path: root/c8/b36b0680fcc484d17453063b4d7f40593af0ff

Return-Path: <antoine.riard@gmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id E315DC0032
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu,  5 Oct 2023 01:13:20 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id AC08282B34
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu,  5 Oct 2023 01:13:20 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org AC08282B34
Authentication-Results: smtp1.osuosl.org;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.a=rsa-sha256 header.s=20230601 header.b=OoBS6cyw
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id hUUZykxq2IJg
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu,  5 Oct 2023 01:13:18 +0000 (UTC)
Received: from mail-il1-x12a.google.com (mail-il1-x12a.google.com
 [IPv6:2607:f8b0:4864:20::12a])
 by smtp1.osuosl.org (Postfix) with ESMTPS id 99D1782ACA
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu,  5 Oct 2023 01:13:18 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 99D1782ACA
Received: by mail-il1-x12a.google.com with SMTP id
 e9e14a558f8ab-35135f69de2so1675475ab.2
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 04 Oct 2023 18:13:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1696468397; x=1697073197;
 darn=lists.linuxfoundation.org; 
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:from:to:cc:subject:date:message-id:reply-to;
 bh=f7MvmYHPJHS30zxtX8Jp0CcDqdpovRQyVyIHigVih80=;
 b=OoBS6cyw0Si4igtdt2Cihuw8UrF1Gxq2+Td7kopkHs+tIliQXA6V1lLtxSvO+nKKEY
 0qd7BSAFjuzpnDR3rhLQ0Bc77h82RgFtvsyuRAR/tTAhHQdEiLMxr7ZAYgnfSjaS/Y9l
 pkOEXZQ54vqGbWT4eBYtqQ1dVCWS2WGcgp+ddwQVrl4jGXKcBP/f6uUGUanKdPKUJdbI
 iZEap+HWrYmK4FU01tj0xxvjzh4fJIa/gNeyX6vDcJyQtIYnz4zQI6eVN9p8dLA63TEM
 GVNeReX2PzW8MfSppkI81zKK/8WYEtZerh1cvmXABcAtrXAmwNCQzrUvIIyhtn4Tdz3O
 igTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1696468397; x=1697073197;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
 :reply-to;
 bh=f7MvmYHPJHS30zxtX8Jp0CcDqdpovRQyVyIHigVih80=;
 b=bw0KungNmjva8kuz3H3pLUIMOIeB/+3GZYcYKmaG/ivU6fDIVa3vqHfx1B47uN3sbF
 BOL9t2NDGb1p718C2kgZku71wWxNz9MX1EI2/n7VnaQpeEAd1TwL7eVH0caISkREnANZ
 KZcHJCa8rv2K9Px7JlpKFaR7KDh2BJvH9jnO0AzvspJUhIJYeXGrpd9M1aDitQMFPjPA
 vJyLUoXvAKS3uxfJQ3brAFAGZ9NicrFsbILejUIivRv9zyzOG7A8MUTOixoS4FhCZkig
 7UNWo6llZ0Y4bd0A8bpHUqFFeFxdm/fHhG6zFOFCtbxD/Kw6TQETHwd40bbY4Q/cYfcf
 M/KQ==
X-Gm-Message-State: AOJu0YznuR8egTQx2wkcZrr3Lr1/wBIUea9INeaIOdrYs05KShzaZtNv
 0ZSWnfreGvJyXjt1a7QvrQl52urdvLeND886gws=
X-Google-Smtp-Source: AGHT+IEWmeJ96BtmFYtEu8R5jN5Sfo6DcKheQiU7J3m83k6dvzfG8z4tDgab60ORGbgb+G6miXFU3DDBn9yKvHj1Bd0=
X-Received: by 2002:a05:6e02:1c08:b0:34f:6dcf:4100 with SMTP id
 l8-20020a056e021c0800b0034f6dcf4100mr4279365ilh.11.1696468397415; Wed, 04 Oct
 2023 18:13:17 -0700 (PDT)
MIME-Version: 1.0
References: <CALZpt+F26bArqU7aZj8VN-zDN-3_VZS1K1ibaJOeCrsLDL2_4Q@mail.gmail.com>
 <OUAbM8ii-HE8M-kRAkMvdDkbiwKuG_wcYlrvC276eIsKXcW6Yh6iNcxy_PtchHNL3jIIc-nz-ucv2H11EznrZbYhKqyVPhE8__GeIDLxPNw=@protonmail.com>
 <CALZpt+Gyo1STD4zrge3yiuC1j_NpJ8ZDYzzzAGCcZpjKw0_9-w@mail.gmail.com>
 <CAD3i26DpcfZJ4M0bjrOnGg6bcQ0Lg0hO-13cihzP2CjnCOq=EQ@mail.gmail.com>
In-Reply-To: <CAD3i26DpcfZJ4M0bjrOnGg6bcQ0Lg0hO-13cihzP2CjnCOq=EQ@mail.gmail.com>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Thu, 5 Oct 2023 02:13:06 +0100
Message-ID: <CALZpt+FT3qwP5MaZT4hbGYXvbECsAn7LvNbZC5vP-jGkbpOGVA@mail.gmail.com>
To: =?UTF-8?Q?Johan_Tor=C3=A5s_Halseth?= <johanth@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000003362da0606edd47f"
X-Mailman-Approved-At: Thu, 05 Oct 2023 01:34:38 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Solving CoinPool high-interactivity issue with
 cut-through update of Taproot leaves
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Oct 2023 01:13:21 -0000

--0000000000003362da0606edd47f
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Johan,

Thanks for the insight.

From the proposed semantics of OP_CHECKCONTRACTVERIFY iirc:

<data> <index> <pk> <taptree> <flags>

I think this is not yet indicated how the participant's pubkeys and
balances can be disaggregated from <data>, a partial subset push on the
stack and verifying that corresponding signatures are valid.

One requirement of a cut-through update of taproot leaves is to verify the
authentication of the fan-out balances and pubkeys towards the "online"
partition. This subset is not known at pool setup, even if the contract or
tree construct can be equilibrated with some expectation.

Otherwise, it sounds OP_CHECKCONTRACTVERIFY could be used to architect the
proposed design of coinpool and its cut-through mechanism. One hard issue
sounds to be efficient traversal, inspection and modification of the
contract <data>.

Best,
Antoine

Le mar. 3 oct. 2023 =C3=A0 12:24, Johan Tor=C3=A5s Halseth <johanth@gmail.c=
om> a
=C3=A9crit :

> Hi, Antoine.
>
> It sounds like perhaps OP_CHECKCONTRACTVERIFY can achieve what you are
> looking for:
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-May/021719.h=
tml
>
> By committing the participants' pubkeys and balances in the dynamic
> data instead of the taptree one can imagine a subset of online users
> agreeing to pool their aggregated balances in a new output, while the
> offline users' funds would remain inaccessible by them in a second
> output.
>
> The way this would work is by spending the coinpool utxo with a
> transaction having two outputs: one output that is the "remainder" of
> the previous coinpool (the offline users), and the second output the
> new coinpool among the online users*.
>
> When the offline users are back online, they could all agree to
> continue using the original coinpool utxo.
>
> * assuming Eltoo in case an offline user comes back online and double
> spends the UTXO.
>
> - Johan
>
>
> On Wed, Sep 27, 2023 at 12:08=E2=80=AFPM Antoine Riard via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >
> > Hi Zeeman,
> >
> > See my comments at the time of OP_EVICT original publication.
> >
> >
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019=
939.html
> >
> > "I think in the context of (off-chain) payment pool, OP_EVICT requires
> > participant cooperation *after* the state update to allow a single
> > participant to withdraw her funds.
> >
> > I believe this is unsafe if we retain as an off-chain construction
> security
> > requirement that a participant should have the unilateral means to
> enforce
> > the latest agreed upon state at any time during the construction
> lifetime".
> >
> > I think this level of covenant flexibility is still wished for CoinPool
> as a fundamental property, and this is offered by TLUV or MERKLESUB.
> > On the other hand, I think OP_EVICT introduces this idea of *subgroup
> novation* (i.e `K-of-N`) of a PT2R scriptpubkey.
> >
> > To the best of my understanding, I think there is not yet any sound
> covenant proposal aiming to combine TLUV and EVICT-like semantics in a
> consistent set of Script primitives to enable "cut-through" updates, whil=
e
> still retaining the key property of unilateral withdraw of promised
> balances in any-order.
> >
> > I might go to work on crafting one, though for now I'm still interested
> to understand better if on-chain "cut-through" is the best direction to
> solve the fundamental high interactivity issue of channel factory and
> payment pool over punishment-based ideas.
> >
> > Best,
> > Antoine
> >
> > Le mar. 26 sept. 2023 =C3=A0 07:51, ZmnSCPxj <ZmnSCPxj@protonmail.com> =
a
> =C3=A9crit :
> >>
> >> Good morning Antoine,
> >>
> >> Does `OP_EVICT` not fit?
> >>
> >>
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019=
926.html
> >>
> >> Regards,
> >> ZmnSCPxj
> >>
> >>
> >> Sent with Proton Mail secure email.
> >>
> >> ------- Original Message -------
> >> On Monday, September 25th, 2023 at 6:18 PM, Antoine Riard via
> bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >>
> >>
> >> > Payment pools and channel factories are afflicted by severe
> interactivity constraints worsening with the number of users owning an
> off-chain balance in the construction. The security of user funds is
> paramount on the ability to withdraw unilaterally from the off-chain
> construction. As such any update applied to the off-chain balances requir=
es
> a signature contribution from the unanimity of the construction users to
> ensure this ability is conserved along updates.
> >> > As soon as one user starts to be offline or irresponsive, the update=
s
> of the off-chain balances must have to be halted and payments progress ar=
e
> limited among subsets of 2 users sharing a channel. Different people have
> proposed solutions to this issue: introducing a coordinator, partitioning
> or layering balances in off-chain users subsets. I think all those
> solutions have circled around a novel issue introduced, namely equivocati=
on
> of off-chain balances at the harm of construction counterparties [0].
> >> >
> >> > As ZmnSCPxj pointed out recently, one way to mitigate this
> equivocation consists in punishing the cheating pre-nominated coordinator
> on an external fidelity bond. One can even imagine more trust-mimized and
> decentralized fraud proofs to implement this mitigation, removing the nee=
d
> of a coordinator [1].
> >> >
> >> > However, I believe punishment equivocation to be game-theory sound
> should compensate a defrauded counterparty of the integrity of its lost
> off-chain balance. As one cheating counterparty can equivocate in the
> worst-case against all the other counterparties in the construction, one
> fidelity bond should be equal to ( C - 1 ) * B satoshi amount, where C is
> the number of construction counterparty and B the initial off-chain balan=
ce
> of the cheating counterparty.
> >> >
> >> > Moreover, I guess it is impossible to know ahead of a partition or
> transition who will be the "honest" counterparties from the "dishonest"
> ones, therefore this ( C - 1 ) * B-sized fidelity bond must be maintained
> by every counterparty in the pool or factory. On this ground, I think thi=
s
> mitigation and other corrective ones are not economically practical for
> large-scale pools among a set of anonymous users.
> >> >
> >> > I think the best solution to solve the interactivity issue which is
> realistic to design is one ruling out off-chain group equivocation in a
> prophylactic fashion. The pool or factory funding utxo should be edited i=
n
> an efficient way to register new off-chain subgroups, as lack of
> interactivity from a subset of counterparties demands it.
> >> >
> >> > With CoinPool, there is already this idea of including a user pubkey
> and balance amount to each leaf composing the Taproot tree while preservi=
ng
> the key-path spend in case of unanimity in the user group. Taproot leaves
> can be effectively regarded as off-chain user accounts available to reali=
ze
> privacy-preserving payments and contracts.
> >> >
> >> > I think one (new ?) idea can be to introduce taproot leaves
> "cut-through" spends where multiple leaves are updated with a single
> witness, interactively composed by the owners of the spent leaves. This
> spend sends back the leaves amount to a new single leaf, aggregating the
> amounts and user pubkeys. The user leaves not participating in this
> "cut-through" are inherited with full integrity in the new version of the
> Taproot tree, at the gain of no interactivity from their side.
> >> >
> >> > Let's say you have a CoinPool funded and initially set with Alice,
> Bob, Caroll, Dave and Eve. Each pool participant has a leaf L.x committin=
g
> to an amount A.x and user pubkey P.x, where x is the user name owning a
> leaf.
> >> >
> >> > Bob and Eve are deemed to be offline by the Alice, Caroll and Dave
> subset (the ACD group).
> >> >
> >> > The ACD group composes a cut-through spend of L.a + L.c + L.d. This
> spends generates a new leaf L.(acd) leaf committing to amount A.(acd) and
> P.(acd).
> >> >
> >> > Amount A.(acd) =3D A.a + A.c + A.d and pubkey P.(acd) =3D P.a + P.c =
+ P.d.
> >> >
> >> > Bob's leaf L.b and Eve's leaf L.e are left unmodified.
> >> >
> >> > The ACD group generates a new Taproot tree T' =3D L.(acd) + L.b + L.=
e,
> where the key-path K spend including the original unanimity of pool
> counterparties is left unmodified.
> >> >
> >> > The ACD group can confirm a transaction spending the pool funding
> utxo to a new single output committing to the scriptpubkey K + T'.
> >> >
> >> > From then, the ACD group can pursue off-chain balance updates among
> the subgroup thanks to the new P.(acd) and relying on the known Eltoo
> mechanism. There is no possibility for any member of the ACD group to
> equivocate with Bob or Eve in a non-observable fashion.
> >> >
> >> > Once Bob and Eve are online and ready to negotiate an on-chain pool
> "refresh" transaction, the conserved key-path spend can be used to
> re-equilibrate the Taproot tree, prune out old subgroups unlikely to be
> used and provision future subgroups, all with a compact spend based on
> signature aggregation.
> >> >
> >> > Few new Taproot tree update script primitives have been proposed, e.=
g
> [2]. Though I think none with the level of flexibility offered to generat=
e
> leaves cut-through spends, or even batch of "cut-through" where M subgrou=
ps
> are willing to spend N leaves to compose P new subgroups fan-out in Q new
> outputs, with showing a single on-chain witness. I believe such a
> hypothetical primitive can also reduce the chain space consumed in the
> occurrence of naive mass pool withdraws at the same time.
> >> >
> >> > I think this solution to the high-interactivity issue of payment
> pools and factories shifts the burden on each individual user to pre-comm=
it
> fast Taproot tree traversals, allowing them to compose new pool subgroups
> as fluctuations in pool users' level of liveliness demand it. Pool
> efficiency becomes the sum of the quality of user prediction on its
> counterparties' liveliness during the construction lifetime. Recursive
> taproot tree spends or more efficient accumulator than merkle tree sounds
> ideas to lower the on-chain witness space consumed by every pool in the
> average non-interactive case.
> >> >
> >> > Cheers,
> >> > Antoine
> >> >
> >> > [0]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020370=
.html
> >> > [1]
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2023-August/004=
043.html
> >> > [2]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-September/01=
9420.html
> >
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--0000000000003362da0606edd47f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi Johan,<div><br></div><div>Thanks for the insight.</div>=
<div><br></div><div>From the proposed semantics of OP_CHECKCONTRACTVERIFY i=
irc:</div><div><br></div><div>&lt;data&gt; &lt;index&gt; &lt;pk&gt; &lt;tap=
tree&gt; &lt;flags&gt;</div><div><br></div><div>I think this is not yet ind=
icated how the participant&#39;s pubkeys and balances can be disaggregated =
from &lt;data&gt;, a partial subset push on the stack and verifying that co=
rresponding signatures are valid.</div><div><br></div><div>One requirement =
of a cut-through update of taproot leaves is to verify the authentication o=
f the fan-out balances and pubkeys towards the &quot;online&quot; partition=
. This subset is not known at pool setup, even if the contract or tree cons=
truct can be equilibrated with some expectation.</div><div><br></div><div>O=
therwise, it sounds OP_CHECKCONTRACTVERIFY could be used to architect the p=
roposed design of coinpool and its cut-through mechanism. One hard issue so=
unds to be efficient traversal, inspection and modification of the contract=
 &lt;data&gt;.</div><div><br></div><div>Best,</div><div>Antoine</div></div>=
<br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">Le=C2=
=A0mar. 3 oct. 2023 =C3=A0=C2=A012:24, Johan Tor=C3=A5s Halseth &lt;<a href=
=3D"mailto:johanth@gmail.com">johanth@gmail.com</a>&gt; a =C3=A9crit=C2=A0:=
<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8=
ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,=
204,204);padding-left:1ex">Hi, Antoine.<br>
<br>
It sounds like perhaps OP_CHECKCONTRACTVERIFY can achieve what you are<br>
looking for: <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin=
-dev/2023-May/021719.html" rel=3D"noreferrer" target=3D"_blank">https://lis=
ts.linuxfoundation.org/pipermail/bitcoin-dev/2023-May/021719.html</a><br>
<br>
By committing the participants&#39; pubkeys and balances in the dynamic<br>
data instead of the taptree one can imagine a subset of online users<br>
agreeing to pool their aggregated balances in a new output, while the<br>
offline users&#39; funds would remain inaccessible by them in a second<br>
output.<br>
<br>
The way this would work is by spending the coinpool utxo with a<br>
transaction having two outputs: one output that is the &quot;remainder&quot=
; of<br>
the previous coinpool (the offline users), and the second output the<br>
new coinpool among the online users*.<br>
<br>
When the offline users are back online, they could all agree to<br>
continue using the original coinpool utxo.<br>
<br>
* assuming Eltoo in case an offline user comes back online and double<br>
spends the UTXO.<br>
<br>
- Johan<br>
<br>
<br>
On Wed, Sep 27, 2023 at 12:08=E2=80=AFPM Antoine Riard via bitcoin-dev<br>
&lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_bla=
nk">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote:<br>
&gt;<br>
&gt; Hi Zeeman,<br>
&gt;<br>
&gt; See my comments at the time of OP_EVICT original publication.<br>
&gt;<br>
&gt; <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/202=
2-February/019939.html" rel=3D"noreferrer" target=3D"_blank">https://lists.=
linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019939.html</a><br>
&gt;<br>
&gt; &quot;I think in the context of (off-chain) payment pool, OP_EVICT req=
uires<br>
&gt; participant cooperation *after* the state update to allow a single<br>
&gt; participant to withdraw her funds.<br>
&gt;<br>
&gt; I believe this is unsafe if we retain as an off-chain construction sec=
urity<br>
&gt; requirement that a participant should have the unilateral means to enf=
orce<br>
&gt; the latest agreed upon state at any time during the construction lifet=
ime&quot;.<br>
&gt;<br>
&gt; I think this level of covenant flexibility is still wished for CoinPoo=
l as a fundamental property, and this is offered by TLUV or MERKLESUB.<br>
&gt; On the other hand, I think OP_EVICT introduces this idea of *subgroup =
novation* (i.e `K-of-N`) of a PT2R scriptpubkey.<br>
&gt;<br>
&gt; To the best of my understanding, I think there is not yet any sound co=
venant proposal aiming to combine TLUV and EVICT-like semantics in a consis=
tent set of Script primitives to enable &quot;cut-through&quot; updates, wh=
ile still retaining the key property of unilateral withdraw of promised bal=
ances in any-order.<br>
&gt;<br>
&gt; I might go to work on crafting one, though for now I&#39;m still inter=
ested to understand better if on-chain &quot;cut-through&quot; is the best =
direction to solve the fundamental high interactivity issue of channel fact=
ory and payment pool over punishment-based ideas.<br>
&gt;<br>
&gt; Best,<br>
&gt; Antoine<br>
&gt;<br>
&gt; Le mar. 26 sept. 2023 =C3=A0 07:51, ZmnSCPxj &lt;<a href=3D"mailto:Zmn=
SCPxj@protonmail.com" target=3D"_blank">ZmnSCPxj@protonmail.com</a>&gt; a =
=C3=A9crit :<br>
&gt;&gt;<br>
&gt;&gt; Good morning Antoine,<br>
&gt;&gt;<br>
&gt;&gt; Does `OP_EVICT` not fit?<br>
&gt;&gt;<br>
&gt;&gt; <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev=
/2022-February/019926.html" rel=3D"noreferrer" target=3D"_blank">https://li=
sts.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019926.html</a>=
<br>
&gt;&gt;<br>
&gt;&gt; Regards,<br>
&gt;&gt; ZmnSCPxj<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; Sent with Proton Mail secure email.<br>
&gt;&gt;<br>
&gt;&gt; ------- Original Message -------<br>
&gt;&gt; On Monday, September 25th, 2023 at 6:18 PM, Antoine Riard via bitc=
oin-dev &lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=
=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; &gt; Payment pools and channel factories are afflicted by severe i=
nteractivity constraints worsening with the number of users owning an off-c=
hain balance in the construction. The security of user funds is paramount o=
n the ability to withdraw unilaterally from the off-chain construction. As =
such any update applied to the off-chain balances requires a signature cont=
ribution from the unanimity of the construction users to ensure this abilit=
y is conserved along updates.<br>
&gt;&gt; &gt; As soon as one user starts to be offline or irresponsive, the=
 updates of the off-chain balances must have to be halted and payments prog=
ress are limited among subsets of 2 users sharing a channel. Different peop=
le have proposed solutions to this issue: introducing a coordinator, partit=
ioning or layering balances in off-chain users subsets. I think all those s=
olutions have circled around a novel issue introduced, namely equivocation =
of off-chain balances at the harm of construction counterparties [0].<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; As ZmnSCPxj pointed out recently, one way to mitigate this eq=
uivocation consists in punishing the cheating pre-nominated coordinator on =
an external fidelity bond. One can even imagine more trust-mimized and dece=
ntralized fraud proofs to implement this mitigation, removing the need of a=
 coordinator [1].<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; However, I believe punishment equivocation to be game-theory =
sound should compensate a defrauded counterparty of the integrity of its lo=
st off-chain balance. As one cheating counterparty can equivocate in the wo=
rst-case against all the other counterparties in the construction, one fide=
lity bond should be equal to ( C - 1 ) * B satoshi amount, where C is the n=
umber of construction counterparty and B the initial off-chain balance of t=
he cheating counterparty.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; Moreover, I guess it is impossible to know ahead of a partiti=
on or transition who will be the &quot;honest&quot; counterparties from the=
 &quot;dishonest&quot; ones, therefore this ( C - 1 ) * B-sized fidelity bo=
nd must be maintained by every counterparty in the pool or factory. On this=
 ground, I think this mitigation and other corrective ones are not economic=
ally practical for large-scale pools among a set of anonymous users.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; I think the best solution to solve the interactivity issue wh=
ich is realistic to design is one ruling out off-chain group equivocation i=
n a prophylactic fashion. The pool or factory funding utxo should be edited=
 in an efficient way to register new off-chain subgroups, as lack of intera=
ctivity from a subset of counterparties demands it.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; With CoinPool, there is already this idea of including a user=
 pubkey and balance amount to each leaf composing the Taproot tree while pr=
eserving the key-path spend in case of unanimity in the user group. Taproot=
 leaves can be effectively regarded as off-chain user accounts available to=
 realize privacy-preserving payments and contracts.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; I think one (new ?) idea can be to introduce taproot leaves &=
quot;cut-through&quot; spends where multiple leaves are updated with a sing=
le witness, interactively composed by the owners of the spent leaves. This =
spend sends back the leaves amount to a new single leaf, aggregating the am=
ounts and user pubkeys. The user leaves not participating in this &quot;cut=
-through&quot; are inherited with full integrity in the new version of the =
Taproot tree, at the gain of no interactivity from their side.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; Let&#39;s say you have a CoinPool funded and initially set wi=
th Alice, Bob, Caroll, Dave and Eve. Each pool participant has a leaf L.x c=
ommitting to an amount A.x and user pubkey P.x, where x is the user name ow=
ning a leaf.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; Bob and Eve are deemed to be offline by the Alice, Caroll and=
 Dave subset (the ACD group).<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; The ACD group composes a cut-through spend of L.a + L.c + L.d=
. This spends generates a new leaf L.(acd) leaf committing to amount A.(acd=
) and P.(acd).<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; Amount A.(acd) =3D A.a + A.c + A.d and pubkey P.(acd) =3D P.a=
 + P.c + P.d.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; Bob&#39;s leaf L.b and Eve&#39;s leaf L.e are left unmodified=
.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; The ACD group generates a new Taproot tree T&#39; =3D L.(acd)=
 + L.b + L.e, where the key-path K spend including the original unanimity o=
f pool counterparties is left unmodified.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; The ACD group can confirm a transaction spending the pool fun=
ding utxo to a new single output committing to the scriptpubkey K + T&#39;.=
<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; From then, the ACD group can pursue off-chain balance updates=
 among the subgroup thanks to the new P.(acd) and relying on the known Elto=
o mechanism. There is no possibility for any member of the ACD group to equ=
ivocate with Bob or Eve in a non-observable fashion.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; Once Bob and Eve are online and ready to negotiate an on-chai=
n pool &quot;refresh&quot; transaction, the conserved key-path spend can be=
 used to re-equilibrate the Taproot tree, prune out old subgroups unlikely =
to be used and provision future subgroups, all with a compact spend based o=
n signature aggregation.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; Few new Taproot tree update script primitives have been propo=
sed, e.g [2]. Though I think none with the level of flexibility offered to =
generate leaves cut-through spends, or even batch of &quot;cut-through&quot=
; where M subgroups are willing to spend N leaves to compose P new subgroup=
s fan-out in Q new outputs, with showing a single on-chain witness. I belie=
ve such a hypothetical primitive can also reduce the chain space consumed i=
n the occurrence of naive mass pool withdraws at the same time.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; I think this solution to the high-interactivity issue of paym=
ent pools and factories shifts the burden on each individual user to pre-co=
mmit fast Taproot tree traversals, allowing them to compose new pool subgro=
ups as fluctuations in pool users&#39; level of liveliness demand it. Pool =
efficiency becomes the sum of the quality of user prediction on its counter=
parties&#39; liveliness during the construction lifetime. Recursive taproot=
 tree spends or more efficient accumulator than merkle tree sounds ideas to=
 lower the on-chain witness space consumed by every pool in the average non=
-interactive case.<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; Cheers,<br>
&gt;&gt; &gt; Antoine<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; [0] <a href=3D"https://lists.linuxfoundation.org/pipermail/bi=
tcoin-dev/2022-April/020370.html" rel=3D"noreferrer" target=3D"_blank">http=
s://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020370.html<=
/a><br>
&gt;&gt; &gt; [1] <a href=3D"https://lists.linuxfoundation.org/pipermail/li=
ghtning-dev/2023-August/004043.html" rel=3D"noreferrer" target=3D"_blank">h=
ttps://lists.linuxfoundation.org/pipermail/lightning-dev/2023-August/004043=
.html</a><br>
&gt;&gt; &gt; [2] <a href=3D"https://lists.linuxfoundation.org/pipermail/bi=
tcoin-dev/2021-September/019420.html" rel=3D"noreferrer" target=3D"_blank">=
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-September/0194=
20.html</a><br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; bitcoin-dev mailing list<br>
&gt; <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_bl=
ank">bitcoin-dev@lists.linuxfoundation.org</a><br>
&gt; <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-=
dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org=
/mailman/listinfo/bitcoin-dev</a><br>
</blockquote></div>

--0000000000003362da0606edd47f--