Return-Path: Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 78BA7C0177 for ; Thu, 26 Mar 2020 18:53:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id 6354920444 for ; Thu, 26 Mar 2020 18:53:28 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fY8MxouOSjA3 for ; Thu, 26 Mar 2020 18:53:26 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-oi1-f193.google.com (mail-oi1-f193.google.com [209.85.167.193]) by silver.osuosl.org (Postfix) with ESMTPS id 2C79420413 for ; Thu, 26 Mar 2020 18:53:26 +0000 (UTC) Received: by mail-oi1-f193.google.com with SMTP id y71so6494141oia.7 for ; Thu, 26 Mar 2020 11:53:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Zt9y/fSkxdaG5CdxlpEwWcbOmTN69QWBqoN4IctaFjw=; b=Bs7UrE8X33OB409MjGVobu14d6wd3c/Ehw4zMas5bSIP7RbBKrHyb4E+EaaD5aujDL mE5Kyak2uscMytbA9oH1mzhrf5hfzlCibgvpTIa5zu1quBZH5KpsQSev91vYGT1Xw5p4 PEBsVU7D9SeXs2lkrzhKDyM9PZGiOh1WXxDKWF6KHcF4ypLkyeVpL4R6aLPvt9h0XvvB jufAgODLkYc/EivsXQndfRITKtUuAuooYmzuhs8LqzztAVpvIWLz0Myo4SkN4wK7I5+g xLIT/T6DZUgIEndtjtIoDVp8y75j3ogiQG5/Yi1FuPO0XSeFk1GXrJwDm0S4r2r8v95d +zRw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Zt9y/fSkxdaG5CdxlpEwWcbOmTN69QWBqoN4IctaFjw=; b=ulzfSgtObnf6xyz+AD0e9tk9orIAvjvwbzBhUfEjfhg92Gh4YSDkitiGYJePnMLFlo N7XdF1vm0E9X3lD/Ovz7gXR9WAmIkgDAmi36juFA1cZpEDZYwgNtxT2qhoRUfxUgfBzt V4sb6SMc9QHT18GNwv4yhcf1Vr9sCyWxq3rwsKZ09LkcK4MirSviUwx9UYrKvh3swR9J R0KITEvqWZ/VJMuX1ln7DHXp8YygM2kyN6Inob77nW0PZ62kdiAxke3NH0S9W+fADrm2 ftF06x3Rtgoam15dmLUSGrAQ1fNKXz9+iDsJ5jqAY3qg6NoOTpyFPPfgtLecx0kfiMSz j2wQ== X-Gm-Message-State: ANhLgQ22v5fe3Cfv1d94jBTnRsgx/4jPcEZm5dxw6hTEG9mMKCaewvHN NAsfuQRweVLdUfOBEGIW590mYZshrCzecFxdsrk= X-Google-Smtp-Source: ADFU+vs2ZgohTTTpVDKC2f6HUFtwj3SQaPSjSmMUxmvWJEdxAzjWAE/8BxAcU277PeH2xbzGT4m7aGtStEcLFOY8DCA= X-Received: by 2002:aca:adc7:: with SMTP id w190mr1304045oie.42.1585248805279; Thu, 26 Mar 2020 11:53:25 -0700 (PDT) MIME-Version: 1.0 References: <79753214-9d5e-40c7-97ac-1d4e9ea3c64e@www.fastmail.com> <87369v6nw3.fsf@gmail.com> In-Reply-To: From: Ruben Somsen Date: Thu, 26 Mar 2020 19:53:13 +0100 Message-ID: To: Christian Decker Content-Type: multipart/alternative; boundary="000000000000eb5c2d05a1c67f9d" X-Mailman-Approved-At: Thu, 26 Mar 2020 18:53:58 +0000 Cc: Bitcoin Protocol Discussion , tom@commerceblock.com, Greg Sanders Subject: Re: [bitcoin-dev] Statechain implementations X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Mar 2020 18:53:28 -0000 --000000000000eb5c2d05a1c67f9d Content-Type: text/plain; charset="UTF-8" Hey Christian, Thanks for chiming in :) >It might be worth adopting the late fee binding we have in eltoo That is where my thinking originally went as well, but then I remembered that this alters the txid, causing the settlement tx to become invalid. What I am suggesting should be functionally the same (albeit less space-efficient): a secondary output that can be spent by anyone, which can be used to fee bump the kickoff tx with CPFP. I believe this same idea was considered for Lightning as well at some point. Do you happen to recall if there was some kind of non-standardness issue with it? >Wouldn't that result in a changing pubkey at each update, and thus require an onchain move to be committed? I have yet to take a closer look at the math, but my understanding is that the same key (x) gets redistributed. First x = s1 + o1 and after the transfer x = s2 + o2 (not the actual math, but it demonstrates how the transitory key can change from o1 to o2). Assuming s1 is then thrown away (trust assumption), o1 becomes harmless information. Cheers, Ruben On Thu, Mar 26, 2020 at 6:17 PM Greg Sanders wrote: > > Wouldn't that result in a changing pubkey at each update, and thus > require an onchain move to be committed? > > Suggestion was in line with original proposal where no keys are changing > ever, just not presupposing existence of MuSig. > > On Thu, Mar 26, 2020 at 1:15 PM Christian Decker via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > >> Ruben Somsen via bitcoin-dev >> writes: >> > Regarding modification 1, I agree with ZmnSCPxj that >> > Decker-Wattenhofer is your next best option, given that eltoo is not >> > yet available. But if you are going to use a kickoff transaction, keep >> > in mind that every previous owner will have a copy of it. Because of >> > this, you can't include a fee, and will instead need to have a second >> > output for CPFP. This way a previous owner will at least have to pay >> > the fee if they want to publish it. Note that it's still an >> > improvement, because even if the kickoff transaction gets posted, it >> > basically becomes no different than what it would have been, had you >> > not used a kickoff transaction at all. >> >> It might be worth adopting the late fee binding we have in eltoo by >> having the kickoff transaction input spending the funding tx signed with >> sighash_single. This works because we only have 1 input and 1 output >> that we really care about, and can allow others to attach fees at >> will. That'd at least remove the need to guess the feerate days or >> months in advance and thus having to overestimate. >> >> > Regarding modification 2, I like it a lot conceptually. It hadn't >> > occurred to me before, and it's a clear security improvement. The only >> > question is something Greg Sanders mentioned: whether it's enough to >> > justify the added complexity of using 2P ECDSA. The alternative would >> > be to simply use a regular 2-of-2 multisig (until Schnorr arrives, >> > possibly). >> >> Wouldn't that result in a changing pubkey at each update, and thus >> require an onchain move to be committed? >> >> > I'm looking forward to seeing statechains become a reality. >> >> That'd indeed be great :-) >> >> Cheers, >> Christian >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists.linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > --000000000000eb5c2d05a1c67f9d Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hey Christian,

Thanks for ch= iming in :)

>It might be worth adopting the late fee= binding we have in eltoo

That is where my thinking = originally went as well, but then I remembered that this alters the txid, c= ausing the settlement tx to become invalid. What I am suggesting should be = functionally the same (albeit less space-efficient): a secondary output tha= t can be spent by anyone, which can be used to fee bump the kickoff tx with= CPFP. I believe this same idea was considered for Lightning as well at som= e point. Do you happen to recall if there was some kind of non-standardness= issue with it?

>Wouldn't that result in a = changing pubkey at each update, and thus require an onchain move to be comm= itted?

I have yet to take a closer look at the= math, but my understanding is that the same key (x) gets redistributed. Fi= rst x =3D s1=C2=A0+ o1 and after the transfer x =3D s2=C2=A0+ o2 (not the a= ctual math, but it demonstrates how the transitory key can change from o1 t= o o2). Assuming s1 is then thrown away (trust assumption), o1 becomes harml= ess information.

Cheers,
Ruben

On T= hu, Mar 26, 2020 at 6:17 PM Greg Sanders <gsanders87@gmail.com> wrote:
> Wouldn't that resul= t in a changing pubkey at each update, and thus
require an onchain move = to be committed?

Suggestion was in line with original pr= oposal where no keys are changing ever, just not presupposing existence of = MuSig.

On Thu, Mar 26, 2020 at 1:15 PM Christian Decker via bitcoin-de= v <bitcoin-dev@lists.linuxfoundation.org> wrote:
Ruben Somsen via bitcoin-dev <= ;bitcoin-dev@lists.linuxfoundation.org>
writes:
> Regarding modification 1, I agree with ZmnSCPxj that
> Decker-Wattenhofer is your next best option, given that eltoo is not > yet available. But if you are going to use a kickoff transaction, keep=
> in mind that every previous owner will have a copy of it. Because of > this, you can't include a fee, and will instead need to have a sec= ond
> output for CPFP. This way a previous owner will at least have to pay > the fee if they want to publish it. Note that it's still an
> improvement, because even if the kickoff transaction gets posted, it > basically becomes no different than what it would have been, had you > not used a kickoff transaction at all.

It might be worth adopting the late fee binding we have in eltoo by
having the kickoff transaction input spending the funding tx signed with sighash_single. This works because we only have 1 input and 1 output
that we really care about, and can allow others to attach fees at
will. That'd at least remove the need to guess the feerate days or
months in advance and thus having to overestimate.=C2=A0

> Regarding modification 2, I like it a lot conceptually. It hadn't<= br> > occurred to me before, and it's a clear security improvement. The = only
> question is something Greg Sanders mentioned: whether it's enough = to
> justify the added complexity of using 2P ECDSA. The alternative would<= br> > be to simply use a regular 2-of-2 multisig (until Schnorr arrives,
> possibly).

Wouldn't that result in a changing pubkey at each update, and thus
require an onchain move to be committed?

> I'm looking forward to seeing statechains become a reality.

That'd indeed be great :-)

Cheers,
Christian
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--000000000000eb5c2d05a1c67f9d--