Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id D26AFCCC for ; Mon, 12 Aug 2019 13:15:12 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-40133.protonmail.ch (mail-40133.protonmail.ch [185.70.40.133]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id D4A468A6 for ; Mon, 12 Aug 2019 13:15:11 +0000 (UTC) Date: Mon, 12 Aug 2019 13:15:04 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1565615709; bh=CMfYwMRG2M5s5qCBdp7xHdRfnNSSzsG79xjGYAed22M=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References: Feedback-ID:From; b=lD20sCc056fwh5KWJgbp9k+6K1ixf91SB3inwcVGVMf+amy118YVDF7mu1dDwnYK2 gwTfQ0JXASmcf52EU8Qeyx9b2/iX4gX7hfNDiCN69r7CKKLLG0GDuz3NI+ppL6IoSO fiGepjfEVVXkXH0eSJDtLYJgKhggG9MiM2BFqF5U= To: Runchao Han From: ZmnSCPxj Reply-To: ZmnSCPxj Message-ID: In-Reply-To: <419535C8-DE1D-425B-A38C-4196607E43D3@monash.edu> References: <212E8AD5-0EED-468E-8AFC-134611514CBC@monash.edu> <419535C8-DE1D-425B-A38C-4196607E43D3@monash.edu> Feedback-ID: el4j0RWPRERue64lIQeq9Y2FP-mdB86tFqjmrJyEPR9VAtMovPEo9tvgA0CrTsSHJeeyPXqnoAu6DN-R04uJUg==:Ext:ProtonMail MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, FROM_LOCAL_NOVOWEL, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Bitcoin Protocol Discussion , "jiangshan.yu@monash.edu" Subject: Re: [bitcoin-dev] OP_LOOKUP_OUTPUT proposal X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Aug 2019 13:15:12 -0000 Good morning Runchao, > Thanks for your explanation. It=E2=80=99s comprehensive. > > I think our disagreement is on the step 6. > In step 6, > > - Alice can publish or withhold the WJT tx > - Bob can wait or unilaterally close the WJT payment channel > > I see the following things: > > First, both Alice and Bob can do something on the WJT blockchain at this = stage. What will happen if they publish txs simultaneously? > For example, Alice publishes WJT tx while Bob publishes the tx closing th= e channel. I am uncertain what you refer to by the "WJT payment channel". What I am proposing here is there is a single funding transaction that will= output to a modified HTLC where hashlock is Alice+Bob while Timelock is Bo= b, spending inputs from both Alice (10,000 WJT) and Bob (1,000,000 WJT). So let me rephrase the nearest question as I understand it: * What happens when Alice broadcasts the funding tx at the same time as Bob= double-spends his 1,000,000 WJT input? As both transactions spend the same input (the 1,000,000 WJT from Bob) then= what happens depends on the miners. The miners decide which transaction is valid and gets confirmed onchain. That is the reason why we need large timeouts in the HTLC constructions: we= need to give enough time, not only to react to transactions being publishe= d, but also to have transactions become deeply confirmed. Otherwise we could have made the timelocks so small as to be practically wo= rthless as an option. > > Second, will the concurrent txs introduce some attacks? =C2=A0I guess con= current-while-conflicting txs lead to highly unpredictable behaviours. > For example, Alice or Bob uses high tx fee to bribe miners to accept her/= his tx, in order to gain some advantage on the concurrent txs? > Also, the =E2=80=9Cwhale transaction=E2=80=9D works here. Will this intro= duce some double-spending variants? Yes, that is why Alice and Bob need to wait for deep confirmations of the t= ransactions involved. Once deeply confirmed, they now know which way the protocol went and can sa= fely perform the next step (or abort the protocol). > > Third, assume Bob doesn=E2=80=99t wait any more and closes the channel. I= n this case, Bob cannot get the premium. > This is not consistent with the original American Call Option, in which B= ob should still get the premium. It does not matter, because Bob doing so *prevents* the option. Think of it this way: Suppose we were to meet face-to-face, in order for you to sell me an option= s contract. Now, suppose I agree to buy the options contract. But, while filling up the paperwork, you change your mind. Until the paperwork is properly filled up, the option does not exist. Thus, until the paperwork is properly filled,, the option is not exerciseab= le (and I should not pay anything to you since you did not push through wit= h completing the option). This is similar in effect. > > To conclude, I find this protocol highly depends on the implementation of= the payment channel as well as the expertise of participants (Alice and Bo= b) c.f. relatively low usability. > We may need a suitable payment channel implementation here. What=E2=80= =99s your opinion on the payment channel suitable for this scenario? Any payment channel has the problem of non-cooperation by the other side. I already mentioned this before. Again, this is always an issue regardless of the existence or non-existence= of an `OP_LOOKUP_OUTPUT`: you have to execute onchain activity anyway in o= rder to enforce anything offchain in case of non-cooperation, and adding in= the possibility of various attacks makes it more likely that non-cooperati= on occurs. It is the main reason why I think it is difficult to make Lightning support= multiple currencies on the same network. Usability can always be improved by proper software design; you do not worr= y about what voltage levels need to be transmitted over the wires in order = to transmit your email to me, yet you probably consider your email client q= uite usable. Regards, ZmnSCPxj