Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 06F47C000E for ; Wed, 1 Sep 2021 15:15:44 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id DD88C40283 for ; Wed, 1 Sep 2021 15:15:43 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: 0.602 X-Spam-Level: X-Spam-Status: No, score=0.602 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp2.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NVR0fJOGoTUb for ; Wed, 1 Sep 2021 15:15:42 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) by smtp2.osuosl.org (Postfix) with ESMTPS id A6E1340158 for ; Wed, 1 Sep 2021 15:15:42 +0000 (UTC) Received: by mail-io1-xd32.google.com with SMTP id a15so4492018iot.2 for ; Wed, 01 Sep 2021 08:15:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LK480Z7Dl9FGH6ow7z1S6YYnFBFHYa/zEnkC5HyF+ec=; b=PaYlS1b0F+Rd++tyHgldgvAmNCUQsOXqh1B+HKskxMHF6NKJOkyYBLh5UPNga9MecG Z72l2p0EpW/6RvYWyvvY/Q51T6PZcbVQWLbDtjppyKtj3NC4dlaH5cgclQJhXKxfQTP2 ZHcP3aastfUhhRk5/Rax+nD54NCIpOnw713h0zZCzyE8ecmvBCexMN24aMkHFHiwiFES vx/u5SuR0geG5oXJo4mBZAei1juqInUOXSd1qX6cdbcaOC0pv4dXzwLgrbm27so0d4B0 jLRVJssafbwWl6h377JQmcDx+A1fSTW++pe7ZfzgaXJpWg4qlcsYQWI2O/ozr7OiNyfT aUIQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LK480Z7Dl9FGH6ow7z1S6YYnFBFHYa/zEnkC5HyF+ec=; b=WlU9lsmw3yCebeuQ7/ave/NZoQJQB02ZPi0IKVylMRdV34kZj7jlqh5OXxiHWH7ZwO Ng+Po4FvAmYMXxxU8QS6SoK8YIvyjAjCpT4fw9KRfYh/1Ta6fJ3u+C/xYyF7JJQYa+xZ Ia9WvNY3Iguz7VMRpsJra9Z7whPwDwuQh8IJe5+wBdJnUpMSdOiLZSw9dR+4+uKMwWO7 6HhFWI0rBezxFEUVKt7AjSg6NfOotgDE5RYmsl44dCelqTxqWQK8dr+DeDJwxHyaGSJn nT0+jJF4pPhpYI8RVbJyi1OA/W7LaDwWswxcsL0MRY6X28LHJdiduPGUnSCSU7m3y5H+ uR5Q== X-Gm-Message-State: AOAM530VBPcSn82ThzRfVHOhnbGFJzWssORIjZz4UhqWNI/TueLfQVV6 /EDcPOAzt1kJTE8aF8rjAZBQNYZ8IeLow04wArg= X-Google-Smtp-Source: ABdhPJzs0nIxd+kNuA4n4A5pNkulX4pxxg2z4pcde3/8Tgk20lWTkD0t8oBCvL1CJFyBq+ROanAoRq+L4eKenoZWmts= X-Received: by 2002:a6b:8bcf:: with SMTP id n198mr114130iod.178.1630509341742; Wed, 01 Sep 2021 08:15:41 -0700 (PDT) MIME-Version: 1.0 References: <1qkQ1p1rAZApZhMKVFwQV6gfLyZxMYIUPrhcjtXNU4z0DBRwslPSbi76GnNnllpvPPfqt1bH3EyzJNhfK0Uxum7zJ_dh3H0DXqUpf2nmHyk=@protonmail.com> In-Reply-To: From: Zac Greenwood Date: Wed, 1 Sep 2021 17:15:30 +0200 Message-ID: To: ZmnSCPxj Content-Type: multipart/alternative; boundary="0000000000001e1b7105caf08abf" X-Mailman-Approved-At: Wed, 01 Sep 2021 15:28:44 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Exploring: limiting transaction output amount as a function of total input value X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Sep 2021 15:15:44 -0000 --0000000000001e1b7105caf08abf Content-Type: text/plain; charset="UTF-8" Hi ZmnSCPxj, The rate-limiting algorithm would be relatively straightforward. I documented the rate-limiting part of the algorithm below, perhaps they can evoke new ideas of how to make this MAST-able or otherwise implement this in a privacy preserving way. Something like the following: => Create an output at block height [h0] with the following properties: Serving as input at any block height, the maximum amount is limited to [limit] sats; // This rule introduces [limit] and is permanent and always copied over to a change output Serving as input at a block height < [h0 + window], the maximum amount is limited to [limit - 0] sats; // [limit - 0] to emphasize that nothing was spent yet and no window has started. => A transaction occurs at block height [h1], spending [h1_spent]. The payment output created at [h1] is not encumbered and of value [h1_spent]; // Note, this is the first encumbered transaction so [h1] is the first block of the first window The change output created at block height [h1] must be encumbered as follows: Serving as input at any block height, the maximum amount is limited to [limit] sats; // Permanent rule repeats Serving as input at a block height < [h1 + window], the maximum amount is limited to [limit - h1_spent] // Second permanent rule reduces spendable amount until height [h1 + window] by [h1_spent] => A second transaction occurs at block height [h2], spending [h2_spent]. The payment output created at [h2] is not encumbered and of value [h2_spent]; // Second transaction, so a second window starts at [h2] The change output created at block height [h2] must be encumbered as follows: Serving as input at any block height, the maximum amount is limited to [limit] sats; // Permanent rule repeats Serving as input at a block height < [h1 + window], the max amount is limited to [limit - h1_spent - h2_spent] // Reduce spendable amount between [h1] and [h1 + window] by an additional [h2_spent] Serving as input in range [h1 + window] <= block height < [h2 + window], the max amount is limited to [limit - h2_spent] // First payment no longer inside this window so [h1_spent] no longer subtracted ... and so on. A rule that pertains to a block height < the current block height can be abandoned, keeping the number of rules equal to the number of transactions that exist within the oldest still active window. Zac On Tue, Aug 31, 2021 at 4:22 PM ZmnSCPxj wrote: > Good morning Zac, > > > Hi ZmnSCPxj, > > > > Thank you for your helpful response. We're on the same page concerning > privacy so I'll focus on that. I understand from your mail that privacy > would be reduced by this proposal because: > > > > * It requires the introduction of a new type of transaction that is > different from a "standard" transaction (would that be P2TR in the > future?), reducing the anonymity set for everyone; > > * The payment and change output will be identifiable because the change > output must be marked encumbered on-chain; > > * The specifics of how the output is encumbered must be visible on-chain > as well reducing privacy even further. > > > > I don't have the technical skills to judge whether these issues can > somehow be resolved. In functional terms, the output should be spendable in > a way that does not reveal that the output is encumbered, and produce a > change output that cannot be distinguished from a non-change output while > still being encumbered. Perhaps some clever MAST-fu could somehow help? > > I believe some of the covenant efforts may indeed have such clever MAST-fu > integrated into them, which is why I pointed you to them --- the people > developing these (aj I think? RubenSomsen?) might be able to accommodate > this or some subset of the desired feature in a sufficiently clever > covenant scheme. > > There are a number of such proposals, though, so I cannot really point you > to one that seems likely to have a lot of traction. > > Regards, > ZmnSCPxj > --0000000000001e1b7105caf08abf Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi ZmnSCPxj,

The rate-= limiting algorithm would be relatively straightforward. I documented the ra= te-limiting part of the algorithm below, perhaps they can evoke new ideas o= f how to make this MAST-able or otherwise implement this in a privacy prese= rving way.

Something like the following:

=3D> Create an output at block height [h0] with the foll= owing properties:

Serving as input at any blo= ck height, the maximum amount is limited to [limit] sats;=C2=A0 // This rul= e introduces [limit] and is permanent and always copied over to a change ou= tput
Serving as input at a block height < [h0 + window], the m= aximum amount is limited to [limit - 0] sats;=C2=A0 // [limit - 0] to empha= size that nothing was spent yet and no window has started.
=
=3D> A transaction occurs at block height [h1], spending = [h1_spent].
The payment output created at [h1] is not encumbered = and of value [h1_spent]; // Note, this is the first encumbered transaction = so [h1] is the first block of the first window

The= change output created at block height [h1] must be encumbered as follows:<= /div>
Serving as input at any block height, the maximum amount is = limited to [limit] sats;=C2=A0 // Permanent rule repeats
Serving = as input at a block height < [h1 + window], the maximum amount is limite= d to [limit - h1_spent]=C2=A0 // Second permanent rule reduces spendable am= ount until height [h1 + window] by [h1_spent]

=3D&= gt; A second transaction occurs at block height [h2], spending [h2_spent].<= /div>
The payment output created at [h2] is not encumbered an= d of value [h2_spent]; // Second transaction, so a second window starts at = [h2]

The change output created at block heig= ht [h2] must be encumbered as follows:
Serving as input at any bl= ock height, the maximum amount is limited to [limit] sats;=C2=A0 // Permane= nt rule repeats
Serving as input at a block height < [h1= =C2=A0+ window], the max amount is limited to [limit - h1_spent - h2_spent]= // Reduce spendable amount between [h1] and [h1=C2=A0+ window] by an addit= ional [h2_spent]
Serving as input in range [h1 + window] <=3D = block height < [h2 + window], the max amount is limited to [limit - h2_s= pent]=C2=A0 // First payment no longer inside this window so [h1_spent] no = longer subtracted

... and so on. A rule that perta= ins to a block height < the current block height can be abandoned, keepi= ng the number of rules equal to the number of transactions that exist withi= n the oldest still active window.

Zac<= /div>


On Tue, Aug 31, 2021 at 4:22 PM ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
=
Good morning Zac,
> Hi ZmnSCPxj,
>
> Thank you for your helpful response. We're on the same page concer= ning privacy so I'll focus on that. I understand from your mail that pr= ivacy would be reduced by this proposal because:
>
> * It requires the introduction of a new type of transaction that is di= fferent from a "standard" transaction (would that be P2TR in the = future?), reducing the anonymity set for everyone;
> * The payment and change output will be identifiable because the chang= e output must be marked encumbered on-chain;
> * The specifics of how the output is encumbered must be visible on-cha= in as well reducing privacy even further.
>
> I don't have the technical skills to judge whether these issues ca= n somehow be resolved. In functional terms, the output should be spendable = in a way that does not reveal that the output is encumbered, and produce a = change output that cannot be distinguished from a non-change output while s= till being encumbered. Perhaps some clever MAST-fu could somehow help?

I believe some of the covenant efforts may indeed have such clever MAST-fu = integrated into them, which is why I pointed you to them --- the people dev= eloping these (aj I think? RubenSomsen?) might be able to accommodate this = or some subset of the desired feature in a sufficiently clever covenant sch= eme.

There are a number of such proposals, though, so I cannot really point you = to one that seems likely to have a lot of traction.

Regards,
ZmnSCPxj
--0000000000001e1b7105caf08abf--