Return-Path: Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 16773C0052 for ; Sat, 5 Sep 2020 01:10:53 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 0161E86DE4 for ; Sat, 5 Sep 2020 01:10:53 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HQIc+4Aeb-Li for ; Sat, 5 Sep 2020 01:10:51 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-wr1-f46.google.com (mail-wr1-f46.google.com [209.85.221.46]) by whitealder.osuosl.org (Postfix) with ESMTPS id 2AC87869CA for ; Sat, 5 Sep 2020 01:10:51 +0000 (UTC) Received: by mail-wr1-f46.google.com with SMTP id j2so9155542wrx.7 for ; Fri, 04 Sep 2020 18:10:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/b4zIuRGimEslQqZzz/Luc6+bLzkDgNNWOPb5jwr0is=; b=Xp1U352LZkonva8Rqn4WCQyAoyrdbGDZQJb4nyoGPLLAEayhvyApiZ+2i2SYxgaYx9 /Q61WNx16iYa6g8iW+YPjsu/3A0KfGjShe6T+aOd2s0KWFP5Liym+1PNYvAbJ/JpKDX/ xrmVRVYw81ynGJ87UsN6eqVJNBWa85JY50jdazZqRwj9m3QM2C8apup5wmhnWN+yy8A6 mhdMEZtiJPNHQMBHEggNO/G4naXwcIFKbIsenVEoKSU9HF9FyjMj1Mbo4inZi2aK3Wx0 1a73F5gP6kyXsTf2srHGmyCcyEnbWcgEbq0HftEe3hEmi/+Z+VAdfWV5dJGyNg6jx0AX TLoA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/b4zIuRGimEslQqZzz/Luc6+bLzkDgNNWOPb5jwr0is=; b=Hexc9ht2TDy59suT1upPUF5GGHX1Eei65igsI+QWW4fVo85rGevght2c99koWSulax oxxbCU//ons9zkYRDil0JOifHxJ700pXjmCBS26pH4n+86B+cnDnIQhG1GgKzKDCppRo M0gByuSmFQBXRjdgWqAfhyADeMyA0e6sVQm/Q7dQTDq21SXjRsHqEcf092yxjR7BDtVm 5DciYN+fbOzA+Q5cuVpyd5sa6zdKRilpy/0L9CCCmsoWuXYmDtZe70DiWcwGDChGJHV9 MWRddRCQAiSbF7m3bXs0NGp2VU+CTdZ2A7YIEDwdQtmifxCAqPH66UXhJUvBg4Qk7YbM bCYA== X-Gm-Message-State: AOAM531O/pprAUjecwGSGH6/ZAaBq3lHeULdvxEAD+fur9g8dh5mlIs/ QwBZlN3xqb94llVHtxkiwzBXx2KhxMtKffZDDYk= X-Google-Smtp-Source: ABdhPJyH5Yvptu+Zq+MEGL20xrMPcfTqU/BHBzPV3dfBMwELAmVBWx7oPlVX1QauRPaCRXg5xNKcbOgO5F8Xt1hp7x0= X-Received: by 2002:adf:f88b:: with SMTP id u11mr9689239wrp.376.1599268249613; Fri, 04 Sep 2020 18:10:49 -0700 (PDT) MIME-Version: 1.0 References: <813e51a1-4252-08c0-d42d-5cef32f684bc@riseup.net> In-Reply-To: From: Antoine Riard Date: Fri, 4 Sep 2020 21:10:36 -0400 Message-ID: To: ZmnSCPxj Content-Type: multipart/alternative; boundary="000000000000eb39cb05ae86a712" X-Mailman-Approved-At: Sat, 05 Sep 2020 06:58:07 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Detailed protocol design for routed multi-transaction CoinSwap X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Sep 2020 01:10:53 -0000 --000000000000eb39cb05ae86a712 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Zeeman, I think one of the general problems for any participant in an interdependent chain of contracts like Lightning or CoinSwap is to avoid a disequilibrium in its local HTLC ledger. Concretely sending forward more than you receive backward. W.r.t, timelocks delta aim to enforce order of events, namely that a forward contract must be terminated before any backward contract to avoid a discrepancy in settlement. Order of events can be enforced by a) absolute timelocks and thus linearized on the same scale by blockchain ticks or b) by a counterparty to two relative-time locked contracts which observe the broadcast of the backward transaction and thus manually trigger the kickoff of forward timelock by broadcasting the corresponding transaction. With this rough model in mind, pinning an absolute or relative timelocked transaction produce the same effect, i.e breaking contracts settlement order. > This can be arranged by having one side offer partial signatures for the transaction of the other, and once completing the signature, not sharing it with the other until we are ready to actually broadcast the transaction of our own volition. > There is no transaction that both participants hold in completely-signed form I don't think that's different from the current model where you have either a valid HTLC-timeout or HTLC-Sucess tx to solve a HTLC output but never full witness material to build both ? I see a theoretical issue with RBF-range, if you're likely to lose the balance, you can broadcast your highest-RBF version thus incentivizing miners to censor counterparty claim tx. Kind of a "nothing at stake" issue. As of today, you have to take this fee out of your pocket if you want to incentivize miners to act so, not promising a fee from an ongoing disputed balance. > Private key turnover is still useful even in an absolute-timelock world. The way I understand the either-HTLC-or-private-key-turnover construction in CoinSwap is for the HTLC to serve as a security backup in case the cooperative key turnover fails. Lightning don't have this model as you don't switch funding transaction ownership. > To reduce this risk, A can instead first swap A->B->A, then when that completes, A->C->A. This limits its funding lockup to 1 week. Okay I think I understand your point. So by intermediating the chain with the taker you ensure that in case of previous hop failure, taker funds are only timelocked for the delta of this faulting hop not the whole route. But still not anchoring onchain the next route segment means that any moment the next maker can exit from the proposed position ? That's interesting, so a) you require all takers to lock their funds onchain before initiating the whole routing and you will pay more in service fees or b) you only lock them step by step but you increase risk of next hop default and thus latency. Roughly. It might be an interesting construction to explore on its own, minus the downside of producing weird spend patterns due to next hop maker bidding with another party. Cheers, Antoine Le lun. 24 ao=C3=BBt 2020 =C3=A0 23:16, ZmnSCPxj = a =C3=A9crit : > > Good morning Antoine, > > > > Note, I think this is independent of picking up either relative or > absolute timelocks as what matters is the block delta between two links. > > I believe it is quite dependent on relative locktimes. > Relative locktimes *require* a contract transaction to kick off the > relative locktime period. > On the other hand, with Scriptless Script (which we know how to do with > 2p-ECDSA only, i.e. doable pre-Taproot), absolute locktimes do not need a > contract transaction. > > With absolute locktimes + Scriptless SCript, in a single onchain PTLC, on= e > participant holds a completely-signed timelock transaction while the othe= r > participant holds a completely-signed pointlock transaction. > This can be arranged by having one side offer partial signatures for the > transaction of the other, and once completing the signature, not sharing = it > with the other until we are ready to actually broadcast the transaction o= f > our own volition. > There is no transaction that both participants hold in completely-signed > form. > > This should remove most of the shenanigans possible, and makes the 30xRBF > safe for any range of fees. > I think. > > Since for each PTLC a participant holds only its "own" transaction, it is > possible for a participant to define its range of fees for the RBF versio= ns > of the transaction it owns, without negotiation with the other participan= t. > Since the fee involved is deducted from its own transaction, each > participant can define this range of RBFed fees and impose it on the > partial signatures it gets from the other participant. > > -- > > Private key turnover is still useful even in an absolute-timelock world. > > If we need to bump up the block delta between links, it might be > impractical to have the total delta of a multi-hop swap be too long at th= e > taker. > > As a concrete example, suppose A is a taker who wants to route over maker= s > B and C. > However, B and C require a CLTV delta of 1 week. > > If A wants to route "directly" A->B->C->A, then if something bad happens, > it could be looking at having its funds locked for two weeks. > > To reduce this risk, A can instead first swap A->B->A, then when that > completes, A->C->A. > This limits its funding lockup to 1 week. > > Private key turnover is useful since as soon as the A->B->A swap > completes, it can directly fund the A->C->A swap from the B-side funding > transaction of the A->B->A swap. > > | A->B->A | A->C->A | > : : : > A -:->funding A&B--> B : : > : : : > B -:->funding A&B -----:--> funding A&C --> C : > : : : > : :C-> funding A&C ------:-> to-cold A --> > : : : > > This increases the number of transactions by 1 per swap beyond the first, > compared to a direct routing A->B->C->A, but this may be worth it for A i= f > the timelocks involved are too big for A. > > With 2p-ECDSA, a funding A&C looks exactly the same as a to-cold A, so B > is unable to reliably determine if it is the last hop in the route. > > Without private key turnover, A would have: > > **NO** private key turnover! > > | A->B->A | A->C->A | > : : : > A -:->funding A&B--> B : : > : : : > B -:->funding A&B -----:--> claim A -> funding A&C --> C : > : : : > : : C-> funding A&C ------:-> > to-cold A --> > : : : > > So if timelock-deltas are possibly-high (to reduce the probability of the > MAD-HTLC argument, and other attacks, succeeding), takers might prefer to > route by completing one swap first before starting the next one, and > private key turnover is useful by reducing blockspace required by each ho= p. > > For reference, this is how it looks like with a single A->B->C->A swap > with private key turnover: > > | A->B->C->A | > : : > A -:->funding A&B--> B : > : : > B -:->funding B&C -> C : > : : > C -:->funding A&C -----:-> to-cold A --> > : : > > This is still smaller than in the A->B->A, A->C->A with private key > turnover, by one funding tx per hop. > However, A risks a much higher timelock (twice the timelock). > Thus, A might prefer a lower timelock in exchange for paying for an > additional transaction. > > Regards, > ZmnSCPxj > --000000000000eb39cb05ae86a712 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Zeeman,

I think one of the general problems for = any participant in an interdependent chain of contracts like Lightning or C= oinSwap is to avoid a disequilibrium in its local HTLC ledger. Concretely s= ending forward more than you receive backward. W.r.t, timelocks delta aim t= o enforce order of events, namely that a forward contract must be terminate= d before any backward contract to avoid a discrepancy in settlement. Order = of events can be enforced by a) absolute timelocks and thus linearized on t= he same scale by blockchain ticks or b) by a counterparty to two relative-t= ime locked contracts which observe the broadcast of the backward transactio= n and thus manually trigger the kickoff of forward timelock by broadcasting= the corresponding transaction.

With this rough model in mind, pinni= ng an absolute or relative timelocked transaction produce the same effect, = i.e breaking contracts settlement order.

> This can be arranged b= y having one side offer partial signatures for the transaction of the other= , and once completing the signature, not sharing it with the other until we= are ready to actually broadcast the transaction of our own volition.
&g= t; There is no transaction that both participants hold in completely-signed= form

I don't think that's different from the current model = where you have either a valid HTLC-timeout or HTLC-Sucess tx to solve a HTL= C output but never full witness material to build both ?

I see a the= oretical issue with RBF-range, if you're likely to lose the balance, yo= u can broadcast your highest-RBF version thus incentivizing miners to censo= r counterparty claim tx. Kind of a "nothing at stake" issue. As o= f today, you have to take this fee out of your pocket if you want to incent= ivize miners to act so, not promising a fee from an ongoing disputed balanc= e.

> Private key turnover is still useful even in an absolute-tim= elock world.

The way I understand the either-HTLC-or-private-key-tur= nover construction in CoinSwap is for the HTLC to serve as a security backu= p in case the cooperative key turnover fails. Lightning don't have this= model as you don't switch funding transaction ownership.

> T= o reduce this risk, A can instead first swap A->B->A, then when that = completes, A->C->A.
This limits its funding lockup to 1 week.
<= br>Okay I think I understand your point. So by intermediating the chain wit= h the taker you ensure that in case of previous hop failure, taker funds ar= e only timelocked for the delta of this faulting hop not the whole route. B= ut still not anchoring onchain the next route segment means that any moment= the next maker can exit from the proposed position ?

That's int= eresting, so a) you require all takers to lock their funds onchain before i= nitiating the whole routing and you will pay more in service fees or b) you= only lock them step by step but you increase risk of next hop default and = thus latency. Roughly.
=C2=A0
It might be an interesting construction= to explore on its own, minus the downside of producing weird spend pattern= s due to next hop maker bidding with another party.

Cheers,

A= ntoine

Le=C2=A0lun. 24 ao=C3=BBt 2020 =C3=A0=C2=A023:16, ZmnSCPxj <ZmnSCPxj@protonmail.com> a = =C3=A9crit=C2=A0: