1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
|
Return-Path: <james.obeirne@gmail.com>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
by lists.linuxfoundation.org (Postfix) with ESMTP id 52EBBC002D
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 19 Oct 2022 15:12:13 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp2.osuosl.org (Postfix) with ESMTP id 20D4A40CE0
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 19 Oct 2022 15:12:13 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 20D4A40CE0
Authentication-Results: smtp2.osuosl.org;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
header.a=rsa-sha256 header.s=20210112 header.b=SJGygwqF
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01]
autolearn=ham autolearn_force=no
Received: from smtp2.osuosl.org ([127.0.0.1])
by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 6-vg92sizSJf
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 19 Oct 2022 15:12:11 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 100DE40CC6
Received: from mail-oa1-x29.google.com (mail-oa1-x29.google.com
[IPv6:2001:4860:4864:20::29])
by smtp2.osuosl.org (Postfix) with ESMTPS id 100DE40CC6
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 19 Oct 2022 15:12:10 +0000 (UTC)
Received: by mail-oa1-x29.google.com with SMTP id
586e51a60fabf-134072c15c1so21024082fac.2
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 19 Oct 2022 08:12:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:from:to:cc:subject:date:message-id:reply-to;
bh=x+F8Z/7KMP7MlR4IdwXRnRtZafdnNH1ZvPbk2nk1SNs=;
b=SJGygwqFY7peEiL6Qd15fLBmAlgaz9EU0zB8XRKD5MnUa5A+anLb8cyP62rm63UVzS
tNoB5NAnHAbyn/3xesC2R5ck8uGEYfQXPjUNpugXrHPlC9BwIO1jynrT686ui6hVdnvv
LQDxz1u6dGVZKv6UvR1bddcu/gvItMv8hTN4e8Qym/mFyC7HS4c+3jfQ8PvZKKI9tonI
rON9UDLcJv5Xgu/Vrdv6DOHKbPBFD/5uOHjduRfpWz2g1x2Mdx+Qarj7aVAtiP6pBuNN
7/LttWnN903HwhJ0uKV7eUPGQK24O71uUYdhCPE/Wgutxp5aEvrHQlKF6mdJaW5dLJUm
ZFsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=x+F8Z/7KMP7MlR4IdwXRnRtZafdnNH1ZvPbk2nk1SNs=;
b=nh5VJrLWlL/NlV5BRXN12zHr8r8+UOSAosOuOAqVNUSU7uGm+kQVRFa/YyW7pd0UVs
Xlh5liG5Dz+ddqA/Q+PGstlS9WKxf8yNBjHCrAaUh98Lr+xxwAQJn6FmCqc0Blw+nq3s
mHEMeK951kUmAoib8ykSf/32lcz38qYWn9mZEo5lf1o1bTBeMcVrSiHS9ttuUaDWjbkR
FxMvm5IA3qx4q2Y4x2Bv4mo3o6TSBuB1h0qrOnus6X/A3NlYvpDIWZeD/vHhXijLuep2
lRZose6IZTy0nDZBGOHLjtlX9AVbwGFBd7qs8VAF7aWlVImR62ptoPFD0YRS7XIyg7yl
LiKw==
X-Gm-Message-State: ACrzQf1LSEg1VLKLlRtGGOLR/AJmwt9ws7nzPg89uWVU5V08DbWyuh7B
rXO670RP0fyttWclu6VdsuKiQi89JnkYUdP1YDs=
X-Google-Smtp-Source: AMsMyM7AFzkWl/lecmgt+htCtZWSBdbCl9NQI0Io+ZonJjrPsf+CNeuWTsyJ9fAlJVydNQBRF7RLf+w+tSWw8Kk6h3c=
X-Received: by 2002:a05:6870:b002:b0:131:ec02:b906 with SMTP id
y2-20020a056870b00200b00131ec02b906mr5536647oae.222.1666192329866; Wed, 19
Oct 2022 08:12:09 -0700 (PDT)
MIME-Version: 1.0
References: <CAB3F3Dukoz3P3Ne7tCxMiwwAGm3Fv8r_fUkNbGAtGhAZDYDgCQ@mail.gmail.com>
<ec952a9c-d810-4996-9ca9-1e9c6f6faca4@app.fastmail.com>
<CAB3F3DvH3FnK8krykbcRVKc-z8F4yjt9mzYHevpYxaWkH4w9tw@mail.gmail.com>
<CAD5xwhgFBQ-ScyBU5=WnREGsN-T=Nv=oR6vOsnHJ-ZMzDF8Vqg@mail.gmail.com>
In-Reply-To: <CAD5xwhgFBQ-ScyBU5=WnREGsN-T=Nv=oR6vOsnHJ-ZMzDF8Vqg@mail.gmail.com>
From: "James O'Beirne" <james.obeirne@gmail.com>
Date: Wed, 19 Oct 2022 11:11:57 -0400
Message-ID: <CAPfvXf+N8aF+bqjGzpfDrhCYg7ngciSDCpUnCMHD+k5F+m3oWA@mail.gmail.com>
To: Jeremy Rubin <j@rubin.io>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000f302e805eb64a1ab"
Cc: Greg Sanders <gsanders87@gmail.com>
Subject: Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF
againstpackage limit pinning
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2022 15:12:13 -0000
--000000000000f302e805eb64a1ab
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
I'm also very happy to see this proposal, since it gets us closer to having
a mechanism that allows the contribution to feerate in an "unauthenticated"
way, which seems to be a very helpful feature for vaults and other
contracting protocols.
One possible advantage of the sponsors interface -- and I'm curious for
your input here Greg -- is that with sponsors, assuming we relaxed the "one
sponsor per sponsoree" constraint, multiple uncoordinated parties can
collaboratively bump a tx's feerate. A simple example would be a batch
withdrawal from an exchange could be created with a low feerate, and then
multiple users with a vested interest of expedited confirmation could all
"chip in" to raise the feerate with multiple sponsor transactions.
Having a single ephemeral output seems to create a situation where a single
UTXO has to shoulder the burden of CPFPing a package. Is there some way we
could (possibly later) amend the ephemeral anchor interface to allow for
this kind of collaborative sponsoring? Could you maybe see "chained"
ephemeral anchors that would allow this?
On Tue, Oct 18, 2022 at 12:52 PM Jeremy Rubin via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Excellent proposal and I agree it does capture much of the spirit of
> sponsors w.r.t. how they might be used for V3 protocols.
>
> The only drawbacks I see is they don't work for lower tx version
> contracts, so there's still something to be desired there, and that the
> requirement to sweep the output must be incentive compatible for the mine=
r,
> or else they won't enforce it (pass the buck onto the future bitcoiners).
> The Ephemeral UTXO concept can be a consensus rule (see
> https://rubin.io/public/pdfs/multi-txn-contracts.pdf "Intermediate UTXO")
> we add later on in lieu of managing them by incentive, so maybe it's a
> cleanup one can punt.
>
> One question I have is if V3 is designed for lightning, and this is
> designed for lightning, is there any sense in requiring these outputs for
> v3? That might help with e.g. anonymity set, as well as potentially keep
> the v3 surface smaller.
>
> On Tue, Oct 18, 2022 at 11:51 AM Greg Sanders via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> > does that effectively mark output B as unspendable once the child gets
>> confirmed?
>>
>> Not at all. It's a normal spend like before, since the parent has been
>> confirmed. It's completely unrestricted, not being bound to any
>> V3/ephemeral anchor restrictions on size, version, etc.
>>
>> On Tue, Oct 18, 2022 at 11:47 AM Arik Sosman via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> Hi Greg,
>>>
>>> Thank you very much for sharing your proposal!
>>>
>>> I think there's one thing about the second part of your proposal that
>>> I'm missing. Specifically, assuming the scenario of a v3 transaction wi=
th
>>> three outputs, A, B, and the ephemeral anchor OP_TRUE. If a child
>>> transaction spends A and OP_TRUE, does that effectively mark output B a=
s
>>> unspendable once the child gets confirmed? If so, isn't the implication
>>> therefore that to safely spend a transaction with an ephemeral anchor, =
all
>>> outputs must be spent? Thanks!
>>>
>>> Best,
>>> Arik
>>>
>>> On Tue, Oct 18, 2022, at 6:52 AM, Greg Sanders via bitcoin-dev wrote:
>>>
>>> Hello Everyone,
>>>
>>> Following up on the "V3 Transaction" discussion here
>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/=
020937.html
>>> , I would like to elaborate a bit further on some potential follow-on w=
ork
>>> that would make pinning severely constrained in many setups].
>>>
>>> V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks unde=
r
>>> some constraints[0]. This means that when a replacement is to be made a=
nd
>>> propagated, it costs the expected amount of fees to do so. This is a gr=
eat
>>> start. What's left in this subset of pinning is *package limit* pinning=
. In
>>> other words, a fee-paying transaction cannot enter the mempool due to t=
he
>>> existing mempool package it is being added to already being too large i=
n
>>> count or vsize.
>>>
>>> Zooming into the V3 simplified scenario for sake of discussion, though
>>> this problem exists in general today:
>>>
>>> V3 transactions restrict the package limit of a V3 package to one paren=
t
>>> and one child. If the parent transaction includes two outputs which can=
be
>>> immediately spent by separate parties, this allows one party to disallo=
w a
>>> spend from the other. In Gloria's proposal for ln-penalty, this is work=
ed
>>> around by reducing the number of anchors per commitment transaction to =
1,
>>> and each version of the commitment transaction has a unique party's key=
on
>>> it. The honest participant can spend their version with their anchor an=
d
>>> package RBF the other commitment transaction safely.
>>>
>>> What if there's only one version of the commitment transaction, such as
>>> in other protocols like duplex payment channels, eltoo? What about mult=
i
>>> party payments?
>>>
>>> In the package RBF proposal, if the parent transaction is identical to
>>> an existing transaction in the mempool, the parent will be detected and
>>> removed from the package proposal. You are then left with a single V3 c=
hild
>>> transaction, which is then proposed for entry into the mempool. In the =
case
>>> of another parent output already being spent, this is simply rejected,
>>> regardless of feerate of the new child.
>>>
>>> I have two proposed solutions, of which I strongly prefer the latter:
>>>
>>> 1) Expand a carveout for "sibling eviction", where if the new child is
>>> paying "enough" to bump spends from the same parent, it knocks its sibl=
ing
>>> out of the mempool and takes the one child slot. This would solve it, b=
ut
>>> is a new eviction paradigm that would need to be carefully worked throu=
gh.
>>>
>>> 2) Ephemeral Anchors (my real policy-only proposal)
>>>
>>> Ephemeral Anchors is a term which means an output is watermarked as an
>>> output that MUST be spent in a V3 package. We mark this anchor by being=
the
>>> bare script `OP_TRUE` and of course make these outputs standard to rela=
y
>>> and spend with empty witness data.
>>>
>>> Also as a simplifying assumption, we require the parent transaction wit=
h
>>> such an output to be 0-fee. This makes mempool reasoning simpler in cas=
e
>>> the child-spend is somehow evicted, guaranteeing the parent will be as =
well.
>>>
>>> Implications:
>>>
>>> a) If the ephemeral anchor MUST be spent, we can allow *any* value, eve=
n
>>> dust, even 0, without worrying about bloating the utxo set. We relax th=
is
>>> policy for maximum smart contract flexibility and specification simplic=
ity..
>>>
>>> b) Since this anchor MUST be spent, any spending of other outputs in th=
e
>>> same parent transaction MUST directly double-spend prior spends of the
>>> ephemeral anchor. This causes the 1 block CSV timelock on outputs to be
>>> removed in these situations. This greatly magnifies composability of sm=
art
>>> contracts, as now we can do things like safely splice directly into new
>>> channels, into statechains, your custodial wallet account, your cold
>>> wallet, wherever, without requiring other wallets to support arbitrary
>>> scripts. Also it hurts that 1 CSV time locked scripts may not be minisc=
ript
>>> compatible to begin with...
>>>
>>> c) *Anyone* can bump the transaction, without any transaction key
>>> material. This is essentially achieving Jeremy's Transaction Sponsors (
>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/=
018168.html)
>>> proposal without consensus changes. As long as someone gets a fully sig=
ned
>>> parent, they can execute a bump with minimal wallet tooling. If a
>>> transaction author doesn=E2=80=99t want a =E2=80=9Csponsor=E2=80=9D, do=
not include the output.
>>>
>>> d) Lightning Carve-out(
>>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/=
002240.html)
>>> is superseded by this logic, as we are not restricted to two immediatel=
y
>>> spendable output scenarios. In its place, robust multi-party fee bumpin=
g is
>>> possible.
>>>
>>> e) This also benefits more traditional wallet scenarios, as change
>>> outputs can no longer be pinned, and RBF/CPFP becomes robust. Payees in
>>> simple spends cannot pin you. Batched payouts become a lot less painful=
.
>>> This was one of the motivating use cases that created the term =E2=80=
=9Cpinning=E2=80=9D in
>>> the first place(
>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/0=
15717.html),
>>> even if LN/L2 discussion has largely overtaken it due to HTLC theft ris=
ks.
>>>
>>> Open Question(s):
>>>
>>>
>>> 1.
>>>
>>> If we allow non-zero value in ephemeral outputs, does this open up a
>>> MEV we are worried about? Wallets should toss all the value directly=
to
>>> fees, and add their own additional fees on top, otherwise miners hav=
e
>>> incentive to make the smallest utxo burn transaction to claim those =
funds.
>>> They just confirmed your parent transaction anyways, so do we care?
>>> 2.
>>>
>>> SIGHASH_GROUP like constructs would allow uncommitted ephemeral
>>> anchors to be added at spend time, depending on spending requirement=
s.
>>> SIGHASH_SINGLE already allows this.
>>>
>>>
>>>
>>>
>>> Hopefully this gives people something to consider as we move forward in
>>> thinking about mempool design within the constraints we have today.
>>>
>>>
>>> Greg
>>>
>>> 0: With V3 transactions where you have "veto power" over all the inputs
>>> in that transaction. Therefore something like ANYONECANPAY is still bro=
ken.
>>> We need a more complex solution, which I=E2=80=99m punting for the sake=
of progress.
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--000000000000f302e805eb64a1ab
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div>I'm also very happy to see this proposal, since i=
t gets us closer to having a mechanism that allows the contribution to fee=
rate in an "unauthenticated" way, which seems to be a very helpfu=
l feature for vaults and other contracting protocols.</div><div><br></div><=
div>One possible advantage of the sponsors interface -- and I'm curious=
for your input here Greg -- is that with sponsors, assuming we relaxed the=
"one sponsor per sponsoree" constraint, multiple uncoordinated p=
arties can collaboratively bump a tx's feerate. A simple example would =
be a batch withdrawal from an exchange could be created with a low feerate,=
and then multiple users with a vested interest of expedited confirmation c=
ould all "chip in" to raise the feerate with multiple sponsor tra=
nsactions. <br></div><div><br></div><div>Having a single ephemeral output s=
eems to create a situation where a single UTXO has to shoulder the burden o=
f CPFPing a package. Is there some way we could (possibly later) amend the =
ephemeral anchor interface to allow for this kind of collaborative sponsori=
ng? Could you maybe see "chained" ephemeral anchors that would al=
low this?<br></div><div><br></div></div><br><div class=3D"gmail_quote"><div=
dir=3D"ltr" class=3D"gmail_attr">On Tue, Oct 18, 2022 at 12:52 PM Jeremy R=
ubin via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@lists.linuxfoundatio=
n.org">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br></div><block=
quote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1=
px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div class=3D"=
gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font-size:sm=
all;color:rgb(0,0,0)">Excellent proposal and I agree it does capture much o=
f the spirit of sponsors w.r.t. how they might be used for V3 protocols.</d=
iv><div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-s=
erif;font-size:small;color:rgb(0,0,0)"><br></div><div class=3D"gmail_defaul=
t" style=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:rg=
b(0,0,0)">The only drawbacks I see=C2=A0is they don't work for lower tx=
version contracts, so there's still something to be desired there, and=
that the requirement to sweep the output must be incentive compatible for =
the miner, or else they won't enforce it (pass the buck onto the future=
bitcoiners). The Ephemeral UTXO concept can be a consensus rule (see=C2=A0=
<a href=3D"https://rubin.io/public/pdfs/multi-txn-contracts.pdf" target=3D"=
_blank">https://rubin.io/public/pdfs/multi-txn-contracts.pdf</a> "Inte=
rmediate UTXO") we add later on in lieu of managing them by incentive,=
so maybe it's a cleanup one can punt.</div><div class=3D"gmail_default=
" style=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:rgb=
(0,0,0)"><br></div><div class=3D"gmail_default" style=3D"font-family:arial,=
helvetica,sans-serif;font-size:small;color:rgb(0,0,0)">One question I have =
is if V3 is designed for lightning, and this is designed for lightning, is =
there any sense in requiring these outputs for v3? That might help with e.g=
. anonymity set, as well as potentially keep the v3 surface smaller.</div><=
/div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">O=
n Tue, Oct 18, 2022 at 11:51 AM Greg Sanders via bitcoin-dev <<a href=3D=
"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">bitcoin-de=
v@lists.linuxfoundation.org</a>> wrote:<br></div><blockquote class=3D"gm=
ail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,=
204,204);padding-left:1ex"><div dir=3D"ltr">> does that effectively mark=
output B as unspendable once the child gets confirmed?<div><br></div><div>=
Not at all. It's a normal spend like before, since the parent has been =
confirmed. It's completely unrestricted, not being bound to any V3/ephe=
meral anchor restrictions on size, version, etc.</div></div><br><div class=
=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Oct 18, 2022=
at 11:47 AM Arik Sosman via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@=
lists.linuxfoundation.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundat=
ion.org</a>> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"=
margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-lef=
t:1ex"><div><u></u><div><div>Hi Greg,<br></div><div><br></div><div>Thank yo=
u very much for sharing your proposal!</div><div><br></div><div>I think the=
re's one thing about the second part of your proposal that I'm miss=
ing. Specifically, assuming the scenario of a v3 transaction with three out=
puts, A, B, and the ephemeral anchor OP_TRUE. If a child transaction spends=
A and OP_TRUE, does that effectively mark output B as unspendable once the=
child gets confirmed? If so, isn't the implication therefore that to s=
afely spend a transaction with an ephemeral anchor, all outputs must be spe=
nt? Thanks!<br></div><div><br></div><div>Best,<br></div><div>Arik</div><div=
><br></div><div>On Tue, Oct 18, 2022, at 6:52 AM, Greg Sanders via bitcoin-=
dev wrote:<br></div><blockquote type=3D"cite" id=3D"m_5142274361577099701m_=
8177486709224577946m_-7024055043742391057m_4368086065316228638qt"><div dir=
=3D"ltr"><span id=3D"m_5142274361577099701m_8177486709224577946m_-702405504=
3742391057m_4368086065316228638qt-gmail-docs-internal-guid-2d3e64aa-7fff-66=
f1-ed3d-c94d5a1f62c6"><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0=
pt;margin-bottom:0pt"><span style=3D"color:rgb(0,0,0);background-color:tran=
sparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical=
-align:baseline;white-space:pre-wrap"><span style=3D"font-family:Arial"><sp=
an style=3D"font-size:11pt">Hello Everyone,</span></span></span><br></p><di=
v><br></div><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-=
bottom:0pt"><span style=3D"color:rgb(0,0,0);background-color:transparent;fo=
nt-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:bas=
eline;white-space:pre-wrap"><span style=3D"font-family:Arial"><span style=
=3D"font-size:11pt">Following up on the "V3 Transaction" discussi=
on here <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/=
2022-September/020937.html" target=3D"_blank">https://lists.linuxfoundation=
.org/pipermail/bitcoin-dev/2022-September/020937.html</a> , I would like to=
elaborate a bit further on some potential follow-on work that would make p=
inning severely constrained in many setups].</span></span></span><br></p><d=
iv><br></div><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin=
-bottom:0pt"><span style=3D"color:rgb(0,0,0);background-color:transparent;f=
ont-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:ba=
seline;white-space:pre-wrap"><span style=3D"font-family:Arial"><span style=
=3D"font-size:11pt">V3 transactions may solve bip125 rule#3 and rule#5 pinn=
ing attacks under some constraints[0]. This means that when a replacement i=
s to be made and propagated, it costs the expected amount of fees to do so.=
This is a great start. What's left in this subset of pinning is *packa=
ge limit* pinning. In other words, a fee-paying transaction cannot enter th=
e mempool due to the existing mempool package it is being added to already =
being too large in count or vsize.</span></span></span><br></p><div><br></d=
iv><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0p=
t"><span style=3D"color:rgb(0,0,0);background-color:transparent;font-varian=
t-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;whi=
te-space:pre-wrap"><span style=3D"font-family:Arial"><span style=3D"font-si=
ze:11pt">Zooming into the V3 simplified scenario for sake of discussion, th=
ough this problem exists in general today:</span></span></span><br></p><div=
><br></div><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-b=
ottom:0pt"><span style=3D"color:rgb(0,0,0);background-color:transparent;fon=
t-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:base=
line;white-space:pre-wrap"><span style=3D"font-family:Arial"><span style=3D=
"font-size:11pt">V3 transactions restrict the package limit of a V3 package=
to one parent and one child. If the parent transaction includes two output=
s which can be immediately spent by separate parties, this allows one party=
to disallow a spend from the other. In Gloria's proposal for ln-penalt=
y, this is worked around by reducing the number of anchors per commitment t=
ransaction to 1, and each version of the commitment transaction has a uniqu=
e party's key on it. The honest participant can spend their version wit=
h their anchor and package RBF the other commitment transaction safely.</sp=
an></span></span><br></p><div><br></div><p dir=3D"ltr" style=3D"line-height=
:1.38;margin-top:0pt;margin-bottom:0pt"><span style=3D"color:rgb(0,0,0);bac=
kground-color:transparent;font-variant-numeric:normal;font-variant-east-asi=
an:normal;vertical-align:baseline;white-space:pre-wrap"><span style=3D"font=
-family:Arial"><span style=3D"font-size:11pt">What if there's only one =
version of the commitment transaction, such as in other protocols like dupl=
ex payment channels, eltoo? What about multi party payments?</span></span><=
/span><br></p><div><br></div><p dir=3D"ltr" style=3D"line-height:1.38;margi=
n-top:0pt;margin-bottom:0pt"><span style=3D"color:rgb(0,0,0);background-col=
or:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;v=
ertical-align:baseline;white-space:pre-wrap"><span style=3D"font-family:Ari=
al"><span style=3D"font-size:11pt">In the package RBF proposal, if the pare=
nt transaction is identical to an existing transaction in the mempool, the =
parent will be detected and removed from the package proposal. You are then=
left with a single V3 child transaction, which is then proposed for entry =
into the mempool. In the case of another parent output already being spent,=
this is simply rejected, regardless of feerate of the new child.</span></s=
pan></span><br></p><div><br></div><p dir=3D"ltr" style=3D"line-height:1.38;=
margin-top:0pt;margin-bottom:0pt"><span style=3D"color:rgb(0,0,0);backgroun=
d-color:transparent;font-variant-numeric:normal;font-variant-east-asian:nor=
mal;vertical-align:baseline;white-space:pre-wrap"><span style=3D"font-famil=
y:Arial"><span style=3D"font-size:11pt">I have two proposed solutions, of w=
hich I strongly prefer the latter:</span></span></span><br></p><div><br></d=
iv><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0p=
t"><span style=3D"color:rgb(0,0,0);background-color:transparent;font-varian=
t-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;whi=
te-space:pre-wrap"><span style=3D"font-family:Arial"><span style=3D"font-si=
ze:11pt">1) Expand a carveout for "sibling eviction", where if th=
e new child is paying "enough" to bump spends from the same paren=
t, it knocks its sibling out of the mempool and takes the one child slot. T=
his would solve it, but is a new eviction paradigm that would need to be ca=
refully worked through.</span></span></span><br></p><div><br></div><p dir=
=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span =
style=3D"color:rgb(0,0,0);background-color:transparent;font-variant-numeric=
:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:=
pre-wrap"><span style=3D"font-family:Arial"><span style=3D"font-size:11pt">=
2) Ephemeral Anchors (my real policy-only proposal)</span></span></span><br=
></p><div><br></div><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt=
;margin-bottom:0pt"><span style=3D"color:rgb(0,0,0);background-color:transp=
arent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-a=
lign:baseline;white-space:pre-wrap"><span style=3D"font-family:Arial"><span=
style=3D"font-size:11pt">Ephemeral Anchors is a term which means an output=
is watermarked as an output that MUST be spent in a V3 package. We mark th=
is anchor by being the bare script `OP_TRUE` and of course make these outpu=
ts standard to relay and spend with empty witness data.</span></span></span=
><br></p><div><br></div><p dir=3D"ltr" style=3D"line-height:1.38;margin-top=
:0pt;margin-bottom:0pt"><span style=3D"color:rgb(0,0,0);background-color:tr=
ansparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertic=
al-align:baseline;white-space:pre-wrap"><span style=3D"font-family:Arial"><=
span style=3D"font-size:11pt">Also as a simplifying assumption, we require =
the parent transaction with such an output to be 0-fee. This makes mempool =
reasoning simpler in case the child-spend is somehow evicted, guaranteeing =
the parent will be as well.</span></span></span><br></p><div><br></div><p d=
ir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><spa=
n style=3D"color:rgb(0,0,0);background-color:transparent;font-variant-numer=
ic:normal;font-variant-east-asian:normal;vertical-align:baseline;white-spac=
e:pre-wrap"><span style=3D"font-family:Arial"><span style=3D"font-size:11pt=
">Implications:</span></span></span><br></p><div><br></div><p dir=3D"ltr" s=
tyle=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style=3D"c=
olor:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;fo=
nt-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">=
<span style=3D"font-family:Arial"><span style=3D"font-size:11pt">a) If the =
ephemeral anchor MUST be spent, we can allow *any* value, even dust, even 0=
, without worrying about bloating the utxo set. We relax this policy for ma=
ximum smart contract flexibility and specification simplicity..</span></spa=
n></span><br></p><div><br></div><p dir=3D"ltr" style=3D"line-height:1.38;ma=
rgin-top:0pt;margin-bottom:0pt"><span style=3D"color:rgb(0,0,0);background-=
color:transparent;font-variant-numeric:normal;font-variant-east-asian:norma=
l;vertical-align:baseline;white-space:pre-wrap"><span style=3D"font-family:=
Arial"><span style=3D"font-size:11pt">b) Since this anchor MUST be spent, a=
ny spending of other outputs in the same parent transaction MUST directly d=
ouble-spend prior spends of the ephemeral anchor. This causes the 1 block C=
SV timelock on outputs to be removed in these situations. This greatly magn=
ifies composability of smart contracts, as now we can do things like safely=
splice directly into new channels, into statechains, your custodial wallet=
account, your cold wallet, wherever, without requiring other wallets to su=
pport arbitrary scripts. Also it hurts that 1 CSV time locked scripts may n=
ot be miniscript compatible to begin with...</span></span></span><br></p><d=
iv><br></div><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin=
-bottom:0pt"><span style=3D"color:rgb(0,0,0);background-color:transparent;f=
ont-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:ba=
seline;white-space:pre-wrap"><span style=3D"font-family:Arial"><span style=
=3D"font-size:11pt">c) *Anyone* can bump the transaction, without any trans=
action key material. This is essentially achieving Jeremy's Transaction=
Sponsors (</span></span></span><a href=3D"https://lists.linuxfoundation.or=
g/pipermail/bitcoin-dev/2020-September/018168.html" style=3D"text-decoratio=
n-line:none" target=3D"_blank"><span style=3D"background-color:transparent;=
font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-=
line:underline;vertical-align:baseline;white-space:pre-wrap"><span style=3D=
"font-family:Arial"><span style=3D"font-size:11pt">https://lists.linuxfound=
ation.org/pipermail/bitcoin-dev/2020-September/018168.html</span></span></s=
pan></a><span style=3D"color:rgb(0,0,0);background-color:transparent;font-v=
ariant-numeric:normal;font-variant-east-asian:normal;vertical-align:baselin=
e;white-space:pre-wrap"><span style=3D"font-family:Arial"><span style=3D"fo=
nt-size:11pt">) proposal without consensus changes. As long as someone gets=
a fully signed parent, they can execute a bump with minimal wallet tooling=
. If a transaction author doesn=E2=80=99t want a =E2=80=9Csponsor=E2=80=9D,=
do not include the output.</span></span></span><br></p><div><br></div><p d=
ir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><spa=
n style=3D"color:rgb(0,0,0);background-color:transparent;font-variant-numer=
ic:normal;font-variant-east-asian:normal;vertical-align:baseline;white-spac=
e:pre-wrap"><span style=3D"font-family:Arial"><span style=3D"font-size:11pt=
">d) Lightning Carve-out(</span></span></span><a href=3D"https://lists.linu=
xfoundation.org/pipermail/lightning-dev/2019-October/002240.html" style=3D"=
text-decoration-line:none" target=3D"_blank"><span style=3D"background-colo=
r:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;te=
xt-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">=
<span style=3D"font-family:Arial"><span style=3D"font-size:11pt">https://li=
sts.linuxfoundation.org/pipermail/lightning-dev/2019-October/002240.html</s=
pan></span></span></a><span style=3D"color:rgb(0,0,0);background-color:tran=
sparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical=
-align:baseline;white-space:pre-wrap"><span style=3D"font-family:Arial"><sp=
an style=3D"font-size:11pt">)=C2=A0 is superseded by this logic, as we are =
not restricted to two immediately spendable output scenarios. In its place,=
robust multi-party fee bumping is possible.</span></span></span><br></p><d=
iv><br></div><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin=
-bottom:0pt"><span style=3D"color:rgb(0,0,0);background-color:transparent;f=
ont-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:ba=
seline;white-space:pre-wrap"><span style=3D"font-family:Arial"><span style=
=3D"font-size:11pt">e) This also benefits more traditional wallet scenarios=
, as change outputs can no longer be pinned, and RBF/CPFP becomes robust. P=
ayees in simple spends cannot pin you. Batched payouts become a lot less pa=
inful. This was one of the motivating use cases that created the term =E2=
=80=9Cpinning=E2=80=9D in the first place(</span></span></span><a href=3D"h=
ttps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015717=
.html" style=3D"text-decoration-line:none" target=3D"_blank"><span style=3D=
"background-color:transparent;font-variant-numeric:normal;font-variant-east=
-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-=
space:pre-wrap"><span style=3D"font-family:Arial"><span style=3D"font-size:=
11pt">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February=
/015717.html</span></span></span></a><span style=3D"color:rgb(0,0,0);backgr=
ound-color:transparent;font-variant-numeric:normal;font-variant-east-asian:=
normal;vertical-align:baseline;white-space:pre-wrap"><span style=3D"font-fa=
mily:Arial"><span style=3D"font-size:11pt">), even if LN/L2 discussion has =
largely overtaken it due to HTLC theft risks.</span></span></span><br></p><=
div><br></div><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margi=
n-bottom:0pt"><span style=3D"color:rgb(0,0,0);background-color:transparent;=
font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:b=
aseline;white-space:pre-wrap"><span style=3D"font-family:Arial"><span style=
=3D"font-size:11pt">Open Question(s):</span></span></span><br></p><div><br>=
</div><ol style=3D"margin-top:0px;margin-bottom:0px"><li dir=3D"ltr" style=
=3D"list-style-type:decimal;font-size:11pt;font-family:Arial;color:rgb(0,0,=
0);background-color:transparent;font-variant-numeric:normal;font-variant-ea=
st-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir=3D"ltr=
" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt" role=3D"prese=
ntation"><span style=3D"background-color:transparent;font-variant-numeric:n=
ormal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pr=
e-wrap"><span style=3D"font-size:11pt">If we allow non-zero value in epheme=
ral outputs, does this open up a MEV we are worried about? Wallets should t=
oss all the value directly to fees, and add their own additional fees on to=
p, otherwise miners have incentive to make the smallest utxo burn transacti=
on to claim those funds. They just confirmed your parent transaction anyway=
s, so do we care?</span></span><br></p></li><li dir=3D"ltr" style=3D"list-s=
tyle-type:decimal;font-size:11pt;font-family:Arial;color:rgb(0,0,0);backgro=
und-color:transparent;font-variant-numeric:normal;font-variant-east-asian:n=
ormal;vertical-align:baseline;white-space:pre-wrap"><p dir=3D"ltr" style=3D=
"line-height:1.38;margin-top:0pt;margin-bottom:0pt" role=3D"presentation"><=
span style=3D"background-color:transparent;font-variant-numeric:normal;font=
-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><s=
pan style=3D"font-size:11pt">SIGHASH_GROUP like constructs would allow unco=
mmitted ephemeral anchors to be added at spend time, depending on spending =
requirements. SIGHASH_SINGLE already allows this.</span></span><br></p></li=
></ol><div><br></div><div><br></div><div><br></div><p dir=3D"ltr" style=3D"=
line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style=3D"color:rgb=
(0,0,0);background-color:transparent;font-variant-numeric:normal;font-varia=
nt-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><span st=
yle=3D"font-family:Arial"><span style=3D"font-size:11pt">Hopefully this giv=
es people something to consider as we move forward in thinking about mempoo=
l design within the constraints we have today.</span></span></span><br></p>=
<div><br></div><div><br></div><p dir=3D"ltr" style=3D"line-height:1.38;marg=
in-top:0pt;margin-bottom:0pt"><span style=3D"color:rgb(0,0,0);background-co=
lor:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;=
vertical-align:baseline;white-space:pre-wrap"><span style=3D"font-family:Ar=
ial"><span style=3D"font-size:11pt">Greg</span></span></span><br></p><div><=
br></div><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bot=
tom:0pt"><span style=3D"color:rgb(0,0,0);background-color:transparent;font-=
variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseli=
ne;white-space:pre-wrap"><span style=3D"font-family:Arial"><span style=3D"f=
ont-size:11pt">0: With V3 transactions where you have "veto power"=
; over all the inputs in that transaction. Therefore something like ANYONEC=
ANPAY is still broken. We need a more complex solution, which I=E2=80=99m p=
unting for the sake of progress.</span></span></span><br></p></span></div><=
div>_______________________________________________<br></div><div>bitcoin-d=
ev mailing list<br></div><div><a href=3D"mailto:bitcoin-dev@lists.linuxfoun=
dation.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a><br>=
</div><div><a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bi=
tcoin-dev" target=3D"_blank">https://lists.linuxfoundation.org/mailman/list=
info/bitcoin-dev</a><br></div><div><br></div></blockquote><div><br></div></=
div>_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</div></blockquote></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
--000000000000f302e805eb64a1ab--
|