From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 2CAC6C0177 for ; Tue, 25 Feb 2020 19:16:20 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id 19866203F8 for ; Tue, 25 Feb 2020 19:16:20 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MdXOzXa1NYgM for ; Tue, 25 Feb 2020 19:16:18 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-pf1-f193.google.com (mail-pf1-f193.google.com [209.85.210.193]) by silver.osuosl.org (Postfix) with ESMTPS id F1388203A0 for ; Tue, 25 Feb 2020 19:16:17 +0000 (UTC) Received: by mail-pf1-f193.google.com with SMTP id 2so30535pfg.12 for ; Tue, 25 Feb 2020 11:16:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qNvHBAT58c66CaeGs4fnNTWeDME7/hb8LIuGsXwFpwQ=; b=Ncza+vcba0aUOuX1McXYlkkxMslQ0Jx+AVDPfWqdYcl+cPJv59Qiha2pk+1HlHekWW l0wHcj/n0w+DogE0yd6i+GN1P8ksqY+Uzv5jopBj46D8ZIOQpvBXJJKpkAfhXX+UikpW vG2Z/gaAnetChaCZ9ll9KwEq+pvciasGTI8Y08BLscvc6dIb49WDQfnVSD2uPu0nYDAP mwxs+jRuBq+n498y9camjFApsQXg9srtOhLZDlAyT/GEuxjOIbWsd/C91th8SXuhbfSf fkw1IQy1PVIKeaqM/qlLeYd3zJ7FvQBQSedShUSlpcRSQ6pEm4doy9zBqEqhDzC8kMd6 J2oA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qNvHBAT58c66CaeGs4fnNTWeDME7/hb8LIuGsXwFpwQ=; b=KxQWrqgrwAzNra7pXO/DFdYBnFwOeNRPSn2VeDjipSk0jgH5gHIAI0xR+NSqC1NEZT lGbjkBftIIxvbcVXabCPy4Jm8phbENggZgwA7BQPsNaEj6V489MT8Owu+00t+W6dDYr5 8I/GICgydhBBjfKXwf7Rnj5RNNstvptMqc0mATtxmGchFhf2mnwAK0OGAtfyAtZK48hm YBjtEJv0c1to1OjeS2WicrHdZYwaWBWB2O63fjxFveYkD7QRWJxH4V6hiA3Br/6PYZBi PZeCSZvmSgv3Vw95/nWVLs06ARM7Hmz98zgcNobHgVie1yV3KumeQ0ca24S7Jsef5bOU 6LQA== X-Gm-Message-State: APjAAAVOtrGVpbA1tAWgLlkhsCfKsplIfrSbDyXZrDydkiSxE9Frg6nl Utr7NtayVS+cqyt63Y0w9Y3ML7bUMP1em5dyayY= X-Google-Smtp-Source: APXvYqzIxjxpMscLjoYYk7FSH3n2Or2ltodF995A7la8u4utYeW6iMDbEPuJY3fVv5kOKbyDwBFZD0pBk5jBAhz8VD8= X-Received: by 2002:a62:e111:: with SMTP id q17mr205190pfh.242.1582658177264; Tue, 25 Feb 2020 11:16:17 -0800 (PST) MIME-Version: 1.0 References: <2-MilNWxNU5sCVK81AtIN7LhLButGQNbxgkr50rzsCvd5FqrD3VHBKCWjlxeFXYbKzC1XX5jm8NpzQUR95TGyupYqL6ggL8rPObGYC0AYWE=@protonmail.com> In-Reply-To: <2-MilNWxNU5sCVK81AtIN7LhLButGQNbxgkr50rzsCvd5FqrD3VHBKCWjlxeFXYbKzC1XX5jm8NpzQUR95TGyupYqL6ggL8rPObGYC0AYWE=@protonmail.com> From: Antoine Riard Date: Tue, 25 Feb 2020 14:16:03 -0500 Message-ID: To: ZmnSCPxj Content-Type: multipart/alternative; boundary="00000000000074eda5059f6b5274" X-Mailman-Approved-At: Tue, 25 Feb 2020 19:23:12 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] LN & Coinjoin, a Great Tx Format Wedding X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Feb 2020 19:16:20 -0000 --00000000000074eda5059f6b5274 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Morning Zeeman, > I proposed before to consider splicing as a form of merged closing plus funding, rather than a modification of channel state; in particular we might note that, for compatibility with our existing system, a spliced channel would have to change its short channel ID > and channel ID, so it is arguably a different channel already. Yes but you may want alias to keep your channel routing-score across splicing, though how to do this is more LN-dev specific. > Emulating LN splices mildly makes ConJoinXT less desirable, however, as the mix takes longer and is more costly. Intuitively, a lot of Coinjoin traffic may be redirected in the future through LN when protocol matures, privacy properties may be better (though need careful analysis). Coinjoins would be only for high-amounts for which security/liquidity isn't offered by LN, and in this case time for increasing privacy is IMO an acceptable tradeoff. > Does not Electrum do RBF by default? Dunno, for more context on RBF and its controversies see https://bitcoincore.org/en/faq/optin_rbf/ (or Optech resources) > 1.5RTT with MuSig Yes right I meaned you don't need to assume latter interactivity if it's a multi-party tx construction you sign multiple RBF versions at same time. Still need to think about privacy-preserving fee bumping wrt to mempool observer > This can be mitigated if all participants contribute equal or nearly-equally to the fees, though that complicates single-funding, and may violate Initiator Pays Principle (the initiator of an action should pay all fees related to the action, as otherwise it may be possible to create a null operation that the acceptor of the action ends up paying fees for, which can be used as a financial attack to drain acceptors). Yes, but also you want the acceptor to pay for its inputs announced to avoid pouring the spending burden on the initiator only, or doing any free-ride aggregation . > There may be other protocols interested in this as well --- for instance "submarine swaps" and "lightning loops", which are the same thing. Yes good point, specially batched submarine swaps are good candidates, also DLCs (will enquiry on tx pattern of more bitcoin protocol) Le lun. 24 f=C3=A9vr. 2020 =C3=A0 18:36, ZmnSCPxj = a =C3=A9crit : > Good morning Antoine, > > > > > On mutual closes, we should probably set `nLockTime` to the current > blockheight + 1 as well. > > > This has greater benefit later in a Taproot world. > > > > I assume mutual closes would fall under the aforementioned tx > construction proposal, so a closing may be a batch to fund other channels= or > > splice existent ones. > > Ah, that is indeed of great interest. > I proposed before to consider splicing as a form of merged closing plus > funding, rather than a modification of channel state; in particular we > might note that, for compatibility with our existing system, a spliced > channel would have to change its short channel ID and channel ID, so it i= s > arguably a different channel already. > > > > > > A kind of non-equal-value CoinJoin could emulate a Lightning open + > close, but most Lightning channels will have a large number of blocks > (thousands or tens of thousands) between the open and the close; it seems > unlikely that a short-term channel will exist > that matches the > non-equal-value CoinJoin. > > > > That's a really acute point, utxo age and spending frequency may be > obvious protocol leaks. > > Yes; I am curious how JoinMarket reconciles how makers mix their coins vs= . > how takers do; presumably the tumbler.py emulates the behavior of a maker > somehow. > > > Splicing may help there because a LN node would do multiple chain write= s > during channel lifecycle for liquidity reasons but it's > > near-impossible to predict its frequency without deployment. > > Long ago, I proposed an alternative to splicing, which would today be > recognizable as a "submarine swap" or "lightning loop". > https://lists.linuxfoundation.org/pipermail/lightning-dev/2017-May/000692= .html > Perhaps the frequencies of those operations may hint as to how much > splicing would occur in practice in the future. > > > Even with this, I do fear an analysis gap between Coinjoin spending > delta and LN ones. A way to circumvent this would be for CoinjoinXT to > timelock its PTG > > transactions to mimick actively-spliced LN channels. That's where > adoption of a common format by other onchain transactions than LN ones > would help a lot. > > Well, one way to implement splice-in would be to have an output that is > first dedicated to the splice-in, and *then* a separate transaction which > actually does the splice-in. > This has a drawback of requiring an extra transaction, which wins us the > facility to continue operation of the channel even while the splice-in > transactions are being confirmed while retaining only one state. > (the latest proposal, I believe, does *not* use this construction, and > instead requires both sides to maintain two sets of states, with one stat= e > being a fallback in case the splice-in gets double spent; but in times of > high blockchain load this can lead to the channel having a two sets of > states until blockchain load reduces.) > > As it happens, my alternate proposal for CoinJoinXT is similar in that > there are "entry transactions" that introduce coins into the PTG, which a= re > needed to prevent participants from double-spending while the mix is > on-going. https://zmnscpxj.github.io/bitcoin/coinjoinxt.html > Note the proposal differs from the original by waxwing, which requires > backouts at each intermediate output, and the entry transactions are > potential watermarks on the CoinJoinXT protocol as well. > A Chaumian CoinJoinXT cannot use backouts at each intermediate output > since no participant should have any knowledge of how much each participa= nt > has contributed to each intermediate output, they only know they put so > many funds in and so should get so many funds out. > > Emulating LN splices mildly makes ConJoinXT less desirable, however, as > the mix takes longer and is more costly. > > > > > > Should always be on, even if we do not (yet) have a facility to > re-interact to bump fees higher. > > > While it is true that a surveillor can determine that a transaction > has in fact been replaced (by observing the mempool) and thus eliminate t= he > set of transactions that arose from protocols that mark RBF but do not > (yet) have a facility to bump fees higher, this > information is not > permanently recorded on all fullnodes and at least we force surveillors t= o > record this information themselves. > > > > Yes but if you do this for Core and given some merchants are refusing > RBF transactions for onchain payments, people are going to complain... > > Grumble grumble, all unconfirmed transaction are RBF because miners like > money, grumble grumble, flagged RBF is just a node relay policy, grumble > grumble, some humans sometimes, grumble grumble.... > > Does not Electrum do RBF by default? > Unless I have a lower-level agent that always enables RBF option when I > install new Electrums, hmmm, maybe I should check first. > > > Also see footnote on spurious-RBF about not-having facility to bump fee= s > higher (you can sign multiple RBF transactions in 1-RTT and agree to > broadcast them later to obfuscate mempool analysis). > > 1.5RTT with MuSig. > > An issue here is that if not all participants contribute to the fees > equally, then a participant who is paying lower fee or no fee has a mild > incentive to just broadcast the highest-fee version and be done with it: > forget the other transactions and just aim for the highest fee immediatel= y, > ignore the mempool state so you do not have to do all those calculations = or > even maintain a mempool, and so on. > This can be mitigated if all participants contribute equal or > nearly-equally to the fees, though that complicates single-funding, and m= ay > violate Initiator Pays Principle (the initiator of an action should pay a= ll > fees related to the action, as otherwise it may be possible to create a > null operation that the acceptor of the action ends up paying fees for, > which can be used as a financial attack to drain acceptors). > > > > > However, it seems to me that we need to as well nail down the details > of this format. > > > > Of course, just curious of people opinions right now but if it's a good > way to solve the described problem, will draft a spec. > > There may be other protocols interested in this as well --- for instance > "submarine swaps" and "lightning loops", which are the same thing. > > Regards, > ZmnSCPxj > > --00000000000074eda5059f6b5274 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Morning Zeeman,

> I proposed befo= re to consider splicing as a form of merged closing plus=20 funding, rather than a modification of channel state; in particular we=20 might note that, for compatibility with our existing system, a spliced=20 channel would have to change its short channel ID > and channel ID, so i= t=20 is arguably a different channel already.

Yes but you may want alias to keep your channel routing-score ac= ross splicing, though how to do this is more LN-dev specific.

> E= mulating LN splices mildly makes ConJoinXT less desirable, however, as the = mix takes longer and is more costly.

Intuitively, a lot of Coi= njoin traffic may be redirected in the future through LN when protocol matu= res, privacy properties may be better (though need careful analysis).
Coinjoins would be only for high-amounts for which security/liquid= ity isn't offered by LN, and in this case time for increasing privacy i= s IMO an acceptable tradeoff.

> Does not Electrum do RBF by defau= lt?

Dunno, for more context on RBF and its controversies = see https://bitcoinco= re.org/en/faq/optin_rbf/ (or Optech resources)

> 1.5RT= T with MuSig

Yes right I meaned you don't need to ass= ume latter interactivity if it's a multi-party tx construction you sign= multiple RBF versions at same time. Still need to think about privacy-pres= erving fee bumping wrt to mempool observer

> This can be mitigate= d if all participants contribute equal or=20 nearly-equally to the fees, though that complicates single-funding, and=20 may violate Initiator Pays Principle (the initiator of an action should=20 pay all fees related to the action, as otherwise it may be=C2=A0 possible t= o=20 create a null operation that the acceptor of the action ends up paying=20 fees for, which can be used as a financial attack to drain acceptors).

Yes,= but also you want the acceptor to pay for its inputs announced to avoid po= uring the spending burden on the initiator only, or doing any free-ride agg= regation .

> There may= be other protocols interested in this as well --- for instance "submarine swaps" and "lightning loops", which are the= same thing.

Yes good poi= nt, specially batched submarine swaps are good candidates, also DLCs (will = enquiry on tx pattern of more bitcoin protocol)


Le=C2=A0lun. 24 f=C3=A9vr. 2020 =C3=A0=C2=A018:36, ZmnSCPxj &l= t;ZmnSCPxj@protonmail.com>= ; a =C3=A9crit=C2=A0:
Good morning Antoine,


> > On mutual closes, we should probably set `nLockTime` to the curre= nt blockheight + 1 as well.
> > This has greater benefit later in a Taproot world.
>
> I assume mutual closes would fall under the aforementioned tx construc= tion proposal, so a closing may be a batch to fund other channels or
> splice existent ones.

Ah, that is indeed of great interest.
I proposed before to consider splicing as a form of merged closing plus fun= ding, rather than a modification of channel state; in particular we might n= ote that, for compatibility with our existing system, a spliced channel wou= ld have to change its short channel ID and channel ID, so it is arguably a = different channel already.

>
> > A kind of non-equal-value CoinJoin could emulate a Lightning open= + close, but most Lightning channels will have a large number of blocks (t= housands or tens of thousands) between the open and the close; it seems unl= ikely that a short-term channel will exist > that matches the non-equal-= value CoinJoin.
>
> That's a really acute point, utxo age and spending frequency may b= e obvious protocol leaks.

Yes; I am curious how JoinMarket reconciles how makers mix their coins vs. = how takers do; presumably the tumbler.py emulates the behavior of a maker s= omehow.

> Splicing may help there because a LN node would do multiple chain writ= es during channel lifecycle for liquidity reasons but it's
> near-impossible to predict its frequency without deployment.

Long ago, I proposed an alternative to splicing, which would today be recog= nizable as a "submarine swap" or "lightning loop". https://lists.linuxfoundat= ion.org/pipermail/lightning-dev/2017-May/000692.html
Perhaps the frequencies of those operations may hint as to how much splicin= g would occur in practice in the future.

> Even with this, I do fear an analysis gap between Coinjoin spending de= lta and LN ones. A way to circumvent this would be for CoinjoinXT to timelo= ck its PTG
> transactions to mimick actively-spliced LN channels. That's where = adoption of a common format by other onchain transactions than LN ones woul= d help a lot.

Well, one way to implement splice-in would be to have an output that is fir= st dedicated to the splice-in, and *then* a separate transaction which actu= ally does the splice-in.
This has a drawback of requiring an extra transaction, which wins us the fa= cility to continue operation of the channel even while the splice-in transa= ctions are being confirmed while retaining only one state.
(the latest proposal, I believe, does *not* use this construction, and inst= ead requires both sides to maintain two sets of states, with one state bein= g a fallback in case the splice-in gets double spent; but in times of high = blockchain load this can lead to the channel having a two sets of states un= til blockchain load reduces.)

As it happens, my alternate proposal for CoinJoinXT is similar in that ther= e are "entry transactions" that introduce coins into the PTG, whi= ch are needed to prevent participants from double-spending while the mix is= on-going. https://zmnscpxj.github.io/bitcoin/coin= joinxt.html
Note the proposal differs from the original by waxwing, which requires back= outs at each intermediate output, and the entry transactions are potential = watermarks on the CoinJoinXT protocol as well.
A Chaumian CoinJoinXT cannot use backouts at each intermediate output since= no participant should have any knowledge of how much each participant has = contributed to each intermediate output, they only know they put so many fu= nds in and so should get so many funds out.

Emulating LN splices mildly makes ConJoinXT less desirable, however, as the= mix takes longer and is more costly.

>
> > Should always be on, even if we do not (yet) have a facility to r= e-interact to bump fees higher.
> > While it is true that a surveillor can determine that a transacti= on has in fact been replaced (by observing the mempool) and thus eliminate = the set of transactions that arose from protocols that mark RBF but do not = (yet) have a facility to bump fees higher, this > information is not per= manently recorded on all fullnodes and at least we force surveillors to rec= ord this information themselves.
>
> Yes but if you do this for Core and given some merchants are refusing = RBF transactions for onchain payments, people are going to complain...

Grumble grumble, all unconfirmed transaction are RBF because miners like mo= ney, grumble grumble, flagged RBF is just a node relay policy, grumble grum= ble, some humans sometimes, grumble grumble....

Does not Electrum do RBF by default?
Unless I have a lower-level agent that always enables RBF option when I ins= tall new Electrums, hmmm, maybe I should check first.

> Also see footnote on spurious-RBF about not-having facility to bump fe= es higher (you can sign multiple RBF transactions in 1-RTT and agree to bro= adcast them later to obfuscate mempool analysis).

1.5RTT with MuSig.

An issue here is that if not all participants contribute to the fees equall= y, then a participant who is paying lower fee or no fee has a mild incentiv= e to just broadcast the highest-fee version and be done with it: forget the= other transactions and just aim for the highest fee immediately, ignore th= e mempool state so you do not have to do all those calculations or even mai= ntain a mempool, and so on.
This can be mitigated if all participants contribute equal or nearly-equall= y to the fees, though that complicates single-funding, and may violate Init= iator Pays Principle (the initiator of an action should pay all fees relate= d to the action, as otherwise it may be possible to create a null operation= that the acceptor of the action ends up paying fees for, which can be used= as a financial attack to drain acceptors).


> > However, it seems to me that we need to as well nail down the det= ails of this format.
>
> Of course, just curious of people opinions right now but if it's a= good way to solve the described problem, will draft a spec.

There may be other protocols interested in this as well --- for instance &q= uot;submarine swaps" and "lightning loops", which are the sa= me thing.

Regards,
ZmnSCPxj

--00000000000074eda5059f6b5274--