From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 6EDCBC000B for ; Fri, 28 Jan 2022 19:38:45 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 51F58405B4 for ; Fri, 28 Jan 2022 19:38:45 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: 1.269 X-Spam-Level: * X-Spam-Status: No, score=1.269 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_GMAIL_RCVD=1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MALFORMED_FREEMAIL=1.346, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no Authentication-Results: smtp2.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XD8XFb8XMAHM for ; Fri, 28 Jan 2022 19:38:43 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) by smtp2.osuosl.org (Postfix) with ESMTPS id 5A13440106 for ; Fri, 28 Jan 2022 19:38:43 +0000 (UTC) Received: by mail-lf1-x12d.google.com with SMTP id o12so13742799lfg.12 for ; Fri, 28 Jan 2022 11:38:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:cc; bh=foTdXSDuouUcImAUB50DpaB/7X1aFIHGtpNB6OI+FTc=; b=K63/IbF3fuKlTrB0b3M+VVN4oq5SWrWr5GaXVRUP0hNNqMXSku+pVUN7Y6D7l+N+xo tcEI1AqTe7pD/V/Hno4mmq8qHWGCGg21ZEFDpTTFRqN7Gk1auIhrNcH8LPvnbK51jscJ HzvDkFiGm6sDcVw4pMqaMXSLAy7EcT5wCQLpeZfeA8FKLCSHXU6zaP7JebwO3ua/ZQ3q j6fKbFti+R1O0xeTK3NllmfWcl5hLAS8oWevLuf0ueqJyG8gMVY+mgjRtF0ZryTKn7iw SRgN8/s9e4nmBu0NbdBCUgzsQ3YKmuOFeF3oLM47Ds81Mn3TMNElz+sJsMgiBjCXxWUi pNpQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:cc; bh=foTdXSDuouUcImAUB50DpaB/7X1aFIHGtpNB6OI+FTc=; b=CX/b5kJD/tOsaFGvZBz8UUNvIvC5WNrX4AYUNhiweh6ev3H68Bjh8lmpe54/3ARR/Q COalNO3/W7HTl4yGj2lIuEvfDvHZZuZr37TM35QfNoIT+pG0iomqsgM2B3KXjnZWCjmp JAfO4ViVmU5/aUFF4mFCh9af6OW2/o53qGbOepK9tmYqrfXKYiu7zAOQcpsm7Iy25OIa 8Tqke5dIzzReVXWys/4YoEhG0YCplNipHP6lO5ZS6PGc3VtmVhUC3JcKTsc5scRLc/JD ScC2LSoT/KlR5Uv1CphDzzxSVzbmO0BjvcSVUmmRoG1fxcfAK2kBTgB4S6yp9ONulnXV 7l5A== X-Gm-Message-State: AOAM532uEW0aqR3OEadbOogQ5FdhYJW/HnYXCpwsgVGhc+qU+u8C2x4O xDdQQT214w47mmXxPr0HH3jBt4wOcfwWnujEf9m9KTs2 X-Received: by 2002:ac2:5fc7:: with SMTP id q7mt3148962lfg.175.1643398720707; Fri, 28 Jan 2022 11:38:40 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Jeremy Rubin Date: Fri, 28 Jan 2022 11:38:29 -0800 Message-ID: Content-Type: multipart/alternative; boundary="000000000000fa8e5a05d6a994d7" Cc: Bitcoin Protocol Discussion , dlc-dev@mailmanlists.org Subject: Re: [bitcoin-dev] CTV dramatically improves DLCs X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Jan 2022 19:38:45 -0000 --000000000000fa8e5a05d6a994d7 Content-Type: text/plain; charset="UTF-8" Apologies for the double post*, but I just had a follow up idea that's pretty interesting to me. You can make the close portion of a DLC be an "optimistic" execution with a choice of justice scheme. This enables closing a DLC somewhat securely without exposing the oracles on-chain at all. Assuming honest oracles, the only cost of this mechanism over previous is that you have to do a script path spend (but it can be a top-level branch, since it's the "most likely" one). For every DLC branch like: * CHECKTEMPLATEVERIFY CHECKSIG CHECKSIGADD CHECKSIGADD 2 EQUAL* add a 2 branches: * CHECKTEMPLATEVERIFY CHECKSIG * * CHECKTEMPLATEVERIFY CHECKSIG* This enables Alice or Bob to "lock in" a redemption of the contract that becomes spendable by them after . CET-hash-* should include a nLockTime/nSequence such that it is at the same time as the attestation points should be known. Where CET-hash-T sends funds to a DLC that has the following conditions: (cooperate): *pk_internal=musig(Alice, Bob)* or (unilateral timeout) * Checksig <2 weeks> CSV* or (show oracles for this outcome) * CHECKTEMPLATEVERIFY* * CHECKSIG CHECKSIGADD CHECKSIGADD 2 EQUAL* or (justice with no punishment), forall j !=i: * CHECKTEMPLATEVERIFY* * CHECKSIG CHECKSIGADD CHECKSIGADD 2 EQUAL* or (justice with punishment), forall j!=i: * CHECKTEMPLATEVERIFY* * CHECKSIG CHECKSIGADD CHECKSIGADD 2 EQUAL* Justice with punishment seems to me to be the better option since T is actively choosing this resolution (the CTV transition is signed), but justice with no punishment might be better if you think the oracles might screw you over and collude to steal. One interesting question is if the justice transactions can be "compressed" to be fewer for a given outcome. I.e., if Bob has claimed that the outcome is 35, and there are 100 total outcomes, do we need 99 justice paths or is there a way to make fewer of them? Intuitively, it would seem so, because if we have a 8-10 threshold for picking a path, a 3-10 proof would be sufficient to prove Bob claimed to know the 8-10 falsely. However, that then means 3-10 could collude, v.s. the fraud proof requiring a full 8-10 counter. Things to think about! Best, Jeremy * this might actually be a triple or quadruple post depending on how you count, I adjusted which email was the subscriber on my mailing list account and resultantly sent from the old address... sincere apologies if you are seeing this message >1 times to those who were on the CC. -- @JeremyRubin On Fri, Jan 28, 2022 at 9:21 AM Jeremy wrote: > Lloyd, > > This is an excellent write up, the idea and benefits are clear. > > Is it correct that in the case of a 3/5th threshold it is a total 10x * > 30x = 300x improvement? Quite impressive. > > I have a few notes of possible added benefits / features of DLCs with CTV: > > 1) CTV also enables a "trustless timeout" branch, whereby you can have a > failover claim that returns funds to both sides. > > There are a few ways to do this: > > A) The simplest is just an oracle-free CTV whereby the > timeout transaction has an absolute/relative timelock after the creation of > the DLC in question. > > B) An alternative approach I like is to have the base DLC have a branch > ` CTV` which pays into a DLC that is the exact same > except it removes the just-used branch and replaces it with ` tx)> CTV` which contains a relative timelock R for the desired amount of > time to resolve. This has the advantage of always guaranteeing at least R > amount of time since the Oracles have been claimed to be non-live to > "return funds" to parties participating > > > 2) CTV DLCs are non-interactive asynchronously third-party unilaterally > creatable. > > What I mean by this is that it is possible for a single party to create a > DLC on behalf of another user since there is no required per-instance > pre-signing or randomly generated state. E.g., if Alice wants to create a > DLC with Bob, and knows the contract details, oracles, and a key for Bob, > she can create the contract and pay to it unilaterally as a payment to Bob. > > This enables use cases like pay-to-DLC addresses. Pay-to-DLC addresses can > also be constructed and then sent (along with a specific amount) to a third > party service (such as an exchange or Lightning node) to create DLCs > without requiring the third party service to do anything other than make > the payment as requested. > > > 3) CTV DLCs can be composed in interesting ways > > Options over DLCs open up many exciting types of instrument where Alice > can do things like: > A) Create a Option expiring in 1 week where Bob can add funds to pay a > premium and "Open" a DLC on an outcome closing in 1 year > B) Create an Option expiring in 1 week where one-of-many Bobs can pay the > premium (on-chain DEX?). > > See https://rubin.io/bitcoin/2021/12/20/advent-23/ for more concrete > stuff around this. > > There are also opportunities for perpetual-like contracts where you could > combine into one logical DLC 12 DLCs closing 1 per month that can either be > payed out all at once at the end of the year, or profit pulled out > partially at any time earlier. > > 4) This satisfies (I think?) my request to make DLCs expressible as Sapio > contracts in https://rubin.io/bitcoin/2021/12/20/advent-23/ > > 5) An additional performance improvement can be had for iterative DLCs in > Lightning where you might trade over a fixed set of attestation points with > variable payout curves (e.g., just modifying some set of the CTV points). > Defer to you on performance, but this could help enable some more HFT-y > experiences for DLCs in LN > > Best, > > Jeremy > > -- > @JeremyRubin > > > On Mon, Jan 24, 2022 at 3:04 AM Lloyd Fournier via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > >> Hi dlc-dev and bitcoin-dev, >> >> tl;dr OP_CTV simplifies and improves performance of DLCs by a factor of *a lot*. >> >> >> --000000000000fa8e5a05d6a994d7 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Apologies for the double post*, but I just had a follow up idea that= 9;s=C2=A0pretty interesting to me.

You can make the close portion of a DLC be= an "optimistic" execution with a choice of justice scheme. This = enables closing a DLC somewhat securely without exposing the oracles on-cha= in at all.

Assuming=C2=A0honest oracles, the only cost of this mechanism over= previous is that you have to do a script path spend (but it can be a top-l= evel branch, since it's the "most likely" one).


For every DLC branch like:

<CET-hash-i> CHECKTEMPL=
ATEVERIFY
<attestation-point1> CHECKSIG
<attestation-point2> CHECKSIGADD
<attestation-point3> CHECKSIGADD
2 EQUAL

add a 2 =
branches:

<CET-hash-A> CHECKTEMPLATEVERIFY
<Alice> CHECKSIG
<CET-hash-B> CHECKTEMPLATEVERIFY
<Bob> CHECKSIG

This enables Alice or Bob to "lock in" a r=
edemption of the contract that becomes spendable by them after <period&g=
t;. CET-hash-* should include a nLockTime/nSequence such that it is at the =
same time as the attestation points should be known.

Where C=
ET-hash-T sends funds to a DLC that has the following conditions:

=
(cooperate):
pk_internal=3Dmusig(Alice, Bob)
or (uni=
lateral timeout)
<T> Checksig <2 weeks> CSV
or= (show oracles for this outcome)
<CET-hash-i> CHECKTEMPLATEVE=
RIFY
<attestation-point1&=
gt; CHECKSIG
<attestation-point2> CHECKSIGADD
<attestation-point3> CHECKSIGADD
2 EQUAL
or (justice with no punishment), forall j !=3Di:
<CET-hash-j> CHECKTEMPLATEVERIFY
<attestation-point1> CHECKSIG
<attestation-point2> CHECKSIGADD
<attestation-point3> CHECKSIGADD
2 EQUAL
or (justice with punishment), forall j!=3Di:<=
/pre>
<CET-hash-punish-j, send fun=
ds to not-T> CHECKTEMPLATEVERIFY
<attestation-point1> CHECKSIG
<attestation-point2> CHECKSIGADD
<attestation-point3> CHECKSIGADD
2 EQUAL

Justice with punishment seems to me to be=
 the better option since T is actively choosing this resolution (the CTV tr=
ansition is signed), but justice with no punishment might be better if you =
think the oracles might screw you over and collude to steal.
One inter=
esting question is if the justice transactions can be "compressed"=
; to be fewer for a given outcome. I.e., if Bob has claimed that the outcom=
e is 35, and there are 100 total outcomes, do we need 99 justice paths or i=
s there a way to make fewer of them? Intuitively, it would seem so, because=
 if we have a 8-10 threshold for picking a path, a 3-10 proof would be suff=
icient to prove Bob claimed to know the 8-10 falsely. However, that then me=
ans 3-10 could collude, v.s. the fraud proof requiring a full 8-10 counter.=
 Things to think about!

=
Best,

Jeremy

* this might actually =
be a triple or quadruple post depending on how you count, I adjusted which =
email was the subscriber on my mailing list account and resultantly sent fr=
om the old address... sincere apologies if you are seeing this message >=
1 times to those who were on the CC.


On Fri, Jan 28, 2022 at 9:21 AM Jeremy <jlrubin@mit.edu> wrote:
<= blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-l= eft-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);pa= dding-left:1ex">
Lloyd,

This is an excellent write up, the idea and b= enefits are clear.

Is it correct that in the case of a 3/5th th= reshold it is a total 10x * 30x =3D 300x improvement? Quite impressive.

I have a few notes of possible added benefits / features of DLCs w= ith CTV:

1) CTV also enables a "trustless timeout" br= anch, whereby you can have a failover claim that returns funds to both side= s.

There are a few ways to do this:

A) The simplest= is just an oracle-free <STH(timeout tx)> CTV whereby the timeout=C2= =A0transaction=C2=A0has an absolute/relative timelock after the creation of= the DLC in question.

B) An alternative approach I like is to h= ave the base DLC have a branch `<STH(begin timeout)> CTV` which pays = into a DLC that is the exact same except it removes the just-used branch an= d replaces it with `<STH(timeout tx)> CTV` which contains a relative = timelock R for the desired amount of time to resolve. This has the advantag= e of always guaranteeing at least R amount of time since the Oracles have b= een claimed to be non-live to "return funds" =C2=A0to parties par= ticipating


2) CTV= DLCs are non-interactive asynchronously third-party unilaterally creatable= .

What I mean by this is that it is possible for a single party= to create a DLC on behalf of another user since there is no required per-i= nstance pre-signing or randomly generated state. E.g., if Alice wants to cr= eate a DLC with Bob, and knows the contract details, oracles, and a key for= Bob, she can create the contract and pay to it unilaterally as a payment t= o Bob.

This enables use cases like pay-to-DLC addresses. Pay-to= -DLC addresses can also be constructed and then sent (along with a specific= amount) to a third party service (such as an exchange or Lightning node) t= o create DLCs without requiring the third party service to do anything othe= r than make the payment as requested.


3) CTV DLCs can be composed in interesting ways
<= div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif= ;font-size:small;color:rgb(0,0,0)">
Options over DLCs open up many exciting types of instrument where Ali= ce can do things like:
A) Create a= Option expiring in 1 week where Bob can add funds to pay a premium and &qu= ot;Open" a DLC on an outcome closing in 1 year
B) Create an Option expiring in 1 week where one-of-many = Bobs can pay the premium (on-chain DEX?).

=C2=A0Se= e=C2=A0https://rubin.io/bitcoin/2021/12/20/advent-23/ for more concre= te stuff around this.

There are also opportunities for perp= etual-like contracts where you could combine into one logical DLC 12 DLCs c= losing 1 per month that can either be payed out all at once at the end of t= he year, or profit pulled out partially at any time earlier.

4)= This satisfies (I think?) my request to make DLCs expressible as Sapio con= tracts in https://rubin.io/bitcoin/2021/12/20/advent-23/

5) An additional performance improvement can be had for iterative DLCs in= Lightning where you might trade over a fixed set of attestation points wit= h variable payout curves (e.g., just modifying some set of the CTV points).= Defer to you on performance, but this could help enable some more HFT-y ex= periences for DLCs in LN

Best,

Jeremy



On Mo= n, Jan 24, 2022 at 3:04 AM Lloyd Fournier via bitcoin-dev <bitcoin-dev@l= ists.linuxfoundation.org> wrote:
Hi dlc-dev and bitcoin-dev,

tl;dr OP_CTV simplifies and improves performance of DLCs by a factor of *a =
lot*.

--000000000000fa8e5a05d6a994d7--