public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
To: Haoyu LIN <chris.haoyul@gmail.com>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Cc: "jiangshan.yu@monash.edu" <jiangshan.yu@monash.edu>,
	"runchao.han@monash.edu" <runchao.han@monash.edu>
Subject: Re: [bitcoin-dev] OP_LOOKUP_OUTPUT proposal
Date: Fri, 09 Aug 2019 14:29:25 +0000	[thread overview]
Message-ID: <qBFyALsLsiKkSXsssc3T7dvwrXtzBXmAAmTFWAt04AkrFwbWnoCdGIjoyqMZGnJa5Y4CX5mi0-1uWtuzPT5Swr3txw6NthtkOUdzCOlyfXo=@protonmail.com> (raw)
In-Reply-To: <CAEtgg6GOdceubg+b=-MvH66CKGBy-67mbQR01JpG3L1YJ1jaVw@mail.gmail.com>

Good morning Haoyu LIN et al.,


> We have investigated this problem in very detail. We analysed how profitable the arbitrage can be given the default timelock setting (24/48 hrs). Our result shows that the profit can be approximately 1% ~ 2.3%, which is non-negligible compared with 0.3% for stock market. This can be attractive as it's totally risk-free. Please refer to our paper https://eprint.iacr.org/2019/896, and the related code https://github.com/HAOYUatHZ/fair-atomic-swap if interested.
>
> Several studies have proposed for solving this problem e.g., http://diyhpl.us/wiki/transcripts/scalingbitcoin/tokyo-2018/atomic-swaps/ and https://coblox.tech/docs/financial_crypto19.pdf. Their basic idea is that, the transaction for the premium needs to be locked with the same secret hash but with a flipped payout, i.e. when redeemed with the secret, the money goes back to Alice and after timelock, the premium goes to Bob as a compensation for Alice not revealing the secret. However, this introduces a new problem: Bob can get the premium without paying anything, by never participating in.
>
> To solve this, the transaction verifier needs to know the status of an dependent transaction. Unfortunately, Bitcoin does not support the stateful transaction functionalities. Therefore, we propose the new opcode: OP_LOOKUP_OUTPUT. It takes the id of an output, and produces the address of the output’s owner. With OP_LOOKUP_OUTPUT, the Bitcoin script can decide whether Alice or Bob should take the premium by `<output> OP_LOOKUP_OUTPUT <pubkeyhash> OP_EQUALVERIFY`.

I believe an unsaid principle of SCRIPT opcode design is this:

* No SCRIPT opcode can look at anything that is not in the transaction spending from the SCRIPT.

This issue underlies the previous `OP_PUBREF` proposal also.

The reason for this is:

* We support a pruning mode, where in only the UTXO set is retained.
  If `OP_LOOKUP_OUTPUT` exists, we cannot prune, as `OP_LOOKUP_OUTPUT` might refer to a TXO that has been spent in very early historical blocks.
* The SCRIPT interpreter is run only once, at the time the transaction enters the mempool.
  Thus it cannot get information about the block it is in.
  Instead, the SCRIPT interpreter can have as input only the transaction that is attempting to spend the SCRIPT.

In any case:

> However, this introduces a new problem: Bob can get the premium without paying anything, by never participating in.

Premium payment can be made contingent on Bob participating.
Of course, it does mean the premium is paid using the destination coin.
It also requires the destination coin to support SegWit.

Let me explain by this:

1.  Alice and Bob agree on swap parameters:
    * Alice will exchange 1 BTC for 1,000,000 WJT from Bob.
    * Alice will pay 10,000 WJT as premium to Bob.
    * Alice will lock BTC for 48 hours.
    * Bob will lock WJT for 24 hours.
    * The protocol will start at particular time T.
2.  Alice generates a preimage+hash.
3.  Alice pays 1 BTC to a HTLC with hashlock going to Bob and timelocked at T+48 going to Alice.
4.  Alice presents above UTXO to Bob.
5.  Alice reveals the WJT UTXOs to be spent to pay for the 10,000 WJT premium to Bob.
6.  Alice and Bob generate, but do not sign, a funding transaction spending some of Bob coin as well as the premium coin from Alice.
    This pays out to 1,010,000 WJT (the value plus the premium) HTLC.
    The hashlock branch requires not just Alice, but also Bob.
    The timelock branch at T+24 just requires Bob.
7.  Alice and Bob generate the claim transaction.
    This spends the funding transaction HTLC output and pays out 1,000,000 WJT to Alice and 10,000 WJT to Bob.
8.  Alice and Bob sign the claim transaction.
    This does not allow Bob to make the claim transaction valid by itself as it still requires the preimage, and at this point, only Alice knows the preimage.
9.  Alice and Bob sign the funding transaction and broadcast it.
10.  Alice completes the claim transaction by adding the preimage and broadcasts it.
11.  Bob sees the preimage on the WJT blockchain and claims the BTC using the preimage.

If Bob stalls at step 8, then there is no way to claim the premium, as the funding transaction (which is the source of the claim transaction that pays the premium) is not valid yet.
After step 9, Bob has been forced to participate and cannot back out and claim the premium only.

This is basically this proposal: https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-January/001798.html


In addition, if you really want the premium to be denominated in BTC, I have a more complicated ritual: https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-January/001795.html
The described ritual only sets up the American Call Option, but by the time it has been set up, the premium has been paid already and the rest of the execution is claiming the American Call Option.


Thus, I believe there is no need to add `OP_LOOKUP_OUTPUT`.

Regards,
ZmnSCPxj


  reply	other threads:[~2019-08-09 14:29 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-09 13:35 [bitcoin-dev] OP_LOOKUP_OUTPUT proposal Haoyu LIN
2019-08-09 14:29 ` ZmnSCPxj [this message]
2019-08-10  5:46   ` Runchao Han
     [not found]   ` <ADA03200-1EED-4EAD-B320-3F2034F00954@monash.edu>
2019-08-10 12:50     ` ZmnSCPxj
2019-08-10 13:01       ` Runchao Han
2019-08-12  3:19         ` Runchao Han
2019-08-12  8:05           ` ZmnSCPxj
2019-08-12  9:22             ` Lloyd Fournier
2019-08-12 10:02             ` Runchao Han
2019-08-12 13:15               ` ZmnSCPxj

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='qBFyALsLsiKkSXsssc3T7dvwrXtzBXmAAmTFWAt04AkrFwbWnoCdGIjoyqMZGnJa5Y4CX5mi0-1uWtuzPT5Swr3txw6NthtkOUdzCOlyfXo=@protonmail.com' \
    --to=zmnscpxj@protonmail.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=chris.haoyul@gmail.com \
    --cc=jiangshan.yu@monash.edu \
    --cc=runchao.han@monash.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox