path: root/ea/33de9273f6bb28ab31f27fb0d874293f0a469c

Return-Path: <rsomsen@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 06FCAC7C
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 17 Dec 2018 15:48:29 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com
	[209.85.221.49])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 379D07A4
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 17 Dec 2018 15:48:28 +0000 (UTC)
Received: by mail-wr1-f49.google.com with SMTP id v13so12771137wrw.5
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 17 Dec 2018 07:48:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=mime-version:references:in-reply-to:from:date:message-id:subject:to
	:content-transfer-encoding;
	bh=x7AHeRYUXmnUnlfodb/Nx4WCJZO1R3QK+ULt352ct0w=;
	b=BU9btPD6bhmQmXYjYIbd5ROQATOJMtu0caCGaoxm87j41pcGoC39/M/YnhH1O6RJSu
	fLHOSYEQg1dXAZg+oNx+sjgPdTrVWZmRzKWXyxm7zlLoVgORIhfwFq7L4FtS3H2nv8JW
	oo8Erao+glilpvxwwmOw+c1PrVm5EXhmjLJTFV7cLnbZeIK6a8Kalh7eYgJ+fI+vEhX9
	A23vdZhTbUw2Nb20fWpQ68+CrKOSHy4CZZkQBL1aLC4k0FoizFAvQUJQZ8u7v3ht3CGP
	H7OxNsaBveB5xPRA1EaICyFhN/MeUrweRHsjcX2BZXC/pgCkYpHjFgZqNvFae0N1q79z
	SqFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-transfer-encoding;
	bh=x7AHeRYUXmnUnlfodb/Nx4WCJZO1R3QK+ULt352ct0w=;
	b=SlYxUMh4KO49ckdZMkLS7MKobfCbsJwg3rxJ8hk8Hs2g3vCEfjQ1xj8/L0nWPmK3SW
	e9iRzuK6zutnVsFVijM/AgMNkhVtpO/X2s/N2UCWjd4Pz8kxocP+haBqNRQ2bwD7vyHh
	2V6/e48O5E783ART/1lYmNCOrSw3oNg2pRdUoa/shTfbpMNHxlkJgDsah11ONthK1qzG
	N4R7vFe+TsI4Mdx/P3ZsgS5vrq4BxLouUPyRKqJld0OLsqckzO+djh3KDSYJUCHzUreB
	n51pPcNtad2Rof391Tvetbu4K+0wyflgf3zDw8uTbqLiNxCLGoKBlt/P9JnFg/BOuVMO
	AD4Q==
X-Gm-Message-State: AA+aEWaGHRWg3BlKBggs1Oh5KFhYzH7aFO4t9/zva3vWfkmIlmrf3J9j
	SWOsIho6ull1WD6ag/2Vk8K71YQEPFxzJc3TqvbvZLaO
X-Google-Smtp-Source: AFSGD/XHqUnGPMhJE6fnVeJIw7DglHIqQVq5X3hFP3rgZHsTlCYm1AtegMgqgQxUvu6vBaYactpcVHlqpHXjJZo2+eQ=
X-Received: by 2002:adf:8143:: with SMTP id 61mr10780834wrm.47.1545061706657; 
	Mon, 17 Dec 2018 07:48:26 -0800 (PST)
MIME-Version: 1.0
References: <9F8C0789-48E9-448A-A239-DB4AFB902A00@xbt.hk>
In-Reply-To: <9F8C0789-48E9-448A-A239-DB4AFB902A00@xbt.hk>
From: Ruben Somsen <rsomsen@gmail.com>
Date: Tue, 18 Dec 2018 00:48:15 +0900
Message-ID: <CAPv7TjYRVUGWCyFweootbMCJEkyFG4YOJ+M_N_N4j_t043bUfw@mail.gmail.com>
To: Johnson Lau <jl2012@xbt.hk>, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Mon, 17 Dec 2018 16:09:42 +0000
Subject: Re: [bitcoin-dev] Safer NOINPUT with output tagging
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Dec 2018 15:48:29 -0000

Hi Johnson,

The design considerations here seem similar to the ML discussion of
whether Graftroot should be optional [1].

>While this seems fully compatible with eltoo, is there any other proposals=
 require NOINPUT, and is adversely affected by either way of tagging?

As far as I can tell it should be compatible with Statechains [2],
since it pretty much mirrors Eltoo in setup.

My understanding is somewhat lacking, so perhaps I am missing the
mark, but it is not completely clear to me how this affects
fungibility if taproot gets added and the setup and trigger tx for
Eltoo get combined into a single transaction. Would the NOINPUT
spending condition be hidden inside the taproot commitment?

Cheers,
Ruben Somsen

[1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-May/016006=
.html
[2]  https://www.reddit.com/r/Bitcoin/comments/9nhjea/eli51525faq_for_state=
chains_offchain_transfer_of/

On Mon, Dec 17, 2018 at 8:20 PM Johnson Lau via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> NOINPUT is very powerful, but the tradeoff is the risks of signature repl=
ay. While the key holders are expected not to reuse key pair, little could =
be done to stop payers to reuse an address. Unfortunately, key-pair reuse h=
as been a social and technical norm since the creation of Bitcoin (the firs=
t tx made in block 170 reused the previous public key). I don=E2=80=99t see=
 any hope to change this norm any time soon, if possible at all.
>
> As the people who are designing the layer-1 protocol, we could always bla=
me the payer and/or payee for their stupidity, just like those people laugh=
ed at victims of Ethereum dumb contracts (DAO, Parity multisig, etc). The e=
xisting bitcoin script language is so restrictive. It disallows many useful=
 smart contracts, but at the same time prevented many dumb contracts. After=
 all, =E2=80=9Csmart=E2=80=9D and =E2=80=9Cdumb=E2=80=9D are non-technical =
judgement. The DAO contract has always been faithfully executed. It=E2=80=
=99s dumb only for those invested in the project. For me, it was just a com=
edy show.
>
> So NOINPUT brings us more smart contract capacity, and at the same time w=
e are one step closer to dumb contracts. The target is to find a design tha=
t exactly enables the smart contracts we want, while minimising the risks o=
f misuse.
>
> The risk I am trying to mitigate is a payer mistakenly pay to a previous =
address with the exactly same amount, and the previous UTXO has been spent =
using NOINPUT. Accidental double payment is not uncommon. Even if the payee=
 was honest and willing to refund, the money might have been spent with a r=
eplayed NOINPUT signature. Once people lost a significant amount of money t=
his way, payers (mostly exchanges) may refuse to send money to anything oth=
er than P2PKH, native-P2WPKH and native-P2WSH (as the only 3 types without =
possibility of NOINPUT)
>
> The proposed solution is that an output must be =E2=80=9Ctagged=E2=80=9D =
for it to be spendable with NOINPUT, and the =E2=80=9Ctag=E2=80=9D must be =
made explicitly by the payer. There are 2 possible ways to do the tagging:
>
> 1. A certain bit in the tx version must be set
> 2. A certain bit in the scriptPubKey must be set
>
> I will analyse the pros and cons later.
>
> Using eltoo as example. The setup utxo is a simple 2-of-2 multisig, and s=
hould not be tagged. This makes it indistinguishable from normal 1-of-1 utx=
o. The trigger tx, which spends the setup utxo, should be tagged, so the up=
date txs could spend the trigger utxo with NOINPUT. Similarly, all update t=
xs should be tagged, so they could be spent by other update txs and settlem=
ent tx with NOINPUT. As the final destination, there is no need to tag in t=
he settlement tx.
>
> In payer=E2=80=99s perspective, tagging means =E2=80=9CI believe this add=
ress is for one-time-use only=E2=80=9D Since we can=E2=80=99t control how o=
ther people manage their addresses, we should never do tagging when paying =
to other people.
>
> I mentioned 2 ways of tagging, and they have pros and cons. First of all,=
 tagging in either way should not complicate the eltoo protocol in anyway, =
nor bring extra block space overhead.
>
> A clear advantage of tagging with scriptPubKey is we could tag on a per-o=
utput basis. However, scriptPubKey tagging is only possible with native-seg=
wit, not P2SH. That means we have to disallow NOINPUT in P2SH-segwit (Other=
wise, *all* P2SH addresses would become =E2=80=9Crisky=E2=80=9D for payers)=
 This should be ok for eltoo, since it has no reason to use P2SH-segwit in =
intermediate txs, which is more expensive.
>
> Another problem with scriptPubKey tagging is all the existing bech32 impl=
ementations will not understand the special tag, and will pay to a tagged a=
ddress as usual. An upgrade would be needed for them to refuse sending to t=
agged addresses by default.
>
> On the other hand, tagging with tx version will also protect P2SH-segwit,=
 and all existing wallets are protected by default. However, it is somewhat=
 a layer violation and you could only tag all or none output in the same tx=
. Also, as Bitcoin Core has just removed the tx version from the UTXO datab=
ase, adding it back could be a little bit annoying, but doable.
>
> There is an extension to the version tagging, which could make NOINPUT ev=
en safer. In addition to tagging requirement, NOINPUT will also sign the ve=
rsion of the previous tx. If the wallet always uses a randomised tx version=
, it makes accidental replay very unlikely. However, that will burn a few m=
ore bits in the tx version field.
>
> While this seems fully compatible with eltoo, is there any other proposal=
s require NOINPUT, and is adversely affected by either way of tagging?
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev