a6d4:c18f with SMTP id cr16-20020a170906d55000b0078da6d4c18fmr3602142ejc.113.1666117137341; Tue, 18 Oct 2022 11:18:57 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Greg Sanders Date: Tue, 18 Oct 2022 14:18:45 -0400 Message-ID: To: Jeremy Rubin Content-Type: multipart/alternative; boundary="0000000000002022d905eb5320ab" Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Oct 2022 18:19:04 -0000 --0000000000002022d905eb5320ab Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable > (see https://rubin.io/public/pdfs/multi-txn-contracts.pdf "Intermediate UTXO") I think I remember you trying to explain this to me a long time ago. Thanks for the callback! > One question I have is if V3 is designed for lightning, and this is designed for lightning, is there any sense in requiring these outputs for v3? That might help with e.g. anonymity set, as well as potentially keep the v3 surface smaller. The fingerprinting angle is yet another thing to consider. There are definitely uses of V3 that do not require ephemeral anchors, and you can save a healthy amount of bytes not requiring them. I think in the cases where RBF of the parent is possible, at least. f.e., I think V3 alone makes splicing robust even in the presence of external inputs, since the commitment tx(s) can (package) RBF the splice at any point. V3 may have enough value-add by itself where the additional bytes and inability to opt out of "transaction sponsor" style bumps may be undesirable. Lastly this would tie deployments of these improvements together. Something to consider. Cheers, Greg On Tue, Oct 18, 2022 at 12:41 PM Jeremy Rubin wrote: > Excellent proposal and I agree it does capture much of the spirit of > sponsors w.r.t. how they might be used for V3 protocols. > > The only drawbacks I see is they don't work for lower tx version > contracts, so there's still something to be desired there, and that the > requirement to sweep the output must be incentive compatible for the mine= r, > or else they won't enforce it (pass the buck onto the future bitcoiners). > The Ephemeral UTXO concept can be a consensus rule (see > https://rubin.io/public/pdfs/multi-txn-contracts.pdf "Intermediate UTXO") > we add later on in lieu of managing them by incentive, so maybe it's a > cleanup one can punt. > > One question I have is if V3 is designed for lightning, and this is > designed for lightning, is there any sense in requiring these outputs for > v3? That might help with e.g. anonymity set, as well as potentially keep > the v3 surface smaller. > > On Tue, Oct 18, 2022 at 11:51 AM Greg Sanders via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > >> > does that effectively mark output B as unspendable once the child gets >> confirmed? >> >> Not at all. It's a normal spend like before, since the parent has been >> confirmed. It's completely unrestricted, not being bound to any >> V3/ephemeral anchor restrictions on size, version, etc. >> >> On Tue, Oct 18, 2022 at 11:47 AM Arik Sosman via bitcoin-dev < >> bitcoin-dev@lists.linuxfoundation.org> wrote: >> >>> Hi Greg, >>> >>> Thank you very much for sharing your proposal! >>> >>> I think there's one thing about the second part of your proposal that >>> I'm missing. Specifically, assuming the scenario of a v3 transaction wi= th >>> three outputs, A, B, and the ephemeral anchor OP_TRUE. If a child >>> transaction spends A and OP_TRUE, does that effectively mark output B a= s >>> unspendable once the child gets confirmed? If so, isn't the implication >>> therefore that to safely spend a transaction with an ephemeral anchor, = all >>> outputs must be spent? Thanks! >>> >>> Best, >>> Arik >>> >>> On Tue, Oct 18, 2022, at 6:52 AM, Greg Sanders via bitcoin-dev wrote: >>> >>> Hello Everyone, >>> >>> Following up on the "V3 Transaction" discussion here >>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/= 020937.html >>> , I would like to elaborate a bit further on some potential follow-on w= ork >>> that would make pinning severely constrained in many setups]. >>> >>> V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks unde= r >>> some constraints[0]. This means that when a replacement is to be made a= nd >>> propagated, it costs the expected amount of fees to do so. This is a gr= eat >>> start. What's left in this subset of pinning is *package limit* pinning= . In >>> other words, a fee-paying transaction cannot enter the mempool due to t= he >>> existing mempool package it is being added to already being too large i= n >>> count or vsize. >>> >>> Zooming into the V3 simplified scenario for sake of discussion, though >>> this problem exists in general today: >>> >>> V3 transactions restrict the package limit of a V3 package to one paren= t >>> and one child. If the parent transaction includes two outputs which can= be >>> immediately spent by separate parties, this allows one party to disallo= w a >>> spend from the other. In Gloria's proposal for ln-penalty, this is work= ed >>> around by reducing the number of anchors per commitment transaction to = 1, >>> and each version of the commitment transaction has a unique party's key= on >>> it. The honest participant can spend their version with their anchor an= d >>> package RBF the other commitment transaction safely. >>> >>> What if there's only one version of the commitment transaction, such as >>> in other protocols like duplex payment channels, eltoo? What about mult= i >>> party payments? >>> >>> In the package RBF proposal, if the parent transaction is identical to >>> an existing transaction in the mempool, the parent will be detected and >>> removed from the package proposal. You are then left with a single V3 c= hild >>> transaction, which is then proposed for entry into the mempool. In the = case >>> of another parent output already being spent, this is simply rejected, >>> regardless of feerate of the new child. >>> >>> I have two proposed solutions, of which I strongly prefer the latter: >>> >>> 1) Expand a carveout for "sibling eviction", where if the new child is >>> paying "enough" to bump spends from the same parent, it knocks its sibl= ing >>> out of the mempool and takes the one child slot. This would solve it, b= ut >>> is a new eviction paradigm that would need to be carefully worked throu= gh. >>> >>> 2) Ephemeral Anchors (my real policy-only proposal) >>> >>> Ephemeral Anchors is a term which means an output is watermarked as an >>> output that MUST be spent in a V3 package. We mark this anchor by being= the >>> bare script `OP_TRUE` and of course make these outputs standard to rela= y >>> and spend with empty witness data. >>> >>> Also as a simplifying assumption, we require the parent transaction wit= h >>> such an output to be 0-fee. This makes mempool reasoning simpler in cas= e >>> the child-spend is somehow evicted, guaranteeing the parent will be as = well. >>> >>> Implications: >>> >>> a) If the ephemeral anchor MUST be spent, we can allow *any* value, eve= n >>> dust, even 0, without worrying about bloating the utxo set. We relax th= is >>> policy for maximum smart contract flexibility and specification simplic= ity.. >>> >>> b) Since this anchor MUST be spent, any spending of other outputs in th= e >>> same parent transaction MUST directly double-spend prior spends of the >>> ephemeral anchor. This causes the 1 block CSV timelock on outputs to be >>> removed in these situations. This greatly magnifies composability of sm= art >>> contracts, as now we can do things like safely splice directly into new >>> channels, into statechains, your custodial wallet account, your cold >>> wallet, wherever, without requiring other wallets to support arbitrary >>> scripts. Also it hurts that 1 CSV time locked scripts may not be minisc= ript >>> compatible to begin with... >>> >>> c) *Anyone* can bump the transaction, without any transaction key >>> material. This is essentially achieving Jeremy's Transaction Sponsors ( >>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/= 018168.html) >>> proposal without consensus changes. As long as someone gets a fully sig= ned >>> parent, they can execute a bump with minimal wallet tooling. If a >>> transaction author doesn=E2=80=99t want a =E2=80=9Csponsor=E2=80=9D, do= not include the output. >>> >>> d) Lightning Carve-out( >>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/= 002240.html) >>> is superseded by this logic, as we are not restricted to two immediatel= y >>> spendable output scenarios. In its place, robust multi-party fee bumpin= g is >>> possible. >>> >>> e) This also benefits more traditional wallet scenarios, as change >>> outputs can no longer be pinned, and RBF/CPFP becomes robust. Payees in >>> simple spends cannot pin you. Batched payouts become a lot less painful= . >>> This was one of the motivating use cases that created the term =E2=80= =9Cpinning=E2=80=9D in >>> the first place( >>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/0= 15717.html), >>> even if LN/L2 discussion has largely overtaken it due to HTLC theft ris= ks. >>> >>> Open Question(s): >>> >>> >>> 1. >>> >>> If we allow non-zero value in ephemeral outputs, does this open up a >>> MEV we are worried about? Wallets should toss all the value directly= to >>> fees, and add their own additional fees on top, otherwise miners hav= e >>> incentive to make the smallest utxo burn transaction to claim those = funds. >>> They just confirmed your parent transaction anyways, so do we care? >>> 2. >>> >>> SIGHASH_GROUP like constructs would allow uncommitted ephemeral >>> anchors to be added at spend time, depending on spending requirement= s. >>> SIGHASH_SINGLE already allows this. >>> >>> >>> >>> >>> Hopefully this gives people something to consider as we move forward in >>> thinking about mempool design within the constraints we have today. >>> >>> >>> Greg >>> >>> 0: With V3 transactions where you have "veto power" over all the inputs >>> in that transaction. Therefore something like ANYONECANPAY is still bro= ken. >>> We need a more complex solution, which I=E2=80=99m punting for the sake= of progress. >>> _______________________________________________ >>> bitcoin-dev mailing list >>> bitcoin-dev@lists.linuxfoundation.org >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>> >>> >>> _______________________________________________ >>> bitcoin-dev mailing list >>> bitcoin-dev@lists.linuxfoundation.org >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>> >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists.linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > --0000000000002022d905eb5320ab Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
>=C2=A0(see=C2=A0https://rubin.io/public/pdfs/multi-txn-contracts.pdf= =C2=A0"Intermediate UTXO")

I think I = remember you trying to explain this to me a long time ago. Thanks for the c= allback!

>=C2=A0One question I have= is if V3 is designed for lightning, and this is designed for lightning, is= there any sense in requiring these outputs for v3? That might help with e.= g. anonymity set, as well as potentially keep the v3 surface smaller.

The fingerprinting angle is yet another thing t= o consider. There are definitely uses of V3 that do not require ephemeral a= nchors, and you can save a healthy amount of bytes not requiring them. I th= ink in the cases where RBF of the parent is possible, at least.

f.e., I think V3 alone makes splicing robust even = in the presence of external inputs, since the commitment tx(s) can (package= ) RBF the splice at any point. V3 may have enough value-add by itself where= the additional bytes and inability to opt out of "transaction sponsor= " style bumps may be undesirable.

Lastly this= would tie deployments of these improvements together. Something to conside= r.

Cheers,
Greg

On Tue, Oct 18, 202= 2 at 12:41 PM Jeremy Rubin <j@rubin.io> wrote:
Excellen= t proposal and I agree it does capture much of the spirit of sponsors w.r.t= . how they might be used for V3 protocols.

The only drawbacks I= see=C2=A0is they don't work for lower tx version contracts, so there&#= 39;s still something to be desired there, and that the requirement to sweep= the output must be incentive compatible for the miner, or else they won= 9;t enforce it (pass the buck onto the future bitcoiners). The Ephemeral UT= XO concept can be a consensus rule (see=C2=A0https://rubin.io/publi= c/pdfs/multi-txn-contracts.pdf "Intermediate UTXO") we add la= ter on in lieu of managing them by incentive, so maybe it's a cleanup o= ne can punt.

One question I have is if V3 is designed for ligh= tning, and this is designed for lightning, is there any sense in requiring = these outputs for v3? That might help with e.g. anonymity set, as well as p= otentially keep the v3 surface smaller.


On Tue, Oct 18, 2022 at 11:47 AM Arik Sosman via b= itcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
H= i Greg,

Thank you very much for sharing your p= roposal!

I think there's one thing about the s= econd part of your proposal that I'm missing. Specifically, assuming th= e scenario of a v3 transaction with three outputs, A, B, and the ephemeral = anchor OP_TRUE. If a child transaction spends A and OP_TRUE, does that effe= ctively mark output B as unspendable once the child gets confirmed? If so, = isn't the implication therefore that to safely spend a transaction with= an ephemeral anchor, all outputs must be spent? Thanks!

=
Best,
Arik

On Tue, Oct 18= , 2022, at 6:52 AM, Greg Sanders via bitcoin-dev wrote:

Hello Everyone,


Following up on the "V3 Transaction&q= uot; discussion here https://lists.li= nuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html , I = would like to elaborate a bit further on some potential follow-on work that= would make pinning severely constrained in many setups].


V3 transactions may solve bip125 rule#3 and= rule#5 pinning attacks under some constraints[0]. This means that when a r= eplacement is to be made and propagated, it costs the expected amount of fe= es to do so. This is a great start. What's left in this subset of pinni= ng is *package limit* pinning. In other words, a fee-paying transaction can= not enter the mempool due to the existing mempool package it is being added= to already being too large in count or vsize.

=

Zooming into the V3 simplified scenario for sake of di= scussion, though this problem exists in general today:=


V3 transactions restrict the package limit of = a V3 package to one parent and one child. If the parent transaction include= s two outputs which can be immediately spent by separate parties, this allo= ws one party to disallow a spend from the other. In Gloria's proposal f= or ln-penalty, this is worked around by reducing the number of anchors per = commitment transaction to 1, and each version of the commitment transaction= has a unique party's key on it. The honest participant can spend their= version with their anchor and package RBF the other commitment transaction= safely.


What if there'= ;s only one version of the commitment transaction, such as in other protoco= ls like duplex payment channels, eltoo? What about multi party payments?


In the package RBF proposal,= if the parent transaction is identical to an existing transaction in the m= empool, the parent will be detected and removed from the package proposal. = You are then left with a single V3 child transaction, which is then propose= d for entry into the mempool. In the case of another parent output already = being spent, this is simply rejected, regardless of feerate of the new chil= d.


I have two proposed s= olutions, of which I strongly prefer the latter:


1) Expand a carveout for "sibling eviction"= ;, where if the new child is paying "enough" to bump spends from = the same parent, it knocks its sibling out of the mempool and takes the one= child slot. This would solve it, but is a new eviction paradigm that would= need to be carefully worked through.


=

2) Ephemeral Anchors (my real policy-only proposal)


Ephemeral Anchors is a term which mea= ns an output is watermarked as an output that MUST be spent in a V3 package= . We mark this anchor by being the bare script `OP_TRUE` and of course make= these outputs standard to relay and spend with empty witness data.<= /span>


Also as a simplifying assumption,= we require the parent transaction with such an output to be 0-fee. This ma= kes mempool reasoning simpler in case the child-spend is somehow evicted, g= uaranteeing the parent will be as well.

Implications:


a) If the ephemeral anchor MUST be spent, we can allow *any* value, even = dust, even 0, without worrying about bloating the utxo set. We relax this p= olicy for maximum smart contract flexibility and specification simplicity..=


b) Since this anchor MUST= be spent, any spending of other outputs in the same parent transaction MUS= T directly double-spend prior spends of the ephemeral anchor. This causes t= he 1 block CSV timelock on outputs to be removed in these situations. This = greatly magnifies composability of smart contracts, as now we can do things= like safely splice directly into new channels, into statechains, your cust= odial wallet account, your cold wallet, wherever, without requiring other w= allets to support arbitrary scripts. Also it hurts that 1 CSV time locked s= cripts may not be miniscript compatible to begin with...


= c) *Anyone* can bump the transaction, withou= t any transaction key material. This is essentially achieving Jeremy's = Transaction Sponsors (https://lists= .linuxfoundation.org/pipermail/bitcoin-dev/2020-September/018168.html) proposal without consensus changes. As long as s= omeone gets a fully signed parent, they can execute a bump with minimal wal= let tooling. If a transaction author doesn=E2=80=99t want a =E2=80=9Csponso= r=E2=80=9D, do not include the output.

d) Lightning Carve-out(https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002= 240.html)=C2=A0 is superseded by this logic,= as we are not restricted to two immediately spendable output scenarios. In= its place, robust multi-party fee bumping is possible.


<= span style=3D"font-size:11pt">e) This also benefits more traditional wallet= scenarios, as change outputs can no longer be pinned, and RBF/CPFP becomes= robust. Payees in simple spends cannot pin you. Batched payouts become a l= ot less painful. This was one of the motivating use cases that created the = term =E2=80=9Cpinning=E2=80=9D in the first place(https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-= February/015717.html), even if LN/L2 discuss= ion has largely overtaken it due to HTLC theft risks.<= br>


Open Question(s):

<= div>
  1. If we allow non-zero value = in ephemeral outputs, does this open up a MEV we are worried about? Wallets= should toss all the value directly to fees, and add their own additional f= ees on top, otherwise miners have incentive to make the smallest utxo burn = transaction to claim those funds. They just confirmed your parent transacti= on anyways, so do we care?

  2. SIGHASH_GROUP like constructs would = allow uncommitted ephemeral anchors to be added at spend time, depending on= spending requirements. SIGHASH_SINGLE already allows this.




Hopefull= y this gives people something to consider as we move forward in thinking ab= out mempool design within the constraints we have today.



Greg
=


0: With V3 transactions where you have "veto = power" over all the inputs in that transaction. Therefore something li= ke ANYONECANPAY is still broken. We need a more complex solution, which I= =E2=80=99m punting for the sake of progress.

_______________________________________________
bitcoin-dev mailing list

=
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--0000000000002022d905eb5320ab--