Date: Sat, 13 Jun 2020 01:20:16 +0000
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Reply-To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <7BPgx65Eh5HE5wLIqeG9G-bdsxxkDJJIzcyOJvS6_FIxXfA10sbFe5dfwQDNiEOExZ9Y72lHq88lKzcBRIFnYGFY5I2vwk6Dg7BcCMjmS2Y=@protonmail.com>
In-Reply-To: <m-yAKsQ52s-bYOrtEXVwETAcJ8sSbJt0k9WDN1ueidJ01IaEHRJtq9Odffmz_2utLxPfmI418x58aFc3vKBpOD2FKqgeCUAn1mvI1OSyGRY=@protonmail.com>
References: <CALZpt+FqAWCAqCLF2HsajL84sOvst_X9_34bb_tvUxLFw=HTAA@mail.gmail.com>
 <7cWQJzkWNEZCI2fYYrJCFxrmGfDGFAtsOyGpXRmB-g4Qhm2jzhyxLtuOIpJAr2CMJjAjri12lmR-h96ev3NWqaTgDtc_NN0yhyVxuIlBuzU=@protonmail.com>
 <CALZpt+EsACbq1QM9MFkC63_gDXW0vHfeTjXc7C9r4+2-1WKAJw@mail.gmail.com>
 <m-yAKsQ52s-bYOrtEXVwETAcJ8sSbJt0k9WDN1ueidJ01IaEHRJtq9Odffmz_2utLxPfmI418x58aFc3vKBpOD2FKqgeCUAn1mvI1OSyGRY=@protonmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [bitcoin-dev] CoinPool,
	exploring generic payment pools for Fun and Privacy
Precedence: list

Good morning Antoine,

By dropping the requirement that a participant can seamlessly leave the Coi=
nPool, it allows participants to split up their coins among new aliases and=
 to use a different identity for later claiming coins.
With WabiSabi, none of the other participants can get a mapping between cur=
rent-state aliases and the actual participants.

Now, in order to authorize moving coins from an output on the current state=
 to a new output on the next state, obviously the pool needs to get a signa=
ture from its current owner.
Ideally, we would not want to have to implement SCRIPT inside the CoinPool =
software.

And with Taproot, a pubkey can hide one or more SCRIPTs.
If we use pubkeys as the identities of owners of coins, then it allows an a=
lias to encode a SCRIPT.

With the combination of both features, we can instantiate HTLCs (or, with `=
SIGHASH_ANYPREVOUT`, PTLCs) inside a CoinPool "alias" pubkey identity, allo=
wing for interoperation with LN.

Now suppose I have 1.0 BTC in a CoinPool.
I want to make an HTLC with you (hashlocked to you, timelocked to me), for =
0.5 BTC.

I encode the HTLC SCRIPT, and put it into a Taproot whose internal pubkey i=
s a MuSig of fresh identities of mine and yours.

Then, inside the CoinPool, I split my 1.0BTC to a 0.5BTC coin to a fresh id=
entity of mine, and 0.5BTC to our HTLC Taproot.

If you can acquire the hash, you give it to me, and I am supposed to hand y=
ou a partial signature share to the HTLC Taproot that you can later complet=
e and present to the CoinPool in the next update round in order to get the =
HTLC value.
If I do not hand you the signature share even after you hand the hash, you =
just drop the entire CoinPool onchain, instantiating the HTLC Taproot outpu=
t onchain, and using the SCRIPT branch to claim using the hash you know.

If the timelock expires, I ask you to hand over your partial signature to t=
he HTLC Taproot that I can later complete and present to the CoinPool in th=
e next update round to recover the HTLC value.
If you do not hand over the signature share, I drop the CoinPool onchain, w=
hich instantiates the HTLC Taproot output onchain, and use the SCRIPT branc=
h to claim using the timelock branch.

You can also ask to abort the HTLC "early", before the timelock expires, by=
 handing over your partial signature to the HTLC Taproot, which I can later=
 complete and present to the CoinPool in the next update round.
This is equivalent to `update_fail_htlc` in the current LN BOLT spec.

This allows operation of any SCRIPT, incidentally, without requiring that C=
oinPool software include a SCRIPT interpreter, only signature validation.
Any time an output absolutely needs a SCRIPT, we just drop the CoinPool onc=
hain and let onchain handle the SCRIPT interpretation.

Regards,
ZmnSCPxj