From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id BCAC5C000E for ; Mon, 12 Jul 2021 00:02:27 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id A921C81B17 for ; Mon, 12 Jul 2021 00:02:27 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp1.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yO7cF4Ry-zTj for ; Mon, 12 Jul 2021 00:02:26 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) by smtp1.osuosl.org (Postfix) with ESMTPS id 8867C8100F for ; Mon, 12 Jul 2021 00:02:26 +0000 (UTC) Received: by mail-wm1-x334.google.com with SMTP id w13so10166778wmc.3 for ; Sun, 11 Jul 2021 17:02:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AORjHDbsT2QAlDYpViFnZzRlb3lsArt0FvM+6Q6ulrA=; b=WM/IHOefA/3GnQPpe0H5QnBtAddR/gCsGk3NTNHCs9S5PmiUl/4CffsnAyZEyvDWsb UlK1tQeVMpVijHgUQsXXJ+KILvNo5DBMhRMeNOBIJLzAU5dACVmynnXD67Xz8AxfkUTP UBxCgZFO24KpjObopLJhAg2UpE5DyQCbsULVz3qlxm7QvL4SpOLy2c0AtgpPYjt9bglR +AmrEMGugqonyTmpF8hxxmm1uJA8AbwEFx8ReKfnAS5s7RCBvUfLPBuABkVwD5NPhhVd NQQCtc9ZPeRkDcuxtvulpa4dMcn8rsnhDzEkaL4PxSbb6vb9brA9Dcbl5nPOMJD3O4Rk zvKQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AORjHDbsT2QAlDYpViFnZzRlb3lsArt0FvM+6Q6ulrA=; b=hsDIU6ghWiWBWpuZzu2CDTB0vIRRqM9MMLLA5zTQdLKr/PJ8IlFWCnNr6ZRs2UaIqy NJTHJvSdaQ5nCsdOwX1B1iV3XgBIs50brFtGj6kprdZZwPeASMv8bS6A+4WHcKuf1W3F DLL3QjXGd7GbK/cUsRst9OElWB8OIB3rm+EBYCEKMWFYYD6T2N3EMI83twDqW5Svc6pN DVq47ZYQfcDbEO+0vsfWbRmKNZMjeAP/V6tJIFyMVYXkYlWSeeQFT3BInvxq4dX6Kn6W MgQEHqd/u1Co690rKVLaj/fD3Vo+xZkxaAW1D77vbZl02wRSSS85fps3k0gdqZ3vKm1o ZMlQ== X-Gm-Message-State: AOAM531ge/k6kGahJ1QAr4Uj5rPc3gqft3vJjYCV+2CycL+hMmN88a4t +ivfE7Ghf/fCC8dKLdhcqpG8XbnK5IeXPWRkTkrMTcmEPxC3Jg== X-Google-Smtp-Source: ABdhPJxGeZYYddDzU4clCmNGOKT+e7EBJu63K8SSQJCHWC5r+pJ+PVDt3ALloPC4UbPvz95NcqBZJRKwuXkv0D+mE0o= X-Received: by 2002:a05:600c:287:: with SMTP id 7mr8122445wmk.1.1626048144555; Sun, 11 Jul 2021 17:02:24 -0700 (PDT) MIME-Version: 1.0 References: <20210708111716.GC1339@erisian.com.au> <20210710014732.GA5164@erisian.com.au> In-Reply-To: <20210710014732.GA5164@erisian.com.au> From: Antoine Riard Date: Sun, 11 Jul 2021 20:02:12 -0400 Message-ID: To: Anthony Towns Content-Type: multipart/alternative; boundary="0000000000000b445005c6e1d675" X-Mailman-Approved-At: Mon, 12 Jul 2021 00:16:16 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] A Stroll through Fee-Bumping Techniques : Input-Based vs Child-Pay-For-Parent X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Jul 2021 00:02:27 -0000 --0000000000000b445005c6e1d675 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable > So the sha256 of the span of the group doesn't commit to start and end > -- it just serializes a vector, so commits to the number of elements, > the order, and the elements themselves. Gotcha wasn't clear to me that the new state pair isn't committed as part of the annex. Have been confused by "Introduce a new SIGHASH_GROUP flag, as an alternative to ALL/SINGLE/NONE, that commits to each output i, start <=3D i= < end." > Does the above resolve that? I think so. It shouldn't be susceptible to any spend replay attack, as the state pair prevents output group overlapping though you might still have to be careful about siphoning ? Something you should already care about if you use SIGHASH_SINGLE and your x's amount > y's value. Le ven. 9 juil. 2021 =C3=A0 21:47, Anthony Towns a =C3= =A9crit : > On Fri, Jul 09, 2021 at 09:19:45AM -0400, Antoine Riard via bitcoin-dev > wrote: > > > The easy way to avoid O(n^2) behaviour in (3) is to disallow partial > > > overlaps. So let's treat the tx as being distinct bundles of x-inputs > > > and y-outputs, and we'll use the annex for grouping, since that is > > > committed to by singatures. Call the annex field "sig_group_count". > > > When processing inputs, setup a new state pair, (start, end), initial= ly > > > (0,0). > > > When evaluating an input, lookup sig_group_count. If it's not present= , > > > then set start :=3D end. If it's present and 0, leave start and end > > > unchanged. Otherwise, if it's present and greather than 0, set > > > start :=3D end, and then set end :=3D start + sig_group_count. > > IIUC the design rationale, the "sig_group_count" lockdowns the hashing = of > > outputs for a given input, thus allowing midstate reuse across signatur= es > > input. > > No midstates, the message being signed would just replace > SIGHASH_SINGLE's: > > sha_single_output: the SHA256 of the corresponding output in CTxOut > format > > with > > sha_group_outputs: the SHA256 of the serialization of the group > outputs in CTxOut format. > > ie, you'd take span{start,end}, serialize it (same as if it were > a vector of just those CTxOuts), and sha256 it. > > > Let's say you want to combine {x_1, y_1} and {x_2, y_2} where {x, y} > denotes > > bundles of Lightning commitment transactions. > > x_1 is dual-signed by Alice and Bob under the SIGHASH_GROUP flag with > > `sig_group_count`=3D3. > > x_2 is dual-signed by Alice and Caroll under the SIGHASH_GROUP flag, wi= th > > `sig_group_count`=3D2. > > y_1 and y_2 are disjunctive. > > At broadcast, Alice is not able to combine {x_1,y_1} and {x_2, y_2} for > the > > reason that x_1, x_2 are colliding on the absolute output position. > > So the sha256 of the span of the group doesn't commit to start and end > -- it just serializes a vector, so commits to the number of elements, > the order, and the elements themselves. So you're taking serialize(y_1) > and serialize(y_2), and each of x_1 signs against the former, and each > of x_2 signs against the latter. > > (Note that the annex for x_1_0 specifies sig_group_count=3Dlen(y_1) > and the annex for x_1_{1..} specifies sig_group_count=3D0, for "reuse > previous input's group", and the signatures for each input commit to > the annex anyway) > > > One fix could be to skim the "end > num_ouputs" semantic, > > That's only there to ensure the span doesn't go out of range, so I don't > think it makes any sense to skip it? > > > I think this SIGHASH_GROUP proposal might solve other use-cases, but if= I > > understand the semantics correctly, it doesn't seem to achieve the batc= h > > fee-bumping of multiple Lightning commitment with O(1) onchain footprin= t > I was > > thinking of for IOMAP... > > Does the above resolve that? > > Cheers, > aj > > --0000000000000b445005c6e1d675 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
> So the sha256 of the span of the group doesn't co= mmit to start and end
> -- it just serializes a vector, so commits to= the number of elements,
> the order, and the elements themselves.
Gotcha wasn't clear to me that the new state pair isn't commit= ted as part of the annex.

Have been confused by "Introduce a ne= w SIGHASH_GROUP flag, as an alternative to ALL/SINGLE/NONE, that commits to= each output i, start <=3D i < end."

> Does the above = resolve that?

I think so. It shouldn't be susceptible to any spe= nd replay attack, as the state pair prevents output group overlapping thoug= h you might still have to be careful about siphoning ? Something you should= already care about if you use SIGHASH_SINGLE and your x's amount > = y's value.

Le=C2=A0ven. 9 juil. 2021 =C3=A0=C2=A021:47, Anthony Town= s <aj@erisian.com.au> a =C3= =A9crit=C2=A0:
O= n Fri, Jul 09, 2021 at 09:19:45AM -0400, Antoine Riard via bitcoin-dev wrot= e:
> > The easy way to avoid O(n^2) behaviour in (3) is to disallow part= ial
> > overlaps. So let's treat the tx as being distinct bundles of = x-inputs
> > and y-outputs, and we'll use the annex for grouping, since th= at is
> > committed to by singatures. Call the annex field "sig_group_= count".
> > When processing inputs, setup a new state pair, (start, end), ini= tially
> > (0,0).
> > When evaluating an input, lookup sig_group_count. If it's not= present,
> > then set start :=3D end. If it's present and 0, leave start a= nd end
> > unchanged. Otherwise, if it's present and greather than 0, se= t
> > start :=3D end, and then set end :=3D start + sig_group_count. > IIUC the design rationale, the "sig_group_count" lockdowns t= he hashing of
> outputs for a given input, thus allowing midstate reuse across signatu= res
> input.

No midstates, the message being signed would just replace
SIGHASH_SINGLE's:

=C2=A0 sha_single_output: the SHA256 of the corresponding output in CTxOut<= br> =C2=A0 format

with

=C2=A0 sha_group_outputs: the SHA256 of the serialization of the group
=C2=A0 outputs in CTxOut format.

ie, you'd take span<CTxOut>{start,end}, serialize it (same as if = it were
a vector of just those CTxOuts), and sha256 it.

> Let's say you want to combine {x_1, y_1} and {x_2, y_2} where {x, = y} denotes
> bundles of Lightning commitment transactions.
> x_1 is dual-signed by Alice and Bob under the SIGHASH_GROUP flag with<= br> > `sig_group_count`=3D3.
> x_2 is dual-signed by Alice and Caroll under the SIGHASH_GROUP flag, w= ith
> `sig_group_count`=3D2.
> y_1 and y_2 are disjunctive.
> At broadcast, Alice is not able to combine {x_1,y_1} and {x_2, y_2} fo= r the
> reason that x_1, x_2 are colliding on the absolute output position.
So the sha256 of the span of the group doesn't commit to start and end<= br> -- it just serializes a vector, so commits to the number of elements,
the order, and the elements themselves. So you're taking serialize(y_1)=
and serialize(y_2), and each of x_1 signs against the former, and each
of x_2 signs against the latter.

(Note that the annex for x_1_0 specifies sig_group_count=3Dlen(y_1)
and the annex for x_1_{1..} specifies sig_group_count=3D0, for "reuse<= br> previous input's group", and the signatures for each input commit = to
the annex anyway)

> One fix could be to skim the "end > num_ouputs" semantic,=

That's only there to ensure the span doesn't go out of range, so I = don't
think it makes any sense to skip it?

> I think this SIGHASH_GROUP proposal might solve other use-cases, but i= f I
> understand the semantics correctly, it doesn't seem to achieve the= batch
> fee-bumping of multiple Lightning commitment with O(1) onchain footpri= nt I was
> thinking of for IOMAP...

Does the above resolve that?

Cheers,
aj

--0000000000000b445005c6e1d675--