Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 4C21BA70 for ; Wed, 22 May 2019 08:10:39 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 103CA6C5 for ; Wed, 22 May 2019 08:10:37 +0000 (UTC) Received: from mail-ed1-f48.google.com (mail-ed1-f48.google.com [209.85.208.48]) (authenticated bits=0) (User authenticated as jlrubin@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x4M8AZjv032581 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 22 May 2019 04:10:36 -0400 Received: by mail-ed1-f48.google.com with SMTP id e24so2506724edq.6 for ; Wed, 22 May 2019 01:10:36 -0700 (PDT) X-Gm-Message-State: APjAAAXsQ1KTGpwJKxGZIrBXCu0C1RBEgk7xrZxPrTB6QI//TwMlouLl NIRrQcGnUlmWBB6zeSHt+vzYhe47ydStFak7yqE= X-Google-Smtp-Source: APXvYqzelPMS5plN0MATMp9KNCrVtAnw7aRCaFFk2oT2hpXvbcT9ys6MzYn9ic2hV0arz4ri2KAxUXkMCVkyzjxHyug= X-Received: by 2002:a17:906:66c9:: with SMTP id k9mr20878945ejp.21.1558512635039; Wed, 22 May 2019 01:10:35 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Jeremy Date: Wed, 22 May 2019 01:10:23 -0700 X-Gmail-Original-Message-ID: Message-ID: To: ZmnSCPxj Content-Type: multipart/alternative; boundary="000000000000fd54560589757fe4" X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,HTML_MESSAGE, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Wed, 22 May 2019 13:30:30 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Congestion Control via OP_CHECKOUTPUTSHASHVERIFY proposal X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 May 2019 08:10:39 -0000 --000000000000fd54560589757fe4 Content-Type: text/plain; charset="UTF-8" > * I do not think CoinJoin is much improved by this opcode. > Typically, you would sign off only if one of the outputs of the CoinJoin transaction is yours, and this does not really improve this situation. Coinjoin benefits a lot I think. Coinjoin is improved because you can fit more users into the protocol and create many more outputs at lower cost or include more participants. Ideally a coinjoin creates a lot of outputs so that the ownership is smeared more, but this has a cost at the time of the coinjoin. Coinjoin is also improved because you don't reveal the outputs created by the coinjoin until some time, perhaps very far in the future, when you need the coin. In fact, you only need to reveal where you're moving the coins to participants in your subtree because participants need only verify their branch. It also makes the protocol more stable with respect to input choice. This is because, similar to how NOINPUT may work, OP_COSHV outputs are spendable without knowing what the TXID will be. Therefore if someone changes their input or non segwit spend script, it won't break the presigned txns. This also means that all the inputs can be ANYONECANPAY, so there is no need to reveal your inputs before anyone else. This culminates in being able to open channels from a coinjoin safely, I believe this is difficult/impossible to do currently. > * Using this for congestion control increases blockchain usage by one TXO and one input, ending up with *more* bytes onchain, and a UTXO that will be removed later in (we hope) short time. > I do not know if this is a good idea, to increase congestion by making unnecessary intermediate transaction outputs, at times when congestion is a problem. This is a good idea because it improves QoS for most users. For receiving money pending spendable but confirmed payment (i.e. certified checks) is superior to having unconfirmed funds. For sending money, being able to clear all liabilities in a single txn decreases business exposure to fee variance and confirmation time variance. E.g., if I'm doing payroll in Bitcoin I will pay big fines if I am a day late. If I have 10,000 employees this might be painful if fees are currently up. It also helps to have a backlog of low priority txns to support the fee market. Overall block bandwidth utilization is fairly spikey, so having long term well known outputs that are not time sensitive can be used to better utilize bandwidth. The total extra bandwidth btw is really small given the expansion factor optimizations available. > * I cannot find a way to implement Decker-Russell-Osuntokun (or any offchain update mechanism) on top of this opcode, so I cannot support replacing `SIGHASH_NOINPUT` with this opcode. > In particular, while the finite loop support by this opcode appears (at first glance) to be useable as the "stepper" for an offchain update mechanism, I cannot find a good way to short-circuit the transaction chain without `SIGHASH_NOINPUT` anyway. I'm not deeply familiar with DRO channels. This opcode isn't a replacement for SIGHASH_NOINPUT -- SIGHASH_NOINPUT is mentioned merely to contrast using SIGHASH_NOINPUT for the uses presented in this BIP. Lastly there's no 'replacing'. Neither NOINPUT nor COSHV are accepted by the community at large yet, and they do different things. > * Channel factories created by this opcode do not, by themselves, support updates to the channel structure. > But such simple "close only" channel factories can be done using n-of-n and a pre-signed offchain transaction (especially since the entities interested in the factory are known and enumerable, and thus can be induced to sign in order to enter the factory). I'm not really an expert at Bitcoin Lightning, but this basic mechanism should work. Imagine the script at a leaf node: Taproot([Alice, Bob], [OP_COSHV ] where uncooperative script is: Taproot([Alice, Bob], ["1 week" CHECKSEQUENCEVERIFY DROP OP_COSHV ) Cooperative closing skips the extra transactions. Updates are signed against the uncooperative script with repudation. E.g.: HASH160 EQUAL IF ELSE "1 week" CHECKSEQUENCEVERIFY DROP ENDIF CHECKSIG It can even be optimized by letting the uncooperative script branches in the leaf be blaming Alice or Bob. Does that not work? --000000000000fd54560589757fe4 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


> * I= do not think CoinJoin is much improved by this opcode.
> =C2=A0= Typically, you would sign off only if one of the outputs of the CoinJoin t= ransaction is yours, and this does not really improve this situation.
=

Coinjoin benefits a= lot I think.


Coinjo= in is improved because you can fit more users into the protocol and create = many more outputs at lower cost or include more participants. Ideally a coi= njoin creates a lot of outputs so that the ownership is smeared more, but t= his has a cost at the time of the coinjoin.

Coinjoin is als= o improved because you don't reveal the outputs created by the coinjoin= until some time, perhaps very far in the future, when you need the coin. I= n fact, you only need to reveal where you're moving the coins to partic= ipants in your subtree because participants need only verify their branch.<= br>

It also makes the protocol more stable with respect to inpu= t choice. This is because, similar to how NOINPUT may work, OP_COSHV output= s are spendable without knowing what the TXID will be. Therefore if someone= changes their input or non segwit spend script, it won't break the pre= signed txns. This also means that all the inputs can be ANYONECANPAY, so th= ere is no need to reveal your inputs before anyone else.

This c= ulminates in being able to open channels from a coinjoin safely, I believe = this is difficult/impossible to do currently.



> * Using this for congestion control increases blockchain u= sage by one TXO and one input, ending up with *more* bytes onchain, and a U= TXO that will be removed later in (we hope) short time.
> =C2=A0= I do not know if this is a good idea, to increase congestion by making unn= ecessary intermediate transaction outputs, at times when congestion is a pr= oblem.

This is= a good idea because it improves QoS for most users.

For re= ceiving money pending spendable but confirmed payment (i.e. certified check= s) is superior to having unconfirmed funds.

For sending money, = being able to clear all liabilities in a single txn decreases business expo= sure to fee variance and confirmation time variance. E.g., if I'm doing= payroll in Bitcoin I will pay big fines if I am a day late. If I have 10,0= 00 employees this might be painful if fees are currently up.

It also helps to have a backlog of low priority txns to support the fee m= arket.

Overall block bandwidth utilization is fairly spikey, so= having long term well known outputs that are not time sensitive can be use= d to better utilize bandwidth.

The total extra bandwidth btw is really small gi= ven the expansion factor optimizations available.


> *= I cannot find a way to implement Decker-Russell-Osuntokun (or any offchain= update mechanism) on top of this opcode, so I cannot support replacing `SI= GHASH_NOINPUT` with this opcode.
> =C2=A0 In particular, while t= he finite loop support by this opcode appears (at first glance) to be useab= le as the "stepper" for an offchain update mechanism, I cannot fi= nd a good way to short-circuit the transaction chain without `SIGHASH_NOINP= UT` anyway.

I&= #39;m not deeply familiar with DRO channels. This opcode isn't a replac= ement for SIGHASH_NOINPUT -- SIGHASH_NOINPUT is mentioned merely to contras= t using SIGHASH_NOINPUT for the uses presented in this BIP.

La= stly there's no 'replacing'. Neither NOINPUT nor COSHV are acce= pted by the community at large yet, and they do different things.
=

> * Channel factories created by this opcode do= not, by themselves, support updates to the channel structure.
>= =C2=A0 But such simple "close only" channel factories can be don= e using n-of-n and a pre-signed offchain transaction (especially since the = entities interested in the factory are known and enumerable, and thus can b= e induced to sign in order to enter the factory).

=
I'm not really an expert at Bitcoin= Lightning, but this basic mechanism should work.

Imagine the script at a leaf node:

Taproot([Ali= ce, Bob], [OP_COSHV <H(H(2 coins to uncooperative script))>]
where uncooperative script is:

Taproot([Alice, Bob], ["1 week" CHECKSEQUENCEVERIFY DROP OP_COSHV <H(H(Pay alice 2 coins))>)

Coo= perative closing skips the extra transactions. Updates are signed against t= he uncooperative script with repudation. E.g.:

=C2=A0 =C2=A0 HASH160 <revokehash> EQUAL
= =C2=A0 =C2=A0 IF
=C2=A0 =C2=A0 =C2=A0 =C2=A0 <Bob's pubkey>=C2=A0 =C2=A0 ELSE
=C2=A0 =C2=A0 =C2=A0 =C2=A0 "1 week" CHECKSEQUENCEVERIFY DROP
=C2=A0 =C2=A0 =C2=A0 =C2=A0 <Alice&#= 39;s pubkey>
=C2=A0 =C2=A0 ENDIF
=C2=A0 =C2=A0 CHECKSIG

It = can even be optimized by letting the uncooperative script branches in the l= eaf be blaming Alice or Bob.
<= br>
Does that not work?
<= br>
--000000000000fd54560589757fe4--