Return-Path: <antoine.riard@gmail.com> Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id D3599C0171 for <bitcoin-dev@lists.linuxfoundation.org>; Sun, 9 Feb 2020 22:32:54 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id C7A70849DF for <bitcoin-dev@lists.linuxfoundation.org>; Sun, 9 Feb 2020 22:32:54 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bvibwFjgBBJJ for <bitcoin-dev@lists.linuxfoundation.org>; Sun, 9 Feb 2020 22:32:54 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-pg1-f181.google.com (mail-pg1-f181.google.com [209.85.215.181]) by fraxinus.osuosl.org (Postfix) with ESMTPS id EDF9284826 for <bitcoin-dev@lists.linuxfoundation.org>; Sun, 9 Feb 2020 22:32:53 +0000 (UTC) Received: by mail-pg1-f181.google.com with SMTP id u131so2842841pgc.10 for <bitcoin-dev@lists.linuxfoundation.org>; Sun, 09 Feb 2020 14:32:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=2vVhNFZ6fZoBDeONtRSp1YOau1qRRfHj++LbwrpUODU=; b=plAqEfJyQBEag71tyfPgVrpiAeUpZ4k4Z5/8J+pA5z3Vhpx/ycYpopUo+h2fSux3me ZXNgUxtbw8/94a8UwOF7AdAoYz4y3LMT0nk66VKpWdRy0Ubv2UzRPu+BD4YWOt0Ub7Pt dD1vpElhvw1D7mOkRcViCB8V5j2yhdhE668Ro1bL4z/mmAagNWpQfNHTzTHabXjgsXzo wPWirhzkpxbyXKsaQsO+B+4OxtmqGg/lP5bxQxQ+Dc+epbkMxLdL2T2tgMOcF7+p1NuE ed4HWsqP/iJFcgepZQvdXIl57fGySVIM/C0B8NkHTrqzrHYtRL3v/k2MGtIJyip0CXh7 HZEg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=2vVhNFZ6fZoBDeONtRSp1YOau1qRRfHj++LbwrpUODU=; b=DeAwDC9qtYMqwf1ljSc7qx2FqwOC/reuBsR69HYUDd+lpXArgGuJiC44TlWvi41uzt sRn149/ye5eyiQgz611H/fxKqlZQHl722TaY+M8hfGoCiIG+d/Ae0SI1Rj5aGlozar2t AjBv84u4F/IZ8hq2WJwEUn60Rntqo94Jj5dA5KU5OkyuKg2UHyby1JZLWwHr11qxx/Ma CQ8MiXlJN6jd68gdqyrUcfgWLjahHr9/osbgbP4nTmC3oOQ77NwrhkY3xZ0ACMxYfjNH 28xZMbBo2WtCR/tTXQrXKJvzxc7v3afhLEWfhqPCHkVJOPpi13I3/GaAq51kqiOdg/Vp esyQ== X-Gm-Message-State: APjAAAXYrJ9YoifegGfgKMdKpb/zqxNYfRhymhqGX+YVjOIhJVdqyzXk +2icXq5dyDT9QiBD5Bd3aaX/8ZtPONRiUYWO+rGDCPWJa0k= X-Google-Smtp-Source: APXvYqxbdwBxZ7xDg42LLK85EqLWsfRO64NR4BioM/Z7E61RosOE/WHzpitOfnJMPs8QDQkI+/W/7llzNoNTIXUt744= X-Received: by 2002:a63:ec0c:: with SMTP id j12mr3094328pgh.78.1581287573411; Sun, 09 Feb 2020 14:32:53 -0800 (PST) MIME-Version: 1.0 References: <CABaSBaxgdfeyPrnaJD+Gs-5agV4sX+b66ZA6AfkjiHvuE0JSXA@mail.gmail.com> <2d9970d8-209d-7223-6564-ad858dce5981@mattcorallo.com> In-Reply-To: <2d9970d8-209d-7223-6564-ad858dce5981@mattcorallo.com> From: Antoine Riard <antoine.riard@gmail.com> Date: Sun, 9 Feb 2020 17:32:41 -0500 Message-ID: <CALZpt+HRuxNxKsdwtyMD=+hE-Tq+8Wt9mLVP0vj9Z+yENg_UJg@mail.gmail.com> To: Matt Corallo <lf-lists@mattcorallo.com>, Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org> Content-Type: multipart/alternative; boundary="00000000000019dd2a059e2c3494" X-Mailman-Approved-At: Sun, 09 Feb 2020 22:36:35 +0000 Subject: Re: [bitcoin-dev] Taproot (and graftroot) complexity X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org> List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe> List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/> List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org> List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help> List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe> X-List-Received-Date: Sun, 09 Feb 2020 22:32:55 -0000 --00000000000019dd2a059e2c3494 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable > In particular, you care more about privacy when you are contesting a > close of a channel or other script path because then the miners could be more > likely to extract a rent from you as "ransom" for properly closing your channel > (or in other words, in a contested close the value of the closing transaction is > larger than usual). Not sure this point holds, independently of which Taproot/MASTmechanism deployed, any time-sensitive transaction will likely leak its "contestness" by the setting of its nSequence/nLocktime fields. E.g, for LN, justice tx are not encumbered by a CSV delay which distinguish them from a non-revoked spend. And when you're relaying htlcs and need to close unilaterally channel to prevent different settlement on incoming/outgoing links the HTLC-timeout tx broadcast have a nLocktime set. Beyond LN, timelocks are a privacy leak and miner-withholding vector for an= y offchain protocols but this problem is not tied to Taproot design. Confidential enforcement of them would be great but that's another debate.. Antoine Le dim. 9 f=C3=A9vr. 2020 =C3=A0 15:40, Matt Corallo via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> a =C3=A9crit : > Responding purely to one point as this may be sufficient to clear up > lots of discussion: > > On 2/9/20 8:19 PM, Bryan Bishop via bitcoin-dev wrote: > > Is Taproot just a probability assumption about the frequency and > > likelihood of > > the signature case over the script case? Is this a good assumption? Th= e > BIP > > only goes as far as to claim that the advantage is apparent if the > outputs > > *could be spent* as an N of N, but doesn't make representations about > > how likely > > that N of N case would be in practice compared to the script paths. > Perhaps > > among use cases, more than half of the ones we expect people to be doin= g > > could be > > spent as an N of N. But how frequently would that path get used? > > Further, while > > the *use cases* might skew toward things with N of N opt-out, we might > > end up in > > a power law case where it's the one case that doesn't use an N of N opt > > out at > > all (or at a de minimis level) that becomes very popular, thereby makin= g > > Taproot > > more costly then beneficial. > Its not just about the frequency and likelihood, no. If there is a > clearly-provided optimization for this common case in the protocol, then > it becomes further more likely that developers put in the additional > effort required to make this possibility a reality. This has a very > significant positive impact on user privacy, especially those who wish > to utilize more advanced functionality in Bitcoin. Further, yes, it is > anticipated that the N of N case is possible to take in the vast > majority of deployed use-cases for advanced scripting systems, ensuring > that it is maximally efficient to do so (and thereby encouraging > developers to do so) is a key goal in this work. > > Matt > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --00000000000019dd2a059e2c3494 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr"><div><div><div> > In particular, you care more about pr= ivacy when you are contesting a<br>> close of a channel or other script = path because then the miners could be more<br>> likely to extract a rent= from you as "ransom" for properly closing your channel<br>> (= or in other words, in a contested close the value of the closing transactio= n is<br>> larger than usual).<br><br></div>Not sure this point holds, in= dependently of which Taproot/MASTmechanism deployed,<br></div>any time-sens= itive transaction will likely leak its "contestness" by the setti= ng of its <br></div><div>nSequence/nLocktime fields. E.g, for LN, justice t= x are not encumbered by a CSV<br></div><div>delay which distinguish them fr= om a non-revoked spend. And when you're relaying<br></div><div>htlcs an= d need to close unilaterally channel to prevent different settlement on <br= ></div><div>incoming/outgoing links the HTLC-timeout tx broadcast have a nL= ocktime set.<br><br></div><div>Beyond LN, timelocks are a privacy leak and = miner-withholding vector for any<br></div><div>offchain protocols but this = problem is not tied to Taproot design. Confidential<br></div><div>enforceme= nt of them would be great but that's another debate..<br><br></div><div= >Antoine<br></div><div><br><br></div><div><br><br></div><div><br></div><div= ><br><br></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class= =3D"gmail_attr">Le=C2=A0dim. 9 f=C3=A9vr. 2020 =C3=A0=C2=A015:40, Matt Cora= llo via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation= .org">bitcoin-dev@lists.linuxfoundation.org</a>> a =C3=A9crit=C2=A0:<br>= </div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;b= order-left:1px solid rgb(204,204,204);padding-left:1ex">Responding purely t= o one point as this may be sufficient to clear up<br> lots of discussion:<br> <br> On 2/9/20 8:19 PM, Bryan Bishop via bitcoin-dev wrote:<br> > Is Taproot just a probability assumption about the frequency and<br> > likelihood of<br> > the signature case over the script case? Is this a good assumption?=C2= =A0 The BIP<br> > only goes as far as to claim that the advantage is apparent if the out= puts<br> > *could be spent* as an N of N, but doesn't make representations ab= out<br> > how likely<br> > that N of N case would be in practice compared to the script paths. Pe= rhaps<br> > among use cases, more than half of the ones we expect people to be doi= ng<br> > could be<br> > spent as an N of N. But how frequently would that path get used?<br> > Further, while<br> > the *use cases* might skew toward things with N of N opt-out, we might= <br> > end up in<br> > a power law case where it's the one case that doesn't use an N= of N opt<br> > out at<br> > all (or at a de minimis level) that becomes very popular, thereby maki= ng<br> > Taproot<br> > more costly then beneficial.<br> Its not just about the frequency and likelihood, no. If there is a<br> clearly-provided optimization for this common case in the protocol, then<br= > it becomes further more likely that developers put in the additional<br> effort required to make this possibility a reality. This has a very<br> significant positive impact on user privacy, especially those who wish<br> to utilize more advanced functionality in Bitcoin. Further, yes, it is<br> anticipated that the N of N case is possible to take in the vast<br> majority of deployed use-cases for advanced scripting systems, ensuring<br> that it is maximally efficient to do so (and thereby encouraging<br> developers to do so) is a key goal in this work.<br> <br> Matt<br> _______________________________________________<br> bitcoin-dev mailing list<br> <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">= bitcoin-dev@lists.linuxfoundation.org</a><br> <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" = rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev</a><br> </blockquote></div> --00000000000019dd2a059e2c3494--