summaryrefslogtreecommitdiff
path: root/88/467a814c39813ef2f9c035e10f63b61f21811d
blob: 1058e2b435d56a12325e7b949822676de7fdea86 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
Return-Path: <zachgrw@gmail.com>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])
 by lists.linuxfoundation.org (Postfix) with ESMTP id F1909C000E
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 28 Jul 2021 04:57:46 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp4.osuosl.org (Postfix) with ESMTP id CC455405B6
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 28 Jul 2021 04:57:46 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: smtp4.osuosl.org (amavisd-new);
 dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp4.osuosl.org ([127.0.0.1])
 by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id DINLfGRacICG
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 28 Jul 2021 04:57:45 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com
 [IPv6:2607:f8b0:4864:20::12f])
 by smtp4.osuosl.org (Postfix) with ESMTPS id 0C243404C1
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 28 Jul 2021 04:57:44 +0000 (UTC)
Received: by mail-il1-x12f.google.com with SMTP id u7so1486329ilj.8
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 27 Jul 2021 21:57:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=cxzNtpILMb50fXDKYFB73X1327ArWgi0SDw3vrvbpSo=;
 b=CYYhNusnfVkXRL1pGkv5cbSgy77nFfVDGQNf6LYlfV0xmzXX4Blngn1bgPrpc0gKiW
 tCtgqJB2w9y5nSpnMh2fZOWhZYWvxXk4Ud7d2uAPy1fHhleq13gVe6tBQoXtzsCbyjCA
 iyDA/kZgYrjGuUWBbtHCSAPGNlpgnyvaI/bqnLZ3Bj9sRGt17CdXbxZSTONSgmLvLOOm
 5izK6OVoCi0ExyXbBOyO4VJVtVHVDLZCz0RMUARMhJBUJRYunqvGt0cYI+9Ake6k3IGB
 /ld6u0hoMpuIgvedbtaaOpFgBstKlB1X4CkLjOekTc2DCCOrMNvMt/KQvpcsy4ZhhXEZ
 bNmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=cxzNtpILMb50fXDKYFB73X1327ArWgi0SDw3vrvbpSo=;
 b=FPOqkVwV2p04+5Kb+JVLYQCw+kJH2mNbdFQWUiOsfnHt5GWLXNU58UCNVsH1ocvXZd
 mc3yjtklUM+zokWWkrK0jvFR6XryEsFSZEwIXet9kfRw+M50UXtupU+9Y0n24FiRQjRL
 5ijWZ2HJHoXQAxeq3SMYmNqv0iZFzHVMHpB/lBLHCML4y00QevBIeOEd339JZjPRaNAF
 OwP22ZHFf1RFLvTpqW8D1Vhb5cqxLORyGPk0KqylomEO8waBT7RQyu3GMkVVfAYXb4F3
 H91dP7Qx+3PtW9GF/bp0PzJFSqkT4HwLsXlyM0xByFcmTqiJLRkoefpZlcNwjCN8zQVD
 +b/w==
X-Gm-Message-State: AOAM53071UfItZQnyGNu98I4ENh3Af/YxwojXAbPIUOZvjACnsNAQENm
 nUy+/xRkh4Uzg6uHkV50X1VtAoAlRyCBf3rR7W8=
X-Google-Smtp-Source: ABdhPJzLOz4vr4Yemie/kwyGPgz1ZWMjNT7riVWFWY8Dn3g3WODrJSZjr9nGzLIYCxYsZJsSD7I5ETaZ3vLXaQ+PWiY=
X-Received: by 2002:a92:7d08:: with SMTP id y8mr19051997ilc.111.1627448264087; 
 Tue, 27 Jul 2021 21:57:44 -0700 (PDT)
MIME-Version: 1.0
References: <CAGpPWDZ0aos5qHw2=popCpjuH7OXC0geEj8i3dwDTfP0j=or4w@mail.gmail.com>
 <20210725053803.fnmd6etv3f7x3u3p@ganymede>
 <CAGpPWDZ8EWd7kGV5pFZadQM1kqETrTK2zybsGF1hW9fx2oZb7w@mail.gmail.com>
 <CAH+Axy7cPufMUCMQbCz2MUgRqQbgenAozPBFD8kPYrSjwcRG8w@mail.gmail.com>
 <CAGpPWDb8yzGO-VtCO-x09e-phKHT7ezOms+DzeWc9vS3rN1AAw@mail.gmail.com>
 <CAJ4-pEDWuNfdE4NXkZBsOnuSQ4YOv28YVwGavyiU+FPvpC6y1w@mail.gmail.com>
 <CAGpPWDZL6BpzoNa0Qgf-Ux60fyWPjZH=NESkgbhEQO_My=XiAg@mail.gmail.com>
In-Reply-To: <CAGpPWDZL6BpzoNa0Qgf-Ux60fyWPjZH=NESkgbhEQO_My=XiAg@mail.gmail.com>
From: Zac Greenwood <zachgrw@gmail.com>
Date: Wed, 28 Jul 2021 06:57:33 +0200
Message-ID: <CAJ4-pEBwdUJ3kg=yb-kWZLoaX5f_2t353K7Tr+dJy+JpAoKTmQ@mail.gmail.com>
To: Billy Tetrud <billy.tetrud@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000abdd1105c827d37a"
X-Mailman-Approved-At: Wed, 28 Jul 2021 07:40:50 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Covenant opcode proposal OP_CONSTRAINDESTINATION
 (an alternative to OP_CTV)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jul 2021 04:57:47 -0000

--000000000000abdd1105c827d37a
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Billy,

Thank you for your comprehensive reply. My purpose was to find out whether
a proposal to somehow limit the amount being sent from an address exists
and to further illustrate my thoughts by giving a concrete example of how
this might work functionally without getting to deep into the
technicalities.

As for your assumption: for an amount limit to have the desired effect, I
realize now that there must also exist some limit on the number of
transactions that will be allowed from the encumbered address.

Taking a step back, a typical use case would be a speculating user
intending to hodl bitcoin but who still wishes to be able to occasionally
transact minor amounts.

Ideally, such user should optionally still be able to bypass the rate limit
and spend the entire amount in a single transaction by signing with an
additional private key (multisig).

During the setup phase, a user sends all their to-be-rate-limited coin to a
single address. When spending from this rate limited address, any change
sent to the change address must be rate limited as well using identical
parameters. I believe that=E2=80=99s also what you=E2=80=99re suggesting.

I believe that a smart wallet should be able to set up and maintain
multiple rate-limited addresses in such a way that their aggregate
behaviour meets any rate-limiting parameters as desired by the user. This
ought to alleviate your privacy concerns because it means that the wallet
will be able to mix outputs.

The options for the to-be implemented rate-limiting parameters vary from
completely arbitrary to more restrictive.

Completely arbitrary parameters would allow users to set up a rate limit
that basically destroys their funds, for instance rate-limiting an address
to an amount of 1 satoshi per 100 blocks.

More restrictive rate limits would remove such footgun and may require that
only a combination of parameters are allowed such that all funds will be
spendable within a set number of blocks (for instance 210,000).

As for the rate-limiting parameters, in addition to a per-transaction
maximum of (minimum amount in satoshi or a percentage of the total amount
stored at the address), also the transaction frequency must be limited. I
would propose this to be expressed as a number of blocks before a next
transaction can be sent from the encumbered address(es).

I believe such user-enabled rate-limiting is superior to one that requires
a third party.

As an aside, I am not sure how a vault solution would be able to prevent an
attacker who is in possession of the vaults=E2=80=99 private key from sabot=
aging
the user by replacing the user transaction with one having a higher fee
every time the user attempts to transact. I am probably missing something
here though.

Zac


On Tue, 27 Jul 2021 at 19:21, Billy Tetrud <billy.tetrud@gmail.com> wrote:

> Hi Zac,
>
> I haven't heard of any proposal for limiting the amount that can be sent
> from an address. I assume you mean limiting the amount that can be sent i=
n
> a period of time - eg something that would encode that for address A, onl=
y
> X bitcoin can be sent from the address in a given day/week/etc, is that
> right? That would actually be a somewhat difficult thing to do in the
> output-based system Bitcoin uses, and would be easier in an account based
> system like Ethereum. The problem is that each output is separate, and
> there's no concept in bitcoin of encumbering outputs together.
>
> What you could do is design a system where coins would be combined in a
> single output, and then encumber that output with a script that allows a
> limited amount of coin be sent to a destination address and requires all
> other bitcoins be returned to sender in a new change output that is also
> timelocked. That way, the new change output can't be used again until the
> timelock expires (eg a week). However, to ensure this wallet works
> properly, any deposit into the wallet would have to also spend the wallet=
's
> single output, so as to create a new single output at that address. So 3r=
d
> parties wouldn't be able to arbitrarily send money in (or rather, they
> could, but each output would have its own separate spending limit).
>
> > such kind of restriction would be extremely effective in thwarting the
> most damaging type of theft being the one where all funds are swept in a
> single transaction
>
> It would. However a normal wallet vault basically already has this
> property - a thief can't simply sweep funds instantly, but instead the
> victim will see an initiated transaction and will be able to reverse it
> within a delay time-window. I don't think adding a spending limit would a=
dd
> meaningful security to a delayed-send wallet vault like that. But it coul=
d
> be used to increase the security of a wallet vault that can be instantly
> spent from - ie if the attacker successfully steals funds, then the victi=
m
> has time to go gather their additional keys and move the remaining
> (unstolen) funds into a new wallet.
>
> OP_CD could potentially be augmented to allow specifying limit amounts fo=
r
> each destination, which would allow you to create a wallet like this. It
> would be a bit of an awkward wallet to use tho, since you couldn't receiv=
e
> directly into it from a 3rd party and you also couldn't keep separate
> outputs (which is bad for privacy).
>
> An alternate way of doing this that you don't need any new opcodes for
> would be to have a 3rd party service that signs multisig transactions fro=
m
> a wallet only up to a limit. The end-user could have additional keys such
> that the 3rd party can't prevent them from accessing that (if they turn
> uncooperative), and the 3rd party would only have a single key so they
> can't steal funds, but the user would sign a transaction with one key, an=
d
> the 3rd party with another as long as the spending limit hasn't been
> reached. This wouldn't have much counterparty risk, but would be a less
> awkward wallet than what I described above - meaning anyone could send
> funds into the wallet without defeating the spending limit, and privacy
> could be kept intact (minus the fact that the 3rd party would know what
> your outputs are).
>
> BT
>
> On Tue, Jul 27, 2021 at 4:18 AM Zac Greenwood <zachgrw@gmail.com> wrote:
>
>> Hi Billy,
>>
>> On the topic of wallet vaults, are there any plans to implement a way to
>> limit the maximum amount to be sent from an address?
>>
>> An example of such limit might be: the maximum amount allowed to send is
>> max(s, p) where s is a number of satoshi and p a percentage of the total
>> available (sendable) amount.
>>
>> A minimum value may be imposed on the percentage to ensure that the
>> address can be emptied within a reasonable number of transactions. The
>> second parameter s allows a minimum permitted amount. (This is necessary
>> because with only the percentage parameter the minimum permitted amount
>> converges to zero, making it impossible to empty the address).
>>
>> There may be other ways too. In my view, such kind of restriction would
>> be extremely effective in thwarting the most damaging type of theft bein=
g
>> the one where all funds are swept in a single transaction.
>>
>> Zac
>>
>>
>> On Tue, 27 Jul 2021 at 03:26, Billy Tetrud via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> Hey James,
>>>
>>> In the examples you mentioned, what I was exploring was a mechanism of
>>> attack by which the attacker could steal user A's key and use that key =
to
>>> send a transaction with the maximum possible fee. User B would still
>>> receive some funds (probably), but if the fee could be large, the attac=
ker
>>> would either do a lot of damage to user B (griefing) or could make an
>>> agreement with a miner to give back some of the large fee (theft).
>>>
>>> But as for use cases, the proposal mentions a number of use cases
>>> <https://github.com/fresheneesz/bip-efficient-bitcoin-vaults/blob/main/=
cd/bip-constraindestination.md#motivation> and
>>> most overlap with the use cases of op_ctv <https://utxos.org/uses/> (Je=
remy
>>> Rubin's website for op_ctv has a lot of good details, most of which are
>>> also relevant to op_cd). The use case I'm most interested in is wallet
>>> vaults. This opcode can be used to create a wallet vault where the user
>>> only needs to use, for example, 1 key to spend funds, but the attacker =
must
>>> steal 2 or more keys to spend funds. The benefits of a 2 key wallet vau=
lt
>>> like this vs a normal 2-of-2 multisig wallet are that not only does an
>>> attacker have to steal both keys (same level of security), but also the
>>> user can lose one key and still recover their funds (better redundancy)=
 and
>>> also that generally the user doesn't need to access their second key - =
so
>>> that can remain in a much more secure location (which would also probab=
ly
>>> make that key harder to steal). The only time the second key only comes
>>> into play if one key is stolen and the attacker attempts to send a
>>> transaction. At that point, the user would go find and use his second k=
ey
>>> (along with the first) to send a revoke transaction to prevent the atta=
cker
>>> from stealing their funds. This is somewhat akin to a lightning watchto=
wer
>>> scenario, where your wallet would watch the chain and alert you about a=
n
>>> unexpected transaction, at which point you'd manually do a revoke (vs a
>>> watchtower's automated response). You might be interested in taking a l=
ook
>>> at this wallet vault design
>>> <https://github.com/fresheneesz/bip-efficient-bitcoin-vaults/blob/main/=
cd/op_cdWalletVault1.md>
>>> that uses OP_CD or even my full vision
>>> <https://github.com/fresheneesz/bip-efficient-bitcoin-vaults> of the
>>> wallet vault I want to be able to create.
>>>
>>> With a covenant opcode like this, its possible to create very usable an=
d
>>> accessible but highly secure wallets that can allow normal people to ho=
ld
>>> self custody of their keys without fear of loss or theft and without th=
e
>>> hassle of a lot of safe deposit boxes (or other secure seed storage
>>> locations).
>>>
>>> Cheers,
>>> BT
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Jul 26, 2021 at 2:08 PM James MacWhyte <macwhyte@gmail.com>
>>> wrote:
>>>
>>>> Hi Billy!
>>>>
>>>> See above, but to break down that situation a bit further, these are
>>>>> the two situations I can think of:
>>>>>
>>>>>    1. The opcode limits user/group A to send the output to user/group
>>>>>    B
>>>>>    2. The opcode limits user A to send from one address they own to
>>>>>    another address they own.
>>>>>
>>>>> I'm trying to think of a good use case for this type of opcode. In
>>>> these examples, an attacker who compromises the key for user A can't s=
teal
>>>> the money because it can only be sent to user B. So if the attacker wa=
nts
>>>> to steal the funds, they would need to compromise the keys of both use=
r A
>>>> and user B.
>>>>
>>>> But how is that any better than a 2-of-2 multisig? Isn't the end resul=
t
>>>> exactly the same?
>>>>
>>>> James
>>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>

--000000000000abdd1105c827d37a
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div><div dir=3D"auto" style=3D"font-size:1rem;word-spacing:1px;border-colo=
r:rgb(49,49,49);color:rgb(49,49,49)">Hi Billy,</div><div dir=3D"auto" style=
=3D"font-size:16px;word-spacing:1px;border-color:rgb(49,49,49);color:rgb(49=
,49,49)"><br></div><div dir=3D"auto" style=3D"font-size:1rem;word-spacing:1=
px;border-color:rgb(49,49,49);color:rgb(49,49,49)">Thank you for your compr=
ehensive reply. My purpose was to find out whether a proposal to somehow li=
mit the amount being sent from an address exists and to further illustrate =
my thoughts by giving a concrete example of how this might work functionall=
y without getting to deep into the technicalities.</div><div dir=3D"auto" s=
tyle=3D"font-size:16px;word-spacing:1px;border-color:rgb(49,49,49);color:rg=
b(49,49,49)"><br></div><div dir=3D"auto" style=3D"font-size:1rem;word-spaci=
ng:1px;border-color:rgb(49,49,49);color:rgb(49,49,49)">As for your assumpti=
on: for an amount limit to have the desired effect, I realize now that ther=
e must also exist some limit on the number of transactions that will be all=
owed from the encumbered address.</div><div dir=3D"auto" style=3D"font-size=
:16px;word-spacing:1px;border-color:rgb(49,49,49);color:rgb(49,49,49)"><br>=
</div><div dir=3D"auto" style=3D"font-size:1rem;word-spacing:1px;border-col=
or:rgb(49,49,49);color:rgb(49,49,49)">Taking a step back, a typical use cas=
e would be a speculating user intending to hodl bitcoin but who still wishe=
s to be able to occasionally transact minor amounts.</div><div dir=3D"auto"=
 style=3D"font-size:16px;word-spacing:1px;border-color:rgb(49,49,49);color:=
rgb(49,49,49)"><br></div><div dir=3D"auto" style=3D"font-size:1rem;word-spa=
cing:1px;border-color:rgb(49,49,49);color:rgb(49,49,49)">Ideally, such user=
 should optionally still be able to bypass the rate limit and spend the ent=
ire amount in a single transaction by signing with an additional private ke=
y (multisig).</div><div dir=3D"auto" style=3D"font-size:16px;word-spacing:1=
px;border-color:rgb(49,49,49);color:rgb(49,49,49)"><br></div><div dir=3D"au=
to" style=3D"font-size:1rem;word-spacing:1px;border-color:rgb(49,49,49);col=
or:rgb(49,49,49)">During the setup phase, a user sends all their to-be-rate=
-limited coin to a single address. When spending from this rate limited add=
ress, any change sent to the change address must be rate limited as well us=
ing identical parameters. I believe that=E2=80=99s also what you=E2=80=99re=
 suggesting.</div><div dir=3D"auto" style=3D"font-size:16px;word-spacing:1p=
x;border-color:rgb(49,49,49);color:rgb(49,49,49)"><br></div><div dir=3D"aut=
o" style=3D"font-size:1rem;word-spacing:1px;border-color:rgb(49,49,49);colo=
r:rgb(49,49,49)">I believe that a smart wallet should be able to set up and=
 maintain multiple rate-limited addresses in such a way that their aggregat=
e behaviour meets any rate-limiting parameters as desired by the user. This=
 ought to alleviate your privacy concerns because it means that the wallet =
will be able to mix outputs.</div><div dir=3D"auto" style=3D"font-size:16px=
;word-spacing:1px;border-color:rgb(49,49,49);color:rgb(49,49,49)"><br></div=
><div dir=3D"auto" style=3D"font-size:1rem;word-spacing:1px;border-color:rg=
b(49,49,49);color:rgb(49,49,49)">The options for the to-be implemented rate=
-limiting parameters vary from completely arbitrary to more restrictive.</d=
iv><div dir=3D"auto" style=3D"font-size:16px;word-spacing:1px;border-color:=
rgb(49,49,49);color:rgb(49,49,49)"><br></div><div dir=3D"auto" style=3D"fon=
t-size:1rem;word-spacing:1px;border-color:rgb(49,49,49);color:rgb(49,49,49)=
">Completely arbitrary parameters would allow users to set up a rate limit =
that basically destroys their funds, for instance rate-limiting an address =
to an amount of 1 satoshi per 100 blocks.</div><div dir=3D"auto" style=3D"f=
ont-size:16px;word-spacing:1px;border-color:rgb(49,49,49);color:rgb(49,49,4=
9)"><br></div><div dir=3D"auto" style=3D"font-size:1rem;word-spacing:1px;bo=
rder-color:rgb(49,49,49);color:rgb(49,49,49)">More restrictive rate limits =
would remove such footgun and may require that only a combination of parame=
ters are allowed such that all funds will be spendable within a set number =
of blocks (for instance 210,000).=C2=A0</div><div dir=3D"auto" style=3D"fon=
t-size:16px;word-spacing:1px;border-color:rgb(49,49,49);color:rgb(49,49,49)=
"><br></div><div dir=3D"auto" style=3D"font-size:1rem;word-spacing:1px;bord=
er-color:rgb(49,49,49);color:rgb(49,49,49)">As for the rate-limiting parame=
ters, in addition to a per-transaction maximum of (minimum amount in satosh=
i or a percentage of the total amount stored at the address), also the tran=
saction frequency must be limited. I would propose this to be expressed as =
a number of blocks before a next transaction can be sent from the encumbere=
d address(es).</div><div dir=3D"auto" style=3D"font-size:16px;word-spacing:=
1px;border-color:rgb(49,49,49);color:rgb(49,49,49)"><br></div><div dir=3D"a=
uto" style=3D"font-size:1rem;word-spacing:1px;border-color:rgb(49,49,49);co=
lor:rgb(49,49,49)">I believe such user-enabled rate-limiting is superior to=
 one that requires a third party.</div><div dir=3D"auto" style=3D"font-size=
:16px;word-spacing:1px;border-color:rgb(49,49,49);color:rgb(49,49,49)"><br>=
</div><div dir=3D"auto" style=3D"font-size:1rem;word-spacing:1px;border-col=
or:rgb(49,49,49);color:rgb(49,49,49)">As an aside, I am not sure how a vaul=
t solution would be able to prevent an attacker who is in possession of the=
 vaults=E2=80=99 private key from sabotaging the user by replacing the user=
 transaction with one having a higher fee every time the user attempts to t=
ransact. I am probably missing something here though.</div><div dir=3D"auto=
" style=3D"font-size:1rem;word-spacing:1px;border-color:rgb(49,49,49);color=
:rgb(49,49,49)"><br></div><div dir=3D"auto" style=3D"font-size:1rem;word-sp=
acing:1px;border-color:rgb(49,49,49);color:rgb(49,49,49)">Zac</div><div dir=
=3D"auto" style=3D"font-size:1rem;word-spacing:1px;border-color:rgb(49,49,4=
9);color:rgb(49,49,49)"><br></div></div><div><br><div class=3D"gmail_quote"=
><div dir=3D"ltr" class=3D"gmail_attr">On Tue, 27 Jul 2021 at 19:21, Billy =
Tetrud &lt;<a href=3D"mailto:billy.tetrud@gmail.com">billy.tetrud@gmail.com=
</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:=
0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-lef=
t:1ex;border-left-color:rgb(204,204,204)"><div dir=3D"ltr">Hi Zac,<div><br>=
</div><div>I haven&#39;t heard of any proposal for limiting the amount that=
 can be sent from an address. I assume you mean limiting the amount that ca=
n be sent in a period of time - eg something that would encode that for add=
ress A, only X bitcoin can be sent from the address in a given day/week/etc=
, is that right? That would actually be a somewhat difficult thing to do in=
 the output-based system Bitcoin uses, and would be easier in an account ba=
sed system like Ethereum. The problem is that each output is separate, and =
there&#39;s no concept in bitcoin of encumbering outputs together.=C2=A0</d=
iv><div><br></div><div>What you could do is design a system where coins wou=
ld be combined in a single output, and then encumber that output with a scr=
ipt that allows a limited amount of coin be sent to a destination address a=
nd requires all other bitcoins be returned to sender in a new change output=
 that is also timelocked. That way, the new change output can&#39;t be used=
 again until the timelock expires (eg a week). However, to ensure this wall=
et works properly, any deposit into the wallet would have to also spend the=
 wallet&#39;s single output, so as to create a new single output at that ad=
dress. So 3rd parties wouldn&#39;t be able to arbitrarily send money in (or=
 rather, they could, but each output would have its own separate spending l=
imit).=C2=A0</div><div><br></div><div>&gt; such kind of restriction would b=
e extremely effective in thwarting the most damaging type of theft being th=
e one where all funds are swept in a single transaction</div><div><br></div=
><div>It would. However a normal wallet vault basically=C2=A0already has th=
is property - a thief can&#39;t simply sweep funds instantly, but instead t=
he victim will see an initiated transaction and will be able to reverse it =
within a delay time-window. I don&#39;t think adding a spending limit would=
 add meaningful security to a delayed-send wallet vault like that. But it c=
ould be used to increase the security of a wallet vault that can be instant=
ly spent from - ie if the attacker successfully steals funds, then the vict=
im has time to go gather their additional keys and move the remaining (unst=
olen) funds into a new wallet.=C2=A0</div><div><br></div><div>OP_CD could p=
otentially be augmented to allow specifying limit amounts for each destinat=
ion, which would allow you to create a wallet like this. It would be a bit =
of an awkward wallet to use tho, since you couldn&#39;t receive directly in=
to it from a 3rd party and you also couldn&#39;t keep separate outputs (whi=
ch is bad for privacy).=C2=A0</div><div><br></div><div>An alternate way of =
doing this that you don&#39;t need any new opcodes for would be to have a 3=
rd party service that signs multisig transactions from a wallet only up to =
a limit. The end-user could have additional keys such that the 3rd party ca=
n&#39;t prevent them from accessing that (if they turn uncooperative), and =
the 3rd party would only have a single key so they can&#39;t steal funds, b=
ut the user would sign a transaction with one key, and the 3rd party with a=
nother as long as the spending limit hasn&#39;t been reached. This wouldn&#=
39;t have much counterparty risk, but would be a less awkward wallet than w=
hat I described above - meaning anyone could send funds into the wallet wit=
hout defeating the spending limit, and privacy could be kept intact (minus =
the fact that the 3rd party would know what your outputs are).=C2=A0</div><=
/div><div dir=3D"ltr"><div><br></div><div>BT</div></div><br><div class=3D"g=
mail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Jul 27, 2021 at 4=
:18 AM Zac Greenwood &lt;<a href=3D"mailto:zachgrw@gmail.com" target=3D"_bl=
ank">zachgrw@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_q=
uote" style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-s=
tyle:solid;padding-left:1ex;border-left-color:rgb(204,204,204)"><div dir=3D=
"auto">Hi Billy,</div><div dir=3D"auto"><br></div><div dir=3D"auto">On the =
topic of wallet vaults, are there any plans to implement a way to limit the=
 maximum amount to be sent from an address?</div><div dir=3D"auto"><br></di=
v><div dir=3D"auto">An example of such limit might be: the maximum amount a=
llowed to send is max(s, p) where s is a number of satoshi and p a percenta=
ge of the total available (sendable) amount.</div><div dir=3D"auto"><br></d=
iv><div dir=3D"auto">A minimum value may be imposed on the percentage to en=
sure that the address can be emptied within a reasonable number of transact=
ions. The second parameter s allows a minimum permitted amount. (This is ne=
cessary because with only the percentage parameter the minimum permitted am=
ount converges to zero, making it impossible to empty the address).=C2=A0</=
div><div dir=3D"auto"><br></div><div dir=3D"auto">There may be other ways t=
oo. In my view, such kind of restriction would be extremely effective in th=
warting the most damaging type of theft being the one where all funds are s=
wept in a single transaction.</div><div dir=3D"auto"><br></div><div dir=3D"=
auto">Zac</div><div dir=3D"auto"><br></div><div><br><div class=3D"gmail_quo=
te"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, 27 Jul 2021 at 03:26, Bil=
ly Tetrud via bitcoin-dev &lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoun=
dation.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>&gt;=
 wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;bo=
rder-left-color:rgb(204,204,204)"><div dir=3D"ltr">Hey James,<div><br></div=
><div>In the examples you mentioned, what I was exploring was a mechanism o=
f attack by which the attacker could steal user A&#39;s key and use that ke=
y to send a transaction with the maximum possible fee. User B would still r=
eceive some funds (probably), but if the fee could be large, the attacker w=
ould either do a lot of damage to user B (griefing) or could make an agreem=
ent with a miner to give back some of the large fee (theft).=C2=A0</div><di=
v><br></div><div>But as for use cases, the proposal mentions <a href=3D"htt=
ps://github.com/fresheneesz/bip-efficient-bitcoin-vaults/blob/main/cd/bip-c=
onstraindestination.md#motivation" target=3D"_blank">a number of use cases<=
/a>=C2=A0and most overlap with the <a href=3D"https://utxos.org/uses/" targ=
et=3D"_blank">use cases of op_ctv</a>=C2=A0(Jeremy Rubin&#39;s website for =
op_ctv has a lot of good details, most of which are also relevant to op_cd)=
. The use case I&#39;m most interested=C2=A0in is wallet vaults. This opcod=
e can be used to create a wallet vault where the user only needs to use, fo=
r example, 1 key to spend funds, but the attacker must steal 2 or more keys=
 to spend funds. The benefits of a 2 key wallet vault like this vs a normal=
 2-of-2 multisig wallet are that not only does an attacker have to steal bo=
th keys (same level of security), but also the user can lose one key and st=
ill recover their funds (better redundancy) and also that generally the use=
r doesn&#39;t need to access their second key - so that can remain in a muc=
h more secure location (which would also probably make that key harder to s=
teal). The only time the second key only comes into play if one key is stol=
en and the attacker attempts to send a transaction. At that point, the user=
 would go find and use his second key (along with the first) to send a revo=
ke transaction to prevent the attacker from stealing their funds. This is s=
omewhat akin to a lightning watchtower scenario, where your wallet would wa=
tch the chain and alert you about an unexpected transaction, at which point=
 you&#39;d manually do a revoke (vs a watchtower&#39;s automated response).=
 You might be interested in taking a look at <a href=3D"https://github.com/=
fresheneesz/bip-efficient-bitcoin-vaults/blob/main/cd/op_cdWalletVault1.md"=
 target=3D"_blank">this wallet vault design</a> that uses OP_CD or even <a =
href=3D"https://github.com/fresheneesz/bip-efficient-bitcoin-vaults" target=
=3D"_blank">my full vision</a> of the wallet vault I want to be able to cre=
ate.</div><div><br></div><div>With a covenant opcode like this, its possibl=
e to create very usable and accessible but highly secure wallets that can a=
llow normal people to hold self custody of their keys without fear of loss =
or theft and without the hassle of a lot of safe deposit boxes (or other se=
cure seed storage locations).=C2=A0</div><div><br></div><div>Cheers,</div><=
div>BT</div><div><br></div><div><br></div><div><br></div><div><br></div></d=
iv><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On =
Mon, Jul 26, 2021 at 2:08 PM James MacWhyte &lt;<a href=3D"mailto:macwhyte@=
gmail.com" target=3D"_blank">macwhyte@gmail.com</a>&gt; wrote:<br></div><bl=
ockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-lef=
t-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(=
204,204,204)"><div dir=3D"ltr"><div dir=3D"ltr">Hi Billy!</div><div dir=3D"=
ltr"><br></div><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote"=
 style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:=
solid;padding-left:1ex;border-left-color:rgb(204,204,204)"><div dir=3D"ltr"=
><div><span>See above, but to break down that situation a bit further, thes=
e are the two situations I can think of:</span><br></div><div><div><ol><li =
style=3D"padding-bottom:0.6001em">The opcode limits user/group A to send th=
e output to user/group B</li><li style=3D"padding-bottom:0.6001em">The opco=
de limits user A to send from one address they own to another address they =
own.=C2=A0</li></ol></div></div></div></blockquote><div><span>I&#39;m tryin=
g to think of a good use case for this type of opcode. In these examples, a=
n attacker who compromises the key for user A can&#39;t steal the money bec=
ause it can only be sent to user B. So if the attacker wants to steal the f=
unds, they would need to compromise the keys of both user A and user B.</sp=
an></div><div><span><br></span></div><div><span>But how is that any better =
than a 2-of-2 multisig? Isn&#39;t the end result exactly=C2=A0the same?</sp=
an><br></div><div><span><br></span></div><div><span>James</span></div></div=
></div>
</blockquote></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div></div>
</blockquote></div>
</blockquote></div></div>

--000000000000abdd1105c827d37a--