Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 719F9E7A for ; Fri, 21 Dec 2018 15:37:25 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from sender-of-o51.zoho.com (sender-of-o51.zoho.com [135.84.80.216]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id CB9AD177 for ; Fri, 21 Dec 2018 15:37:24 +0000 (UTC) ARC-Seal: i=1; a=rsa-sha256; t=1545406632; cv=none; d=zoho.com; s=zohoarc; b=jvW2ni5BfSCvlYxacasyT7g+cIGHBFCboKDt6cyniP/9jgsNOAVQYYETT8ry12OjJvHcIRTgApVe6xZvDagXIgTnmGXKKBV1FjdUPKGWtT/belbZ1r+D5c5SU1fyNu/VjrDaTU3oR4v0Bc9U/EXfpy5c+vRPagHopDZWTgXgGlo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1545406632; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To:ARC-Authentication-Results; bh=Z7ZmYzRIH7rN64Vktjyq+kC/C8q33ymPoNw1vh6y9OY=; b=ZBZIcmGCaDe30EdNUVzQPPmt2rRWZPXDciTPbg9/lvVaV08kw7ki4awn8QEEZH56zYdI6gMwfTg5yfBzcfzZJGFfaHbQ6z4ECmIU7wiKTgiYyniHm1InVYHA9F+r5sDfzNST8K8srqDCU4bKM2ma5KxcTI9VxkLH6A0qOdhfCUc= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass header.i=xbt.hk; spf=pass smtp.mailfrom=jl2012@xbt.hk; dmarc=pass header.from= header.from= Received: from [10.8.0.105] (n218103234118.netvigator.com [218.103.234.118]) by mx.zohomail.com with SMTPS id 1545406631564256.77185132031; Fri, 21 Dec 2018 07:37:11 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\)) From: Johnson Lau In-Reply-To: <8z5NQkaOUo9z-wdBphQtZrxIf7OCtVQFvK3neMWvcRsngld5XJs-vt7CLuY46ZOp_pX8gEd92pMdkEkp8CUOMH9lUTw5ocWsbDPiaKdSa2I=@protonmail.com> Date: Fri, 21 Dec 2018 23:37:05 +0800 Content-Transfer-Encoding: quoted-printable Message-Id: <34B38940-524D-42B9-8A67-6A62DCE04665@xbt.hk> References: <9F8C0789-48E9-448A-A239-DB4AFB902A00@xbt.hk> <8z5NQkaOUo9z-wdBphQtZrxIf7OCtVQFvK3neMWvcRsngld5XJs-vt7CLuY46ZOp_pX8gEd92pMdkEkp8CUOMH9lUTw5ocWsbDPiaKdSa2I=@protonmail.com> To: ZmnSCPxj X-Mailer: Apple Mail (2.3445.100.39) X-ZohoMailClient: External X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Fri, 21 Dec 2018 23:30:36 +0000 Cc: bitcoin-dev Subject: Re: [bitcoin-dev] Safer NOINPUT with output tagging X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Dec 2018 15:37:25 -0000 > On 21 Dec 2018, at 7:40 PM, ZmnSCPxj wrote: >=20 > Good morning Johnson, >=20 >> The proposed solution is that an output must be =E2=80=9Ctagged=E2=80=9D= for it to be spendable with NOINPUT, and the =E2=80=9Ctag=E2=80=9D must = be made explicitly by the payer. There are 2 possible ways to do the = tagging: >=20 > First off, this is a very good idea I think. >=20 >=20 >> While this seems fully compatible with eltoo, is there any other = proposals require NOINPUT, and is adversely affected by either way of = tagging? >=20 >=20 > It prevents use of SIGHASH_NOINPUT to support walletless offchain = protocols. > = https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-May/015925.ht= ml > = https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-May/015926.ht= ml >=20 > In brief, this idea of "walletless offchain software" is motivated by = the fact, that various onchain wallets exist with many features. > For instance, privacy-enhancement as in Samourai/Wasabi/etc. > And so on. > There are requests to include such features in e.g. Lightning = software, for example: = https://github.com/ElementsProject/lightning/issues/2105 > But it is enough of a challenge to implement Lightning, without the = additional burden of implementing nice onchain features like coin = control and change labelling. >=20 > It would be best if we can retain features from an onchain wallet, = while using our coin on an offchain system. > Further, it would allow onchain wallet developers to focus and gain = expertise on onchain wallet features, and, vice versa, for offchain = walletless software developers to focus on offchain software features. >=20 > The core idea comes from the way that offchain systems need to be set = up: >=20 > 1. First we agree on a (currently unconfirmed) txid and output number = on which to anchor our offchain system (the funding transaction). > 2. Then we sign a backout transaction (the initial commitment = transactions under Poon-Dryja, or the timelock branches for CoinSwapCS, = or the initial kickoff-settlement transactions for = Decker-Russell-Osuntokun) spending the agreed TXO, to return the money = back to the owner(s) in case some participant aborts the setting up of = the offchain system. > 3. Then we sign and broadcast the funding transaction. >=20 > Unfortunately, the typical onchain wallet has a very simple and atomic = (uncuttable) process for making transactions: >=20 > 1. Make, sign, and broadcast transaction with an output paying to the = desired address. >=20 > Thus a typical onchain wallet cannot be used to set up a funding = transaction for an offchain system. >=20 > Now suppose we take advantage of `SIGHASH_NOINPUT`, and modify our = offchain system setup as below: >=20 > 1. First we agree on a N-of-N pubkey on which to anchor our offchain = system (the funding address). > 2. Then we sign (with SIGHASH_NOINPUT) a backout transaction (the = initial commitment transactions under Poon-Dryja, or the timelock = branches for CoinSwapCS, or the initial kickoff-settlement transactions = for Decker-Russell-Osuntokun), spending the agreed funding address, to = return the money back to the owner(s) in case some participant aborts = the setting up of the offchain system. > 3. Make, sign, and broadcast transaction with an output paying to the = funding address. This step can be done by any typical onchain wallet. >=20 > Note that only the starting backout transaction is *required* to sign = with `SIGHASH_NOINPUT`. > For instance, a Poon-Dryja channel may sign succeeding commitment = transactions with `SIGHASH_ALL`. > Finally, only in case of disaster (some participant aborts before the = offchain system is set up) is the `SIGHASH_NOINPUT` backoff transaction = broadcasted. > A "normal close" of the offchain system can be signed with typical = `SIGHASH_ALL` for no fungibility problems. >=20 > With this, an offchain system need not require its implementing = software to implement its own wallet. > Further, onchain wallets can directly put its funds into an offchain = system, without requiring an onchain transfer to an offchain software = wallet. >=20 > This can be helpful when building overall software. > We might take any commodity onchain wallet and any commodity offchain = software, and we can integrate them easily to create a seamless wallet = experience that allows spending and receiving onchain and offchain. > Further, improvements in one software component do not require = re-building of the other software component. >=20 > -- >=20 > That said: >=20 > 1. For Lightning and similar systems, the fact that the Lightning = node will give you an address that, when paid using any commodity = onchain wallet, opens a channel, means that people will make wrong = assumptions. > In particular, they are likely to assume that address reuse is safe = and will attempt to "refill" their channel by paying to the same address = again in the future. > =46rom this alone, we can immediately see that this idea is = pointless. > 2. Dual-funding, which for some reason is asked for as a feature, = cannot be done with this anyway. > 3. It may be better to provide some standard way of signing = transactions without broadcasting them. > This would still allow similar separation of concerns between = onchain and offchain software components. >=20 > So output tagging still seems fine to me, even if this particular use = cannot be supported. >=20 > Regards, > ZmnSCPxj >=20 >=20 Generally speaking, I think walletless protocol is needed only when you = want to rely a third party to open a offchain smart contract. It could = be coinswap, eltoo, or anything similar. However, since NOINPUT still commits to the input value, if the third = party paid an unexpected value, even off by 1 satoshi, the smart = contract is toast. It is not uncommon as some exchanges would deduct = fees from withdrawal amount. Since we don=E2=80=99t have a social norm = to require the payer to always pay the exact requested amount, the = exchange might not be liable for the loss. It is of course possible to have a NOINPUT_NOAMOUNT, but I can=E2=80=99t = see any chance for this being accepted. So, unless the payer is liable for paying a wrong amount, walletless = contract opening is unreliable. Johnson=