1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
|
Return-Path: <dave@dtrt.org>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])
by lists.linuxfoundation.org (Postfix) with ESMTP id 9B9F8C002A
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 27 May 2023 20:36:51 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp1.osuosl.org (Postfix) with ESMTP id 7697681F85
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 27 May 2023 20:36:51 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 7697681F85
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.689
X-Spam-Level:
X-Spam-Status: No, score=-1.689 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, LOTS_OF_MONEY=0.001, MILLION_USD=0.001,
MONEY_NOHTML=2.499, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001,
RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
T_MONEY_PERCENT=0.01] autolearn=no autolearn_force=no
Received: from smtp1.osuosl.org ([127.0.0.1])
by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id v_dOD_acUtgd
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 27 May 2023 20:36:50 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 3019581F29
Received: from smtpauth.rollernet.us (smtpauth.rollernet.us [208.79.240.5])
by smtp1.osuosl.org (Postfix) with ESMTPS id 3019581F29
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 27 May 2023 20:36:50 +0000 (UTC)
Received: from smtpauth.rollernet.us (localhost [127.0.0.1])
by smtpauth.rollernet.us (Postfix) with ESMTP id AE7A52800862;
Sat, 27 May 2023 13:36:47 -0700 (PDT)
Received: from webmail.rollernet.us (webmail.rollernet.us
[IPv6:2607:fe70:0:14::a])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(Client did not present a certificate)
by smtpauth.rollernet.us (Postfix) with ESMTPSA;
Sat, 27 May 2023 13:36:47 -0700 (PDT)
MIME-Version: 1.0
Date: Sat, 27 May 2023 10:36:47 -1000
From: "David A. Harding" <dave@dtrt.org>
To: Burak Keceli <burak@buraks.blog>
In-Reply-To: <558171558.1686821.1685102160441@eu1.myprofessionalmail.com>
References: <1300890009.1516890.1684742043892@eu1.myprofessionalmail.com>
<3c6c3b8b562bb56bbb855dc2b2b71f78@dtrt.org>
<558171558.1686821.1685102160441@eu1.myprofessionalmail.com>
User-Agent: Roundcube Webmail/1.4.10
Message-ID: <c78b9e621e994f3cf3500e4480b61b0e@dtrt.org>
X-Sender: dave@dtrt.org
Content-Type: text/plain; charset=US-ASCII;
format=flowed
Content-Transfer-Encoding: 7bit
X-Rollernet-Abuse: Contact abuse@rollernet.us to report. Abuse policy:
http://www.rollernet.us/policy
X-Rollernet-Submit: Submit ID 55ec.647269df.a342d.0
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Ark: An Alternative Privacy-preserving Second
Layer Solution
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 27 May 2023 20:36:51 -0000
Hi Burak,
Thanks for your response! I found it very helpful. I'm going to reply
to your email a bit out of order.
> 4. Alice places one input to her one-in, three-out transaction to
> supply funds to commitment output, connectors output, change
> output, and transaction fees.
You don't mention it in your reply, but was I correct in my earlier
email in assuming that Alice can claim any funds paid to a commitment
output after four weeks if its commitments haven't been published
onchain? E.g., that in the best case this allows a ~50 vbyte commitment
output that pays an arbitrary number of users to be spent as a ~100
vbyte input (P2TR scriptpath for pk(A) && older(4 weeks))?
> 1. Mixing coins.
> 2. Paying lightning invoices
> 3. Making internal transfers
If commitment outputs can't normally be spent by Alice for four weeks,
then Alice needs to keep enough capital on hand to pay out all amounts
involved in the activities listed above. I've seen many people make
this point, but I wanted to run some rough numbers to estimate the
extent of that capital load.
Let's say Alice has a million customers who each receive all of their
income and pay all of their expenses with her. In my country, the
median income is a bit less than $36,000 USD, or about $3,000 a month.
I imagine spending is not evenly distributed over time, so let's say
Alice needs to hold 3x the average to be prepared for a busy period.
That implies Alice's capital requirements are about $9 billion USD (3 *
3000 * 1e6).
At a hypothetical risk-free interest rate of 1.5% annual, that's about
$135 that will need to be recovered from each user per year (9e9 * 0.015
/ 1e6).
Additionally, if we assume the cost of an onchain transaction is $100
and the service creates one transaction per five seconds, that's $630 in
fee costs that will need to be recovered from each user per year ((60 /
5) * 60 * 24 * 365 * 100 / 1e6).
I'll come back to this financial analysis later.
> If we want to enable Lightning-style instant settlement assurances for
> the internal transfers, we need OP_XOR or OP_CAT on the base layer
> [...] https://eprint.iacr.org/2017/394.pdf
What do you mean by "instant"? Do you mean "settlement as soon as the
next onchain pool transaction is published"? For example, within 5
seconds if the coinjoining completes on time? That's significantly
slower than LN today, at least in the typical case for a well-connected
node.[1]
I think 5 seconds is fine for a lot of purposes (at both point-of-sale
terminals and on websites, I very often need to wait >5 seconds for a
credit card transaction to process), but I think it's worth noting the
speed difference in a technical discussion.
Additionally, I think the idea described significantly predates that
paper's publication, e.g.:
"Well while you can't prevent it you could render it insecure enabling
miners to take funds. That could work via a one-show signature
[...]"[2]
A problem with the idea of using one-show signatures as double-spend
protection is that miner-claimable fidelity bonds don't work as well
against adversaries that are not just counterparties but also miners
themselves. This same problem has been described for other ideas[3],
but to summarize:
Bob has something valuable. Alice offers him the output of an
unconfirmed transaction in exchange for that thing. She also provides a
bond that will pay its amount to any miner who can prove that Alice
double spent her input to the unconfirmed transaction.
If Alice is miner, she can privately create candidate blocks that double
spend the payment to Bob and which also claim the bond. If she fails to
find a PoW solution for those candidate blocks, she lets Bob have his
money. If she does find a PoW solution, she publishes the block, taking
Bob's money, securing her bond, and also receiving all the regular block
rewards (sans the fees from whatever space she used for her
transaction).
I haven't exactly[4] seen this mentioned before, but I think it's
possible to weaken Alice's position by putting a timelock on the
spending of the bond, preventing it from being spent in the same block
as the double-spend. For example, a one-block timelock (AKA: 1 CSV)
would mean that she would need to mine both the block containing her
unconfirmed transactions (to double spend them) and the next block (to
pay the fidelity bonds back to herself).
Ignoring fee-sniping (bond-sniping in this case), selfish mining, and
51% attacks, her chance of success at claiming the fidelity bond is
equal to her portion of the network hashrate, e.g. if she has 33%, she's
33% likely to succeed at double spending without paying a penalty. The
value of the fidelity bond can be scaled to compensate for that, e.g. if
you're worried about Alice controlling up to 50% of hashrate, you make
the fidelity bond at least 2x the base amount (1 / 50%). Let's again
assume that Alice has a million users making $3,000 USD of payments per
month (28 days), or about on average $75,000 per minute (1e6 * 3000 / 28
/ 24 / 60). If Alice bonds 2x the payment value and her bonds don't
expire for 6 blocks (which might take 3 hours), she needs an additional
$27 million worth of BTC on hand (75000 * 2 * (3 * 60)), which I admit
is trivial compared to the other capital requirements mentioned above.
* * *
Taken all together, it seems to me that Alice might need to keep several
billion dollars worth of BTC in a hot wallet in order to serve a million
users. The per-user cost in fees and capital service would be around
$1,000 per year. If we assume onchain transaction costs are about $100,
that would be equal to 10 channels that could be opened or closed by
each user for the same amount (i.e. an average of 5 channel rotations
per year).
Did I miss something in my analysis that would indicate the capital
costs would be significantly lower or that there wouldn't be other
tradeoffs (slower settlement than LN and a need to use a timelocked
fidelity bond)?
Thanks!,
-Dave
[1] https://twitter.com/Leishman/status/1661138737009442818
[2]
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2014-December/007038.html
[3]
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-June/018010.html
[4] Years ago, I think I saw a reply by Peter Todd to some idea about
paying money to miners in a fair way and he noted that it was
critical to pay miners far enough in the future that the current set
of miners wouldn't be incentivized to manipulate who got the money
by choosing which block to include the transaction in now. I wasn't
able to quickly find that post, but it definitely influenced my
thinking here.
|
