From rusty at rustcorp.com.au Tue Jul 14 05:56:57 2015
From: rusty at rustcorp.com.au (Rusty Russell)
Date: Tue, 14 Jul 2015 15:26:57 +0930
Subject: [Lightning-dev] [RFC] Anchor (funding) transactions without segregated witness
In-Reply-To: <20150713222659.GA4548@lightning.network>
References: <874mlgebx8.fsf@rustcorp.com.au> <20150713222659.GA4548@lightning.network>
Message-ID: <874ml78eom.fsf@rustcorp.com.au>

Joseph Poon writes:
> On Tue, Jul 07, 2015 at 03:39:39PM +0930, Rusty Russell wrote:
>> Feedback, optimizations, horrible holes?
>
> I think this model works! As soon as OP_CHECKLOCKTIMEVERIFY soft-forks
> into bitcoin, a basic lightning implementation may be theoretically
> possible in real bitcoin (with some significant caveats)!

We could. I think OP_CHECKSEQUENCEVERIFY (ie. relative CLTV) would
reduce those caveats enough that we should assume that, too (if that
proves too optimistic, we can return to global timeouts and OP_CLTV).

[ BTW, Joseph and I had a deep and complex discussion over the last week
via private email. I'm summarizing here. ]

It *almost* works, but once you drew my attention to the malleability
issue, it's clear that the escape transaction(s) can be malleated[1],
causing the commitment transaction to be useless.

Then I came up with another variant, which Joseph approved of. And
then, of course, improved upon!

I'm writing up final result now.

Thanks!
Rusty.