From aj at erisian.com.au Mon Mar 18 06:38:56 2019 From: aj at erisian.com.au (Anthony Towns) Date: Mon, 18 Mar 2019 16:38:56 +1000 Subject: [Lightning-dev] More thoughts on NOINPUT safety In-Reply-To: <87mulx3bt3.fsf@gmail.com> References: <20190313014143.ifffshwdux2jt7w5@erisian.com.au> <20190313111050.qj3s6utpl2x34sam@erisian.com.au> <20190314072456.br2leoiae6zs2jv2@erisian.com.au> <87mulx3bt3.fsf@gmail.com> Message-ID: <20190318063856.w653ypgibypmss2v@erisian.com.au> On Thu, Mar 14, 2019 at 01:00:56PM +0100, Christian Decker wrote: > Anthony Towns writes: > > I'm thinking of tagged outputs as "taproot plus" (ie, plus noinput), > > so if you used a tagged output, you could do everything normal taproot > > address could, but also do noinput sigs for them. > > So you might have: > > funding tx -> cooperative claim > > funding tx -> update 3 [TAGGED] -> settlement 3 -> claim > > funding tx -> update 3 [TAGGED] -> > > update 4 [TAGGED,NOINPUT] -> > > settlement 4 [TAGGED,NOINPUT] -> > > claim [NOINPUT] > > In the cooperative case, no output tagging needed. > I might be missing something here, but how do you bind update 3 to the > funding tx output, when that output is not tagged? Do we keep each > update in multiple separate states, one bound to the funding tx output > and another signed with noinput? I don't know that "separate states" is a great description -- until it hits the blockchain "update N" is a template that can be filled out in a variety of ways -- in the above the ways are: - with a NOINPUT sig and a previous "update" tx as its input - or with a SINGLE|ANYONECANPAY sig and the funding tx as input The important thing is that approach means two sigs for each update tx. The above also has two sigs for each settlement tx (and likewise two sigs for each HTLC claim if using scriptless scripts) -- one using NOINPUT in case multiple update tx's make it to the blockchain, and one assuming everything works as expected that can just use direct key path spending. I think you can do SINGLE,ANYCANPAY and combine multiple channel closures if you're directly spending the funding tx, but can't do that if you're using a NOINPUT sig, because the NOINPUT sig would commit to the tx's locktime and different channel's states will generally have different locktimes. You still probably want SINGLE,ANYCANPAY in that case so you can bump fees though. > If that's the case we just doubled our > storage and communication requirements for very little gain. There's three potential gains: * it lets us make a safer version of NOINPUT * it makes the common paths give fewer hints that you're using eltoo * it puts less data/computation load on the blockchain With tagged outputs your update tx already indicates you're maybe going to use NOINPUT, so that probably already gives away that you're using eltoo, so, at least with output tagging, the second benefit probably doesn't exist. Using a key path spend (without a script) is probably going to be cheaper on the blockchain though. But while I think output tagging is probably better than nothing, requiring a non-NOINPUT signature seems a better approach to me. With that one, having a dedicated sig for the normal "publish the latest state spending the funding tx" case, reduces a unilateral close to only being special due to the settlement tx having a relative timelock, and the various tx's using SINGLE|ANYCANPAY, which seems like a win. In that scenario, just using a single sig is much cheaper than revealing a taproot point, a pubkey or two, and using two sigs and a CLTV check of course. It does goes from 1+n signatures per update today to 4+n signatures, if you're using scriptless scripts. If you don't mind revealing the HTLCs are HTLCs, and could do them with actual scripts, that reduces to 4 signatures. You could reduce it to 2 signatures by also always posting "funding tx -> update 0 -> update N -> settlement N", or you could reduce it to 2+2/k signatures by only doing the non-NOINPUT sigs for every k'th state (or no more often than every t seconds or similar). > An > alternative is to add a trigger transaction that needs to be published > in a unilateral case, but that'd increase our on-chain footprint. (The above essentially uses update tx's as optional trigger tx's) Also, I'd expect the extra latency introduced by the interactive signing protocol for muSig would be more of a hit (share the nonce hash, share the nonce, calculate the sig). Particularly if you're doing multiparty channels with many participants, rather than just two. Cheers, aj