Return-Path: <ZmnSCPxj@protonmail.com>
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 8ADCBC016F
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 10 Jul 2020 03:30:06 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by whitealder.osuosl.org (Postfix) with ESMTP id A097C890E5
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 10 Jul 2020 03:29:52 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
 by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id OaJwETVGveU8
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 10 Jul 2020 03:29:50 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-40132.protonmail.ch (mail-40132.protonmail.ch
 [185.70.40.132])
 by whitealder.osuosl.org (Postfix) with ESMTPS id AB0818695F
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 10 Jul 2020 03:29:50 +0000 (UTC)
Date: Fri, 10 Jul 2020 03:29:39 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=protonmail; t=1594351788;
 bh=fF5sz9q4YBINJ8ND6qdLl45m1zb58Y7QsX9EKXS1cCg=;
 h=Date:To:From:Reply-To:Subject:In-Reply-To:References:From;
 b=tyrK4B498c48kAuzhUia+7TLxolhv5ez2EM+cf6iHw02uZGAoOh0BmSK034rY9yKE
 eqeTEBYU0KDLSiNgF3S+g000zX49N6F+ZsLgJAcmiBqZm6ASzWrHd4NZ30qYuhFA5U
 Z4MZtepwo/Ir1mlWj2RDprbIGS5K/wBaA4t6YU1k=
To: Anthony Towns <aj@erisian.com.au>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Reply-To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <O_Zr7tM2TYwJdFS0o9RraXrtRPI4ZcVU65qcBpg-tvTPOqnGWkEUDQY5XqcihbUyAHF31L4isFWsD_u2SsSb8YzfjYDWiVXQsr6oAd9YXBY=@protonmail.com>
In-Reply-To: <20200709214048.27mycsi5h2bnv3cc@erisian.com.au>
References: <20200709214048.27mycsi5h2bnv3cc@erisian.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [bitcoin-dev] BIP 118 and SIGHASH_ANYPREVOUT
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 03:30:06 -0000

Good morning aj,

It seems okay to me.

--

Slightly off-topic, but I suppose a Decker-Russell-Osuntokun construction c=
ould, in theory, have only a single internal taproot pubkey, `P =3D MuSig(A=
, B)` for a channel between A and B.

So the funding outpoint would be spent with a taprooted P + a single tapscr=
ipt `<1> OP_CHECKSIG`.

Update transactions would be signed with the internal taproot pubkey using =
`SIGHASH_ANYPREVOUTANYSCRIPT`.
The update transaction output would be spendable with a taprooted P + a sin=
gle tapscript `<index + 1> OP_CHECKLOCKTIMEVERIFY OP_DROP <1> OP_CHECKSIG`.
Each update transaction would have a monotonically-increasing `nLockTime`, =
i.e. the above `index`.

Then a state transaction would be signed with the internal taproot pubkey u=
sing `SIGHASH_ANYPREVOUT`, which commits to the exact script including `<in=
dex + 1>`, which is unique for each update transaction.
Thus a state transaction can only spend the specific update transaction, bu=
t the update transaction can spend the funding outpoint or any update trans=
action outpoint.
State transaction input would have an `nSequence` requiring a relative lock=
time of the agreed-upon unilateral close delay.

The above assumes MuSig signing, which requires 1.5 round trips for a chann=
el, or three broadcast rounds for a multiparticipant (n >=3D 3) constructio=
n.


Regards,
ZmnSCPxj

> Hello world,
>
> After talking with Christina ages ago, we came to the conclusion that
> it made more sense to update BIP 118 to the latest thinking than have
> a new BIP number, so I've (finally) opened a (draft) PR to update BIP
> 118 with the ANYPREVOUT bip I've passed around to a few people,
>
> https://github.com/bitcoin/bips/pull/943
>
> Probably easiest to just read the new BIP text on github:
>
> https://github.com/ajtowns/bips/blob/bip-anyprevout/bip-0118.mediawiki
>
> It doesn't come with tested code at this point, but I figure better to
> have the text available for discussion than nothing.
>
> Some significant changes since previous discussion include complete lack
> of chaperone signatures or anything like it (if you want them, you can
> always add them yourself, of course), and that ANYPREVOUTANYSCRIPT no
> longer commits to the value (details/rationale in the text).
>
> Cheers,
> aj
>
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev