1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
|
Return-Path: <jim.posen@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id E1445CAF
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 4 Apr 2018 23:11:54 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-io0-f181.google.com (mail-io0-f181.google.com
[209.85.223.181])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 3329762B
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 4 Apr 2018 23:11:54 +0000 (UTC)
Received: by mail-io0-f181.google.com with SMTP id 141so28309417iou.12
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 04 Apr 2018 16:11:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:in-reply-to:references:from:date:message-id:subject:to
:cc; bh=ptydcroPFsAhUQ4eO9iqoi7QDC7k/ZjKZ8uPiZT6bBs=;
b=Er3XRq8i4MyUy8falBWse4iLC7qYPkdSQcWHRxaqX31CEGMtjhIruG7m+GXBEx1caH
+eZDIde6fScPiuordBVDJRvB8FCcLiwm7AfOApKKPeAAv8WU74PmBatbFL74yD8/Rb18
AfLvjjkbL0k7jNOWpPK1Xq7SDLhtLm3YuHK/IqAA3RbHH06yVSX8znS0UfKPMfDIb0Nx
bNIC6K5RCuWX2qHaLr+kC8Xavy34SeGX/QdXdmOy49jsSrw9RYs8tmGi54Viseg9jfy2
FkpkIt6mgG2fY8hCfLRtytTrL1GgqxWbsubsyBco1Z3mg3q3ghYFSNsqWbXqTMOOT8Vp
X+1w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:in-reply-to:references:from:date
:message-id:subject:to:cc;
bh=ptydcroPFsAhUQ4eO9iqoi7QDC7k/ZjKZ8uPiZT6bBs=;
b=gAE3OYIlygtUOw1hK0S5+MSbU1oYcw37Q4ofwGU1vQ7YTC4oiU5UWcJulro3ap9I9C
VM2kD3ENmDXK9OWHkVF6TaAjGKuMlY6syyDgkekW8XXeYq10OEfO02bOLYO8lzDVy+ka
OHUw2aT49+eVbz2n/EVrWbiVLghBjLR4oNsaWfKYkFLDlWKTcfzXUn/OK7T2b1Hv5xZ9
TEYsf/N7CLpT/mWPb7k8IzFXz8N+Ma+21XSRksWL1UqMy7Y2zfti8Km3WYf202Wb8b0R
fSwjYLQZY+IuMriUnehyxNrWzHRS0Ygz2+sMlwGrj87R7R8df1jnHsoki1+aoFtjnolv
QoOw==
X-Gm-Message-State: AElRT7EPkj8bIR99pnmq/slVBr0+NuiWkmeDE0125AxZQYF2RNHvH9lP
MbX/FVPNYoipSHO+O66wJgl2F3ljzZtoWM+V86Expg==
X-Google-Smtp-Source: AIpwx4/inwbeghGcoVl3pUBvbWdqbXSVfrbjl/5HtSK2kGqc0rroKHgGG1sj9AKumH4CEwS+IDrBQfBbJW6TlxmjI3Q=
X-Received: by 10.107.186.139 with SMTP id k133mr17336907iof.95.1522883513373;
Wed, 04 Apr 2018 16:11:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.52.80 with HTTP; Wed, 4 Apr 2018 16:11:52 -0700 (PDT)
In-Reply-To: <87sh8cc0ur.fsf@rustcorp.com.au>
References: <874lktdvdm.fsf@rustcorp.com.au>
<20180403035723.GA21120@erisian.com.au>
<87sh8cc0ur.fsf@rustcorp.com.au>
From: Jim Posen <jim.posen@gmail.com>
Date: Wed, 4 Apr 2018 16:11:52 -0700
Message-ID: <CADZtCSh43AQ5zkRN=RJnUYPY9f=MBMmXwmAnL+Ou0kguOptBhg@mail.gmail.com>
To: Rusty Russell <rusty@rustcorp.com.au>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="94eb2c07077ad9574d05690df25c"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Fri, 06 Apr 2018 13:36:33 +0000
Subject: Re: [bitcoin-dev] Signature bundles
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2018 23:11:55 -0000
--94eb2c07077ad9574d05690df25c
Content-Type: text/plain; charset="UTF-8"
I'll just mention that non-interactive one-way aggregation with BLS
signatures solves this problem rather nicely.
On Mon, Apr 2, 2018 at 10:31 PM, Rusty Russell via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Anthony Towns via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
> writes:
> > If you've got one bundle that overpays fees and another that underpays,
> > you can safely combine the two only if you can put a SIGHASH_ALL sig in
> > the one that overpays (otherwise miners could just make their own tx of
> > just the overpaying bundle).
>
> This is a potential problem, yes :( And I'm not sure how to solve it,
> unless you do some crazy thing like commit to a set of keys which are
> allowed to bundle, which kind of defeats the generality of outsourcing.
>
> > This could replace SINGLE|ANYONECANPAY at a cost of an extra couple of
> > witness bytes.
> >
> > I think BUNDLESTART is arguably redundant -- you could just infer
> > BUNDLESTART if you see an INBUNDLE flag when you're not already in
> > a bundle. Probably better to have the flag to make parsing easier,
> > so just have the rule be BUNDLESTART is set for precisely the first
> > INBUNDLE signature since the last bundle finished.
>
> Indeed.
>
> >> One of the issues we've struck with lightning is trying to guess future
> >> fees for commitment transactions: we can't rely on getting another
> >> signature from our counterparty to increase fees. Nor can we use
> >> parent-pays-for-child since the outputs we can spend are timelocked.
> >
> > That doesn't quite work with the HTLC-Success/HTLC-Timeout transactions
> > though, does it? They spend outputs from the commitment transaction
> > and need to be pre-signed by your channel partner in order to ensure
> > the output address is correct -- but if the commitment transaction gets
> > bundled, its txid will change, so it can't be pre-signed.
>
> Not without SIGHASH_NOINPUT, no.
>
> > FWIW, a dumb idea I had for this problem was to add a zero-value
> > anyone-can-spend output to commitment transactions, that can then be
> > used with CPFP to bump the fees. Not very nice for UTXO bloat if fee
> > bumping isn't needed though, and I presume it would fail to pass the
> > dust threshold...
>
> Yeah, let's not do that.
>
> > I wonder if it would be plausible to have after-the-fact fee-bumping
> > via special sighash flags at the block level anyway though. Concretely:
> > say you have two transactions, X and Y, that don't pay enough in fees,
> > you then provide a third transaction whose witness is [txid-for-X,
> > txid-for-Y, signature committing to (txid-for-X, txid-for-Y)], and can
> > only be included in a block if X and Y are also in the same block. You
> > could make that fairly concise if you allowed miners to replace
> txid-for-X
> > with X's offset within the block (or the delta between X's txnum and the
> > third transaction's txnum), though coding that probably isn't terribly
> > straightforward.
>
> What would it spend though? Can't use an existing output, so this
> really needs to be stashed in an *output script*, say a zero-amount
> output which is literally a push of txids, and is itself unspendable.
>
> <txid1>... <txidN>
>
> That's pretty large though, and it's non-witness data (though
> discardable). How about 'OP_NOP4 <N> <ripemd160-of-last-N-txids>'?
> Then the miner just bundles those tx all together?
>
> Cheers,
> Rusty.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--94eb2c07077ad9574d05690df25c
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">I'll just mention that non-interactive one-way aggrega=
tion with BLS signatures solves this problem rather nicely.</div><div class=
=3D"gmail_extra"><br><div class=3D"gmail_quote">On Mon, Apr 2, 2018 at 10:3=
1 PM, Rusty Russell via bitcoin-dev <span dir=3D"ltr"><<a href=3D"mailto=
:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">bitcoin-dev@lists=
.linuxfoundation.org</a>></span> wrote:<br><blockquote class=3D"gmail_qu=
ote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex=
"><span class=3D"">Anthony Towns via bitcoin-dev <<a href=3D"mailto:bitc=
oin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.<wbr>linuxfoundation.o=
rg</a>> writes:<br>
> If you've got one bundle that overpays fees and another that under=
pays,<br>
> you can safely combine the two only if you can put a SIGHASH_ALL sig i=
n<br>
> the one that overpays (otherwise miners could just make their own tx o=
f<br>
> just the overpaying bundle).<br>
<br>
</span>This is a potential problem, yes :( And I'm not sure how to solv=
e it,<br>
unless you do some crazy thing like commit to a set of keys which are<br>
allowed to bundle, which kind of defeats the generality of outsourcing.<br>
<span class=3D""><br>
> This could replace SINGLE|ANYONECANPAY at a cost of an extra couple of=
<br>
> witness bytes.<br>
><br>
> I think BUNDLESTART is arguably redundant -- you could just infer<br>
> BUNDLESTART if you see an INBUNDLE flag when you're not already in=
<br>
> a bundle. Probably better to have the flag to make parsing easier,<br>
> so just have the rule be BUNDLESTART is set for precisely the first<br=
>
> INBUNDLE signature since the last bundle finished.<br>
<br>
</span>Indeed.<br>
<span class=3D""><br>
>> One of the issues we've struck with lightning is trying to gue=
ss future<br>
>> fees for commitment transactions: we can't rely on getting ano=
ther<br>
>> signature from our counterparty to increase fees.=C2=A0 Nor can we=
use<br>
>> parent-pays-for-child since the outputs we can spend are timelocke=
d.<br>
><br>
> That doesn't quite work with the HTLC-Success/HTLC-Timeout transac=
tions<br>
> though, does it? They spend outputs from the commitment transaction<br=
>
> and need to be pre-signed by your channel partner in order to ensure<b=
r>
> the output address is correct -- but if the commitment transaction get=
s<br>
> bundled, its txid will change, so it can't be pre-signed.<br>
<br>
</span>Not without SIGHASH_NOINPUT, no.<br>
<span class=3D""><br>
> FWIW, a dumb idea I had for this problem was to add a zero-value<br>
> anyone-can-spend output to commitment transactions, that can then be<b=
r>
> used with CPFP to bump the fees. Not very nice for UTXO bloat if fee<b=
r>
> bumping isn't needed though, and I presume it would fail to pass t=
he<br>
> dust threshold...<br>
<br>
</span>Yeah, let's not do that.<br>
<span class=3D""><br>
> I wonder if it would be plausible to have after-the-fact fee-bumping<b=
r>
> via special sighash flags at the block level anyway though. Concretely=
:<br>
> say you have two transactions, X and Y, that don't pay enough in f=
ees,<br>
> you then provide a third transaction whose witness is [txid-for-X,<br>
> txid-for-Y, signature committing to (txid-for-X, txid-for-Y)], and can=
<br>
> only be included in a block if X and Y are also in the same block. You=
<br>
> could make that fairly concise if you allowed miners to replace txid-f=
or-X<br>
> with X's offset within the block (or the delta between X's txn=
um and the<br>
> third transaction's txnum), though coding that probably isn't =
terribly<br>
> straightforward.<br>
<br>
</span>What would it spend though?=C2=A0 Can't use an existing output, =
so this<br>
really needs to be stashed in an *output script*, say a zero-amount<br>
output which is literally a push of txids, and is itself unspendable.<br>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 <txid1>... <txidN><br>
<br>
That's pretty large though, and it's non-witness data (though<br>
discardable).=C2=A0 How about 'OP_NOP4 <N> <ripemd160-of-last-=
N-txids>'?<br>
Then the miner just bundles those tx all together?<br>
<br>
Cheers,<br>
Rusty.<br>
<div class=3D"HOEnZb"><div class=3D"h5">______________________________<wbr>=
_________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.=
<wbr>linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.<wbr>org=
/mailman/listinfo/bitcoin-<wbr>dev</a><br>
</div></div></blockquote></div><br></div>
--94eb2c07077ad9574d05690df25c--
|