Content-Type: text/plain;
	charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
From: Johnson Lau <jl2012@xbt.hk>
In-Reply-To: <CAPv7TjYRVUGWCyFweootbMCJEkyFG4YOJ+M_N_N4j_t043bUfw@mail.gmail.com>
Date: Tue, 18 Dec 2018 04:08:55 +0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <B4234D7B-B1AA-41C3-B60B-F1E89E90A47D@xbt.hk>
References: <9F8C0789-48E9-448A-A239-DB4AFB902A00@xbt.hk>
	<CAPv7TjYRVUGWCyFweootbMCJEkyFG4YOJ+M_N_N4j_t043bUfw@mail.gmail.com>
To: Ruben Somsen <rsomsen@gmail.com>
Cc: bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Safer NOINPUT with output tagging
Precedence: list


> On 17 Dec 2018, at 11:48 PM, Ruben Somsen <rsomsen@gmail.com> wrote:
>=20
> Hi Johnson,
>=20
> The design considerations here seem similar to the ML discussion of
> whether Graftroot should be optional [1].

Yes, but the =E2=80=9Ctagging=E2=80=9D emphasises more on the payer=E2=80=99=
s side: if the payer cannot guarantee that the payee would never reuse =
the key, the payer could avoid any NOINPUT-related trouble by tagging =
properly.

>=20
>> While this seems fully compatible with eltoo, is there any other =
proposals require NOINPUT, and is adversely affected by either way of =
tagging?
>=20
> As far as I can tell it should be compatible with Statechains [2],
> since it pretty much mirrors Eltoo in setup.
>=20
> My understanding is somewhat lacking, so perhaps I am missing the
> mark, but it is not completely clear to me how this affects
> fungibility if taproot gets added and the setup and trigger tx for
> Eltoo get combined into a single transaction. Would the NOINPUT
> spending condition be hidden inside the taproot commitment?

For the design considerations I mentioned above, the tags must be =
explicit and configurable by the payer. So it couldn=E2=80=99t be hidden =
in taproot.

If you don=E2=80=99t care about fungibility, you can always tag your =
setup output, and makes it ready for NOINPUT spending. Every update will =
need 2 signatures: a NOINPUT to spend the setup output or an earlier =
update output, and a NOINPUT to settle the latest update output.

If you care about fungibility, you can=E2=80=99t tag your setup output. =
Every update will need 3 signatures: a SINGLEINPUT (aka ANYONECANPAY) to =
spend the setup output, a NOINPUT to spend an earlier update output, and =
a NOINPUT to settle the latest update output.

(Actually, as soon as you made the first update tx with SINGLEINPUT, you =
don=E2=80=99t strictly need to make any SINGLEINPUT signatures in the =
later updates again, as the first update tx (or any update with a =
SINGLEINPUT signature) could be effectively the trigger tx. While it =
makes the settlement more expensive, it also means accidentally missing =
a SINGLEINPUT signature will not lead to any fund loss. So security-wise =
it=E2=80=99s same as the always-tagging scenario.)

The most interesting observation is: you never have the need to use =
NOINPUT on an already confirmed UTXO, since nothing about a confirmed =
UTXO is mutable. And every smart contract must anchor to a confirmed =
UTXO, or the whole contract is double-spendable. So the ability to =
NOINPUT-spend a setup output should not be strictly needed. In some (but =
not all) case it might make the protocol simpler, though.

So the philosophy behind output tagging is =E2=80=9Cavoid NOINPUT at all =
cost, until it is truly unavoidable"

>=20
> Cheers,
> Ruben Somsen
>=20
> [1] =
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-May/016006.ht=
ml
> [2]  =
https://www.reddit.com/r/Bitcoin/comments/9nhjea/eli51525faq_for_statechai=
ns_offchain_transfer_of/
>=20
> On Mon, Dec 17, 2018 at 8:20 PM Johnson Lau via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>=20
>> NOINPUT is very powerful, but the tradeoff is the risks of signature =
replay. While the key holders are expected not to reuse key pair, little =
could be done to stop payers to reuse an address. Unfortunately, =
key-pair reuse has been a social and technical norm since the creation =
of Bitcoin (the first tx made in block 170 reused the previous public =
key). I don=E2=80=99t see any hope to change this norm any time soon, if =
possible at all.
>>=20
>> As the people who are designing the layer-1 protocol, we could always =
blame the payer and/or payee for their stupidity, just like those people =
laughed at victims of Ethereum dumb contracts (DAO, Parity multisig, =
etc). The existing bitcoin script language is so restrictive. It =
disallows many useful smart contracts, but at the same time prevented =
many dumb contracts. After all, =E2=80=9Csmart=E2=80=9D and =E2=80=9Cdumb=E2=
=80=9D are non-technical judgement. The DAO contract has always been =
faithfully executed. It=E2=80=99s dumb only for those invested in the =
project. For me, it was just a comedy show.
>>=20
>> So NOINPUT brings us more smart contract capacity, and at the same =
time we are one step closer to dumb contracts. The target is to find a =
design that exactly enables the smart contracts we want, while =
minimising the risks of misuse.
>>=20
>> The risk I am trying to mitigate is a payer mistakenly pay to a =
previous address with the exactly same amount, and the previous UTXO has =
been spent using NOINPUT. Accidental double payment is not uncommon. =
Even if the payee was honest and willing to refund, the money might have =
been spent with a replayed NOINPUT signature. Once people lost a =
significant amount of money this way, payers (mostly exchanges) may =
refuse to send money to anything other than P2PKH, native-P2WPKH and =
native-P2WSH (as the only 3 types without possibility of NOINPUT)
>>=20
>> The proposed solution is that an output must be =E2=80=9Ctagged=E2=80=9D=
 for it to be spendable with NOINPUT, and the =E2=80=9Ctag=E2=80=9D must =
be made explicitly by the payer. There are 2 possible ways to do the =
tagging:
>>=20
>> 1. A certain bit in the tx version must be set
>> 2. A certain bit in the scriptPubKey must be set
>>=20
>> I will analyse the pros and cons later.
>>=20
>> Using eltoo as example. The setup utxo is a simple 2-of-2 multisig, =
and should not be tagged. This makes it indistinguishable from normal =
1-of-1 utxo. The trigger tx, which spends the setup utxo, should be =
tagged, so the update txs could spend the trigger utxo with NOINPUT. =
Similarly, all update txs should be tagged, so they could be spent by =
other update txs and settlement tx with NOINPUT. As the final =
destination, there is no need to tag in the settlement tx.
>>=20
>> In payer=E2=80=99s perspective, tagging means =E2=80=9CI believe this =
address is for one-time-use only=E2=80=9D Since we can=E2=80=99t control =
how other people manage their addresses, we should never do tagging when =
paying to other people.
>>=20
>> I mentioned 2 ways of tagging, and they have pros and cons. First of =
all, tagging in either way should not complicate the eltoo protocol in =
anyway, nor bring extra block space overhead.
>>=20
>> A clear advantage of tagging with scriptPubKey is we could tag on a =
per-output basis. However, scriptPubKey tagging is only possible with =
native-segwit, not P2SH. That means we have to disallow NOINPUT in =
P2SH-segwit (Otherwise, *all* P2SH addresses would become =E2=80=9Crisky=E2=
=80=9D for payers) This should be ok for eltoo, since it has no reason =
to use P2SH-segwit in intermediate txs, which is more expensive.
>>=20
>> Another problem with scriptPubKey tagging is all the existing bech32 =
implementations will not understand the special tag, and will pay to a =
tagged address as usual. An upgrade would be needed for them to refuse =
sending to tagged addresses by default.
>>=20
>> On the other hand, tagging with tx version will also protect =
P2SH-segwit, and all existing wallets are protected by default. However, =
it is somewhat a layer violation and you could only tag all or none =
output in the same tx. Also, as Bitcoin Core has just removed the tx =
version from the UTXO database, adding it back could be a little bit =
annoying, but doable.
>>=20
>> There is an extension to the version tagging, which could make =
NOINPUT even safer. In addition to tagging requirement, NOINPUT will =
also sign the version of the previous tx. If the wallet always uses a =
randomised tx version, it makes accidental replay very unlikely. =
However, that will burn a few more bits in the tx version field.
>>=20
>> While this seems fully compatible with eltoo, is there any other =
proposals require NOINPUT, and is adversely affected by either way of =
tagging?
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev