Good morning Zac,
> Hi ZmnSCPxj, > > Thank you for your insightful response. > > Perhaps I should take a step back and take a strictly functional angle. > Perhaps the list could help me to establish whether the proposed > functionality is: > > Desirable; > Not already possible; > Feasible to implement. > > The proposed functionality is as follows: > > The ability to control some coin with two private keys (or two sets of > private keys) such that spending is limited over time for one private key > (i.e., it is for instance not possible to spend all coin in a single > transaction) while spending is unrestricted for the other private key (no > limits apply). No limits must apply to coin transacted to a third party. > > Also, it must be possible never having to bring the unrestricted private key > online unless more than the limit imposed on the restrictive private key is > desired to be spent. > > Less generally, taking the perspective of a hodler: the user must be able to > keep one key offline and one key online. The offline key allows unrestricted > spending, the online key is limited in how much it is allowed to spend over > time. > > Furthermore, the spending limit must be intuitive. Best candidate I believe > would be a maximum spend per some fixed number of blocks. For instance, the > restrictive key may allow a maximum of 100k sats per any window of 144 > blocks. Ofcourse the user must be able to set these parameters freely. My proposal does not *quite* implement a window. However, that is because it uses `nLockTime`. With the use of `nSequence` in relative-locktime mode, however, it *does* implement a window, sort of. More specifically, it implements a timeout on spending --- if you spend using a presigned transaction (which creates an unencumbered specific-valued TXO that can be arbitrarily spent with your online keyset) then you cannot get another "batch" of funds until the `nSequence` relative locktime passes. However, this *does* implement a window that limits a maximum value spendable per any window of the relative timelock you select. The disadvantage is that `nSequence` use is a lot more obvious and discernible than `nLockTime` use. Many wallets today use non-zero `nLockTime` for anti-fee-sniping, and that is a good cover for `nLockTime` transactions. I believe Dave Harding proposed that wallets should also use, at random, (say 50-50) `nSequence`-in-relative-locktime-mode as an alternate anti-fee-sniping mechanism. This alternate anti-fee-sniping would help cover `nSequence` use. Note that my proposal does impose a maximum limit on the number of windows. With `nSequence`-in-relative-locktime-mode the limit is the number of times that the online keyset can spend. After spending that many windows, the offline keyset has to be put back online to generate a new set of transactions. It has the massive massive advantage that you can implement it today without any consensus change, and I think you can expect that consensus change will take a LONG time (xref SegWit, Taproot). Certainly the functionality is desirable. But it seems it can be implemented with Bitcoin today. Regards, ZmnSCPxj _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev