From elombrozo at gmail.com Sat Aug 1 04:29:24 2015 From: elombrozo at gmail.com (Eric Lombrozo) Date: Fri, 31 Jul 2015 21:29:24 -0700 Subject: [Lightning-dev] OP_CHECKSPVPROOFVERIFY In-Reply-To: References: <5B9604FB-B266-4EC8-81DE-3DC1C120F762@gmail.com> <87twsmo31o.fsf@rustcorp.com.au> Message-ID: <9D812E3E-FEF0-4963-A780-148E3A547942@gmail.com> Minor script corrections: OP_IF OP_IF OP_HASH160 OP_EQUALVERIFY OP_ELSE OP_CHECKSPVPROOFVERIFY OP_DROP OP_DROP OP_DROP OP_ENDIF OP_CHECKSIG OP_ELSE OP_CHECKLOCKTIMEVERIFY OP_DROP OP_CHECKSIG OP_ENDIF > On Jul 30, 2015, at 5:18 AM, Eric Lombrozo wrote: > > Let me elaborate more on the way I see this working in practice. I?ll ignore fees for now. Given that sending the proof on the blockchain is expensive, the parties need to negotiate how they split the risk. Moreover, once revoked, we want to encourage the second outputs to be claimed using the revocation secret, not the SPV proof?but we?ll ignore this detail for now. > > We have two parties, Prover and Verifier. Verifier wants to pay Prover one currency unit for an SPV proof. Assume they have an open channel with each party having 10 currency units. > > > Here are the commitment transactions: > > Verifier Commitment Transaction > ========================= > 10 ProverSig > 1 ProverSig + VerifierRevocation || ProverSig + SPV proof || VerifierSig + timeout > 9 ProverSig + VerifierRevocation || VerifierSig + timeout > > Prover Commitment Transaction > ========================= > 9 VerifierSig > 1 VerifierSig + ProverRevocation || ProverSig + SPV proof || VerifierSig + timeout > 10 VerifierSig + ProverRevocation || ProverSig + timeout > > > A script for [ProverSig + VerifierRevocation || ProverSig + SPV proof || VerifierSig + timeout] could look like: > > OP_IF > OP_IF > OP_HASH160 OP_EQUALVERIFY > OP_ELSE > OP_CHECKSPVPROOFVERIFY OP_DROP > OP_ENDIF > OP_CHECKSIG > OP_ELSE > OP_CHECKLOCKTIMEVERIFY OP_DROP > OP_CHECKSIG > OP_ENDIF > > > To redeem this output using the SPV proof, the Prover uses: > > <0> <1> > > > Once the commitment transactions are created, the Prover gives the Verifier the SPV proof, then they negotiate settlement transactions and exchange revocations. > > Would something like this work? > >> On Jul 29, 2015, at 11:38 PM, Eric Lombrozo wrote: >> >> I?m not entirely clear on how you intended to use OP_CAT. >> >> I was thinking something along the lines of >> >> OP_CHECKSPVPROOFVERIFY OP_DROP >> >> >> >> - Eric >> >> >>> On Jul 29, 2015, at 6:19 PM, Rusty Russell wrote: >>> >>> Eric Lombrozo writes: >>>> I don?t know if anyone has done any research or published anything in >>>> this regard, but one of the major issues with bitcoin I?ve been trying >>>> to solve is how to properly incentivize nodes to construct SPV proofs. >>> >>> This can almost be done via P2SH, but not quite: >>> >>> 1) OP_CAT is disabled :( >>> 2) The txlen limit might bite, I'd have to do the maths. >>> >>> Cheers, >>> Rusty. >> > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: