Hi Jeremy,
For the records, I didn't know between Greg and you was at the origin of payment pools. Thanks for your pioneer work here, obviously this draws inspiration from OP_CTV use cases and Channel Factories works, even if we picked up different assumptions and tried to address another set of issues.
With regards to scalability, I hit it on my own while inquiring covenanted-Bitcoin contracts for international trade. I mentioned the any-order issue on such multi-party complex contracts in a talk last summer (
https://github.com/ariard/talk-slides/blob/master/advanced-contracts.pdf).
> All of these channels can be constructed and set up non-interatively using
> CTV, and updated interactively. By default payments can happen with minimal
> coordination of parties by standard lightning channel updates at the leaf
> nodes, and channels can be rebalanced at higher layers with more
> participation.
Side review note on OP_CTV: I think it would be great to define non-interactivity better, namely at least between 3 phases: establishment, operation, closing.
Even OP_CTV protocols assume interactivity at establishment, at least 1) to learn payees pubkeys endpoint (and internal leaves pubkeys if you want update at operation) 2) validate transaction tree correctness between participants.
At operation, it depends if participants want to dynamically rebalance value across channels or not. If you desire dynamically rebalancing, assume internal leaves scriptpubkeys are (multisig-all OR OP_CTV'ed merkle_tree). Using OP_CTV is a saving in message rounds for every constant expression across tree updates.
At closing, depends again if participants have committed update keys or not. If dynamic update, you can prune the whole tree and just commit final balances onchain, either with a O(N) fan-out transaction (N outputs) or a O(log(N)) congestion tree (N transactions).
So I would say the originality of a hashchain covenant like OP_CTV is to provide onchain *immutability* (unforgeability?) of the offchain transaction tree and thus provides instant finality to payees. You can get the same semantic with off-chain covenant, pre-signed set of transactions, assuming more communications rounds and performance hit.
That said, IMO, immutability comes with a security trade-off, namely if any payout key committed in your OP_CTV tree gets compromised your funds are at stake. And you can't update the tree anymore at the root to rotate keys. I think this should be weighted by anyone designing covenant protocols, especially vaults.
> I don't think the following requirement: "A
> CoinPool must satisfy the following *non-interactive any-order withdrawal*
> property: at any point in time and any possible sequence of previous
> CoinPool events, a participant should be able to move their funds from the
> CoinPool to any address the participant wants without cooperation with
> other CoinPool members." is desirable in O(1) space.
With current design (Pool_tx+Split_tx) it's O(2) space. Pool_tx is similar to a commitment tx and thus enables off-chain novation of pool distribution.
> Let's be favorable to Accumulators and assume O(1), but keep in mind constant may
> be somewhat large/operations might be expensive in validation for updates.
Using a Merkle Tree as an accumulator should be constant-size in space, but likely it has to be O(log(N) in computation (N set elements). This overhead in computation should be accounted for in accumulator sigops to avoid network validation resources free-riding, but I think it's a better trade-off minimizing chain footprint.
> So in this context, CTV Pool has a clear benefit. The last recipient can
> always clear in Log(N) time whereas in the accumulator pool, the last
> recipient has to wait much much longer. There's no asymptotic difference in
> Tx Size, but I suspect that CTV is at least as good or cheaper since it's
> just one tx hash and doesn't depend on implementation.
Yes I agree CTV pool performs better in the worst-case scenario. In my opinon what we should really look on is the probability of withdrawal scenarios. I see 2 failure cases:
* a pool participant being offline, thus halting the pool
* a pool participant with external protocol requirement to fulfill, like a HTLC to timeout onchain
With regards to 1) we assume that watchtower infra are likely to become ubiquitous in the future (if you want a secure LN experience), so user uptime should be near to 100%. Of course, it's a new architecture which comes with trade-offs, but interesting to explore.
With regards to 2) as of today channel-failure-rate (like unilateral close) it's still quite important (30% IIRC) so it plays in favor of OP_CTV pool but in the future I expect single-digit
therefore making CoinPool far more competitive. Do we envision protocol more time-sensitive than LN in the future (atomic swaps...) ? Hard to gauge.
Do you see other ways to refine model, like integrating out-of-pool liquidity needs rate ?
Note, I think for OP_CTV tree, increasing radix increases cooperation requirement and failure, so there should be optimum somewhere.
> If your group is not cooperating because one
> person is permanently offline, then Accumulator pools *guarantee* you need
> to go through a full on-chain redemption.
That's right, that's a current shortcoming of this strawman design, I think you can avoided by adding some timelocks, "if Alice doesn't anwser after X days, initiate a kick-out", thus avoiding full onchain unrolling.
> But I'm unclear how
> to make this safe w.r.t. updated states. You could also allow, perhaps, any
> number of operators to simultaneously leave in a tx. Also not sure how to
> do that.
I'm still thinking on this too, especially in LN-context, ideally you do want the same thing to kick-out a HTLC of your HTLC-tree while preserving the rest of them. Technically it works, if you assume CSV delay on the commitment/pool_tx and locktime on the HTLC, which is Eltoo tradeoff.
> With Accumulator pools, you need all parties online to make payments.
I think that our shortcoming here, but technically with protocol rebinding on any withdrawal output of Split_tx, you can have M-of-N channels between pool participants. Also we should aim to support any kind of protocol at the leaves.
> Because Accumulator pools always require N signers, it's possible to build
> a better privacy model where N parties are essentially managing a chaumian
> ecash like server for updates, giving good privacy of who initiated
> payments.
Yes that what I've in mind is something with blind signatures or any obfuscation of pool tree construction as privacy optimization. Still you will leak value weight of leaves to an in-pool observer.
> Both protocols require new features in Bitcoin. CTV is relatively simple, I
> would posit that accumulators + sighashnoinput are relatively not simple.
I agree design, review, deployment costs are an order of magnitude higher. That said they are more powerful primitives which would cover use cases beyond pools. A concern with OP_CTV is if we want semantic extensions we may realize they don't rank that well compared to more generic "base" primitives.
> In both designs, the payment pool can be created non-interactively. This is
> *super* important as it means third parties (e.g., an exchange) can
> withdraw users funds *into* a payment pool.
See my point above, I think we need a better definition of non-interactivity.
Thanks for the high-quality review of CoinPool !
Antoine