1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
|
Return-Path: <antoine.riard@gmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id BCAC5C000E
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 12 Jul 2021 00:02:27 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp1.osuosl.org (Postfix) with ESMTP id A921C81B17
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 12 Jul 2021 00:02:27 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: smtp1.osuosl.org (amavisd-new);
dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp1.osuosl.org ([127.0.0.1])
by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id yO7cF4Ry-zTj
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 12 Jul 2021 00:02:26 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com
[IPv6:2a00:1450:4864:20::334])
by smtp1.osuosl.org (Postfix) with ESMTPS id 8867C8100F
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 12 Jul 2021 00:02:26 +0000 (UTC)
Received: by mail-wm1-x334.google.com with SMTP id w13so10166778wmc.3
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 11 Jul 2021 17:02:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=AORjHDbsT2QAlDYpViFnZzRlb3lsArt0FvM+6Q6ulrA=;
b=WM/IHOefA/3GnQPpe0H5QnBtAddR/gCsGk3NTNHCs9S5PmiUl/4CffsnAyZEyvDWsb
UlK1tQeVMpVijHgUQsXXJ+KILvNo5DBMhRMeNOBIJLzAU5dACVmynnXD67Xz8AxfkUTP
UBxCgZFO24KpjObopLJhAg2UpE5DyQCbsULVz3qlxm7QvL4SpOLy2c0AtgpPYjt9bglR
+AmrEMGugqonyTmpF8hxxmm1uJA8AbwEFx8ReKfnAS5s7RCBvUfLPBuABkVwD5NPhhVd
NQQCtc9ZPeRkDcuxtvulpa4dMcn8rsnhDzEkaL4PxSbb6vb9brA9Dcbl5nPOMJD3O4Rk
zvKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=AORjHDbsT2QAlDYpViFnZzRlb3lsArt0FvM+6Q6ulrA=;
b=hsDIU6ghWiWBWpuZzu2CDTB0vIRRqM9MMLLA5zTQdLKr/PJ8IlFWCnNr6ZRs2UaIqy
NJTHJvSdaQ5nCsdOwX1B1iV3XgBIs50brFtGj6kprdZZwPeASMv8bS6A+4WHcKuf1W3F
DLL3QjXGd7GbK/cUsRst9OElWB8OIB3rm+EBYCEKMWFYYD6T2N3EMI83twDqW5Svc6pN
DVq47ZYQfcDbEO+0vsfWbRmKNZMjeAP/V6tJIFyMVYXkYlWSeeQFT3BInvxq4dX6Kn6W
MgQEHqd/u1Co690rKVLaj/fD3Vo+xZkxaAW1D77vbZl02wRSSS85fps3k0gdqZ3vKm1o
ZMlQ==
X-Gm-Message-State: AOAM531ge/k6kGahJ1QAr4Uj5rPc3gqft3vJjYCV+2CycL+hMmN88a4t
+ivfE7Ghf/fCC8dKLdhcqpG8XbnK5IeXPWRkTkrMTcmEPxC3Jg==
X-Google-Smtp-Source: ABdhPJxGeZYYddDzU4clCmNGOKT+e7EBJu63K8SSQJCHWC5r+pJ+PVDt3ALloPC4UbPvz95NcqBZJRKwuXkv0D+mE0o=
X-Received: by 2002:a05:600c:287:: with SMTP id 7mr8122445wmk.1.1626048144555;
Sun, 11 Jul 2021 17:02:24 -0700 (PDT)
MIME-Version: 1.0
References: <CALZpt+FvLb=N5Qygs+dPmh1o9QCwXj8RoznF5n47opOq7CG_0g@mail.gmail.com>
<20210708111716.GC1339@erisian.com.au>
<CALZpt+FCCgSiRh2qAL+RM0S9Vm8s-xS3VdTAZhS9VwLcFi_1QQ@mail.gmail.com>
<20210710014732.GA5164@erisian.com.au>
In-Reply-To: <20210710014732.GA5164@erisian.com.au>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Sun, 11 Jul 2021 20:02:12 -0400
Message-ID: <CALZpt+G0uN_ek5kVre_e38OtSZ5izRUC2qb5qJC3bVkh5FV-Fw@mail.gmail.com>
To: Anthony Towns <aj@erisian.com.au>
Content-Type: multipart/alternative; boundary="0000000000000b445005c6e1d675"
X-Mailman-Approved-At: Mon, 12 Jul 2021 00:16:16 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] A Stroll through Fee-Bumping Techniques :
Input-Based vs Child-Pay-For-Parent
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2021 00:02:27 -0000
--0000000000000b445005c6e1d675
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
> So the sha256 of the span of the group doesn't commit to start and end
> -- it just serializes a vector, so commits to the number of elements,
> the order, and the elements themselves.
Gotcha wasn't clear to me that the new state pair isn't committed as part
of the annex.
Have been confused by "Introduce a new SIGHASH_GROUP flag, as an
alternative to ALL/SINGLE/NONE, that commits to each output i, start <=3D i=
<
end."
> Does the above resolve that?
I think so. It shouldn't be susceptible to any spend replay attack, as the
state pair prevents output group overlapping though you might still have to
be careful about siphoning ? Something you should already care about if you
use SIGHASH_SINGLE and your x's amount > y's value.
Le ven. 9 juil. 2021 =C3=A0 21:47, Anthony Towns <aj@erisian.com.au> a =C3=
=A9crit :
> On Fri, Jul 09, 2021 at 09:19:45AM -0400, Antoine Riard via bitcoin-dev
> wrote:
> > > The easy way to avoid O(n^2) behaviour in (3) is to disallow partial
> > > overlaps. So let's treat the tx as being distinct bundles of x-inputs
> > > and y-outputs, and we'll use the annex for grouping, since that is
> > > committed to by singatures. Call the annex field "sig_group_count".
> > > When processing inputs, setup a new state pair, (start, end), initial=
ly
> > > (0,0).
> > > When evaluating an input, lookup sig_group_count. If it's not present=
,
> > > then set start :=3D end. If it's present and 0, leave start and end
> > > unchanged. Otherwise, if it's present and greather than 0, set
> > > start :=3D end, and then set end :=3D start + sig_group_count.
> > IIUC the design rationale, the "sig_group_count" lockdowns the hashing =
of
> > outputs for a given input, thus allowing midstate reuse across signatur=
es
> > input.
>
> No midstates, the message being signed would just replace
> SIGHASH_SINGLE's:
>
> sha_single_output: the SHA256 of the corresponding output in CTxOut
> format
>
> with
>
> sha_group_outputs: the SHA256 of the serialization of the group
> outputs in CTxOut format.
>
> ie, you'd take span<CTxOut>{start,end}, serialize it (same as if it were
> a vector of just those CTxOuts), and sha256 it.
>
> > Let's say you want to combine {x_1, y_1} and {x_2, y_2} where {x, y}
> denotes
> > bundles of Lightning commitment transactions.
> > x_1 is dual-signed by Alice and Bob under the SIGHASH_GROUP flag with
> > `sig_group_count`=3D3.
> > x_2 is dual-signed by Alice and Caroll under the SIGHASH_GROUP flag, wi=
th
> > `sig_group_count`=3D2.
> > y_1 and y_2 are disjunctive.
> > At broadcast, Alice is not able to combine {x_1,y_1} and {x_2, y_2} for
> the
> > reason that x_1, x_2 are colliding on the absolute output position.
>
> So the sha256 of the span of the group doesn't commit to start and end
> -- it just serializes a vector, so commits to the number of elements,
> the order, and the elements themselves. So you're taking serialize(y_1)
> and serialize(y_2), and each of x_1 signs against the former, and each
> of x_2 signs against the latter.
>
> (Note that the annex for x_1_0 specifies sig_group_count=3Dlen(y_1)
> and the annex for x_1_{1..} specifies sig_group_count=3D0, for "reuse
> previous input's group", and the signatures for each input commit to
> the annex anyway)
>
> > One fix could be to skim the "end > num_ouputs" semantic,
>
> That's only there to ensure the span doesn't go out of range, so I don't
> think it makes any sense to skip it?
>
> > I think this SIGHASH_GROUP proposal might solve other use-cases, but if=
I
> > understand the semantics correctly, it doesn't seem to achieve the batc=
h
> > fee-bumping of multiple Lightning commitment with O(1) onchain footprin=
t
> I was
> > thinking of for IOMAP...
>
> Does the above resolve that?
>
> Cheers,
> aj
>
>
--0000000000000b445005c6e1d675
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">> So the sha256 of the span of the group doesn't co=
mmit to start and end<br>> -- it just serializes a vector, so commits to=
the number of elements,<br>> the order, and the elements themselves.<br=
><br>Gotcha wasn't clear to me that the new state pair isn't commit=
ted as part of the annex.<br><br>Have been confused by "Introduce a ne=
w SIGHASH_GROUP flag, as an alternative to ALL/SINGLE/NONE, that commits to=
each output i, start <=3D i < end."<br><br>> Does the above =
resolve that?<br><br>I think so. It shouldn't be susceptible to any spe=
nd replay attack, as the state pair prevents output group overlapping thoug=
h you might still have to be careful about siphoning ? Something you should=
already care about if you use SIGHASH_SINGLE and your x's amount > =
y's value.<br></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" cla=
ss=3D"gmail_attr">Le=C2=A0ven. 9 juil. 2021 =C3=A0=C2=A021:47, Anthony Town=
s <<a href=3D"mailto:aj@erisian.com.au">aj@erisian.com.au</a>> a =C3=
=A9crit=C2=A0:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">O=
n Fri, Jul 09, 2021 at 09:19:45AM -0400, Antoine Riard via bitcoin-dev wrot=
e:<br>
> > The easy way to avoid O(n^2) behaviour in (3) is to disallow part=
ial<br>
> > overlaps. So let's treat the tx as being distinct bundles of =
x-inputs<br>
> > and y-outputs, and we'll use the annex for grouping, since th=
at is<br>
> > committed to by singatures. Call the annex field "sig_group_=
count".<br>
> > When processing inputs, setup a new state pair, (start, end), ini=
tially<br>
> > (0,0).<br>
> > When evaluating an input, lookup sig_group_count. If it's not=
present,<br>
> > then set start :=3D end. If it's present and 0, leave start a=
nd end<br>
> > unchanged. Otherwise, if it's present and greather than 0, se=
t<br>
> > start :=3D end, and then set end :=3D start + sig_group_count.<br=
>
> IIUC the design rationale, the "sig_group_count" lockdowns t=
he hashing of<br>
> outputs for a given input, thus allowing midstate reuse across signatu=
res<br>
> input.<br>
<br>
No midstates, the message being signed would just replace<br>
SIGHASH_SINGLE's:<br>
<br>
=C2=A0 sha_single_output: the SHA256 of the corresponding output in CTxOut<=
br>
=C2=A0 format<br>
<br>
with<br>
<br>
=C2=A0 sha_group_outputs: the SHA256 of the serialization of the group<br>
=C2=A0 outputs in CTxOut format.<br>
<br>
ie, you'd take span<CTxOut>{start,end}, serialize it (same as if =
it were<br>
a vector of just those CTxOuts), and sha256 it.<br>
<br>
> Let's say you want to combine {x_1, y_1} and {x_2, y_2} where {x, =
y} denotes<br>
> bundles of Lightning commitment transactions.<br>
> x_1 is dual-signed by Alice and Bob under the SIGHASH_GROUP flag with<=
br>
> `sig_group_count`=3D3.<br>
> x_2 is dual-signed by Alice and Caroll under the SIGHASH_GROUP flag, w=
ith<br>
> `sig_group_count`=3D2.<br>
> y_1 and y_2 are disjunctive.<br>
> At broadcast, Alice is not able to combine {x_1,y_1} and {x_2, y_2} fo=
r the<br>
> reason that x_1, x_2 are colliding on the absolute output position.<br=
>
<br>
So the sha256 of the span of the group doesn't commit to start and end<=
br>
-- it just serializes a vector, so commits to the number of elements,<br>
the order, and the elements themselves. So you're taking serialize(y_1)=
<br>
and serialize(y_2), and each of x_1 signs against the former, and each<br>
of x_2 signs against the latter.<br>
<br>
(Note that the annex for x_1_0 specifies sig_group_count=3Dlen(y_1)<br>
and the annex for x_1_{1..} specifies sig_group_count=3D0, for "reuse<=
br>
previous input's group", and the signatures for each input commit =
to<br>
the annex anyway)<br>
<br>
> One fix could be to skim the "end > num_ouputs" semantic,=
<br>
<br>
That's only there to ensure the span doesn't go out of range, so I =
don't<br>
think it makes any sense to skip it?<br>
<br>
> I think this SIGHASH_GROUP proposal might solve other use-cases, but i=
f I<br>
> understand the semantics correctly, it doesn't seem to achieve the=
batch<br>
> fee-bumping of multiple Lightning commitment with O(1) onchain footpri=
nt I was<br>
> thinking of for IOMAP...<br>
<br>
Does the above resolve that?<br>
<br>
Cheers,<br>
aj<br>
<br>
</blockquote></div>
--0000000000000b445005c6e1d675--
|
