From: Johnson Lau <jl2012@xbt.hk>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>,
bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Cc: "lightning-dev@lists.linuxfoundation.org"
<lightning-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] [Lightning-dev] More thoughts on NOINPUT safety
Date: Fri, 22 Mar 2019 12:23:28 +0800 [thread overview]
Message-ID: <F2238063-59EA-482A-B402-B9D0DB76D603@xbt.hk> (raw)
In-Reply-To: <ITq8Tl8XaPXWzqs0F7yY3POHtysci93evnyLteDL9bYRxjjgJbTV_d-xCn_j5AZApGqCIBQ0p6UH8S-bD_n8hm1IMYS98ukpJkO4PGDXsuQ=@protonmail.com>
[-- Attachment #1: Type: text/plain, Size: 3783 bytes --]
> On 22 Mar 2019, at 9:59 AM, ZmnSCPxj via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Good morning aj,
>>
>> If you are committing to the script code, though, then each settlement
>> sig is already only usable with the corresponding update tx, so you
>> don't need to roll the keys. But you do need to make it so that the
>> update sig requires the CLTV; one way to do that is using codeseparator
>> to distinguish between the two cases.
>>
>>> Also, I cannot understand `OP_CODESEPARATOR`, please no.
>>
>> If codeseparator is too scary, you could probably also just always
>> require the locktime (ie for settlmenet txs as well as update txs), ie:
>>
>> OP_CHECKLOCKTIMEVERIFY OP_DROP
>> <muSig(A_u,B_u)> OP_CHECKDLSVERIFY <Q> OP_CHECKDLS
>>
>> and have update txs set their timelock; and settlement txs set a absolute
>> timelock, relative timelock via sequence, and commit to the script code.
>>
>> (Note that both those approaches (with and without codesep) assume there's
>> some flag that allows you to commit to the scriptcode even though you're
>> not committing to your input tx (and possibly not committing to the
>> scriptpubkey). BIP118 doesn't have that flexibility, so the A_s_i and
>> B_s_i key rolling is necessary)
>
> I think the issue I have here is the lack of `OP_CSV` in the settlement branch.
>
> Consider a channel with offchain transactions update-1, settlement-1, update-2, and settlement-2.
> If update-1 is placed onchain, update-1 is also immediately spendable by settlement-1.
> But settlement-1 cannot be spent by update-2 and thus the invalidation of older state fails.
>
> The `OP_CSV` in the settlement branch of the update transaction outputs exists to allow later update transactions have higher priority over settlement transactions.
>
> To ensure that a settlement signature can only take the settlement branch, we need a distinct public key for the branch, so at least `A_s` and `B_s` without rolling them for each `i`, if we use `nLockTime` on the settlement transactions and enforce it with `OP_CHECKLOCKTIMEVERIFY`.
> It might be possible to do this with `OP_CODESEPARATOR`, but we do need the `OP_CSV` in the settlement branch.
>
> Regards,
> ZmnSCPxj
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>
OP_CSV (BIP112) is not needed. Only BIP68 relative-time is needed.
With this script:
<t> OP_CHECKLOCKTIMEVERIFY OP_DROP <muSig(A,B)> OP_CHECKSIGVERIFY <Q> OP_CHECKSIG
For update purpose, A and B will co-sign the muSig with nLockTime = t, not committing to the scriptCode, and no BIP68 lock time
For settlement purpose, A and B will co-sign the muSig with nLockTime = t, committing to the scriptCode, and with an agreed BIP68 locktime
Without committing to the scriptCode and BIP68 lock time, the update sig could be bind to any previous update tx immediately.
OTOH, the settlement sig will only bind to a specific update tx (thought scriptCode), and only after the relative locktime is passed.
The eltoo paper is wrong about using OP_CSV. That’s a common mistake even for experienced bitcoin developer. OP_CSV is needed only if one party could single handedly decide the relative-lock-time. However, this is not the case here as it is a muSig.
(With some risks of distracting the discussion, please note that even this script: <t> OP_CHECKLOCKTIMEVERIFY OP_DROP <A> OP_CHECKSIGVERIFY <B> OP_CHECKSIG doesn’t need OP_CSV, despite not using muSig. It is because the 2 sigs must use the same relative locktime, or the tx is invalid.)
[-- Attachment #2: Type: text/html, Size: 5087 bytes --]
prev parent reply other threads:[~2019-03-22 4:23 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-13 1:41 [bitcoin-dev] More thoughts on NOINPUT safety Anthony Towns
2019-03-13 6:41 ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj
2019-03-13 11:10 ` Anthony Towns
2019-03-14 5:22 ` ZmnSCPxj
2019-03-14 7:24 ` Anthony Towns
2019-03-14 7:55 ` ZmnSCPxj
2019-03-14 12:00 ` Christian Decker
2019-03-20 0:22 ` Rusty Russell
2019-03-20 3:33 ` Rusty Russell
2019-03-20 7:38 ` ZmnSCPxj
2019-03-20 8:07 ` ZmnSCPxj
2019-03-21 8:37 ` Johnson Lau
2019-03-21 9:06 ` Anthony Towns
2019-03-21 10:05 ` ZmnSCPxj
2019-03-21 11:55 ` Anthony Towns
2019-03-22 1:59 ` ZmnSCPxj
2019-03-22 2:58 ` Anthony Towns
2019-03-22 7:46 ` ZmnSCPxj
2019-03-22 4:23 ` Johnson Lau [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=F2238063-59EA-482A-B402-B9D0DB76D603@xbt.hk \
--to=jl2012@xbt.hk \
--cc=ZmnSCPxj@protonmail.com \
--cc=bitcoin-dev@lists.linuxfoundation.org \
--cc=lightning-dev@lists.linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox