From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id E3E58CDAF for ; Sat, 9 Feb 2019 16:52:10 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id A20BE13A for ; Sat, 9 Feb 2019 16:52:09 +0000 (UTC) Received: by mail-wm1-f51.google.com with SMTP id m1so9132642wml.2 for ; Sat, 09 Feb 2019 08:52:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:cc:references:openpgp:autocrypt:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=0Re38hR+oTFytHEI0rUObc7cDw6EkDswA9OupWstMKo=; b=QgeQDparigLcNlaJr+VSMvtGVI0mWzdqBbYsFNODXKukveYWj0ZIyvxovsPllmsBs5 PXvA7xC1OHCeJvW1gYJDuso/RmIZwI+J/vHmjgBUeRLdxidErJ3R/bsxcc1lkvxOWSS/ 4eXSPG0lXgiBolNWfx0ZXXAsrgEWmTcxoxQxSQB+Zln6mYIjTE6/rc2Pb1gYG2G0ymrX BT8739OyOsjdzTy06XoSmocQa3xR7hNcRiZw112Z/iIOAPj0WffCkUn6ijJKfkLgWfEp fnNCTODONlrwxm5YDFa3Oia2VLxBvw9AhST/1B1AhNwQLwPGdQBLyEd3TUMSI5b3uiwv kFxQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:cc:references:openpgp:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=0Re38hR+oTFytHEI0rUObc7cDw6EkDswA9OupWstMKo=; b=Kub8NIAl0zpGq7pEoLVxld9DyRhMGeEHyGol7bF0V/Cg02LX5cI2CKlvjqchuqfs4D OwAWHb4aQ9mcs4gksgIiTZ1UjC9Oip+HjNCHQiWhtBlECcpsx6Gey2/+zppdEgpa48Zk p4BTd/BZSWQl7Ps8hm4K6GfaT4NvL+UQm3KSLCKhyicmVtKhGFSUCsuEuSRAzfTvrZQ/ 8PI1FjObIyj/0WhkNyhHNP4SqkUfPegymc34k9QJW1rsla1SqlWNUKuFl4Q5CIIUNmfS WcV53a2V4YscbwlOewbNTq9O4k4yzAp3XQmYNFhYf5kNXxLnbsk9TKS+51ZKsvGeueaO sEdQ== X-Gm-Message-State: AHQUAuayUUV3dHloFWHEAKpuFeMfIPkkq7l4iG9tms+mDXz5UV1qygCF fH45fDUClJ9DnKURtEUasOwZOUnZU14= X-Google-Smtp-Source: AHgI3IaFyx2pYGI4ymuuBka67B9AmHdSJQ21fWhCo/lDNRW8h6KfCorKOq9VwmcEF0ln2luZM8Zn0A== X-Received: by 2002:adf:ba84:: with SMTP id p4mr6306567wrg.156.1549731127510; Sat, 09 Feb 2019 08:52:07 -0800 (PST) Received: from [10.12.10.3] ([62.112.9.165]) by smtp.googlemail.com with ESMTPSA id h4sm3049579wre.5.2019.02.09.08.52.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 09 Feb 2019 08:52:06 -0800 (PST) From: Jonas Nick X-Google-Original-From: Jonas Nick To: Johnson Lau References: <9F8C0789-48E9-448A-A239-DB4AFB902A00@xbt.hk> <9bae18fa-3266-61ce-0b62-6ee429198260@gmail.com> Openpgp: preference=signencrypt Autocrypt: addr=jonasd.nick@gmail.com; prefer-encrypt=mutual; keydata= mQINBFQ2o3oBEACv5N5WajlYk+i/4B8FmniipCB4biIKg38spMNt1EYM6RzTu+hbOrVOlJW8 fq/ih+dvlpreGxRPQlX4jr75kwoJCykd3geywTUl3KPLeJ/JRQJ8fVkine4Wr5qB5Jwo3+wt inDVooaaF32Y0HolNacXVzT1x9uwn83Bz/ifg+iGATn/e1Si3ga/ytY5wYDzFz6aUDRW8ulu DcG8ARMAgtzmi66EuyQyIWwSyoWFU8wJ98slU9LKuTu23r6HdxFuV+P2H1omJm+z8cd4QBMj I23uHst0Wx1MyTeVhZCnQAghyasA3oopwzqRf5wwECAui1oZhr59R4R1DHJjn0PeWZXBSnOo XPQ1ERjz4nQrODiIDEabD5DClPHZ1bte0tswm1aYBtD8/me9ck+SJdoH5r0DJrXCTtNl1XG1 9TTUINQe0eaQUOTakZmVaneCeSrw/pKOknkzudOCNCbmngKa2oJQOynrdsBuoigIYY+NQdot fk1nJljrBzyTh4sFktbHyA24x/hCykMX6FnIQxDnsGR+S3I+vzADBLBBMQQtZsUA+xnvPu4l 6You5SZMVhgprQy38bKybeIGxSZtmPNtBf8ouKhAUpbIfOaq6BoP4EtueXk/vyieFxXiIkbF N6b3pjhkG7wVG17HqCqeVeHz1ZAQJUPcqDQAPaelBf38RXPbeQARAQABtCJKb25hcyBOaWNr IDxqb25hc2Qubmlja0BnbWFpbC5jb20+iQI/BBMBAgApAhsDBwsJCAcDAgEGFQgCCQoLBBYC AwECHgECF4AFAlu1I0QFCQtA5soACgkQsacOT43NA2Y5zA/9G1kt1ECa6zPhpEBV5iqD1omt ABdrZSxD8gBsZOMt2nLE1f4J0Oqy9LfMzKFzC8Kyd7usu6HVA8XM3fjVgqi+cDlEhaE+RqFi FVJjai7Fo1EqQGoD8QKTHDpGMNAmkfiQI7yc7OOxJ7X/nRpI8EnUsHG0slw3ieG6krrwLMfi rdJz5xA3P0tjdz/gRsG1IkwaB1bWnrIyh4oS9MiTSO1GZzHdRrhYZPFnJa7XiQsDWTvtTf4o fkbDAxqsKSqJhh99Gl79dXjJ1X9c6YfmxdOWuHZwtpJRgTFXSavaojkjPdnx4/f8lsgQg0tI BEaZnfroAvJCkYCqxNAPS5pSCaRaZbm+eoBl9848eFQztds/xfG3xIpn6VaOSdDNCD0+kSiO LrqghKLN3nPWOfCU0zPlkFuNsWX0ALvAJj6UKGbvMRfR6uj5NPZuHbA2FK9/1pOfKLjm6bHI 2HtXeS5B0+eoAjHzoF9w/2DM4+DLU8Qbn63CpDZ3dodqK3Z7PHLv9oiiCVUFxia0J9YUZJru 1jFHc3BA/Ado4LSxjyUbG0kDQjddvBEmQIkW5c2VrkczYv8gCOLwiUF+RPqc8PxGRs5I5SqJ RzcEN9nIaFcP5MTPrabbkXKLw6ZhHqc3J85qMOLoxThP5SCWM7I1SwLYIGgcWGFtL27U9IXe /wzNH4aerKe5Ag0EWVExqgEQAL1iVOraDIRX7bI1bres6PsbkNwz56OqIRbfSACch82x4NAK Jd9Gdabhv7mjX9bUGBwH79YUjpxOo2nh8Sp48SYThe9lWOmU6wo2T1ZyzuhoQp8jRtcll59Q o2zbfQdWt8DdRhCNzma/qjhDaAOveKa13jtXasVVqR4UdK2ZG/nIRQhPDslYq+hutV/7kTrd sk12GETBOrUQDh5WLbG5AbKGK/CQ3kXZWvyhSVD2I20ze18qsMrL88shgx+Tf0S9H+snQNQi WsB8DVe/VQj7nfam+LTVoIWpYOgTW+Y7/bU+UylMyFNUlFBykAguSCZ1JTSCxM2W9Q6zOf8u v9N+ht5TpTPiXvbx4mTA9UWu4Mksa7deqwy59MViuqRgBQwcH6WYgT202PYbMQzpxQSPBO4v N7e/ScVpAlfTT52ygwURb89+A4LQzF0tKWsRC5ZON5FfVbLg1NMplECOr1gPpruUNlbNbLOY nVd6nu1j/vLKvYiQL/BzoHJ4X5EvRm7BhktgdCuE5ce7eaNUGZKd9kUHNqhznKV+PeYCI78E ARAYNORbD09V+40wBtv5+VYPv9XMBBVYqofMOFIPbt0pT4ssbhH8UMnQcZbrtzOPxE6405Hy pT3gA85CSSpZXm3ziFdKodNyaYtb+eHwIGUQaC3pl3AdP8IpgVQL8K8CYNNhABEBAAGJBHIE GAEIACYWIQQ2xxo3ydmIveglCNmxpw5Pjc0DZgUCWVExqgIbAgUJA8JnAAJACRCxpw5Pjc0D ZsF0IAQZAQgAHRYhBEu7hFpvWmWmnfrsI0hh2/JiEjYFBQJZUTGqAAoJEEhh2/JiEjYFLUYP /2nglwU8kOJqf97M8y/apivcw8D7X1KRK6PfEf3pAUwmJ58RBL9oNmPDky3D3NYi9iVmOJHz mwVGVujO/PqnMxBfxjUwZDlYHM01q6De1PI+CHF6XLqo8DLZS++hMxpiNQwGulHDq/5QLTrD ma3MTdfZBrQW6J41Oj3ma806jLo8QkqEebbeIHTJNtOHevuQZiV3AerrK/OS+AwwFxpq1F0c nJlzIGU9fvMs5oSBHKRAesnLaKkUIMBdJxgqria8bpraTINT50b4fWyWtb/ipinwjSabVzyY ec5qeLVcweltEnZCsRJaIsuyv1AzlXjrXYSNhXKLowv4EY201NFE0ltDD7jOCPmfpXzwmc8J WFiwIMm3yC/RSneYVRdV3M+x6JpqncdLzd02J6ACG8Q1foKpM1VR0Ty5OgQCuzcJeuAYk8fc GWACsH+I15et9iQ8RR/MqzX5508GDpmh4LMRlselnj1br0A71horFajMt7rzZvPuP/ITKiNR Y07QS3zOEZDExGyMyZ6oP4j3bsyCn/TyMUfMJ2K9Y/FicaunRrjM0SN99lJlhTkZIG7PkmZ2 dmcHsdGmnkIWT9f2b8J41L3VbcZveoQFGVnjdd1uqZRBdeJu02M5An4XlhABLZ0ioci8fs4J Xl45RZzJwjDwYz721P8ScWLpHYNg7XL9AqAa1fUQAJjuBn22R4YPrsn+60c/MnSB7h6xCTnO irSZhqbMMg6YsTzLgN5WKqJuSsUqDPjsTbm9FJRGJLaZIeTWYbCV1i7J5ftdATHY0TTxx2/R pbBNVkTyrYbsSdxzzGQhNcTFnH3PJde2mzXE+im60ab7RMdtryCNQKdoJSRQ9T1+bkloyLcl XeTh55D261nGfxo/KhI54BQCgn0tS3raz9Yd2EOKHUKiCwq70+drBTMgunbWZ07b4zOLItTq CRTdXceNjZVBV7YAYd/qeu5sLSCpAhQeRzQby49ILkKuU7pPba0QGy8mD5m5kmXOVmDj9LKK 8Q0jAd+eROcplK8B72hA6wYfzctwFxofu4oPKZZ54z1Drm5k17bZM2FO+6Oxk5iqWzB/lAKJ nVGq+T/2yMWnY/2BPBljp4ks3uf7Ozxx2cfa4h/V3++HDPntA20RAuDR5eFhsHOGX+Z7dfei zCB/skqCW9T37S0w564pvPx9py5OvwEd48sV9UQsL8W6IUb1OfMP+x2pkJicMs1TmBhMZI8/ Sxoi6lRdHrYabU1GJ4sN550wO+JLtxav0T3gGm0/JxTX18V7GKaGOrcbriVhImQkC2VQVcqk MpciyF95IGc7lvxTpof5ZDbwO2z8U7RcYcJHjj7KwImefQC8agNUhPSBVwsvTjeuR1/F+7d3 oDqduQINBFlRMd4BEADB+3Vb1kfonWBHtzlQ2P0lVfNMI3zntc0w0zkPqgfA+RYp/O790abf MtEcVt2OBW5Y6Iut+Y4SaN/zKEx72UnrOtS25z81I0XmJiKjGKayeR0hfiJLJFvROT9O/Bus CNoccI0V14OMvmfqGJNwvBgR9RI47Not5ZmCDwAjFCg22tumSLsZIyuTgd7WR5kzrmESfXj+ SpbUg+D+mOmU4A5b1KUHiWtMOdgOHTkAEZsig4hiec/sfIEngityK2Fsre/Xrd+uEUlmRuKR Y9+H5xyHBz3m8DjF+oDGXTyMijcWk8AOtoJ0KeZaCaCSVE7IEk0jltQ87448Zv+IljNh5Uuj U9H/NH0sNRp3yMUkj68dheCMIPHJAFs8vxGHBq+/qRydvAFVTeKtBBv/Vr07C/YjPWam8PXC PX2g0w7iX2LXMSKKzIJJgxeLteBhXc0rMeZaEzvv+1RWYRQyywgtXhwszry4xxYPvV6UdDe3 gK6Q4mAVjxVgVbYR7W+ibl6gFsmftC2WcNiRjOP4M1HRa/tRc5yV9TKrZcLawIIDOMaz5ZyH +KsC+gdO+La9NL86+GCM5dBVBrYvUMfsaM6njtjZipbV5nwWHwSWXZ32p1R6fFzA0vs+wlSg szJJp7sidEK2NIyVQMTr5cC0Mt+tzZOaUaa6x52tkdvmbE6n/AsN3QARAQABiQI8BBgBCAAm FiEENscaN8nZiL3oJQjZsacOT43NA2YFAllRMd4CGwwFCQPCZwAACgkQsacOT43NA2YHlhAA nz+dln8j1FjIPJmWsfN+E1v0RgWlIvSkGXNLUV/JQ67A+Nmrp0xfvL2vLeP78OAn8pJaC/uZ nM/aK1s6fvWFTvfFNDtrO+sw08QSCQuaafGUaKgmW0YQ9sOwwTcYGs3goQprEpgA5/95LZAM 7UyPfSP8Wv4u/z4VSp/zECWf78xTsHb8WlWq/Fu47Fp88ONwxTFSFclq8F3gWilRXrwcL55b b25jcr8fC/t1tHTz+G4lbAm0+hbXpIvvnN16AKKArre5XfcD9KDYmFFBTEndqxBK3UBz52kx opfygDtgTEBG3Al2w1+y/T1+q46Jz8ECG2j98zW7kX2Y/C0Ss8+4ofoDiUTDxhmF9XjFFV8K IvBEHqHyzO8JjkIpF5Q21UdGt/pCo/4OsirARb0W7Use9w3i4NmaeBKHaFJxf9Ft1SamQlni O/eJH5OjRbyip9Ri38Xco/NsIqs8wjRZ2Huh+Je/JBgmexNMoNLtDNJAo7Q3wZcRya9RQ21n 93uMl++kMMbEMEecomPZqVlqOmelxQ09ic+h0F+8vaCYVf3C8gDM1c92OwUi5vbV+f6V9U4z gu47BAQT2BZNV8i0PiKemU9E2ce51zaBdPBoU1xSy8e7Ujc8dSBPhqNBV3ANL5mFMhMffNUH iSJxMac5w2Ar8e6R1NT8yJl3Ei81s6kfAJ8= Message-ID: <3567673f-e12b-c107-2a33-0b23b5518c96@gmail.com> Date: Sat, 9 Feb 2019 16:52:07 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US-large Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sat, 09 Feb 2019 18:49:52 +0000 Cc: bitcoin-dev Subject: Re: [bitcoin-dev] Safer NOINPUT with output tagging X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Feb 2019 16:52:11 -0000 Johnson's modification solves the issue I pointed out. Moreover, as Johnson and I discussed in private, using different locktimes for X and Y is not necessary. They can have the same relative locktime. If A and B would only sign Y as soon as the update tx is confirmed, there is no risk of Y changing its txid and therefore invalidating updates built on it. On 2/9/19 10:15 AM, Johnson Lau wrote: > This is really interesting. If I get it correctly, I think the fungibility hit could be avoided, just by making one more signature, and not affecting the blockchain space usage. > > Just some terminology first. In a 3-party channel, “main channel” means the one requires all parties to update, and “branch channel” requires only 2 parties to update. > > By what you describe, I think the most realistic scenario is “C is going to offline soon, and may or may not return. So the group wants to keep the main channel open, and create a branch channel for A and B, during the absence of C”. I guess this is what you mean by being able to "predict in advance who will become absent” > > I call this process as “semi-cooperative channel closing” (SCCC). During a SCCC, the settlement tx will have 2 outputs: one as (A & B), one as (C). Therefore, a branch channel could be opened with the (A & B) output. The channel opening must use NOINPUT signature, since we don’t know the txid of the settlement tx. With the output tagging requirement, (A & B) must be tagged, and lead to the fungibility loss you described. > > However, it is possible to make 2 settlement txs during SCCC. Outputs of the settlement tx X are tagged(A&B) and C. Outputs of the settlement tx Y are untagged(A&B) and C. Both X and Y are BIP68 relative-time-locked, but Y has a longer time lock. > > The branch channel is opened on top of the tagged output of tx X. If A and B want to close the channel without C, they need to publish the last update tx of the main channel. Once the update tx is confirmed, its txid becomes permanent, so are the txids of X and Y. If A and B decide to close the channel cooperatively, they could do it on top of the untagged output of tx Y, without using NOINPUT. There won’t be any fungibility loss. Other people will only see the uncooperative closing of the main channel, and couldn’t even tell the number of parties in the main channel. Unfortunately, the unusual long lock time of Y might still tell something. > > If anything goes wrong, A or B could publish X before the lock time of Y, and settle it through the usual eltoo style. Since this is an uncooperative closing anyway, the extra fungibility loss due to tagging is next to nothing. However, it may suggest that the main channel was a multi-party one. > > For C, the last update tx of the main channel and the settlement tx Y are the only things he needs to get the money back. C has to sign tx X, but he shouldn’t get the complete tx X. Otherwise, C might have an incentive to publish X in order to get the money back earlier, at the cost of fungibility loss of the branch channel. > > To minimise the fungibility loss, we’d better make it a social norm: if you sign your tx with NOINPUT, always try to make all outputs tagged to be NOINPUT-spendable. (NOTE: you can still spend tagged outputs with normal signatures, so this won’t permanently taint your coins as NOINPUT-spendable) It makes sense because the use of NOINPUT signature strongly suggests that you don’t know the txid of the parent tx, so you may most likely want your outputs to be NOINPUT-spendable as well. I thought of making this a policy or consensus rule, but may be it’s just overkill. > > > >> On 9 Feb 2019, at 3:01 AM, Jonas Nick wrote: >> >> Output tagging may result in reduced fungibility in multiparty eltoo channels. >> If one party is unresponsive, the remaining participants want to remove >> the party from the channel without downtime. This is possible by creating >> settlement transactions which pay off the unresponsive party and fund a new >> channel with the remaining participants. >> >> When the party becomes unresponsive, the channel is closed by broadcasting the >> update transaction as usual. As soon as that happens the remaining >> participants can start to update their new channel. Their update signatures >> must use SIGHASH_NOINPUT. This is because in eltoo the settlement txid is not >> final (because update tx is not confirmed and may have to rebind to another >> output). Therefore, the funding output of the new channel must be NOINPUT >> tagged. Assuming the remaining parties later settle cooperatively, this loss >> of fungibility would not have happened without output tagging. >> >> funding output update output settlement outputs update output >> [ A & B & C ] -> ... -> [ (A & B & C & state CLTV) | (As & Bs & Cs) ] -> [ NOINPUT tagged: (A' & B'), -> ... >> C' ] >> If the expectation is that the unresponsive party returns, fungibility is >> not reduced due to output tagging because the above scheme can be used >> off-chain until the original channel can be continued. >> >> Side note: I was not able to come up with an similar, eltoo-like protocol that works >> if you can't predict in advance who will become absent. >> >> On 12/13/18 12:32 PM, Johnson Lau via bitcoin-dev wrote: >>> NOINPUT is very powerful, but the tradeoff is the risks of signature replay. While the key holders are expected not to reuse key pair, little could be done to stop payers to reuse an address. Unfortunately, key-pair reuse has been a social and technical norm since the creation of Bitcoin (the first tx made in block 170 reused the previous public key). I don’t see any hope to change this norm any time soon, if possible at all. >>> >>> As the people who are designing the layer-1 protocol, we could always blame the payer and/or payee for their stupidity, just like those people laughed at victims of Ethereum dumb contracts (DAO, Parity multisig, etc). The existing bitcoin script language is so restrictive. It disallows many useful smart contracts, but at the same time prevented many dumb contracts. After all, “smart” and “dumb” are non-technical judgement. The DAO contract has always been faithfully executed. It’s dumb only for those invested in the project. For me, it was just a comedy show. >>> >>> So NOINPUT brings us more smart contract capacity, and at the same time we are one step closer to dumb contracts. The target is to find a design that exactly enables the smart contracts we want, while minimising the risks of misuse. >>> >>> The risk I am trying to mitigate is a payer mistakenly pay to a previous address with the exactly same amount, and the previous UTXO has been spent using NOINPUT. Accidental double payment is not uncommon. Even if the payee was honest and willing to refund, the money might have been spent with a replayed NOINPUT signature. Once people lost a significant amount of money this way, payers (mostly exchanges) may refuse to send money to anything other than P2PKH, native-P2WPKH and native-P2WSH (as the only 3 types without possibility of NOINPUT) >>> >>> The proposed solution is that an output must be “tagged” for it to be spendable with NOINPUT, and the “tag” must be made explicitly by the payer. There are 2 possible ways to do the tagging: >>> >>> 1. A certain bit in the tx version must be set >>> 2. A certain bit in the scriptPubKey must be set >>> >>> I will analyse the pros and cons later. >>> >>> Using eltoo as example. The setup utxo is a simple 2-of-2 multisig, and should not be tagged. This makes it indistinguishable from normal 1-of-1 utxo. The trigger tx, which spends the setup utxo, should be tagged, so the update txs could spend the trigger utxo with NOINPUT. Similarly, all update txs should be tagged, so they could be spent by other update txs and settlement tx with NOINPUT. As the final destination, there is no need to tag in the settlement tx. >>> >>> In payer’s perspective, tagging means “I believe this address is for one-time-use only” Since we can’t control how other people manage their addresses, we should never do tagging when paying to other people. >>> >>> I mentioned 2 ways of tagging, and they have pros and cons. First of all, tagging in either way should not complicate the eltoo protocol in anyway, nor bring extra block space overhead. >>> >>> A clear advantage of tagging with scriptPubKey is we could tag on a per-output basis. However, scriptPubKey tagging is only possible with native-segwit, not P2SH. That means we have to disallow NOINPUT in P2SH-segwit (Otherwise, *all* P2SH addresses would become “risky” for payers) This should be ok for eltoo, since it has no reason to use P2SH-segwit in intermediate txs, which is more expensive. >>> >>> Another problem with scriptPubKey tagging is all the existing bech32 implementations will not understand the special tag, and will pay to a tagged address as usual. An upgrade would be needed for them to refuse sending to tagged addresses by default. >>> >>> On the other hand, tagging with tx version will also protect P2SH-segwit, and all existing wallets are protected by default. However, it is somewhat a layer violation and you could only tag all or none output in the same tx. Also, as Bitcoin Core has just removed the tx version from the UTXO database, adding it back could be a little bit annoying, but doable. >>> >>> There is an extension to the version tagging, which could make NOINPUT even safer. In addition to tagging requirement, NOINPUT will also sign the version of the previous tx. If the wallet always uses a randomised tx version, it makes accidental replay very unlikely. However, that will burn a few more bits in the tx version field. >>> >>> While this seems fully compatible with eltoo, is there any other proposals require NOINPUT, and is adversely affected by either way of tagging? >>> _______________________________________________ >>> bitcoin-dev mailing list >>> bitcoin-dev@lists.linuxfoundation.org >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>> > >