From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id D833AC004C for ; Mon, 3 Aug 2020 21:16:51 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id BA55A203AC for ; Mon, 3 Aug 2020 21:16:51 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id etTTQL5-ZdkX for ; Mon, 3 Aug 2020 21:16:50 +0000 (UTC) X-Greylist: delayed 01:49:22 by SQLgrey-1.7.6 Received: from mail-pf1-f227.google.com (mail-pf1-f227.google.com [209.85.210.227]) by silver.osuosl.org (Postfix) with ESMTPS id 7695320003 for ; Mon, 3 Aug 2020 21:16:50 +0000 (UTC) Received: by mail-pf1-f227.google.com with SMTP id d188so12919543pfd.2 for ; Mon, 03 Aug 2020 14:16:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gotenna-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VhCmZOxsUsNQyL5iN19Xf4D9GsZTbdWYzIV5HaoE6So=; b=AXiNR75P8QfjVlNBLAKXFnGxryDNafG7rKA+dnl6u7/7sTadXQ1FSaSqsG96lHLMyn 5HJJM76JMeIGDqYmwjIhhjh/p7otWMnujIsZdv3U0FEmHvlJGinAeNAO9/VgBCHhZ56k DwUYS4XH/pHRccVzfaowQtv6nQD3+95uVfDs1kBNURuuj8gSLPtaZ8b0+lVrTsul+m8W GdTHOErGpylmlvkqEDng+NUEEQ7JKaJ+Yl/NB+ypREE12rhaV2ndYbc1AF6pj5R0X1cz MRyGOdGxN4mtfF/mVSN6IaFp5LEYT+ce6gEChmCS4D+fWGkZe8slzecNnuuTBETEWnCB l0TA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VhCmZOxsUsNQyL5iN19Xf4D9GsZTbdWYzIV5HaoE6So=; b=HZmOxf/1+ALPCONn08c06D61MCzcQ26A9RK11ZMC49ChPg3E2T4BNNZSJ8QqsDitkN zQWiIH1R2dJz3Y8iteWrGbuzF6urjKGUpwUwk+piUncytqQumMwDZjwhMo+Ibnu3ZepG qZ9WAAccbhVjyk0gb4BINleFWRBeO4vPE7lHr5snxLbvDx3lK3CtHoP4BX0JRhhoEtnv w8CNbUaJ+JPBU5uHMqHaxsK2WOL9433Ea/VrpUWUCDKjljxH7TB6b0VqNy6ilq+vqQmY tSW2T65DHyi0UXYE6cELXM2kGBQEzzU40lavnHX4raoLzdYVagM+BoxICHbNeo7m24dY 0u6g== X-Gm-Message-State: AOAM533nMa64RjPl0swdvuOHPbQ8brLiDJ/3M7yZ36fYrY+375nP7DCs BeF3zPyRQdnL7Udz83CyYcJ4UtYLA+yNYMcaMsqGvqTZzgKwpQ== X-Google-Smtp-Source: ABdhPJygUjt8RYbtBg0nOtnfJpI+B/Tu5ebx8qM/dJdpwl9vOU5i850SjIiU4UMmClY9afj/IlCXo236cvZs X-Received: by 2002:a62:19c4:: with SMTP id 187mr16890917pfz.312.1596482847755; Mon, 03 Aug 2020 12:27:27 -0700 (PDT) Received: from us2.smtp.exclaimer.net (us2.smtp.exclaimer.net. [104.209.35.28]) by smtp-relay.gmail.com with ESMTPS id z6sm44293pjq.17.2020.08.03.12.27.27 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 03 Aug 2020 12:27:27 -0700 (PDT) X-Relaying-Domain: gotenna.com Received: from mail-ed1-f71.google.com (209.85.208.71) by us2.smtp.exclaimer.net (104.209.35.28) with Exclaimer Signature Manager ESMTP Proxy us2.smtp.exclaimer.net (tlsversion=TLS12, tlscipher=TLS_ECDHE_WITH_AES256_SHA1); Mon, 3 Aug 2020 19:27:27 +0000 X-ExclaimerHostedSignatures-MessageProcessed: true X-ExclaimerProxyLatency: 12673289 X-ExclaimerImprintLatency: 399986 X-ExclaimerImprintAction: 751862e0a47d4a9b9b4454b05a805c31 Received: by mail-ed1-f71.google.com with SMTP id cz26so968140edb.7 for ; Mon, 03 Aug 2020 12:27:26 -0700 (PDT) X-Received: by 2002:a17:906:4acd:: with SMTP id u13mr18030509ejt.4.1596482844592; Mon, 03 Aug 2020 12:27:24 -0700 (PDT) X-Received: by 2002:a17:906:4acd:: with SMTP id u13mr18030494ejt.4.1596482844341; Mon, 03 Aug 2020 12:27:24 -0700 (PDT) MIME-Version: 1.0 References: <20200709214048.27mycsi5h2bnv3cc@erisian.com.au> In-Reply-To: From: Richard Myers Date: Mon, 3 Aug 2020 21:27:13 +0200 Message-ID: To: ZmnSCPxj , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000d3fcb605abfe20af" X-Mailman-Approved-At: Mon, 03 Aug 2020 21:33:51 +0000 Subject: Re: [bitcoin-dev] BIP 118 and SIGHASH_ANYPREVOUT X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Aug 2020 21:16:52 -0000 --000000000000d3fcb605abfe20af Content-Type: text/plain; charset="UTF-8" Thanks AJ for the updated BIP - very exciting! I'm also interested in this in the context of a Taproot version of Decker-Russell-Osuntokun (eltoo). Thanks ZmnSCPxj for summarizing your thoughts on how this would work. I have had some difficulty understanding when someone might want to use ANYPREVOUT vs. ANYPREVOUTANYSCRIPT and this is a clever demonstration of how the differences can be exploited. I sketched out the protocol you described to help my understand it (below) and some questions came to mind: 1) If you do a collaborative close, would you need to use script-path spending, or could you use key-path spending instead to improve privacy? 2) You mention 1.5 round trips for the (two party) MuSig signing session. Must there be separate 1.5 round trips for each of the two signatures produced (update, settlement) for each state update? 3) A related question: can the 1.5 round trips for signing be combined with the 1.5 round trips required to update the channel (ie. A signs settlement tx, B signs settlement & update txs, A signs update tx)? Perhaps something like this: -> A provides partial signature for settlement tx <- B provides complete signature for settlement tx and partial signature for update tx -> A provides complete signature for update tx 4) I'm not sure why AJ's formulation included an addition sig(X), but otherwise is it similar to what you're suggesting? https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-May/001996.html All the best, -- Richard ------- my interpretation of your scheme ---- [Fund Channel] | | | v P=Musig(A,B)+scripts (Taproot internal key, aka script path key?) Q=Musig(A,B) (Taproot output key, aka root key?) OR ----------- [Cooperative Close] ||| Sig(Q) -----+ ||| |----> Sig(A)... ||| | ||| |----> Sig(B)... ||| ||| ||+-->[Update(n)] || nlocktime/state > n || Sig(P)+ANYPREVOUTANYSCRIPT || || OR ---------->[Settle(n)] [Uncooperative Close @ state n] || | Sig(P)+ANYPREVOUT || | csv [delay] --------+---> Sig(A)... [HTLCs & Settled || | | Outputs ] || | |---> Sig(B)... || v |+---->[Update(n+1)] | nlocktime/state > n+1 | Sig(P)+ANYPREVOUTANYSCRIPT | | OR ----------->[Settle(n+1)] [Uncooperative Close @ state n+1] | | Sig(P)+ANYPREVOUT | | csv [delay] -------+---> Sig(A)... [HTLCs & Settled | | | Outputs ] v v |---> Sig(B)... On Fri, Jul 10, 2020 at 5:30 AM ZmnSCPxj via bitcoin-dev wrote: ... > Slightly off-topic, but I suppose a Decker-Russell-Osuntokun construction > could, in theory, have only a single internal taproot pubkey, `P = MuSig(A, > B)` for a channel between A and B. > > So the funding outpoint would be spent with a taprooted P + a single > tapscript `<1> OP_CHECKSIG`. > > Update transactions would be signed with the internal taproot pubkey using > `SIGHASH_ANYPREVOUTANYSCRIPT`. > The update transaction output would be spendable with a taprooted P + a > single tapscript ` OP_CHECKLOCKTIMEVERIFY OP_DROP <1> > OP_CHECKSIG`. > Each update transaction would have a monotonically-increasing `nLockTime`, > i.e. the above `index`. > > Then a state transaction would be signed with the internal taproot pubkey > using `SIGHASH_ANYPREVOUT`, which commits to the exact script including > ``, which is unique for each update transaction. > Thus a state transaction can only spend the specific update transaction, > but the update transaction can spend the funding outpoint or any update > transaction outpoint. > State transaction input would have an `nSequence` requiring a relative > locktime of the agreed-upon unilateral close delay. > > The above assumes MuSig signing, which requires 1.5 round trips for a > channel, or three broadcast rounds for a multiparticipant (n >= 3) > construction. > > > Regards, > ZmnSCPxj > > --000000000000d3fcb605abfe20af Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Thanks = AJ for the updated BIP - very exciting!

I'm also interested in t= his in the context of a Taproot version of Decker-Russell-Osuntokun (eltoo)= .=C2=A0Thanks ZmnSCPxj for summarizing your thoughts on how this would work= . I have had some difficulty understanding when someone might want to use A= NYPREVOUT vs. ANYPREVOUTANYSCRIPT and this is a clever demonstration of how= the=C2=A0differences can be exploited.

I sketched out the protocol you described to help my understand it (below= ) and some questions came to mind:

1) If you do a = collaborative close, would you need to use script-path spending, or could y= ou use key-path spending instead to improve privacy?

2) You mention 1.5 round trips for the (two party) MuSig signing session= . Must there be separate 1.5 round trips for each of the two signatures pro= duced (update, settlement) for each state update?

= 3) A related question: can the 1.5 round trips for signing be combined with= the 1.5 round trips required to update the channel (ie. A signs settlement= tx, B signs settlement & update txs, A signs update tx)?=C2=A0

Perhaps something like this:
=C2=A0-> A prov= ides partial signature for settlement tx
=C2=A0<- B provides c= omplete signature for settlement tx and partial signature for update tx
=C2=A0-> A provides complete signature for update tx
4) I'm not sure why AJ's formulation included an addit= ion sig(X), but otherwise is it similar to what you're suggesting?

All the = best,

=C2=A0 -- Richard

-= ------ my interpretation of your scheme ----=C2=A0

                                                                       =
                 =20
  [Fund Channel]                                                           =
             =20
    |                                                                      =
             =20
    |                                                                      =
             =20
    |                                                                      =
             =20
    v                                                                      =
             =20
   P=3DMusig(A,B)+scripts (Taproot internal key, aka script path key?)     =
               =20
   Q=3DMusig(A,B) (Taproot output key, aka root key?)                      =
               =20
                                                                           =
             =20
   OR ----------- [Cooperative Close]                                      =
             =20
   |||            Sig(Q) -----+                                            =
             =20
   |||                        |----> Sig(A)...                          =
                =20
   |||                        |                                            =
             =20
   |||                        |----> Sig(B)...                          =
                =20
   |||                                                                     =
             =20
   |||                                                                     =
             =20
   ||+-->[Update(n)]                                                    =
                =20
   ||    nlocktime/state > n                                            =
                =20
   ||    Sig(P)+ANYPREVOUTANYSCRIPT                                        =
             =20
   ||                                                                      =
             =20
   ||     OR ---------->[Settle(n)]           [Uncooperative Close @ sta=
te n]           =20
   ||      |            Sig(P)+ANYPREVOUT                                  =
             =20
   ||      |            csv [delay] --------+---> Sig(A)...    [HTLCs &a=
mp; Settled         =20
   ||      |                                |                   Outputs ]  =
             =20
   ||      |                                |---> Sig(B)...             =
                =20
   ||      v                                                               =
             =20
   |+---->[Update(n+1)]                                                 =
                =20
   |      nlocktime/state > n+1                                         =
                =20
   |      Sig(P)+ANYPREVOUTANYSCRIPT                                       =
             =20
   |                                                                       =
             =20
   |      OR ----------->[Settle(n+1)]        [Uncooperative Close @ sta=
te n+1]         =20
   |       |             Sig(P)+ANYPREVOUT                                 =
             =20
   |       |             csv [delay] -------+---> Sig(A)...    [HTLCs &a=
mp; Settled         =20
   |       |                                |                   Outputs ]  =
             =20
   v       v                                |---> Sig(B)...             =
                 
=C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0
On Fri, Jul 10, 2020 at 5:30 AM ZmnSCPxj via bitcoin-dev <=
;bitcoin-dev@lists.=
linuxfoundation.org> wrote:
...
Slightly off-topic, but I suppose a Decker-Russell-Osuntokun construction c= ould, in theory, have only a single internal taproot pubkey, `P =3D MuSig(A= , B)` for a channel between A and B.

So the funding outpoint would be spent with a taprooted P + a single tapscr= ipt `<1> OP_CHECKSIG`.

Update transactions would be signed with the internal taproot pubkey using = `SIGHASH_ANYPREVOUTANYSCRIPT`.
The update transaction output would be spendable with a taprooted P + a sin= gle tapscript `<index + 1> OP_CHECKLOCKTIMEVERIFY OP_DROP <1> O= P_CHECKSIG`.
Each update transaction would have a monotonically-increasing `nLockTime`, = i.e. the above `index`.

Then a state transaction would be signed with the internal taproot pubkey u= sing `SIGHASH_ANYPREVOUT`, which commits to the exact script including `<= ;index + 1>`, which is unique for each update transaction.
Thus a state transaction can only spend the specific update transaction, bu= t the update transaction can spend the funding outpoint or any update trans= action outpoint.
State transaction input would have an `nSequence` requiring a relative lock= time of the agreed-upon unilateral close delay.

The above assumes MuSig signing, which requires 1.5 round trips for a chann= el, or three broadcast rounds for a multiparticipant (n >=3D 3) construc= tion.


Regards,
ZmnSCPxj

--000000000000d3fcb605abfe20af--