From: "Jose Femenías Cañuelo" <jose.femenias@gmail.com>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Cc: Bitcoin Protocol Discussion
<bitcoin-dev@lists.linuxfoundation.org>,
bitcoin-dev-request@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] easypaysy - A layer-two protocol to send payments without addresses
Date: Fri, 6 Dec 2019 19:47:38 +0100 [thread overview]
Message-ID: <6CB7E73C-57C9-428B-83E6-36113B619BFB@gmail.com> (raw)
In-Reply-To: <Qul4dCoKs2JEQgCYkvdn_QYjgQ5ucpwHZCHdU7qOZ5DGYOGB7p37-s7GN6Jg_NKDzsLlGv-WkOU_mY-a1A_tygRlnhOVnJBK9nvAJ3Gs-bE=@protonmail.com>
Hi ZmnSCPxj,
>> It seems possible, that, I do not.
Haha, I’am starting to believe that’s not a joke ...
>>
>> This does not seem to mesh well with the other non-Master parts of the protocol, where further updates on the single account backed by a funding TXO are performed by spending the funding TXO and creating a transaction with `OP_RETURN`.
>>
>>
You are right. The lifecycle of a regular easypaysy account states that you spend its TXO circularly as many times as you want, specifying changes in its OP_RETURN (you can’t change the Identity or Value key).
When you want to revoke an account, you simply spend its last update (if any) to a different address (not the one it was funded originally with).
> How about control transactions on top of the funding txo?
> Who is able to make further control transactions?
> If the service provider gives the user full control of the control transactions on top of the funding txo, then it outright loses the money it put in the funding txo and might as well operate as a full exchange.
Nope, he will keep control of the TXO keys.
> If the service provider retains even partial control, then it can refuse to cooperate with the user and the user will be unable to update his or her account.
>
> This is not fixable by the use of mirror servers.
You are right about that too… (I wonder if some kind of MAST smart contract could fix this, maybe you have a suggestion for this; I am thinking K of M users can override the service provider if he misbehaves)
What I have in mind, but haven’t completely figured out, in case of an uncooperative service provider -or just because one user decides to fly solo- is the possibility for a sub-account to ‘detach’ itself from the master account.
The sub-account holder would do so by:
a) Funding the multisig 2-of-2 address composed of his Id_key + Value_key, included in the common JSON file, not the Master TX. (And yes, in this event he will need to buy some btc, because life is hard...)
b) Publishing his own update, much like a regular easypaysy account does.
In any case, the account ID never changes, it would always keep pointing to the original place where it appeared on the blockchain.
User wallets would have to query for the multisig address of a particular account to check whether the account is detached or not.
As as side note, I expect most easypaysy accounts to choose only non-interactive payments, since they have fewer requirements than their interactive counterparts; so -in most cases- the majority of users won’t ever have to update their accounts.
So, even if the ‘service provider’ goes away or becomes uncooperative, it is just business as usual for the sub-account owners, and they can work just fine with the mirrors.
(Again, all of these is speculative for now. I hope scalability will become an issue for easypaysy one day, but I think we’ll have time to work out the best solution by then)
>> In addition, I would like to suggest as well that instead of `OP_RETURN`, you could instead use "sign-to-contract”….
I really need to study this further before I can express an informed opinion on your suggestion.
On the other hand, for Master accounts I don’t think cost or space should be a problem, since both can be shared among up to 2048 sub-accounts.
For regular accounts, it could be.
But, based on the private feedback I am having from two prominent figures in the space, making sure the protocol is easy to implement for SPV wallets is essential to encourage wallet adoption.
A separate transport layer doesn’t fit well with this.
So, maybe your suggestion will become more applicable in future iterations of the protocol. I may request your help for further clarification about this issue, if you are so kind (as you always are).
>> d) Regarding your comments on the possibility of adding the output index in the account ID, I still don’t see the need for the use case of easypaysy (since, by definition, easypaysy accounts must have exactly one input and two outputs).
>
> Do you mean, that if the user makes a control transaction to change the details of the account, then the user is forced to change the easypaysy identifier?
>
> My initial reading of your whitepaper is that the easypaysy identifier refers to the funding txo that roots the further control transactions.
> If so, the funding txo is not necessarily a one-input two-output transaction.
>
The easypaysy identifier doesn’t point to the funding TXO. Instead it points to the first transaction that spends the funding TXO (the TX with the OP_RETURN containing the ‘Rendezvous descriptor’)
So, you are right in that the funding TXO doesn’t need to be a one-input, two-output transaction.
> If not, then each time a control transaction changes the details of the easypaysy identifier, the identifier itself is changed.
Nope. The easypaysy identifier always points the placement in the blockchain of the first transaction that spends the funding TXO, not the TXO itself (please read page 3, ‘2.3 Account ID’).
Further updates (performed by spending its single non-zero output to the same address) must be verified by wallets (by asking for the payment history of the funding address; but they never change the account ID, by convention).
So, for example, (I’m following the example in page 13 of the white paper):
a) TX #3b00367…4af, in block 859253, that has j outputs and k outputs, has an output (k) that sends funds to the 2-of-2 multisig address ‘3NhgE9…bqs’.
This is the address that the Identity_key + Value_key can spend.
b) Several blocks later, TX #2a01fe…aab2, in its single input, spends the TXO with another TXO the same address ‘3NhgE9…bqs’.
It sends all of the funds (minus the fee) in its first output (the 2nd is the OP_RETURN).
This TX (called the ep_root_tx in the protocol) appears in block 859368 at, let’s say position 349. So its permanent ID will be (obviating the checksum):
btc@859368.349
This is the ID you share with your potential payers. Whenever they want to send funds to you, they will look up the 349th transaction at block 859368.
They don’t need to check the funding TX at all. They only have to check the signature of the ep_root_tx, because that’s the part of the TX where they can find both the Identity_key and the Value_key.
Since this TX, by definition of the protocol, can only have a single input, there will be a single signature in it, so there is no need for its easypaysy ID to include a pointer to the input in the TX.
c) A few more blocks later, appears TX #72f1ed…bade8 a similar 1-input 2-output TX, that updates its OP_RETURN with a new ‘Rendezvous descriptor’ (in the example, it changes the email endpoint)
d) Finally, the user revokes the account by spending the output in c) to a different address (17He...A45n).
>> If you are interested, please contact me, preferably privately since I wouldn’t want to become much too off topic in this dev-list
>
> I still do not see why it would be off-topic to the devlist.
Since the easypaysy proposal is about a layer-2 protocol, I am not sure the developers in this list want to see this much detail about something that maybe doesn’t affect them at all.
Hopefully I am wrong and this is relevant for many of the list subscribers.
Again, thanks for your time and contributions.
Best regards,
Jose
> On 6 Dec 2019, at 18:16, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>
> Good morning Jose,
>
>> Hi ZmnSCPxj,
>>
>> first of all: do you ever sleep? ;-)
>
> It seems possible, that, I do not.
>
>
>> b) Master accounts are included in the white paper as a feature for a future release.
>> The roadmap is not set yet, but I’d like to include a first release of the protocol that only covers the most basic features, to make it simpler and safer for wallet developers.
>> Master accounts aren’t a priority, since they are more oriented towards scaling the proposal, and that is far from being a problem yet.
>> So, this feature is not well defined for now. However, as presented in the white paper, the ‘service provider’ has really no control over your money.
>>
>> He would basically do a just a few things:
>>
>> - Aggregate the account info (up to 2048 individual accounts per master account).
>> - Hash every account info, sort them, and calculate the Merkle root of a tree containing them all.
>> - Create a JSON document containing the information of all the sub-accounts included in the pack.
>> - Make that JSON document publicly available, probably with a https: URL (That’s called an Authoritative server)
>> - Finally, create and publish a TX that contains a pointer to the Authoritative server, and the Merkle root of the set of accounts.
>>
>> The service provider would have NO control whatsoever of your funds, nor can he block payments, etc.
>> There is some sort of delegation, but no trust involved here. The Merkle root protects agains any attempt of tampering with the account data.
>
> This does not seem to mesh well with the other non-Master parts of the protocol, where further updates on the single account backed by a funding TXO are performed by spending the funding TXO and creating a transaction with `OP_RETURN`.
>
> In addition, I would like to suggest as well that instead of `OP_RETURN`, you could instead use "sign-to-contract".
>
> Sign-to-contract is simply that, when signing, instead of selecting a random `r` and computing `R` as `R = r * G`, you select a random `r` and a contract or other message `c`, and compute `R` as `R = r * G + h((r * G) | c) * G`.
> Then the user can provide the message `c` independently of the signature, via another mechanism, and reveal `r * G` and `c` and point to the signature as a commitment to the message `c`.
> Although, it does have the drawback that using sign-to-contract require a different layer / overlay network to broadcast messages `c`, but it does reduce the cost on the blockchain layer, which is always a good thing.
> Similar issues are faced by the RGB project, for instance, and defiads explicitly uses a separate overlay network when transmitting advertisements (both RGB and defiads use the opposite pay-to-contract, which tweaks the pubkey rather than the ephemeral `R`).
>
>>
>> The account’s TX won’t ever disappear from the blockchain, so your account info will always be there.
>> Worst case scenario, the service provider disappears and users can’t download the Json document containing your account information.
>>
>> To mitigate this issue, the white paper suggests the creation of mirror servers.
>
> How about control transactions on top of the funding txo?
> Who is able to make further control transactions?
> If the service provider gives the user full control of the control transactions on top of the funding txo, then it outright loses the money it put in the funding txo and might as well operate as a full exchange.
> If the service provider retains even partial control, then it can refuse to cooperate with the user and the user will be unable to update his or her account.
>
> This is not fixable by the use of mirror servers.
>
>
>> d) Regarding your comments on the possibility of adding the output index in the account ID, I still don’t see the need for the use case of easypaysy (since, by definition, easypaysy accounts must have exactly one input and two outputs).
>
> Do you mean, that if the user makes a control transaction to change the details of the account, then the user is forced to change the easypaysy identifier?
>
> My initial reading of your whitepaper is that the easypaysy identifier refers to the funding txo that roots the further control transactions.
> If so, the funding txo is not necessarily a one-input two-output transaction.
> If not, then each time a control transaction changes the details of the easypaysy identifier, the identifier itself is changed.0
>
>
>> If you are interested, please contact me, preferably privately since I wouldn’t want to become much too off topic in this dev-list
>
> I still do not see why it would be off-topic to the devlist.
>
> Regards,
> ZmnSCPxj
> On 6 Dec 2019, at 18:16, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>
> Good morning Jose,
>
>> Hi ZmnSCPxj,
>>
>> first of all: do you ever sleep? ;-)
>
> It seems possible, that, I do not.
>
>
>> b) Master accounts are included in the white paper as a feature for a future release.
>> The roadmap is not set yet, but I’d like to include a first release of the protocol that only covers the most basic features, to make it simpler and safer for wallet developers.
>> Master accounts aren’t a priority, since they are more oriented towards scaling the proposal, and that is far from being a problem yet.
>> So, this feature is not well defined for now. However, as presented in the white paper, the ‘service provider’ has really no control over your money.
>>
>> He would basically do a just a few things:
>>
>> - Aggregate the account info (up to 2048 individual accounts per master account).
>> - Hash every account info, sort them, and calculate the Merkle root of a tree containing them all.
>> - Create a JSON document containing the information of all the sub-accounts included in the pack.
>> - Make that JSON document publicly available, probably with a https: URL (That’s called an Authoritative server)
>> - Finally, create and publish a TX that contains a pointer to the Authoritative server, and the Merkle root of the set of accounts.
>>
>> The service provider would have NO control whatsoever of your funds, nor can he block payments, etc.
>> There is some sort of delegation, but no trust involved here. The Merkle root protects agains any attempt of tampering with the account data.
>
> This does not seem to mesh well with the other non-Master parts of the protocol, where further updates on the single account backed by a funding TXO are performed by spending the funding TXO and creating a transaction with `OP_RETURN`.
>
> In addition, I would like to suggest as well that instead of `OP_RETURN`, you could instead use "sign-to-contract".
>
> Sign-to-contract is simply that, when signing, instead of selecting a random `r` and computing `R` as `R = r * G`, you select a random `r` and a contract or other message `c`, and compute `R` as `R = r * G + h((r * G) | c) * G`.
> Then the user can provide the message `c` independently of the signature, via another mechanism, and reveal `r * G` and `c` and point to the signature as a commitment to the message `c`.
> Although, it does have the drawback that using sign-to-contract require a different layer / overlay network to broadcast messages `c`, but it does reduce the cost on the blockchain layer, which is always a good thing.
> Similar issues are faced by the RGB project, for instance, and defiads explicitly uses a separate overlay network when transmitting advertisements (both RGB and defiads use the opposite pay-to-contract, which tweaks the pubkey rather than the ephemeral `R`).
>
>>
>> The account’s TX won’t ever disappear from the blockchain, so your account info will always be there.
>> Worst case scenario, the service provider disappears and users can’t download the Json document containing your account information.
>>
>> To mitigate this issue, the white paper suggests the creation of mirror servers.
>
> How about control transactions on top of the funding txo?
> Who is able to make further control transactions?
> If the service provider gives the user full control of the control transactions on top of the funding txo, then it outright loses the money it put in the funding txo and might as well operate as a full exchange.
> If the service provider retains even partial control, then it can refuse to cooperate with the user and the user will be unable to update his or her account.
>
> This is not fixable by the use of mirror servers.
>
>
>> d) Regarding your comments on the possibility of adding the output index in the account ID, I still don’t see the need for the use case of easypaysy (since, by definition, easypaysy accounts must have exactly one input and two outputs).
>
> Do you mean, that if the user makes a control transaction to change the details of the account, then the user is forced to change the easypaysy identifier?
>
> My initial reading of your whitepaper is that the easypaysy identifier refers to the funding txo that roots the further control transactions.
> If so, the funding txo is not necessarily a one-input two-output transaction.
> If not, then each time a control transaction changes the details of the easypaysy identifier, the identifier itself is changed.0
>
>
>> If you are interested, please contact me, preferably privately since I wouldn’t want to become much too off topic in this dev-list
>
> I still do not see why it would be off-topic to the devlist.
>
> Regards,
> ZmnSCPxj
>
next prev parent reply other threads:[~2019-12-06 18:47 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-05 20:00 [bitcoin-dev] easypaysy - A layer-two protocol to send payments without addresses Jose Femenías Cañuelo
2019-12-06 2:53 ` ZmnSCPxj
2019-12-06 7:56 ` Jose Femenías Cañuelo
2019-12-06 17:16 ` ZmnSCPxj
2019-12-06 18:47 ` Jose Femenías Cañuelo [this message]
2019-12-07 4:09 ` ZmnSCPxj
-- strict thread matches above, loose matches on Subject: below --
2019-12-02 21:25 Jose Femenías Cañuelo
[not found] <mailman.1377.1575015939.25512.bitcoin-dev@lists.linuxfoundation.org>
2019-12-02 14:00 ` Jose Femenias
2019-12-02 17:27 ` Tim Blokdijk
2019-12-02 21:10 ` ZmnSCPxj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6CB7E73C-57C9-428B-83E6-36113B619BFB@gmail.com \
--to=jose.femenias@gmail.com \
--cc=ZmnSCPxj@protonmail.com \
--cc=bitcoin-dev-request@lists.linuxfoundation.org \
--cc=bitcoin-dev@lists.linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox