path: root/a4/403520728881c269a182d150b406006c870d11

Return-Path: <thibaut-leguilly@garage.co.jp>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 20257C000B
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  7 Feb 2022 02:30:55 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp2.osuosl.org (Postfix) with ESMTP id 016D340201
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  7 Feb 2022 02:30:55 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from smtp2.osuosl.org ([127.0.0.1])
 by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id DztdBQlfUZjU
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  7 Feb 2022 02:30:53 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
Received: from mta32.mta.hdems.com (mta32.mta.hdems.com [52.198.247.255])
 by smtp2.osuosl.org (Postfix) with ESMTPS id F0D05400CE
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  7 Feb 2022 02:30:52 +0000 (UTC)
Received: from mo.hdems.com (unknown [10.5.84.10])
 by mta32.mta.hdems.com ('HDEMS') with ESMTPSA id 4JsVVx6l1gzlfbkY
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon,  7 Feb 2022 02:30:49 +0000 (UTC)
X-HDEMS-MO-TENANT: garage.co.jp
Received: from mail-ed1-f71.google.com (mail-ed1-f71.google.com.
 [209.85.208.71]) by gwsmtp.prod.mo.hdems.com with ESMTPS id
 gwsmtpd-trans-a11ee894-c0de-4e53-bcd0-62566e736699
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 07 Feb 2022 02:30:45 +0000
Received: by mail-ed1-f71.google.com with SMTP id
 ed6-20020a056402294600b004090fd8a936so6744575edb.23
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sun, 06 Feb 2022 18:30:44 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=5rETRZ8fjeF4qnYiQR7a9jJSHXPa9y5J9tjc4simpik=;
 b=GA30oHhwOWuBjrs103GJ6iHTg9opTwx1GFs4z5toRCA0p0NXFbpRCGmzx45MOS6Xsb
 wSdHZ8wHRi/rugPRz90gobFrOs9beuSGkfq0ArwWdVC990CQGFFSSCDhX/di/bU5bpt7
 GCh1WNEiifhmZ1wUj+t2Yk4ieQA/+Wb+RuZTmXPtVGLkeg24S4/kzEmfC3eZWIEQVvv6
 m4gLZAK303IU601DitOTfgtWO8vBcns27+U7QeTkRYZKHDvMI76Fg7bnqQXldRLnbaCX
 E4fDVvyCNV/RRcvb83RHGPOGO/8ET6QJjYIAs7DQ9BdIQdoanNNjO5TwynI8ZchhLOc7
 n1tQ==
X-Gm-Message-State: AOAM531A/6kAUBqhWSrVp+Vxk3B/VE9KiOL5nhJiEyrkUykTlEF/Jvlz
 KOLlNVPWy3oIVOk7vsYKbQo8L3Pn5DKoAsvo3GO8HHMW/BdAvJB+l0O2tb+9nrpQYAtES9hWn4m
 lZPCBUfeMu7sd227K0OIOAFsu41LNcA4p/tmUAHHXgoSRmK+1gFbKxksZyp5YNIQOhvLJIy6Rs1
 rmCBlHGsYNL5de/iYDyO8vgEgnP2fXIFYDVFGnblzo0H536Hufvxz57gswMvLXlEZbnozhq980h
 ef4RFrzV87aMQDPWRIIN9W5vhGSomlVWX7khpTkweEXRq3z2vdxyVac1hciT1GGykIiEtw0etEb
 QxXrO97qs8s79KWgJyjlFK1gC1M=
X-Received: by 2002:a05:6402:26c8:: with SMTP id
 x8mr11927726edd.80.1644201044254; 
 Sun, 06 Feb 2022 18:30:44 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxepvuJrWrFllE936RPr4l8cqbb05/ZdHuv4ObndgddSliVn2cXTTzEN92stuBVLKO8tM0OJH2/iu0r6S2mkNQ=
X-Received: by 2002:a05:6402:26c8:: with SMTP id
 x8mr11927710edd.80.1644201043992; 
 Sun, 06 Feb 2022 18:30:43 -0800 (PST)
MIME-Version: 1.0
References: <CAH5Bsr2vxL3FWXnJTszMQj83jTVdRvvuVpimEfY7JpFCyP1AZA@mail.gmail.com>
 <CAD5xwhiJiopwH87Bn+yq_0-XXSJYOtNzUg4JCaYwuj=oo9CacA@mail.gmail.com>
 <CAH5Bsr1d0_xaVW59i+pzKtU2yb1FFMG7CJZgTueJwEO7XmkdYw@mail.gmail.com>
 <CAD5xwhhL_+wdUboJZ6i-WvJou7LQHq043ELr1ogOq5OH12iuNQ@mail.gmail.com>
In-Reply-To: <CAD5xwhhL_+wdUboJZ6i-WvJou7LQHq043ELr1ogOq5OH12iuNQ@mail.gmail.com>
From: Thibaut Le Guilly <thibaut@cryptogarage.co.jp>
Date: Mon, 7 Feb 2022 11:30:32 +0900
Message-ID: <CABPZDUwSF_3Y1zs0=w3Uri1+W3svLNOh2Jt5ncwaLQGv35OWqg@mail.gmail.com>
To: Jeremy Rubin <jeremy.l.rubin@gmail.com>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="0000000000002ab1dc05d7646399"
X-Mailman-Approved-At: Mon, 07 Feb 2022 02:37:35 +0000
Cc: dlc-dev@mailmanlists.org
Subject: Re: [bitcoin-dev] CTV dramatically improves DLCs
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 02:30:55 -0000

--0000000000002ab1dc05d7646399
Content-Type: text/plain; charset="UTF-8"

Hi all,

A lot is being discussed but just wanted to react on some points.

# CSFS

Lloyd, good point about CSFS not providing the same privacy benefits, and
OP_CAT being required in addition. And thanks Philipp for the link to your
post, it was an interesting read!

Jeremy
>CSFS might have independent benefits, but in this case CTV is not being
used in the Oracle part of the DLC, it's being used in the user generated
mapping of Oracle result to Transaction Outcome.

My point was that CSFS could be used both in the oracle part but also in
the transaction restriction part (as in the post by Philipp), but again it
does not really provide the same model as DLC as pointed out by Lloyd.

# Performance

Regarding how much performance benefit this CTV approach would provide,
without considering the benefit of not having to transmit and store a large
number of adaptor signatures, and without considering any further
optimization of the anticipation points computation, I tried to get a rough
estimate through some benchmarking. Basically, if I'm not mistaken, using
CTV we would only have to compute the oracle anticipation points, without
needing any signing or verification. I've thus made a benchmark comparing
the current approach with signing + verification with only computing the
anticipation points, for a single oracle with 17 digits and 10000 varying
payouts (between 45000 and 55000). The results are below.

Without using parallelization:
baseline:                            [7.8658 s 8.1122 s 8.3419 s]
no signing/no verification:  [321.52 ms 334.18 ms 343.65 ms]

Using parallelization:
baseline:                            [3.0030 s 3.1811 s 3.3851 s]
no signing/no verification:  [321.52 ms 334.18 ms 343.65 ms]

So it seems like the performance improvement is roughly 24x for the serial
case and 10x for the parallel case.

The two benchmarks are available (how to run them is detailed in the README
in the same folder):
*
https://github.com/p2pderivatives/rust-dlc/blob/ctv-bench-simulation-baseline/dlc-manager/benches/benchmarks.rs#L290
*
https://github.com/p2pderivatives/rust-dlc/blob/ctv-bench-simulation/dlc-manager/benches/benchmarks.rs#L290

Let me know if you think that's a fair simulation or not. One thing I'd
like to see as well is what will be the impact of having a very large
taproot tree on the size of the witness data when spending script paths
that are low in the tree, and how it would affect the transaction fee. I
might try to experiment with that at some point.

Cheers,

Thibaut

On Mon, Feb 7, 2022 at 2:56 AM Jeremy Rubin via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> I'm not sure what is meant concretely by (5) but I think overall
> performance is ok here. You will always have 10mins or so to confirm the
> DLC so you can't be too fussy about performance!
>
>
> I mean that if you think of the CIT points as being the X axis (or
> independent axes if multivariate) of a contract, the Y axis is the
> dependent variable represented by the CTV hashes.
>
>
> For a DLC living inside a lightning channel, which might be updated
> between parties e.g. every second, this means you only have to recompute
> the cheaper part of the DLC only if you update the payoff curves (y axis)
> only, and you only have to update the points whose y value changes.
>
> For on chain DLCs this point is less relevant since the latency of block
> space is larger.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--0000000000002ab1dc05d7646399
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi all,<div><br></div><div>A lot is being discussed but ju=
st wanted to react on some points.</div><div><br></div><div># CSFS</div><di=
v><br></div><div>Lloyd, good point about CSFS not providing the same privac=
y benefits, and OP_CAT being required in addition. And thanks Philipp for t=
he link to your post, it was an interesting read!</div><div><br></div><div>=
Jeremy</div><div>&gt;<span style=3D"color:rgb(0,0,0);font-family:arial,helv=
etica,sans-serif">CSFS might have independent benefits, but in this case CT=
V is not being used in the Oracle part of the DLC, it&#39;s being used in t=
he user generated mapping of Oracle result to Transaction Outcome.</span></=
div><div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-=
serif;color:rgb(0,0,0)"><br></div><div class=3D"gmail_default" style=3D"fon=
t-family:arial,helvetica,sans-serif;color:rgb(0,0,0)">My point was that CSF=
S could be used both in the oracle part but also in the transaction restric=
tion part (as in the post by Philipp), but again it does not really provide=
 the same model as DLC as pointed=C2=A0out by Lloyd.</div><div class=3D"gma=
il_default" style=3D"font-family:arial,helvetica,sans-serif;color:rgb(0,0,0=
)"><br></div><div class=3D"gmail_default" style=3D"font-family:arial,helvet=
ica,sans-serif;color:rgb(0,0,0)"># Performance</div><div class=3D"gmail_def=
ault" style=3D"font-family:arial,helvetica,sans-serif;color:rgb(0,0,0)"><br=
></div><div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sa=
ns-serif;color:rgb(0,0,0)">Regarding how much performance benefit this CTV =
approach would provide, without considering the benefit of not having to tr=
ansmit and store a large number of adaptor signatures, and without consider=
ing any further optimization of the anticipation points computation, I trie=
d to get a rough estimate through some benchmarking. Basically, if I&#39;m =
not mistaken, using CTV we would only have to compute the oracle anticipati=
on points, without needing any signing or verification. I&#39;ve thus made =
a benchmark comparing the current approach with signing=C2=A0+ verification=
 with only computing the anticipation points, for a single oracle with 17 d=
igits and 10000 varying payouts (between 45000 and 55000). The results are =
below.</div><div class=3D"gmail_default" style=3D"font-family:arial,helveti=
ca,sans-serif;color:rgb(0,0,0)"><br></div><div class=3D"gmail_default" styl=
e=3D"font-family:arial,helvetica,sans-serif;color:rgb(0,0,0)">Without using=
 parallelization:</div><div class=3D"gmail_default" style=3D"font-family:ar=
ial,helvetica,sans-serif;color:rgb(0,0,0)">baseline:=C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 [7.8658 s 8.1122 s 8.3419 s]=C2=A0</div><div class=3D"gmail_default" st=
yle=3D"font-family:arial,helvetica,sans-serif;color:rgb(0,0,0)">no signing/=
no verification:=C2=A0 [321.52 ms 334.18 ms 343.65 ms]=C2=A0</div><div clas=
s=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;color:r=
gb(0,0,0)"><br></div><div class=3D"gmail_default" style=3D"font-family:aria=
l,helvetica,sans-serif;color:rgb(0,0,0)">Using parallelization:</div><div c=
lass=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;colo=
r:rgb(0,0,0)">baseline:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 [3.0030 s 3.1811 s 3.3851 s]<=
/div><div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans=
-serif;color:rgb(0,0,0)"><div class=3D"gmail_default">no signing/no verific=
ation:=C2=A0 [321.52 ms 334.18 ms 343.65 ms]</div><div class=3D"gmail_defau=
lt"><br></div><div class=3D"gmail_default">So it seems like the performance=
 improvement is roughly 24x for the serial case and 10x for the parallel ca=
se.</div><div class=3D"gmail_default"><br></div><div class=3D"gmail_default=
">The two benchmarks are available (how to run them is detailed in the READ=
ME in the same folder):</div><div class=3D"gmail_default">*=C2=A0<a href=3D=
"https://github.com/p2pderivatives/rust-dlc/blob/ctv-bench-simulation-basel=
ine/dlc-manager/benches/benchmarks.rs#L290">https://github.com/p2pderivativ=
es/rust-dlc/blob/ctv-bench-simulation-baseline/dlc-manager/benches/benchmar=
ks.rs#L290</a></div><div class=3D"gmail_default">*=C2=A0<a href=3D"https://=
github.com/p2pderivatives/rust-dlc/blob/ctv-bench-simulation/dlc-manager/be=
nches/benchmarks.rs#L290">https://github.com/p2pderivatives/rust-dlc/blob/c=
tv-bench-simulation/dlc-manager/benches/benchmarks.rs#L290</a></div><div cl=
ass=3D"gmail_default"><br></div><div class=3D"gmail_default">Let me know if=
 you think that&#39;s a fair simulation or not. One thing I&#39;d like to s=
ee as well is what will be the impact of having a very large taproot tree o=
n the size of the witness data when spending script paths that are low in t=
he tree,=C2=A0and how it would affect the transaction fee. I might try to e=
xperiment with that at some point.</div><div class=3D"gmail_default"><br></=
div><div class=3D"gmail_default">Cheers,</div><div class=3D"gmail_default">=
<br></div><div class=3D"gmail_default">Thibaut=C2=A0<br></div></div></div><=
br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon,=
 Feb 7, 2022 at 2:56 AM Jeremy Rubin via bitcoin-dev &lt;<a href=3D"mailto:=
bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.or=
g</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin=
:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"=
><div dir=3D"auto"><div style=3D"color:rgb(80,0,80);font-size:12.8px" dir=
=3D"auto"><div dir=3D"auto"><blockquote style=3D"margin:0px 0px 0px 0.8ex;b=
order-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><d=
iv><div>I&#39;m not sure what is meant concretely by (5) but I think overal=
l performance is ok here. You will always have 10mins or so to confirm the =
DLC so you can&#39;t be too fussy about performance!<br></div></div></div><=
/blockquote></div><div dir=3D"auto"><br></div></div><div dir=3D"auto" style=
=3D"font-size:12.8px">I mean that if you think of the CIT points as being t=
he X axis (or independent axes if multivariate) of a contract, the Y axis i=
s the dependent variable represented by the CTV hashes.=C2=A0</div><div dir=
=3D"auto" style=3D"font-size:12.8px"><br></div><div dir=3D"auto" style=3D"f=
ont-size:12.8px"><br></div><div dir=3D"auto" style=3D"font-size:12.8px">For=
 a DLC living inside a lightning channel, which might be updated between pa=
rties e.g. every second, this means you only have to recompute the cheaper =
part of the DLC only if you update the payoff curves (y axis) only, and you=
 only have to update the points whose y value changes.</div><div dir=3D"aut=
o" style=3D"font-size:12.8px"><br></div><div dir=3D"auto" style=3D"font-siz=
e:12.8px">For on chain DLCs this point is less relevant since the latency o=
f block space is larger.=C2=A0</div></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>

--0000000000002ab1dc05d7646399--