Return-Path: <ZmnSCPxj@protonmail.com>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])
 by lists.linuxfoundation.org (Postfix) with ESMTP id A2884C0032
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 12 Sep 2023 09:41:53 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp3.osuosl.org (Postfix) with ESMTP id 89FF5610CD
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 12 Sep 2023 09:41:53 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 89FF5610CD
Authentication-Results: smtp3.osuosl.org;
 dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com
 header.a=rsa-sha256 header.s=protonmail3 header.b=F8YmT6MQ
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -0.599
X-Spam-Level: 
X-Spam-Status: No, score=-0.599 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, BITCOIN_OBFU_SUBJ=1, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, RCVD_IN_MSPIKE_H5=0.001,
 RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
 autolearn=no autolearn_force=no
Received: from smtp3.osuosl.org ([127.0.0.1])
 by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 2f_YO6BPBOW6
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 12 Sep 2023 09:41:52 +0000 (UTC)
Received: from mail-4319.protonmail.ch (mail-4319.protonmail.ch [185.70.43.19])
 by smtp3.osuosl.org (Postfix) with ESMTPS id B66C060B0B
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 12 Sep 2023 09:41:52 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org B66C060B0B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=protonmail3; t=1694511710; x=1694770910;
 bh=36F/4Mek9x1bP/JBsT+s65Sqc2urWIjb5/tBEBA9kzc=;
 h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
 Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
 Message-ID:BIMI-Selector;
 b=F8YmT6MQJfiFXttCL9lLRob98QDeXmtudw27gsiZSY5hs4MeFT/UlmnK+wbhqAH2e
 XrBxkajlHz3WO2YbZYgzTiqALMxPIwZp9cx0uWXJN5xIF+YtfwJvnY2nQi0B1VGq/X
 AnH636azGioKko56VAcSnxteF1dFSI9dhAb1uRtZyCRVrps1SjejK6uM9XJivijWYv
 Pnm6LQPU3Ipfjqx9iroiFrmm1NrAZzEldcl+hfnm96nITuieESEDFEnueY9Tm7UXTp
 X0pu2inb6ZZon6dkMwkAGuuj7x+gYyTwq/SRCYd4xvhDts9dO23GlLn7WISoRe+cjG
 L7nheTFRGiaaA==
Date: Tue, 12 Sep 2023 09:41:18 +0000
To: Antoine Riard <antoine.riard@gmail.com>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <6iN_WxykhKvHyD1bZRwbbPnePA36zekfcmUFDAchzjw6j7uSYXVmhrHRBhvAU-igU4AAGAggcV1FI9ScujGOZN8fN1GRZWN5u8rs1FMpSCQ=@protonmail.com>
In-Reply-To: <CALZpt+ECDxM5mD3e0UjsS+r+E+xYLim-yUYoJ_P9Vpjk32_pPA@mail.gmail.com>
References: <3G-PTmIOM96I32Sh_uJQqQlv8pf81bEbIvH9GNphyj0429Pan9dQEOez69bgrDzJunXaC9d2O5HWPmBQfQojo67mKQd7TOAljBFL3pI2Dbo=@protonmail.com>
 <CALZpt+ECDxM5mD3e0UjsS+r+E+xYLim-yUYoJ_P9Vpjk32_pPA@mail.gmail.com>
Feedback-ID: 2872618:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Actuarial System To Reduce Interactivity In
	N-of-N (N > 2) Multiparticipant Offchain Mechanisms
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2023 09:41:53 -0000

Good morning Antoine,


> Hi Zeeman
>=20
> > What we can do is to add the actuary to the contract that
> > controls the funds, but with the condition that the
> > actuary signature has a specific `R`.
>=20
> > As we know, `R` reuse --- creating a new signature for a
> > different message but the same `R` --- will leak the
> > private key.
>=20
> > The actuary can be forced to put up an onchain bond.
> > The bond can be spent using the private key of the actuary.
> > If the actuary signs a transaction once, with a fixed `R`,
> > then its private key is still safe.
>=20
> > However, if the actuary signs one transaction that spends
> > some transaction output, and then signs a different
> > transaction that spends the same transaction output, both
> > signatures need to use the same fixed `R`.
> > Because of the `R` reuse, this lets anyone who expected
> > one transaction to be confirmed, but finds that the other
> > one was confirmed, to derive the secret key of the
> > actuary from the two signatures, and then slash the bond
> > of the actuary.
>=20
> From my understanding, if an off-chain state N1 with a negotiated group o=
f 40 is halted in the middle of the actuary's R reveals due to the 40th par=
ticipant non-interactivity, there is no guarantee than a new off-chain stat=
e N1' with a new negotiated group of 39 (from which evicted 40th's output i=
s absent) do not re-use R reveals on N1. So for the actuary bond security, =
I think the R reveal should only happen once all the group participants hav=
e revealed their own signature. It sounds like some loose interactivity is =
still assumed, i.e all the non-actuary participants must be online at the s=
ame time, and lack of contribution is to blame as you have a "flat" off-cha=
in construction (i.e no layering of the promised off-chain outputs in subgr=
oups to lower novation interactivity).

Yes, there is some loose interactivity assumed.

However:

* The actuary is always online and can gather signatures for the next state=
 in parallel with signing new transactions on top of the next state.
  * This is why `SIGHASH_ANYPREVOUT` is needed, as the transactions on top =
of the next state might spend either the actual next state (if the next sta=
te is successfully signed), or the current state plus additional transactio=
ns (i.e. the transaction that move from current state to next state) (if th=
e next state fails to get fully signed and the participants decide to give =
up on the next state getting signed).

> More fundamentally, I think this actuarial system does not solve the "mul=
ti-party off-chain state correction" problem as there is no guarantee that =
the actuary does not slash the bond itself. And if the bond is guarded by u=
sers' pubkeys, there is no guarantee that the user will cooperate after the=
 actuary equivocation is committed to sign a "fair" slashing transaction.

Indeed.

One can consider that the participants other than the actuary would generat=
e a single public key known by the participants.
But then only one sockpuppet of the actuary is needed to add to the partici=
pant set.

Basically, the big issue is that the actuary needs to bond a significant am=
ount of funds to each participant, and that bond is not part of the funding=
 of the construction.

Other ways of ensuring single-use can be replaced, if that is possible.
Do you know of any?

Regards,
ZmnSCPxj