Date: Fri, 20 Sep 2019 12:22:20 +0000
From: Andrew Poelstra <apoelstra@wpsoftware.net>
To: Lloyd Fournier <lloyd.fourn@gmail.com>,
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <20190920122220.GR13224@boulet>
References: <7e7SBK5tLdpzTkgh-sNrAZR7qnPfu_i0tHY5ia4pk3Mjdw3dSZx3kcKiIMC9Hmu_lp8Y3mBFqlqsA_iHobJo58MSiW8NW1zKHUQKOWuuw4c=@protonmail.com>
	<CAH5Bsr1G6r-g_so96ALo0gpboWDduRaZzFT7Z1rDBFdzDHsXTA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="3wm5X47Ts/nUgpUh"
Content-Disposition: inline
In-Reply-To: <CAH5Bsr1G6r-g_so96ALo0gpboWDduRaZzFT7Z1rDBFdzDHsXTA@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Subject: Re: [bitcoin-dev] Timelocks and Lightning on MimbleWimble
Precedence: list


--3wm5X47Ts/nUgpUh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Sep 20, 2019 at 04:54:34AM +1000, Lloyd Fournier via bitcoin-dev wr=
ote:
> Hi ZmnSCPxj,
>=20
> I can give some context on the exchange during the talk. I was the "Q" and
> Andrew Polestra was the "A".
>=20
> I followed up with Andrew after and he indeed knew about the pre-signed
> nlocktime transaction double spend technique (actually, I thought he was
> the one who originally came up with that idea for scriptless atomic swaps=
).
> He clarified saying that you can do that with locktime (absolute time
> locks) but not with sequence numbers (relative time locks). i.e. to enfor=
ce
> sequence numbers you need to use OP_CHECKSEQUENCEVERIFY. He said that it
> would make sense to change that so it's enforced regardless of script.
>=20
> However, I talked to Antoine Riard later who was adamant that sequence
> numbers already worked as expected. He pointed to the fact that BIP68
> already describes it as an independent constraint [1]
>=20
> So if things do work as described in BIP68 then we should be able to do
> lightning on Bitcoin without any script once we have Schnorr. I'm keen to
> actually figure out all the details of how to do this. It works in my head
> but I think I should write it down somewhere to make sure it works.
>=20
>  [1] https://github.com/bitcoin/bips/blob/master/bip-0068.mediawiki
>=20
> LL
>

Yep, during the recorded exchange I was confused about the content of
the BIP. Later I described the exchange to Dan Robinson, who showed me
the actual text :).

Sorry for the confusion - Lloyd was totally right and you can do
relative locktimes this way in Taproot without needing to expose a
script.


Having said this, there is the important caveat that your "emergency
backout" keys are online to produce a pre-signed transaction, and
that a suitable destination is known beforehand. This makes sense for
Lightning or most atomic swap protocols where the money simply returns
to the original owner, but not e.g. for Liquid, where the emergency
keys have never been brought online (and anyway the contents of any
transaction they might sign depends on facts and circumstances that
aren't known ahead of time).


--=20
Andrew Poelstra
Director of Research, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

The sun is always shining in space
    -Justin Lewis-Webster


--3wm5X47Ts/nUgpUh
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEkPnKPD7Je+ki35VexYjWPOQbl8EFAl2ExHsACgkQxYjWPOQb
l8F/agf+KicIrtMvQIdCXRT7vUphny4h9ibFqQX86i+QEB6B53oQ+V85Ci6qxurw
jrdojItTvlKbKckOlVjrUN12cStpAgJE4OyRNwiYz4OCejTL/FpYeuTt/nzgxyHY
TDZijrixw4F4DE5dt8gY6j6Q8m37YoW1ffEhif25pHzb+ZcJSbvSAu3hQQlaTHOs
6/4P+BuxEKisVWberJ0ADrrJCn4x130KEVIV9ZDTeA8gkA+onLI7teEGMmuIcbw5
4Wm6Q07lWMdGRRtPkIF/rcdgWeN9pXoDmYksfb+45QJCI0BNN3aQYofVeqNDxlA/
5dFHnUm+TQCDwe9AePLfvMbVKwZZGg==
=Q2Z4
-----END PGP SIGNATURE-----

--3wm5X47Ts/nUgpUh--