From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1YxQUk-0007f4-MC for bitcoin-development@lists.sourceforge.net; Wed, 27 May 2015 01:50:58 +0000 X-ACL-Warn: Received: from mail-ig0-f182.google.com ([209.85.213.182]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1YxQUg-0005ux-S6 for bitcoin-development@lists.sourceforge.net; Wed, 27 May 2015 01:50:58 +0000 Received: by igbpi8 with SMTP id pi8so75022774igb.0 for ; Tue, 26 May 2015 18:50:49 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=LG4CuOXgVWHsB7jKHXHm+veI6jJlWXflF2kMsL68D+Q=; b=g01VlBirESgU6uoEH7j2AD1z2Q3enCZ8Rh3WAAsXhxR/Xbd4wnB8JLWzxUS3/uskMS whfp+QYBlmVjIG1bhFGEV1uaVhd0A8sU4h8gS6eX3K9AVy3cpXsF8KvGDwUI/mEwr/fi JonCkyrcnKp0E2hWOrGMZmHIwtftzrR6kBncK5VzE2MI8yuVXUG2BW9AS0QX/7V38Nfl ZbpOyj/iwI59gOMbmmPXjjpXGwYwkEaGKpdrAyF2H27LcmEyXsudWYfigPovkfbtl9ZS wioTdhN7aqI0xOYlZ/vsjGNvFVrSS6E3STM5Mk33wnSyVG9tjyWBodrq5h0MPCzKkF3X 84yg== X-Gm-Message-State: ALoCoQnHfc2V1/3xDsGun06qvUkSnUbaMCWGUwLHgz0YTOjVX13oRu4dP/LOMK3LzbcApS7R/iZ9 X-Received: by 10.107.17.17 with SMTP id z17mr39064913ioi.76.1432691449445; Tue, 26 May 2015 18:50:49 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.10.197 with HTTP; Tue, 26 May 2015 18:50:29 -0700 (PDT) X-Originating-IP: [172.56.9.144] From: Mark Friedenbach Date: Tue, 26 May 2015 18:50:29 -0700 Message-ID: To: Bitcoin Development Content-Type: multipart/alternative; boundary=001a113ed46ceaf001051706788b X-Spam-Score: 2.0 (++) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 1.0 HTML_MESSAGE BODY: HTML included in message 1.0 UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word" X-Headers-End: 1YxQUg-0005ux-S6 Subject: [Bitcoin-development] Consensus-enforced transaction replacement via sequence numbers X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 May 2015 01:50:58 -0000 --001a113ed46ceaf001051706788b Content-Type: text/plain; charset=UTF-8 Sequence numbers appear to have been originally intended as a mechanism for transaction replacement within the context of multi-party transaction construction, e.g. a micropayment channel. The idea is that a participant can sign successive versions of a transaction, each time incrementing the sequence field by some amount. Relay nodes perform transaction replacement according to some policy rule making use of the sequence numbers, e.g. requiring sequence numbers in a replacement to be monotonically increasing. As it happens, this cannot be made safe in the bitcoin protocol as deployed today, as there is no enforcement of the rule that miners include the most recent transaction in their blocks. As such, any protocol relying on a transaction replacement policy can be defeated by miners choosing not to follow that policy, which they may even be incentivised to do so (if older transactions provide higher fee per byte, for example). Transaction replacement is presently disabled in Bitcoin Core. These shortcomings can be fixed in an elegant way by giving sequence numbers new consensus-enforced semantics as a relative lock-time: if a sequence number is non-final (MAX_INT), its bitwise inverse is interpreted as either a relative height or time delta which is added to the height or median time of the block containing the output being spent to form a per-input lock-time. The lock-time of each input constructed in this manor, plus the nLockTime of the transaction itself if any input is non-final must be satisfied for a transaction to be valid. For example, a transaction with an txin.nSequence set to 0xffffff9b [== ~(uint32_t)100] is prevented by consensus rule from being selected for inclusion in a block until the 100th block following the one including the parent transaction referenced by that input. In this way one may construct, for example, a bidirectional micropayment channel where each change of direction increments sequence numbers to make the transaction become valid prior to any of the previously exchanged transactions. This also enables the discussed relative-form of CHECKLOCKTIMEVERIFY to be implemented in the same way: by checking transaction data only and not requiring contextual information like the block height or timestamp. An example implementation of this concept, as a policy change to the mempool processing of Bitcoin Core is available on github: https://github.com/maaku/bitcoin/tree/sequencenumbers --001a113ed46ceaf001051706788b Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Sequence numbers appear to have been originally intended a= s a mechanism for transaction replacement within the context of multi-party= transaction construction, e.g. a micropayment channel. The idea is that a = participant can sign successive versions of a transaction, each time increm= enting the sequence field by some amount. Relay nodes perform transaction r= eplacement according to some policy rule making use of the sequence numbers= , e.g. requiring sequence numbers in a replacement to be monotonically incr= easing.

As it happens, this cannot be made safe in the bitcoin proto= col as deployed today, as there is no enforcement of the rule that miners i= nclude the most recent transaction in their blocks. As such, any protocol r= elying on a transaction replacement policy can be defeated by miners choosi= ng not to follow that policy, which they may even be incentivised to do so = (if older transactions provide higher fee per byte, for example). Transacti= on replacement is presently disabled in Bitcoin Core.

These shortcom= ings can be fixed in an elegant way by giving sequence numbers new consensu= s-enforced semantics as a relative lock-time: if a sequence number is non-f= inal (MAX_INT), its bitwise inverse is interpreted as either a relative hei= ght or time delta which is added to the height or median time of the block = containing the output being spent to form a per-input lock-time. The lock-t= ime of each input constructed in this manor, plus the nLockTime of the tran= saction itself if any input is non-final must be satisfied for a transactio= n to be valid.

For example, a transaction with an txin.nSequence set= to 0xffffff9b [=3D=3D ~(uint32_t)100] is prevented by consensus rule from = being selected for inclusion in a block until the 100th block following the= one including the parent transaction referenced by that input.

In t= his way one may construct, for example, a bidirectional micropayment channe= l where each change of direction increments sequence numbers to make the tr= ansaction become valid prior to any of the previously exchanged transaction= s.

This also enables the discussed relative-form of CHECKLOCKTIMEVER= IFY to be implemented in the same way: by checking transaction data only an= d not requiring contextual information like the block height or timestamp.<= br>
An example implementation of this concept, as a policy change to the= mempool processing of Bitcoin Core is available on github:

https://github.c= om/maaku/bitcoin/tree/sequencenumbers
--001a113ed46ceaf001051706788b--