Date: Tue, 01 Dec 2020 14:19:56 +0000
To: eric@voskuil.org,
 'Bitcoin Protocol Discussion' <bitcoin-dev@lists.linuxfoundation.org>
From: Sebastian Geisler <sebastian@gnet.me>
Reply-To: Sebastian Geisler <sebastian@gnet.me>
Message-ID: <3f172428-fb03-755f-3020-43817fdb1897@gnet.me>
In-Reply-To: <00e301d6c77e$2a4eeab0$7eecc010$@voskuil.org>
References: <9a068476-855e-0dd7-4c9c-264d5d8bf60a@gnet.me>
 <00e301d6c77e$2a4eeab0$7eecc010$@voskuil.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [bitcoin-dev] Out-of-band transaction fees
Precedence: list

Hi Eric,

> In paying fees externally one must find another way to associate a fee wi=
th its transaction. This of course increases the possibility of taint, as y=
ou describe in part here:

I'm not sure I follow, do you see a problem beyond the facts that miners
would need to authenticate somehow? This can be done in a privacy
preserving way per block. I don't think transactions would need to
change in any way. The bounty-transaction link is upheld by a third
party service which the miners have to trust that it will pay out if the
transaction is included (not perfect, but a business decision they can
make).

> It is also the case that the "bounty" must be associated with the transac=
tion. Even with miner and payer mutual anonymity, the fee inputs and output=
s will be associated with the transaction inputs and outputs by the miner, =
rendering the proposal counterproductive.
> Total transaction sizing is not reduced by paying fees externally, in fac=
t it would be increased. The only possible reduction would come from aggreg=
ation of fees. Yet it is not clear how that aggregation would occur private=
ly in less overall block space. At least with integral fees, it's *possible=
* to spend and pay a fee with a single input and output. That is not the ca=
se with externalized fees.

I should have made this more clear, I don't imagine anyone to pay these
fees with L1 transactions, but rather some L2 system like Lightning or a
BTC backed chaumian token issued for that purpose by the bounty service
provider. Even Lightning would be far more private for the use cases I
described that don't allow fee deduction from inputs. But if one accepts
more counter party risk with e.g. some centrally pegged chaumian token
it can be anonymous.

I see that this might not be very useful today, but I imagine a future
in which Bitcoin is mostly a settlement and reserve layer. This would
make it feasible to keep most UTXOs in common sizes. Only large, round
transactions happen on-chain, the rest can happen on L2. This would
allow tumbling these already evenly-sized UTXOs on spend without toxic
waste if we can somehow tackle the fee payment problem. I know of the
following solutions:

 * everyone has to add a second UTXO per input
 * Someone is chosen fairly at random to pay the total fee
 * pay a service on L2 to add an input/output for fee payment
 * out-of-band L2 fee payments

Only L2 fee payments can hide who is involved in such a tumbling
operation as additional fee inputs that get reused would indicate the
same entity was present in two tumbling operations. The out-of-band
approach saves one input and one output and appears more general (e.g.
could be used like rbf).

This is also not a general solution for fee payments. In many cases it
will still be preferable to pay on-chain fees. But having the option to
avoid that in a standardized way could help some protocols imo.

Best,
Sebastian


> -----Original Message-----
> From: bitcoin-dev <bitcoin-dev-bounces@lists.linuxfoundation.org> On Beha=
lf Of Sebastian Geisler via bitcoin-dev
> Sent: Monday, November 30, 2020 3:03 PM
> To: bitcoin-dev@lists.linuxfoundation.org
> Subject: [bitcoin-dev] Out-of-band transaction fees
>=20
> Hi all,
>=20
> the possibility of out of band transaction fee payments is a well known f=
act. Yet it has been mostly discussed as an annoying inevitability that can=
 be problematic if on-chain fees are to be used as a consensus parameter. T=
he potential use cases have seen little interest though (please correct me =
if I'm wrong).
>=20
> One such use case is sending UTXOs "intact". Let's assume we get to a poi=
nt where Bitcoin is primarily a settlement layer for L2 systems.
> These L2 systems might want to protect their privacy and keep UTXOs of a =
common sizes (e.g. 1 BTC, 10 BTC, =E2=80=A6). For certain settlement applic=
ations these can be transferred as a whole, but currently fee requirements =
force the system to add another input for fees which will introduce taint (=
because it's used repeatedly). If instead a fee could be paid out of band i=
n a privacy preserving way the TXO chain would leak little about the interm=
ediate holders.
>=20
> Taking this concept even further CoinJoin-like protocols could also be us=
ed to introduce further ambiguity without leaking that a certain entity too=
k part in the CJ (which fee inputs/reused "toxic waste"
> inevitably do afaik). Such a mechanism would probably also make CJ transa=
ctions much smaller as _no_ fee inputs had to be provided (assuming the inp=
uts already have the right size).
>=20
> Out-of-band transaction "accelerators" already exist and taking fee payme=
nt out-of-band can not be effectively prevented. So even though any such pr=
oposal will probably have slight centralizing effects I believe that having=
 a standard for it is preferable to having every pool implement their own A=
PI making it harder for small pools to get into the market.
>=20
> Imo the central questions are:
>  * how to build such a out-of-band "transaction bounty" system
>  * how to standardized it
>  * how can the centralizing effects from it be mitigated
>=20
> Imo fees are small enough to not really care about counter party risk tha=
t much. It's more important that it is easy to run so that there is some ch=
oice for users and miners. In that sense I consider single-operator service=
s providing both standardized user and miner APIs as well as an optional UI=
 suitable. I would still take into account that this could change and might=
 consider the needs of federated services in the protocol.
>=20
> Each such service would need to announce which means of payment it suppor=
ts and allow users and miners to choose when paying/redeeming fees. Users s=
hould be able to submit transactions and either be presented with a single =
payment method dependent "invoice" or one per input (for the CoinJoin use c=
ase). As soon as all invoices are paid the bounty goes live and is visible =
to miners through an API.
>=20
> Miners that included a transaction need a way to authenticate when claimi=
ng the bounty. One possibility would be to optionally include a unique publ=
ic key e.g. in the coinbase scriptsig after the height push (is this feasib=
le?). This could be used to claim any bounties after 100, 120, or even a us=
er-defined confirmation threshold is met. If the key is unique for every bl=
ock there won't be a problem with pool accountability which might become a =
risk down the road (so this should also be enforced at least in the bounty =
protocol to avoid lazy implementations leading to dangerous precedents).
>=20
> Any feedback is welcome :)
>=20
> tl;dr Out-of-band fee payment services are inevitable and useful, so we s=
hould at least standardize them and mitigate negative effects as much as po=
ssible.
>=20
> Best,
> Sebastian
>=20
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>=20