1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
|
Return-Path: <antoine.riard@gmail.com>
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id 16773C0052
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 5 Sep 2020 01:10:53 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by whitealder.osuosl.org (Postfix) with ESMTP id 0161E86DE4
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 5 Sep 2020 01:10:53 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id HQIc+4Aeb-Li
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 5 Sep 2020 01:10:51 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-wr1-f46.google.com (mail-wr1-f46.google.com
[209.85.221.46])
by whitealder.osuosl.org (Postfix) with ESMTPS id 2AC87869CA
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 5 Sep 2020 01:10:51 +0000 (UTC)
Received: by mail-wr1-f46.google.com with SMTP id j2so9155542wrx.7
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 04 Sep 2020 18:10:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=/b4zIuRGimEslQqZzz/Luc6+bLzkDgNNWOPb5jwr0is=;
b=Xp1U352LZkonva8Rqn4WCQyAoyrdbGDZQJb4nyoGPLLAEayhvyApiZ+2i2SYxgaYx9
/Q61WNx16iYa6g8iW+YPjsu/3A0KfGjShe6T+aOd2s0KWFP5Liym+1PNYvAbJ/JpKDX/
xrmVRVYw81ynGJ87UsN6eqVJNBWa85JY50jdazZqRwj9m3QM2C8apup5wmhnWN+yy8A6
mhdMEZtiJPNHQMBHEggNO/G4naXwcIFKbIsenVEoKSU9HF9FyjMj1Mbo4inZi2aK3Wx0
1a73F5gP6kyXsTf2srHGmyCcyEnbWcgEbq0HftEe3hEmi/+Z+VAdfWV5dJGyNg6jx0AX
TLoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=/b4zIuRGimEslQqZzz/Luc6+bLzkDgNNWOPb5jwr0is=;
b=Hexc9ht2TDy59suT1upPUF5GGHX1Eei65igsI+QWW4fVo85rGevght2c99koWSulax
oxxbCU//ons9zkYRDil0JOifHxJ700pXjmCBS26pH4n+86B+cnDnIQhG1GgKzKDCppRo
M0gByuSmFQBXRjdgWqAfhyADeMyA0e6sVQm/Q7dQTDq21SXjRsHqEcf092yxjR7BDtVm
5DciYN+fbOzA+Q5cuVpyd5sa6zdKRilpy/0L9CCCmsoWuXYmDtZe70DiWcwGDChGJHV9
MWRddRCQAiSbF7m3bXs0NGp2VU+CTdZ2A7YIEDwdQtmifxCAqPH66UXhJUvBg4Qk7YbM
bCYA==
X-Gm-Message-State: AOAM531O/pprAUjecwGSGH6/ZAaBq3lHeULdvxEAD+fur9g8dh5mlIs/
QwBZlN3xqb94llVHtxkiwzBXx2KhxMtKffZDDYk=
X-Google-Smtp-Source: ABdhPJyH5Yvptu+Zq+MEGL20xrMPcfTqU/BHBzPV3dfBMwELAmVBWx7oPlVX1QauRPaCRXg5xNKcbOgO5F8Xt1hp7x0=
X-Received: by 2002:adf:f88b:: with SMTP id u11mr9689239wrp.376.1599268249613;
Fri, 04 Sep 2020 18:10:49 -0700 (PDT)
MIME-Version: 1.0
References: <813e51a1-4252-08c0-d42d-5cef32f684bc@riseup.net>
<CALZpt+GxKDEDAGUH3Jb3rcZdh_jy_depLRE5KzGTpkZOLVH+QA@mail.gmail.com>
<VpsctPiYOV704v9wZiSROdRggid7uRv2mZVnCIILEPL4_VmwKhMVdNMPBj9XaF73-39jFLl3cq1o2tSk8h45tMuWM9W_i4_MQHKoJdYh9ew=@protonmail.com>
In-Reply-To: <VpsctPiYOV704v9wZiSROdRggid7uRv2mZVnCIILEPL4_VmwKhMVdNMPBj9XaF73-39jFLl3cq1o2tSk8h45tMuWM9W_i4_MQHKoJdYh9ew=@protonmail.com>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Fri, 4 Sep 2020 21:10:36 -0400
Message-ID: <CALZpt+F0LDTERsPv7nZuuc34oyCPN-gMPspfxTM5kKqz4mSJqg@mail.gmail.com>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Content-Type: multipart/alternative; boundary="000000000000eb39cb05ae86a712"
X-Mailman-Approved-At: Sat, 05 Sep 2020 06:58:07 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Detailed protocol design for routed
multi-transaction CoinSwap
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Sep 2020 01:10:53 -0000
--000000000000eb39cb05ae86a712
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Zeeman,
I think one of the general problems for any participant in an
interdependent chain of contracts like Lightning or CoinSwap is to avoid a
disequilibrium in its local HTLC ledger. Concretely sending forward more
than you receive backward. W.r.t, timelocks delta aim to enforce order of
events, namely that a forward contract must be terminated before any
backward contract to avoid a discrepancy in settlement. Order of events can
be enforced by a) absolute timelocks and thus linearized on the same scale
by blockchain ticks or b) by a counterparty to two relative-time locked
contracts which observe the broadcast of the backward transaction and thus
manually trigger the kickoff of forward timelock by broadcasting the
corresponding transaction.
With this rough model in mind, pinning an absolute or relative timelocked
transaction produce the same effect, i.e breaking contracts settlement
order.
> This can be arranged by having one side offer partial signatures for the
transaction of the other, and once completing the signature, not sharing it
with the other until we are ready to actually broadcast the transaction of
our own volition.
> There is no transaction that both participants hold in completely-signed
form
I don't think that's different from the current model where you have either
a valid HTLC-timeout or HTLC-Sucess tx to solve a HTLC output but never
full witness material to build both ?
I see a theoretical issue with RBF-range, if you're likely to lose the
balance, you can broadcast your highest-RBF version thus incentivizing
miners to censor counterparty claim tx. Kind of a "nothing at stake" issue.
As of today, you have to take this fee out of your pocket if you want to
incentivize miners to act so, not promising a fee from an ongoing disputed
balance.
> Private key turnover is still useful even in an absolute-timelock world.
The way I understand the either-HTLC-or-private-key-turnover construction
in CoinSwap is for the HTLC to serve as a security backup in case the
cooperative key turnover fails. Lightning don't have this model as you
don't switch funding transaction ownership.
> To reduce this risk, A can instead first swap A->B->A, then when that
completes, A->C->A.
This limits its funding lockup to 1 week.
Okay I think I understand your point. So by intermediating the chain with
the taker you ensure that in case of previous hop failure, taker funds are
only timelocked for the delta of this faulting hop not the whole route. But
still not anchoring onchain the next route segment means that any moment
the next maker can exit from the proposed position ?
That's interesting, so a) you require all takers to lock their funds
onchain before initiating the whole routing and you will pay more in
service fees or b) you only lock them step by step but you increase risk of
next hop default and thus latency. Roughly.
It might be an interesting construction to explore on its own, minus the
downside of producing weird spend patterns due to next hop maker bidding
with another party.
Cheers,
Antoine
Le lun. 24 ao=C3=BBt 2020 =C3=A0 23:16, ZmnSCPxj <ZmnSCPxj@protonmail.com> =
a =C3=A9crit :
>
> Good morning Antoine,
>
>
> > Note, I think this is independent of picking up either relative or
> absolute timelocks as what matters is the block delta between two links.
>
> I believe it is quite dependent on relative locktimes.
> Relative locktimes *require* a contract transaction to kick off the
> relative locktime period.
> On the other hand, with Scriptless Script (which we know how to do with
> 2p-ECDSA only, i.e. doable pre-Taproot), absolute locktimes do not need a
> contract transaction.
>
> With absolute locktimes + Scriptless SCript, in a single onchain PTLC, on=
e
> participant holds a completely-signed timelock transaction while the othe=
r
> participant holds a completely-signed pointlock transaction.
> This can be arranged by having one side offer partial signatures for the
> transaction of the other, and once completing the signature, not sharing =
it
> with the other until we are ready to actually broadcast the transaction o=
f
> our own volition.
> There is no transaction that both participants hold in completely-signed
> form.
>
> This should remove most of the shenanigans possible, and makes the 30xRBF
> safe for any range of fees.
> I think.
>
> Since for each PTLC a participant holds only its "own" transaction, it is
> possible for a participant to define its range of fees for the RBF versio=
ns
> of the transaction it owns, without negotiation with the other participan=
t.
> Since the fee involved is deducted from its own transaction, each
> participant can define this range of RBFed fees and impose it on the
> partial signatures it gets from the other participant.
>
> --
>
> Private key turnover is still useful even in an absolute-timelock world.
>
> If we need to bump up the block delta between links, it might be
> impractical to have the total delta of a multi-hop swap be too long at th=
e
> taker.
>
> As a concrete example, suppose A is a taker who wants to route over maker=
s
> B and C.
> However, B and C require a CLTV delta of 1 week.
>
> If A wants to route "directly" A->B->C->A, then if something bad happens,
> it could be looking at having its funds locked for two weeks.
>
> To reduce this risk, A can instead first swap A->B->A, then when that
> completes, A->C->A.
> This limits its funding lockup to 1 week.
>
> Private key turnover is useful since as soon as the A->B->A swap
> completes, it can directly fund the A->C->A swap from the B-side funding
> transaction of the A->B->A swap.
>
> | A->B->A | A->C->A |
> : : :
> A -:->funding A&B--> B : :
> : : :
> B -:->funding A&B -----:--> funding A&C --> C :
> : : :
> : :C-> funding A&C ------:-> to-cold A -->
> : : :
>
> This increases the number of transactions by 1 per swap beyond the first,
> compared to a direct routing A->B->C->A, but this may be worth it for A i=
f
> the timelocks involved are too big for A.
>
> With 2p-ECDSA, a funding A&C looks exactly the same as a to-cold A, so B
> is unable to reliably determine if it is the last hop in the route.
>
> Without private key turnover, A would have:
>
> **NO** private key turnover!
>
> | A->B->A | A->C->A |
> : : :
> A -:->funding A&B--> B : :
> : : :
> B -:->funding A&B -----:--> claim A -> funding A&C --> C :
> : : :
> : : C-> funding A&C ------:->
> to-cold A -->
> : : :
>
> So if timelock-deltas are possibly-high (to reduce the probability of the
> MAD-HTLC argument, and other attacks, succeeding), takers might prefer to
> route by completing one swap first before starting the next one, and
> private key turnover is useful by reducing blockspace required by each ho=
p.
>
> For reference, this is how it looks like with a single A->B->C->A swap
> with private key turnover:
>
> | A->B->C->A |
> : :
> A -:->funding A&B--> B :
> : :
> B -:->funding B&C -> C :
> : :
> C -:->funding A&C -----:-> to-cold A -->
> : :
>
> This is still smaller than in the A->B->A, A->C->A with private key
> turnover, by one funding tx per hop.
> However, A risks a much higher timelock (twice the timelock).
> Thus, A might prefer a lower timelock in exchange for paying for an
> additional transaction.
>
> Regards,
> ZmnSCPxj
>
--000000000000eb39cb05ae86a712
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Hi Zeeman,<br><br>I think one of the general problems for =
any participant in an interdependent chain of contracts like Lightning or C=
oinSwap is to avoid a disequilibrium in its local HTLC ledger. Concretely s=
ending forward more than you receive backward. W.r.t, timelocks delta aim t=
o enforce order of events, namely that a forward contract must be terminate=
d before any backward contract to avoid a discrepancy in settlement. Order =
of events can be enforced by a) absolute timelocks and thus linearized on t=
he same scale by blockchain ticks or b) by a counterparty to two relative-t=
ime locked contracts which observe the broadcast of the backward transactio=
n and thus manually trigger the kickoff of forward timelock by broadcasting=
the corresponding transaction.<br><br>With this rough model in mind, pinni=
ng an absolute or relative timelocked transaction produce the same effect, =
i.e breaking contracts settlement order.<br><br>> This can be arranged b=
y having one side offer partial signatures for the transaction of the other=
, and once completing the signature, not sharing it with the other until we=
are ready to actually broadcast the transaction of our own volition.<br>&g=
t; There is no transaction that both participants hold in completely-signed=
form<br><br>I don't think that's different from the current model =
where you have either a valid HTLC-timeout or HTLC-Sucess tx to solve a HTL=
C output but never full witness material to build both ?<br><br>I see a the=
oretical issue with RBF-range, if you're likely to lose the balance, yo=
u can broadcast your highest-RBF version thus incentivizing miners to censo=
r counterparty claim tx. Kind of a "nothing at stake" issue. As o=
f today, you have to take this fee out of your pocket if you want to incent=
ivize miners to act so, not promising a fee from an ongoing disputed balanc=
e.<br><br>> Private key turnover is still useful even in an absolute-tim=
elock world.<br><br>The way I understand the either-HTLC-or-private-key-tur=
nover construction in CoinSwap is for the HTLC to serve as a security backu=
p in case the cooperative key turnover fails. Lightning don't have this=
model as you don't switch funding transaction ownership.<br><br>> T=
o reduce this risk, A can instead first swap A->B->A, then when that =
completes, A->C->A.<br>This limits its funding lockup to 1 week.<br><=
br>Okay I think I understand your point. So by intermediating the chain wit=
h the taker you ensure that in case of previous hop failure, taker funds ar=
e only timelocked for the delta of this faulting hop not the whole route. B=
ut still not anchoring onchain the next route segment means that any moment=
the next maker can exit from the proposed position ?<br><br>That's int=
eresting, so a) you require all takers to lock their funds onchain before i=
nitiating the whole routing and you will pay more in service fees or b) you=
only lock them step by step but you increase risk of next hop default and =
thus latency. Roughly.<br>=C2=A0<br>It might be an interesting construction=
to explore on its own, minus the downside of producing weird spend pattern=
s due to next hop maker bidding with another party.<br><br>Cheers,<br><br>A=
ntoine<br></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gm=
ail_attr">Le=C2=A0lun. 24 ao=C3=BBt 2020 =C3=A0=C2=A023:16, ZmnSCPxj <<a=
href=3D"mailto:ZmnSCPxj@protonmail.com">ZmnSCPxj@protonmail.com</a>> a =
=C3=A9crit=C2=A0:<br></div><blockquote class=3D"gmail_quote" style=3D"margi=
n:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex=
"><br>
Good morning Antoine,<br>
<br>
<br>
> Note, I think this is independent of picking up either relative or abs=
olute timelocks as what matters is the block delta between two links.<br>
<br>
I believe it is quite dependent on relative locktimes.<br>
Relative locktimes *require* a contract transaction to kick off the relativ=
e locktime period.<br>
On the other hand, with Scriptless Script (which we know how to do with 2p-=
ECDSA only, i.e. doable pre-Taproot), absolute locktimes do not need a cont=
ract transaction.<br>
<br>
With absolute locktimes + Scriptless SCript, in a single onchain PTLC, one =
participant holds a completely-signed timelock transaction while the other =
participant holds a completely-signed pointlock transaction.<br>
This can be arranged by having one side offer partial signatures for the tr=
ansaction of the other, and once completing the signature, not sharing it w=
ith the other until we are ready to actually broadcast the transaction of o=
ur own volition.<br>
There is no transaction that both participants hold in completely-signed fo=
rm.<br>
<br>
This should remove most of the shenanigans possible, and makes the 30xRBF s=
afe for any range of fees.<br>
I think.<br>
<br>
Since for each PTLC a participant holds only its "own" transactio=
n, it is possible for a participant to define its range of fees for the RBF=
versions of the transaction it owns, without negotiation with the other pa=
rticipant.<br>
Since the fee involved is deducted from its own transaction, each participa=
nt can define this range of RBFed fees and impose it on the partial signatu=
res it gets from the other participant.<br>
<br>
--<br>
<br>
Private key turnover is still useful even in an absolute-timelock world.<br=
>
<br>
If we need to bump up the block delta between links, it might be impractica=
l to have the total delta of a multi-hop swap be too long at the taker.<br>
<br>
As a concrete example, suppose A is a taker who wants to route over makers =
B and C.<br>
However, B and C require a CLTV delta of 1 week.<br>
<br>
If A wants to route "directly" A->B->C->A, then if somet=
hing bad happens, it could be looking at having its funds locked for two we=
eks.<br>
<br>
To reduce this risk, A can instead first swap A->B->A, then when that=
completes, A->C->A.<br>
This limits its funding lockup to 1 week.<br>
<br>
Private key turnover is useful since as soon as the A->B->A swap comp=
letes, it can directly fund the A->C->A swap from the B-side funding =
transaction of the A->B->A swap.<br>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0|=C2=A0 =C2=A0A->B->A=C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0|=C2=A0 =C2=A0 A->C->A=C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0|<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 :<br>
=C2=A0 =C2=A0 =C2=A0 A -:->funding A&B--> B :=C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 :<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 :<br>
=C2=A0 =C2=A0 =C2=A0 B -:->funding A&B -----:--> funding A&C =
--> C :<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 :<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:C-> funding A&C ------:-> to-cold=
=C2=A0 A --><br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 :<br>
<br>
This increases the number of transactions by 1 per swap beyond the first, c=
ompared to a direct routing A->B->C->A, but this may be worth it f=
or A if the timelocks involved are too big for A.<br>
<br>
With 2p-ECDSA, a funding A&C looks exactly the same as a to-cold A, so =
B is unable to reliably determine if it is the last hop in the route.<br>
<br>
Without private key turnover, A would have:<br>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 **NO** private key turnover!<br>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0|=C2=A0 =C2=A0A->B->A=C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0|=C2=A0 =C2=A0 A->C->A=C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 |<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0:<br>
=C2=A0 =C2=A0 =C2=A0 A -:->funding A&B--> B :=C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0:<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0:<br>
=C2=A0 =C2=A0 =C2=A0 B -:->funding A&B -----:--> claim A -> fu=
nding A&C --> C :<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0:<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0C-=
> funding A&C ------:-> to-cold=C2=A0 A --><br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0:<br>
<br>
So if timelock-deltas are possibly-high (to reduce the probability of the M=
AD-HTLC argument, and other attacks, succeeding), takers might prefer to ro=
ute by completing one swap first before starting the next one, and private =
key turnover is useful by reducing blockspace required by each hop.<br>
<br>
For reference, this is how it looks like with a single A->B->C->A =
swap with private key turnover:<br>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0|=C2=A0 =C2=A0A->B->C->A=C2=A0 =
=C2=A0 =C2=A0 |<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:<br>
=C2=A0 =C2=A0 =C2=A0 A -:->funding A&B--> B :<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:<br>
=C2=A0 =C2=A0 =C2=A0 B -:->funding B&C -> C :<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:<br>
=C2=A0 =C2=A0 =C2=A0 C -:->funding A&C -----:-> to-cold A --><=
br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:<br>
<br>
This is still smaller than in the A->B->A, A->C->A with private=
key turnover, by one funding tx per hop.<br>
However, A risks a much higher timelock (twice the timelock).<br>
Thus, A might prefer a lower timelock in exchange for paying for an additio=
nal transaction.<br>
<br>
Regards,<br>
ZmnSCPxj<br>
</blockquote></div>
--000000000000eb39cb05ae86a712--
|
