From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 950A3C0052 for ; Tue, 1 Dec 2020 14:20:05 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 83BC8879C2 for ; Tue, 1 Dec 2020 14:20:05 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0qztOYjfUMgX for ; Tue, 1 Dec 2020 14:20:03 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mail-40133.protonmail.ch (mail-40133.protonmail.ch [185.70.40.133]) by whitealder.osuosl.org (Postfix) with ESMTPS id CA21787932 for ; Tue, 1 Dec 2020 14:20:02 +0000 (UTC) Date: Tue, 01 Dec 2020 14:19:56 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gnet.me; s=protonmail; t=1606832399; bh=ChY2JTV50BC9/SBChCMc6E5jT3plg7CrwSXPiQJ9kyU=; h=Date:To:From:Reply-To:Subject:In-Reply-To:References:From; b=IMhTpmPjGW9G+AOdl0JqrCkE4Exz4eZDeFj8392Hwg+r12HYC/Tqdy9PuWcvfDn5b le0H+VTnfr1JySSIBIUr4emgP3vQQw9QxXavnAPksUk9I8SpDEMAjFreq5fDTlF3/v U0uA6NIBG7VkGK9Iswe38QxVwurNbAUZ4zg3HkvE= To: eric@voskuil.org, 'Bitcoin Protocol Discussion' From: Sebastian Geisler Reply-To: Sebastian Geisler Message-ID: <3f172428-fb03-755f-3020-43817fdb1897@gnet.me> In-Reply-To: <00e301d6c77e$2a4eeab0$7eecc010$@voskuil.org> References: <9a068476-855e-0dd7-4c9c-264d5d8bf60a@gnet.me> <00e301d6c77e$2a4eeab0$7eecc010$@voskuil.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Tue, 01 Dec 2020 14:45:01 +0000 Subject: Re: [bitcoin-dev] Out-of-band transaction fees X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2020 14:20:05 -0000 Hi Eric, > In paying fees externally one must find another way to associate a fee wi= th its transaction. This of course increases the possibility of taint, as y= ou describe in part here: I'm not sure I follow, do you see a problem beyond the facts that miners would need to authenticate somehow? This can be done in a privacy preserving way per block. I don't think transactions would need to change in any way. The bounty-transaction link is upheld by a third party service which the miners have to trust that it will pay out if the transaction is included (not perfect, but a business decision they can make). > It is also the case that the "bounty" must be associated with the transac= tion. Even with miner and payer mutual anonymity, the fee inputs and output= s will be associated with the transaction inputs and outputs by the miner, = rendering the proposal counterproductive. > Total transaction sizing is not reduced by paying fees externally, in fac= t it would be increased. The only possible reduction would come from aggreg= ation of fees. Yet it is not clear how that aggregation would occur private= ly in less overall block space. At least with integral fees, it's *possible= * to spend and pay a fee with a single input and output. That is not the ca= se with externalized fees. I should have made this more clear, I don't imagine anyone to pay these fees with L1 transactions, but rather some L2 system like Lightning or a BTC backed chaumian token issued for that purpose by the bounty service provider. Even Lightning would be far more private for the use cases I described that don't allow fee deduction from inputs. But if one accepts more counter party risk with e.g. some centrally pegged chaumian token it can be anonymous. I see that this might not be very useful today, but I imagine a future in which Bitcoin is mostly a settlement and reserve layer. This would make it feasible to keep most UTXOs in common sizes. Only large, round transactions happen on-chain, the rest can happen on L2. This would allow tumbling these already evenly-sized UTXOs on spend without toxic waste if we can somehow tackle the fee payment problem. I know of the following solutions: * everyone has to add a second UTXO per input * Someone is chosen fairly at random to pay the total fee * pay a service on L2 to add an input/output for fee payment * out-of-band L2 fee payments Only L2 fee payments can hide who is involved in such a tumbling operation as additional fee inputs that get reused would indicate the same entity was present in two tumbling operations. The out-of-band approach saves one input and one output and appears more general (e.g. could be used like rbf). This is also not a general solution for fee payments. In many cases it will still be preferable to pay on-chain fees. But having the option to avoid that in a standardized way could help some protocols imo. Best, Sebastian > -----Original Message----- > From: bitcoin-dev On Beha= lf Of Sebastian Geisler via bitcoin-dev > Sent: Monday, November 30, 2020 3:03 PM > To: bitcoin-dev@lists.linuxfoundation.org > Subject: [bitcoin-dev] Out-of-band transaction fees >=20 > Hi all, >=20 > the possibility of out of band transaction fee payments is a well known f= act. Yet it has been mostly discussed as an annoying inevitability that can= be problematic if on-chain fees are to be used as a consensus parameter. T= he potential use cases have seen little interest though (please correct me = if I'm wrong). >=20 > One such use case is sending UTXOs "intact". Let's assume we get to a poi= nt where Bitcoin is primarily a settlement layer for L2 systems. > These L2 systems might want to protect their privacy and keep UTXOs of a = common sizes (e.g. 1 BTC, 10 BTC, =E2=80=A6). For certain settlement applic= ations these can be transferred as a whole, but currently fee requirements = force the system to add another input for fees which will introduce taint (= because it's used repeatedly). If instead a fee could be paid out of band i= n a privacy preserving way the TXO chain would leak little about the interm= ediate holders. >=20 > Taking this concept even further CoinJoin-like protocols could also be us= ed to introduce further ambiguity without leaking that a certain entity too= k part in the CJ (which fee inputs/reused "toxic waste" > inevitably do afaik). Such a mechanism would probably also make CJ transa= ctions much smaller as _no_ fee inputs had to be provided (assuming the inp= uts already have the right size). >=20 > Out-of-band transaction "accelerators" already exist and taking fee payme= nt out-of-band can not be effectively prevented. So even though any such pr= oposal will probably have slight centralizing effects I believe that having= a standard for it is preferable to having every pool implement their own A= PI making it harder for small pools to get into the market. >=20 > Imo the central questions are: > * how to build such a out-of-band "transaction bounty" system > * how to standardized it > * how can the centralizing effects from it be mitigated >=20 > Imo fees are small enough to not really care about counter party risk tha= t much. It's more important that it is easy to run so that there is some ch= oice for users and miners. In that sense I consider single-operator service= s providing both standardized user and miner APIs as well as an optional UI= suitable. I would still take into account that this could change and might= consider the needs of federated services in the protocol. >=20 > Each such service would need to announce which means of payment it suppor= ts and allow users and miners to choose when paying/redeeming fees. Users s= hould be able to submit transactions and either be presented with a single = payment method dependent "invoice" or one per input (for the CoinJoin use c= ase). As soon as all invoices are paid the bounty goes live and is visible = to miners through an API. >=20 > Miners that included a transaction need a way to authenticate when claimi= ng the bounty. One possibility would be to optionally include a unique publ= ic key e.g. in the coinbase scriptsig after the height push (is this feasib= le?). This could be used to claim any bounties after 100, 120, or even a us= er-defined confirmation threshold is met. If the key is unique for every bl= ock there won't be a problem with pool accountability which might become a = risk down the road (so this should also be enforced at least in the bounty = protocol to avoid lazy implementations leading to dangerous precedents). >=20 > Any feedback is welcome :) >=20 > tl;dr Out-of-band fee payment services are inevitable and useful, so we s= hould at least standardize them and mitigate negative effects as much as po= ssible. >=20 > Best, > Sebastian >=20 > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >=20