From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 00AE41869 for ; Tue, 1 Oct 2019 15:35:43 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-40136.protonmail.ch (mail-40136.protonmail.ch [185.70.40.136]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id A2FEC8B8 for ; Tue, 1 Oct 2019 15:35:41 +0000 (UTC) Date: Tue, 01 Oct 2019 15:35:34 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1569944139; bh=V52aUFvS5iRvusIVEB0CRsakTfeuQBP34agYuMf7VEs=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References: Feedback-ID:From; b=e+G4FGTKSNpNecwaC+DrpKRku8OSAH3lgOkdYx/lmhjyTx3l5d188qxIFKsi5EMo+ 9ck5+3fr7OE8oQRP6G9gJNxj/jo83ZvaGmnzlkDaOUYo25+1eGrQNTZBEw52JhNsGK ry7kPTornlzNgV37yZPnYgfpgzsrmva+F2mLqWmc= To: Christian Decker From: ZmnSCPxj Reply-To: ZmnSCPxj Message-ID: <4zx7e_vHQr58myY5w_-bAjTk04LTGNknZudZs4wbUiOIoVKhL69M7k1eELCSuoBND2CtVXXzDFBHW4351cttIh80eP8jiaoO8cmbSefZmj4=@protonmail.com> In-Reply-To: <87tv8s7djq.fsf@gmail.com> References: <87wodp7w9f.fsf@gmail.com> <-5H29F71ID9UFqUGMaegQxPjKZSrF1mvdgfaaYtt_lwI7l1OTmN_8OgcooyoMt2_XuyZ5aDljL6gEup9C7skF8iuP_NbMW_81h0tJIGbJno=@protonmail.com> <87tv8s7djq.fsf@gmail.com> Feedback-ID: el4j0RWPRERue64lIQeq9Y2FP-mdB86tFqjmrJyEPR9VAtMovPEo9tvgA0CrTsSHJeeyPXqnoAu6DN-R04uJUg==:Ext:ProtonMail MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DOS_RCVD_IP_TWICE_B, FREEMAIL_FROM, FROM_LOCAL_NOVOWEL, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Bitcoin Protocol Discussion , "lightning-dev\\@lists.linuxfoundation.org" Subject: Re: [bitcoin-dev] Continuing the discussion about noinput / anyprevout X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Oct 2019 15:35:43 -0000 Good morning Christian, > > - A standard MuSig 2-of-2 bip-schnorr SegWit v1 Funding Transaction O= utput, confirmed onchain > > - A "translator transaction" spending the above and paying out to a S= egWit v16 output-tagged output, kept offchain. > > - Decker-Russell-Osuntokun update transaction, signed with `SIGHASH_N= OINPUT` spending the translator transaction output. > > - Decker-Russell-Osuntokun state transaction, signed with `SIGHASH_NO= INPUT` spending the update transaction output. > > That is very much how I was planning to implement it anyway, using a > trigger transaction to separate timeout start and the actual > update/settlement pairs (cfr. eltoo paper Section 4.2). So for eltoo > there shouldn't be an issue here :-) My understanding is that a trigger transaction is not in fact necessary for= Decker-Russell-Osuntokun: any update transaction could spend the funding t= ransaction output directly, and thereby start the relative timelock. At least, if we could arrange the funding transaction output to be spendabl= e directly using `SIGHASH_NOINPUT` or variants thereof. > > Again, the more important point is that special blockchain > > constructions should only be used in the "bad" unilateral close case. > > In the cooperative case, we want to use simple plain > > bip-schnorr-signed outputs getting spent to further bip-schnor/Taproot > > SegWit v1 addresses, to increase the anonymity set of all uses of > > Decker-Russell-Osuntokun and other applications that might use > > `SIGHASH_NOINPUT` in some edge case (but which resolve down to simple > > bip-schnorr-signed n-of-n cases when the protocol is completed > > successfully by all participants). > > While I do agree that we should keep outputs as unidentifiable as > possible, I am starting to question whether that is possible for > off-chain payment networks since we are gossiping about the existence of > channels and binding them to outpoints to prove their existence anyway. * Lightning supports unpublished channels, so we do not gossip some outpoin= ts even though they are in fact channels underneath. * I confess the existence of unpublished channels in the spec fails to su= mmon any reaction other than incredulity from me, but they exist nonetheles= s, my incredulity notwithstanding. * Historical channels that have been cooperatively closed are no longer nor= mally gossiped, so the fact that they used to be channels is no longer wide= ly broadcast, and may eventually be forgotten by most or all of the network= . * This means anyone who wants to record the historical use of Lightning w= ill have to retain the information themselves, rather than delegating it to= fullnodes everywhere. > > Not the strongest argument I know, but there's little point in talking > ideal cases when we need to weaken that later again. The point of ideal cases is to strive to approach them, not necessarily ach= ieve them. Just as a completely unbiased rational reasoner is almost impossible to ach= ieve, does not mean we should give up all attempts to reduce bias. Outpoints that used to be channels, but have now been closed using cooperat= ive closes, will potentially no longer be widely gossiped as having once be= en channels, thus it may happen that they will eventually be forgotten by m= ost of the network as once having been channels. But if the outpoints of those channels are specially marked, then that cann= ot be forgotten, as the initial block download thereafter will have that hi= story indelibly etched forevermore. Regards, ZmnSCPxj