Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-23 Thread ZmnSCPxj via bitcoin-dev 
Good morning Antoine,

> TLUV doesn't assume cooperation among the construction participants once the 
> Taproot tree is setup. EVICT assumes cooperation among the remaining 
> construction participants to satisfy the final CHECKSIG.
>
> So that would be a feature difference between TLUV and EVICT, I think ?

`OP_TLUV` leaves the transaction output with the remaining Tapleaves intact, 
and, optionally, with a point subtracted from Taproot internal pubkey.

In order to *truly* revive the construct, you need a separate transaction that 
spends that change output, and puts it back into a new construct.

See: 
https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-February/003479.html
I describe how this works.

That `OP_EVICT` does another `CHECKSIG` simply cuts through the separate 
transaction that `OP_TLUV` would require in order to revive the construct.

> > I thought it was part of Taproot?
>
> I checked BIP342 again, *as far as I can read* (unreliable process), it 
> sounds like it was proposed by BIP118 only.

*shrug* Okay!

> > A single participant withdrawing their funds unilaterally can do so by 
> > evicting everyone else (and paying for those evictions, as sort of a 
> > "nuisance fee").
>
> I see, I'm more interested in the property of a single participant 
> withdrawing their funds, without affecting the stability of the off-chain 
> pool and without cooperation with other users. This is currently a 
> restriction of the channel factories fault-tolerance. If one channel goes 
> on-chain, all the outputs are published.

See also: 
https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-February/003479.html

Generally, the reason for a channel to go *onchain*, instead of just being 
removed inside the channel factory and its funds redistributed elsewhere, is 
that an HTLC/PTLC is about to time out.
The blockchain is really the only entity that can reliably enforce timeouts.

And, from the above link:

> * If a channel has an HTLC/PTLC time out:
>   * If the participant to whom the HTLC/PTLC is offered is
> offline, that may very well be a signal that it is unlikely
> to come online soon.
> The participant has strong incentives to come online before
> the channel is forcibly closed due to the HTLC/PTLC timeout,
> so if it is not coming online, something is very wrong with
> that participant and we should really evict the participant.
>   * If the participant to whom the HTLC/PTLC is offered is
> online, then it is not behaving properly and we should
> really evict the participant.

Note the term "evict" as well --- the remaining participants that are 
presumably still behaving correctly (i.e. not letting HTLC/PTLC time out) evict 
the participants that *are*, and that is what `OP_EVICT` does, as its name 
suggests.

Indeed, I came up with `OP_EVICT` *after* musing the above link.

Regards,
ZmnSCPxj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-21 Thread Antoine Riard via bitcoin-dev 
Hi Zeeman,

> To reveal a single participant in a TLUV-based CoinPool, you need to
reveal O(log N) hashes.
> It is the O(log N) space consumption I want to avoid with `OP_EVICT`, and
I believe the reason for that O(log N) revelation is due precisely to the
arbitrary but necessary ordering.

AFAIU the TLUV proposal, it removes the constraint in the *outputs
publication ordering*, once they have all been generated. The tree update
mechanism ensure that whatever the order of dependency :
- the spend path can't be replayed because the user leaf is removed
- the key path can be re-used by remaining participant because the
withdrawing user point is removed

However, I agree that TLUV enforces a constraint in the *spends path
ordering* for the reason you raise.

I think `OP_EVICT` also removes the constraint in the *outputs publication
ordering*. AFAIU, opcode semantics you can mark as indicated any subset of
them. Further, it also solves the *spends paths ordering* as you don't need
to reveal O(log N) hashes anymore.

However, I don't think it's solving the *outputs publication ordering*
issues with the same non-cooperative property of TLUV. TLUV doesn't assume
cooperation among the construction participants once the Taproot tree is
setup. EVICT assumes cooperation among the remaining construction
participants to satisfy the final CHECKSIG.

So that would be a feature difference between TLUV and EVICT, I think ?

> I thought it was part of Taproot?

I checked BIP342 again, *as far as I can read* (unreliable process), it
sounds like it was proposed by BIP118 only.

> No, I considered onchain fees as the only mechanism to avoid eviction
abuse.

I'm unsure about the game-theory robustness of such abuse deterrent
mechanisms... As the pool off-chain payments are cheaper, you might break
your counterparty economic predictions by forcing them to go on-chain
before fee spikes and thus increasing their liquidity operational costs. Or
evicting them as a time where the fees are lower than they have paid to
get-in.

> A single participant withdrawing their funds unilaterally can do so by
evicting everyone else (and paying for those evictions, as sort of a
"nuisance fee").

I see, I'm more interested in the property of a single participant
withdrawing their funds, without affecting the stability of the off-chain
pool and without cooperation with other users. This is currently a
restriction of the channel factories fault-tolerance. If one channel goes
on-chain, all the outputs are published.

Antoine

Le ven. 18 févr. 2022 à 18:39, ZmnSCPxj  a écrit :

> Good morning ariard,
>
>
> > > A statechain is really just a CoinPool hosted inside a
> > >  Decker-Wattenhofer or Decker-Russell-Osuntokun construction.
> >
> > Note, to the best of my knowledge, how to use LN-Penalty in the context
> of multi-party construction is still an unsolved issue. If an invalidated
> state is published on-chain, how do you guarantee that the punished output
> value is distributed "fairly" among the "honest" set of users ? At least
> > where fairness is defined as a reasonable proportion of the balances
> they owned in the latest state.
>
> LN-Penalty I believe is what I call Poon-Dryja?
>
> Both Decker-Wattenhofer (has no common colloquial name) and
> Decker-Russell-Osuntokun ("eltoo") are safe with N > 2.
> The former has bad locktime tradeoffs in the unilateral close case, and
> the latter requires `SIGHASH_NOINPUT`/`SIGHASH_ANYPREVOUT`.
>
>
> > > In principle, a set of promised outputs, if the owners of those
> > > outputs are peers, does not have *any* inherent order.
> > > Thus, I started to think about a commitment scheme that does not
> > > impose any ordering during commitment.
> >
> > I think we should dissociate a) *outputs publication ordering* from the
> b) *spends paths ordering* itself. Even if to each spend path a output
> publication is attached, the ordering constraint might not present the same
> complexity.
> >
> > Under this distinction, are you sure that TLUV imposes an ordering on
> the output publication ?
>
> Yes, because TLUV is based on tapleaf revelation.
> Each participant gets its own unique tapleaf that lets that participant
> get evicted.
>
> In Taproot, the recommendation is to sort the hashes of each tapleaf
> before arranging them into a MAST that the Taproot address then commits to.
> This sort-by-hash *is* the arbitrary ordering I refer to when I say that
> TLUV imposes an arbitrary ordering.
> (actually the only requirement is that pairs of scripts are
> sorted-by-hash, but it is just easier to sort the whole array by hash.)
>
> To reveal a single participant in a TLUV-based CoinPool, you need to
> reveal O(log N) hashes.
> It is the O(log N) space consumption I want to avoid with `OP_EVICT`, and
> I believe the reason for that O(log N) revelation is due precisely to the
> arbitrary but necessary ordering.
>
> > > With `OP_TLUV`, however, it is possible to create an "N-of-N With
> > > Eviction" construction.
> >

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-19 Thread Billy Tetrud via bitcoin-dev 
Thanks for the clarification ZmnSCPxj!

On Sat, Feb 19, 2022 at 5:41 AM ZmnSCPxj  wrote:

> Good morning Billy,
>
> > > "fully" punitive channels also make large value channels more
> dangerous from the perspective of bugs causing old states to be published
> >
> > Wouldn't it be ideal to have the penalty be to pay for a single extra
> transaction fee? That way there is a penalty so cheating attempts aren't
> free (for someone who wants to close a channel anyway) and yet a single fee
> isn't going to be much of a concern in the accidental publishing case. It
> still perplexes me why eltoo chose no penalty at all vs a small penalty
> like that.
>
> Nothing in the Decker-Russell-Osunstokun paper *prevents* that --- you
> could continue to retain per-participant versions of update+state
> transactions (congruent to the per-participant commitment transactions of
> Poon-Dryja) and have each participant hold a version that deducts the fee
> from their main owned funds.
> The Decker-Russell-Osuntokun paper simply focuses on the mechanism by
> itself without regard to fees, on the understanding that the reader already
> knows fees exist and need to be paid.
>
> Regards,
> ZmnSCPxj
>
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-19 Thread ZmnSCPxj via bitcoin-dev 
Good morning Billy,

> > "fully" punitive channels also make large value channels more dangerous 
> >from the perspective of bugs causing old states to be published
>
> Wouldn't it be ideal to have the penalty be to pay for a single extra 
> transaction fee? That way there is a penalty so cheating attempts aren't free 
> (for someone who wants to close a channel anyway) and yet a single fee isn't 
> going to be much of a concern in the accidental publishing case. It still 
> perplexes me why eltoo chose no penalty at all vs a small penalty like that.

Nothing in the Decker-Russell-Osunstokun paper *prevents* that --- you could 
continue to retain per-participant versions of update+state transactions 
(congruent to the per-participant commitment transactions of Poon-Dryja) and 
have each participant hold a version that deducts the fee from their main owned 
funds.
The Decker-Russell-Osuntokun paper simply focuses on the mechanism by itself 
without regard to fees, on the understanding that the reader already knows fees 
exist and need to be paid.

Regards,
ZmnSCPxj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-19 Thread Billy Tetrud via bitcoin-dev 
> "fully" punitive channels also make large value channels more dangerous
from the perspective of bugs causing old states to be published

Wouldn't it be ideal to have the penalty be to pay for a single extra
transaction fee? That way there is a penalty so cheating attempts aren't
free (for someone who wants to close a channel anyway) and yet a single fee
isn't going to be much of a concern in the accidental publishing case. It
still perplexes me why eltoo chose no penalty at all vs a small penalty
like that.

On Fri, Feb 18, 2022, 19:46 Greg Sanders via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> > One point of discomfort I have with Eltoo that I think is not
> universal, but is shared by some others, is that non-punitive channels may
> not be good for high-value channels as you do want, especially in a
> congested blockspace world, punishments to incentivize correct behavior
> (otherwise cheating may look like a free option).
>
> Without derailing the conversation too far, "fully" punitive channels also
> make large value channels more dangerous from the perspective of bugs
> causing old states to be published. High value channels you'll need to have
> very high uptime. If you're available, your counterparty is incentivized to
> do a mutual close to reduce fees and remove timelocks on outputs. I think
> these tradeoffs will result in both types existing for N==2.
>
> On Sat, Feb 19, 2022 at 8:56 AM Jeremy Rubin via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> This is a fascinating post and I'm still chewing on it.
>>
>> Chiming in with two points:
>>
>> Point 1, note with respect to evictions, revivals, CTV, TLUV:
>>
>> CTV enables 1 person to be evicted in O(log N) or one person to leave in
>> O(log N). TLUV enables 1 person to leave in O(1) O(log N) transactions, but
>> evictions take (AFAICT?) O(N) O(log N) transactions because the un-live
>> party stays in the pool. Hence OP_EVICT helps also make it so you can kick
>> someone out, rather than all having to leave, which is an improvement.
>>
>> CTV rejoins work as follows:
>>
>> suppose you have a pool with 1 failure, you need to do log N txns to
>> evict the failure, which creates R * log_R(N) outputs, which can then do a
>> transaction to rejoin.
>>
>> For example, suppose I had 64 people in a radix 4 tree. you'd have at the
>> top level 4 groups of 16, then 4 groups of 4 people, and then 1 to 4 txns.
>> Kicking 1 person out would make you do 3 txns, and create 12 outputs total.
>> A transaction spending the 11 outputs that are live would capture 63 people
>> back into the tree, and with CISA would not be terribly expensive. To be a
>> bit more economical, you might prefer to just join the 3 outputs with 16
>> people in it, and yield 48 people in one pool. Alternatively, you can
>> lazily re-join if fees make it worth it/piggybacking another transaction,
>> or operate independently or try to find new, better, peers.
>>
>> Overall this is the type of application that necessitates *exact* byte
>> counting. Oftentimes things with CTV seem inefficient, but when you crunch
>> the numbers it turns out not to be so terrible. OP_EVICT seems promising in
>> this regard compared to TLUV or accumulators.
>>
>> Another option is to randomize the CTV trees with multiple outputs per
>> party (radix Q), then you need to do Q times the evictions, but you end up
>> with sub-pools that contain more people/fractional liquidity (this might
>> happen naturally if CTV Pools have channels in them, so it's good to model).
>>
>>
>> Point 2, on Eltoo:
>>
>> One point of discomfort I have with Eltoo that I think is not universal,
>> but is shared by some others, is that non-punitive channels may not be good
>> for high-value channels as you do want, especially in a congested
>> blockspace world, punishments to incentivize correct behavior (otherwise
>> cheating may look like a free option).
>>
>> Thus I'm reluctant to fully embrace designs which do not permit nested
>> traditional punitive channels in favor of Eltoo, when Eltoo might not have
>> product-market-fit for higher valued channels.
>>
>> If someone had a punitive-eltoo variant that would ameliorate this
>> concern almost entirely.
>>
>> Cheers,
>>
>> Jeremy
>>
>>
>>
>> --
>> @JeremyRubin 
>>
>> On Fri, Feb 18, 2022 at 3:40 PM ZmnSCPxj via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> Good morning ariard,
>>>
>>>
>>> > > A statechain is really just a CoinPool hosted inside a
>>> > >  Decker-Wattenhofer or Decker-Russell-Osuntokun construction.
>>> >
>>> > Note, to the best of my knowledge, how to use LN-Penalty in the
>>> context of multi-party construction is still an unsolved issue. If an
>>> invalidated state is published on-chain, how do you guarantee that the
>>> punished output value is distributed "fairly" among the "honest" set of
>>> users ? At least
>>> > where fairness is defined as a reasonable proportion of

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-18 Thread Greg Sanders via bitcoin-dev 
> One point of discomfort I have with Eltoo that I think is not universal,
but is shared by some others, is that non-punitive channels may not be good
for high-value channels as you do want, especially in a congested
blockspace world, punishments to incentivize correct behavior (otherwise
cheating may look like a free option).

Without derailing the conversation too far, "fully" punitive channels also
make large value channels more dangerous from the perspective of bugs
causing old states to be published. High value channels you'll need to have
very high uptime. If you're available, your counterparty is incentivized to
do a mutual close to reduce fees and remove timelocks on outputs. I think
these tradeoffs will result in both types existing for N==2.

On Sat, Feb 19, 2022 at 8:56 AM Jeremy Rubin via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> This is a fascinating post and I'm still chewing on it.
>
> Chiming in with two points:
>
> Point 1, note with respect to evictions, revivals, CTV, TLUV:
>
> CTV enables 1 person to be evicted in O(log N) or one person to leave in
> O(log N). TLUV enables 1 person to leave in O(1) O(log N) transactions, but
> evictions take (AFAICT?) O(N) O(log N) transactions because the un-live
> party stays in the pool. Hence OP_EVICT helps also make it so you can kick
> someone out, rather than all having to leave, which is an improvement.
>
> CTV rejoins work as follows:
>
> suppose you have a pool with 1 failure, you need to do log N txns to evict
> the failure, which creates R * log_R(N) outputs, which can then do a
> transaction to rejoin.
>
> For example, suppose I had 64 people in a radix 4 tree. you'd have at the
> top level 4 groups of 16, then 4 groups of 4 people, and then 1 to 4 txns.
> Kicking 1 person out would make you do 3 txns, and create 12 outputs total.
> A transaction spending the 11 outputs that are live would capture 63 people
> back into the tree, and with CISA would not be terribly expensive. To be a
> bit more economical, you might prefer to just join the 3 outputs with 16
> people in it, and yield 48 people in one pool. Alternatively, you can
> lazily re-join if fees make it worth it/piggybacking another transaction,
> or operate independently or try to find new, better, peers.
>
> Overall this is the type of application that necessitates *exact* byte
> counting. Oftentimes things with CTV seem inefficient, but when you crunch
> the numbers it turns out not to be so terrible. OP_EVICT seems promising in
> this regard compared to TLUV or accumulators.
>
> Another option is to randomize the CTV trees with multiple outputs per
> party (radix Q), then you need to do Q times the evictions, but you end up
> with sub-pools that contain more people/fractional liquidity (this might
> happen naturally if CTV Pools have channels in them, so it's good to model).
>
>
> Point 2, on Eltoo:
>
> One point of discomfort I have with Eltoo that I think is not universal,
> but is shared by some others, is that non-punitive channels may not be good
> for high-value channels as you do want, especially in a congested
> blockspace world, punishments to incentivize correct behavior (otherwise
> cheating may look like a free option).
>
> Thus I'm reluctant to fully embrace designs which do not permit nested
> traditional punitive channels in favor of Eltoo, when Eltoo might not have
> product-market-fit for higher valued channels.
>
> If someone had a punitive-eltoo variant that would ameliorate this concern
> almost entirely.
>
> Cheers,
>
> Jeremy
>
>
>
> --
> @JeremyRubin 
>
> On Fri, Feb 18, 2022 at 3:40 PM ZmnSCPxj via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Good morning ariard,
>>
>>
>> > > A statechain is really just a CoinPool hosted inside a
>> > >  Decker-Wattenhofer or Decker-Russell-Osuntokun construction.
>> >
>> > Note, to the best of my knowledge, how to use LN-Penalty in the context
>> of multi-party construction is still an unsolved issue. If an invalidated
>> state is published on-chain, how do you guarantee that the punished output
>> value is distributed "fairly" among the "honest" set of users ? At least
>> > where fairness is defined as a reasonable proportion of the balances
>> they owned in the latest state.
>>
>> LN-Penalty I believe is what I call Poon-Dryja?
>>
>> Both Decker-Wattenhofer (has no common colloquial name) and
>> Decker-Russell-Osuntokun ("eltoo") are safe with N > 2.
>> The former has bad locktime tradeoffs in the unilateral close case, and
>> the latter requires `SIGHASH_NOINPUT`/`SIGHASH_ANYPREVOUT`.
>>
>>
>> > > In principle, a set of promised outputs, if the owners of those
>> > > outputs are peers, does not have *any* inherent order.
>> > > Thus, I started to think about a commitment scheme that does not
>> > > impose any ordering during commitment.
>> >
>> > I think we should dissociate a) *outputs publication ordering* from the
>> b) *spends paths

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-18 Thread ZmnSCPxj via bitcoin-dev 
Good morning Jeremy,

> This is a fascinating post and I'm still chewing on it.
>
> Chiming in with two points:
>
> Point 1, note with respect to evictions, revivals, CTV, TLUV:
>
> CTV enables 1 person to be evicted in O(log N) or one person to leave in 
> O(log N). TLUV enables 1 person to leave in O(1) O(log N) transactions, but 
> evictions take (AFAICT?) O(N) O(log N) transactions because the un-live party 
> stays in the pool. Hence OP_EVICT helps also make it so you can kick someone 
> out, rather than all having to leave, which is an improvement.
>
> CTV rejoins work as follows:
>
> suppose you have a pool with 1 failure, you need to do log N txns to evict 
> the failure, which creates R * log_R(N) outputs, which can then do a 
> transaction to rejoin.
>
> For example, suppose I had 64 people in a radix 4 tree. you'd have at the top 
> level 4 groups of 16, then 4 groups of 4 people, and then 1 to 4 txns. 
> Kicking 1 person out would make you do 3 txns, and create 12 outputs total. A 
> transaction spending the 11 outputs that are live would capture 63 people 
> back into the tree, and with CISA would not be terribly expensive. To be a 
> bit more economical, you might prefer to just join the 3 outputs with 16 
> people in it, and yield 48 people in one pool. Alternatively, you can lazily 
> re-join if fees make it worth it/piggybacking another transaction, or operate 
> independently or try to find new, better, peers.
>
> Overall this is the type of application that necessitates *exact* byte 
> counting. Oftentimes things with CTV seem inefficient, but when you crunch 
> the numbers it turns out not to be so terrible. OP_EVICT seems promising in 
> this regard compared to TLUV or accumulators.
>
> Another option is to randomize the CTV trees with multiple outputs per party 
> (radix Q), then you need to do Q times the evictions, but you end up with 
> sub-pools that contain more people/fractional liquidity (this might happen 
> naturally if CTV Pools have channels in them, so it's good to model).

Do note that a weakness of CTV is that you *have to* split up the CoinPool into 
many smaller pools, and re-merging them requires waiting for onchain 
confirmation.
This overall means you have no real incentive to revive the original CoinPool 
minus evicted parties.
`OP_EVICT` lets the CoinPool revival be made into the same transaction that 
performs the evict.

> Point 2, on Eltoo:
>
> One point of discomfort I have with Eltoo that I think is not universal, but 
> is shared by some others, is that non-punitive channels may not be good for 
> high-value channels as you do want, especially in a congested blockspace 
> world, punishments to incentivize correct behavior (otherwise cheating may 
> look like a free option).
>
> Thus I'm reluctant to fully embrace designs which do not permit nested 
> traditional punitive channels in favor of Eltoo, when Eltoo might not have 
> product-market-fit for higher valued channels.
>
> If someone had a punitive-eltoo variant that would ameliorate this concern 
> almost entirely.

Unfortunately, it seems the way to any kind of N > 2 construction *with* 
penalty would require bonds, such as the recent PathCoin idea (which is an N > 
2 construction *with* penalty, and is definitely offchain for much of its 
operation).

Having a Decker-Russell-Osuntokun "factory" layer that hosts multiple 
Poon-Dryja channels is not quite a solution; if old state on 
Decker-Russell-Osuntokun layer pushes through, then its obsolete Poon-Dryja 
channels will have all states invalid and unclaimable, but in case of Sybil 
where some participants are sockpuppets, it would still be possible for a thief 
to claim the funds from an "invalidated" Poon-Dryja channel if that channel is 
with a sockpuppet.


Regards,
ZmnSCPxj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-18 Thread Jeremy Rubin via bitcoin-dev 
This is a fascinating post and I'm still chewing on it.

Chiming in with two points:

Point 1, note with respect to evictions, revivals, CTV, TLUV:

CTV enables 1 person to be evicted in O(log N) or one person to leave in
O(log N). TLUV enables 1 person to leave in O(1) O(log N) transactions, but
evictions take (AFAICT?) O(N) O(log N) transactions because the un-live
party stays in the pool. Hence OP_EVICT helps also make it so you can kick
someone out, rather than all having to leave, which is an improvement.

CTV rejoins work as follows:

suppose you have a pool with 1 failure, you need to do log N txns to evict
the failure, which creates R * log_R(N) outputs, which can then do a
transaction to rejoin.

For example, suppose I had 64 people in a radix 4 tree. you'd have at the
top level 4 groups of 16, then 4 groups of 4 people, and then 1 to 4 txns.
Kicking 1 person out would make you do 3 txns, and create 12 outputs total.
A transaction spending the 11 outputs that are live would capture 63 people
back into the tree, and with CISA would not be terribly expensive. To be a
bit more economical, you might prefer to just join the 3 outputs with 16
people in it, and yield 48 people in one pool. Alternatively, you can
lazily re-join if fees make it worth it/piggybacking another transaction,
or operate independently or try to find new, better, peers.

Overall this is the type of application that necessitates *exact* byte
counting. Oftentimes things with CTV seem inefficient, but when you crunch
the numbers it turns out not to be so terrible. OP_EVICT seems promising in
this regard compared to TLUV or accumulators.

Another option is to randomize the CTV trees with multiple outputs per
party (radix Q), then you need to do Q times the evictions, but you end up
with sub-pools that contain more people/fractional liquidity (this might
happen naturally if CTV Pools have channels in them, so it's good to model).


Point 2, on Eltoo:

One point of discomfort I have with Eltoo that I think is not universal,
but is shared by some others, is that non-punitive channels may not be good
for high-value channels as you do want, especially in a congested
blockspace world, punishments to incentivize correct behavior (otherwise
cheating may look like a free option).

Thus I'm reluctant to fully embrace designs which do not permit nested
traditional punitive channels in favor of Eltoo, when Eltoo might not have
product-market-fit for higher valued channels.

If someone had a punitive-eltoo variant that would ameliorate this concern
almost entirely.

Cheers,

Jeremy



--
@JeremyRubin 

On Fri, Feb 18, 2022 at 3:40 PM ZmnSCPxj via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Good morning ariard,
>
>
> > > A statechain is really just a CoinPool hosted inside a
> > >  Decker-Wattenhofer or Decker-Russell-Osuntokun construction.
> >
> > Note, to the best of my knowledge, how to use LN-Penalty in the context
> of multi-party construction is still an unsolved issue. If an invalidated
> state is published on-chain, how do you guarantee that the punished output
> value is distributed "fairly" among the "honest" set of users ? At least
> > where fairness is defined as a reasonable proportion of the balances
> they owned in the latest state.
>
> LN-Penalty I believe is what I call Poon-Dryja?
>
> Both Decker-Wattenhofer (has no common colloquial name) and
> Decker-Russell-Osuntokun ("eltoo") are safe with N > 2.
> The former has bad locktime tradeoffs in the unilateral close case, and
> the latter requires `SIGHASH_NOINPUT`/`SIGHASH_ANYPREVOUT`.
>
>
> > > In principle, a set of promised outputs, if the owners of those
> > > outputs are peers, does not have *any* inherent order.
> > > Thus, I started to think about a commitment scheme that does not
> > > impose any ordering during commitment.
> >
> > I think we should dissociate a) *outputs publication ordering* from the
> b) *spends paths ordering* itself. Even if to each spend path a output
> publication is attached, the ordering constraint might not present the same
> complexity.
> >
> > Under this distinction, are you sure that TLUV imposes an ordering on
> the output publication ?
>
> Yes, because TLUV is based on tapleaf revelation.
> Each participant gets its own unique tapleaf that lets that participant
> get evicted.
>
> In Taproot, the recommendation is to sort the hashes of each tapleaf
> before arranging them into a MAST that the Taproot address then commits to.
> This sort-by-hash *is* the arbitrary ordering I refer to when I say that
> TLUV imposes an arbitrary ordering.
> (actually the only requirement is that pairs of scripts are
> sorted-by-hash, but it is just easier to sort the whole array by hash.)
>
> To reveal a single participant in a TLUV-based CoinPool, you need to
> reveal O(log N) hashes.
> It is the O(log N) space consumption I want to avoid with `OP_EVICT`, and
> I believe the reason for that O(log N) revelation

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-18 Thread ZmnSCPxj via bitcoin-dev 
Good morning ariard,


> > A statechain is really just a CoinPool hosted inside a
> >  Decker-Wattenhofer or Decker-Russell-Osuntokun construction.
>
> Note, to the best of my knowledge, how to use LN-Penalty in the context of 
> multi-party construction is still an unsolved issue. If an invalidated state 
> is published on-chain, how do you guarantee that the punished output value is 
> distributed "fairly" among the "honest" set of users ? At least
> where fairness is defined as a reasonable proportion of the balances they 
> owned in the latest state.

LN-Penalty I believe is what I call Poon-Dryja?

Both Decker-Wattenhofer (has no common colloquial name) and 
Decker-Russell-Osuntokun ("eltoo") are safe with N > 2.
The former has bad locktime tradeoffs in the unilateral close case, and the 
latter requires `SIGHASH_NOINPUT`/`SIGHASH_ANYPREVOUT`.


> > In principle, a set of promised outputs, if the owners of those
> > outputs are peers, does not have *any* inherent order.
> > Thus, I started to think about a commitment scheme that does not
> > impose any ordering during commitment.
>
> I think we should dissociate a) *outputs publication ordering* from the b) 
> *spends paths ordering* itself. Even if to each spend path a output 
> publication is attached, the ordering constraint might not present the same 
> complexity.
>
> Under this distinction, are you sure that TLUV imposes an ordering on the 
> output publication ?

Yes, because TLUV is based on tapleaf revelation.
Each participant gets its own unique tapleaf that lets that participant get 
evicted.

In Taproot, the recommendation is to sort the hashes of each tapleaf before 
arranging them into a MAST that the Taproot address then commits to.
This sort-by-hash *is* the arbitrary ordering I refer to when I say that TLUV 
imposes an arbitrary ordering.
(actually the only requirement is that pairs of scripts are sorted-by-hash, but 
it is just easier to sort the whole array by hash.)

To reveal a single participant in a TLUV-based CoinPool, you need to reveal 
O(log N) hashes.
It is the O(log N) space consumption I want to avoid with `OP_EVICT`, and I 
believe the reason for that O(log N) revelation is due precisely to the 
arbitrary but necessary ordering.

> > With `OP_TLUV`, however, it is possible to create an "N-of-N With
> > Eviction" construction.
> > When a participant in the N-of-N is offline, but the remaining
> > participants want to advance the state of the construction, they
> > instead evict the offline participant, creating a smaller N-of-N
> > where *all* participants are online, and continue operating.
>
> I think we should dissociate two types of pool spends : a) eviction by the 
> pool unanimity in case of irresponsive participants and b) unilateral 
> withdrawal by a participant because of the liquidity allocation policy. I 
> think the distinction is worthy, as the pool participant should be stable and 
> the eviction not abused.
>
> I'm not sure if TLUV enables b), at least without transforming the unilateral 
> withdrawal into an eviction. To ensure the TLUV operation is correct  (spent 
> leaf is removed, withdrawing participant point removed, etc), the script 
> content must be inspected by *all* the participant. However, I believe
> knowledge of this content effectively allows you to play it out against the 
> pool at any time ? It's likely solvable at the price of a CHECKSIG.

Indeed, that distinction is important.
`OP_TLUV` (and `OP_EVICT`, which is just a redesigned `OP_TLUV`) supports (a) 
but not (b).

> `OP_EVICT`
> --
>
> >  * If it is `1` that simply means "use the Taproot internal
> >    pubkey", as is usual for `OP_CHECKSIG`.
>
> IIUC, this assumes the deployment of BIP118, where if the  public key is a 
> single byte 0x01, the internal pubkey is used
> for verification.

I thought it was part of Taproot?

>
> >  * Output indices must not be duplicated, and indicated
> >    outputs must be SegWit v1 ("Taproot") outputs.
>
> I think public key duplication must not be verified. If a duplicated public 
> key is present, the point is subtracted twice from the internal pubkey and 
> therefore the aggregated
> key remains unknown ? So it sounds to me safe against replay attacks.

Ah, right.

> >  * The public key is the input point (i.e. stack top)
> >    **MINUS** all the public keys of the indicated outputs.
>
> Can you prevent eviction abuse where one counterparty threatens to evict 
> everyone as all the output signatures are known among participants and free 
> to sum ? (at least not considering fees)

No, I considered onchain fees as the only mechanism to avoid eviction abuse.
The individual-evict signatures commit to fixed quantities.
The remaining change is then the only fund that can pay for onchain fees, so a 
single party evicting everyone else has to pay for the eviction of everyone 
else.


> > Suppose however that B is offline.
> > Then A, C, and D then decide to evict B.
> > To do so, they create

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-18 Thread Antoine Riard via bitcoin-dev 
Hi Zeeman,

> After some thinking, I realized that it was the use of the
> Merkle tree to represent the promised-but-offchain outputs of
> the CoinPool that lead to the O(log N) space usage.
> I then started thinking of alternative representations of
> sets of promised outputs, which would not require O(log N)
> revelations by avoiding the tree structure.

In the context of payment pools, I think the O(log N) revelations can be
avoided already today by pre-signing all the combinations of
promised-but-offchain outputs publications order. However, this approach
presents a factorial complexity and appears as an intractable problem for
high-number of pool users.

I think this factorial complexity issue is the primary problem to enable
scalable payment pools. This issue appears to be solvable by introducing an
accumulator at the script interpreter level. IMO, the efficiency of the
accumulated set representations comes as a second-order issue.

In the comparison of different covenant primitives, I believe we should ask
first if the flexibility offered is enough to solve the factorial
complexity. I would say performance trade-offs analysis can only be
conducted in logically equivalent primitives.

> A statechain is really just a CoinPool hosted inside a
>  Decker-Wattenhofer or Decker-Russell-Osuntokun construction.

Note, to the best of my knowledge, how to use LN-Penalty in the context of
multi-party construction is still an unsolved issue. If an invalidated
state is published on-chain, how do you guarantee that the punished output
value is distributed "fairly" among the "honest" set of users ? At least
where fairness is defined as a reasonable proportion of the balances they
owned in the latest state.

> (To Bitcoin Cashers: this is not an IOU, this is *committed* and
> can be enforced onchain, that is enough to threaten your offchain
> counterparties into behaving correctly.
> They cannot gain anything by denying the outputs they promised,
> you can always drop it onchain and have it enforced, thus it is
> not just merely an IOU, as IOUs are not necessarily enforceable,
> but this mechanism *would* be.
> Blockchain as judge+jury+executioner, not noisy marketplace.)

To be fair towards the Bitcoin Cashers, I think there are still limitations
of LN, we have not solved yet. Especially, w.r.t to mass exits from the
off-chain layers to the chain, where the blocks would stay fulfilled longer
than the standard HTLC timelocks, at  a fee price point that the average
user can't buy... I'm not sure if we have outlawed the "bank runs" scenario
yet of LN.

I would say yes the Blockchain is a juge authority, but in the worst-case
we might be all in market competition to get enforcement.

> In principle, a set of promised outputs, if the owners of those
> outputs are peers, does not have *any* inherent order.
> Thus, I started to think about a commitment scheme that does not
> impose any ordering during commitment.

I think we should dissociate a) *outputs publication ordering* from the b)
*spends paths ordering* itself. Even if to each spend path a output
publication is attached, the ordering constraint might not present the same
complexity.

Under this distinction, are you sure that TLUV imposes an ordering on the
output publication ?

> With `OP_TLUV`, however, it is possible to create an "N-of-N With
> Eviction" construction.
> When a participant in the N-of-N is offline, but the remaining
> participants want to advance the state of the construction, they
> instead evict the offline participant, creating a smaller N-of-N
> where *all* participants are online, and continue operating.

I think we should dissociate two types of pool spends : a) eviction by the
pool unanimity in case of irresponsive participants and b) unilateral
withdrawal by a participant because of the liquidity allocation policy. I
think the distinction is worthy, as the pool participant should be stable
and the eviction not abused.

I'm not sure if TLUV enables b), at least without transforming the
unilateral withdrawal into an eviction. To ensure the TLUV operation is
correct  (spent leaf is removed, withdrawing participant point removed,
etc), the script content must be inspected by *all* the participant.
However, I believe
knowledge of this content effectively allows you to play it out against the
pool at any time ? It's likely solvable at the price of a CHECKSIG.

`OP_EVICT`
--

>  * If it is `1` that simply means "use the Taproot internal
>pubkey", as is usual for `OP_CHECKSIG`.

IIUC, this assumes the deployment of BIP118, where if the  public key is a
single byte 0x01, the internal pubkey is used
for verification.

>  * Output indices must not be duplicated, and indicated
>outputs must be SegWit v1 ("Taproot") outputs.

I think public key duplication must not be verified. If a duplicated public
key is present, the point is subtracted twice from the internal pubkey and
therefore the aggregated
key remains unknown ? So it sounds

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-18 Thread ZmnSCPxj via bitcoin-dev 
Good morning Erik,

> > As I understand your counterproposal, it would require publishing one 
> > transaction per evicted participant.
>
> if you also pre-sign (N-2, N-3, etc), you can avoid this

It also increases the combinatorial explosion.

> > In addition, each participant has to store `N!` possible orderings in which 
> > participants can be evicted, as you cannot predict the future and cannot 
> > predict which partiicpants will go offline first.
>
> why would the ordering matter?  these are unordered pre commitments to move 
> funds, right?   you agree post the one that represents "everyone that's 
> offline"

Suppose `B` is offline first, then the remaining `A` `C` and `D` publish the 
eviction transaction that evicts only `B`.
What happens if `C` then goes offline?
We need to prepare for that case (and other cases where the participants go 
offline at arbitrary orders) and pre-sign a spend from the `ACD` set and evicts 
`C` as well, increasing combinatorial explosion.
And so on.

We *could* use multiple Tapleaves, of the form ` OP_CHECKSIG  
OP_CHECKSIG` for each participant.
Then the per-participant `` signature is signed with 
`SIGHASH_SINGLE|SIGHASH_ANYONECANPAY` and is pre-signed, while the remainder is 
signed by `` with default `SIGHASH_ALL`.
Then if one participant `B` is offline they can evict `B` and then the change 
is put into a new UTXO with a similar pre-signed scheme ` OP_CHECKSIG  
OP_CHECKSIG`.
This technique precludes pre-signing multiple evictions.

>
> > But yes, certainly that can work, just as pre-signed transactions can be 
> > used instead of `OP_CTV` 
>
> i don't see how multiple users can securely share a channel (allowing massive 
> additional scaling with lighting) without op_ctv

They can, they just pre-sign, like you pointed out.
The same technique works --- `OP_CTV` just avoids having ridiculous amounts of 
combinatorial explosion and just requires `O(log n)` per eviction.
Remember, this proposal can be used for channel factories just as well, as 
pointed out, so any objection to this proposal also applies to `OP_CTV`.



Regards,
ZmnSCPxj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-18 Thread Erik Aronesty via bitcoin-dev 
> As I understand your counterproposal, it would require publishing one
transaction per evicted participant.

if you also pre-sign (N-2, N-3, etc), you can avoid this

> In addition, each participant has to store `N!` possible orderings in
which participants can be evicted, as you cannot predict the future and
cannot predict which partiicpants will go offline first.

why would the ordering matter?  these are unordered pre commitments to move
funds, right?   you agree post the one that represents "everyone that's
offline"

> But yes, certainly that can work, just as pre-signed transactions can be
used instead of `OP_CTV`

i don't see how multiple users can securely share a channel (allowing
massive additional scaling with lighting) without op_ctv


On Fri, Feb 18, 2022 at 9:48 AM ZmnSCPxj  wrote:

> Good morning Erik,
>
> > hey, i read that whole thing, but i'm confused as to why it's necessary
> >
> > seems like N of N participants can pre-sign an on-chain transfer of
> funds for each participant to a new address that consists of (N-1) or (N-1)
> participants, of which each portion of the signature is encrypted for the
> same (N-1) participants
> >
> > then any (N-1) subset of participants can collude publish that
> transaction at any time to remove any other member from the pool
> >
> > all of the set up  (dkg for N-1), and transfer (encryption of partial
> sigs) is done offchain, and online with the participants that are online
>
>
> As I understand your counterproposal, it would require publishing one
> transaction per evicted participant.
> In addition, each participant has to store `N!` possible orderings in
> which participants can be evicted, as you cannot predict the future and
> cannot predict which partiicpants will go offline first.
>
> Finally, please see also the other thread on lightning-dev:
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-February/003479.html
> In this thread, I point out that if we ever use channel factories, it
> would be best if we treat each channel as a 2-of-2 that participates in an
> overall N-of-N (i.e. the N in the outer channel factory is composed of
> 2-of-2).
> For example, instead of the channel factory being signed by participants
> `A`, `B`, `C`, `D`, instead the channel factory is signed by `AB`, `AC`,
> `AD`, `BC`, `BD`, `CD`, so that if e.g. participant B needs to be evicted,
> we can evict the signers `AB`, `BC`, and `BD`.
> This means that for the channel factory case, already the number of
> "participants" is quadratic on the number of *actual* participants, which
> greatly increases the number of transactions that need to be evicted in
> one-eviction-at-a-time schemes (which is how I understand your proposal) as
> well as increasing the `N!` number of signatures that need to be exchanged
> during setup.
>
>
> But yes, certainly that can work, just as pre-signed transactions can be
> used instead of `OP_CTV` or pretty much any non-`OP_CHECKMULTISIG` opcode,
> xref Smart Contracts Unchained.
>
> Regards,
> ZmnSCPxj
>
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-18 Thread ZmnSCPxj via bitcoin-dev 
Good morning Erik,

> hey, i read that whole thing, but i'm confused as to why it's necessary
>
> seems like N of N participants can pre-sign an on-chain transfer of funds for 
> each participant to a new address that consists of (N-1) or (N-1) 
> participants, of which each portion of the signature is encrypted for the 
> same (N-1) participants
>
> then any (N-1) subset of participants can collude publish that transaction at 
> any time to remove any other member from the pool
>
> all of the set up  (dkg for N-1), and transfer (encryption of partial sigs) 
> is done offchain, and online with the participants that are online


As I understand your counterproposal, it would require publishing one 
transaction per evicted participant.
In addition, each participant has to store `N!` possible orderings in which 
participants can be evicted, as you cannot predict the future and cannot 
predict which partiicpants will go offline first.

Finally, please see also the other thread on lightning-dev: 
https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-February/003479.html
In this thread, I point out that if we ever use channel factories, it would be 
best if we treat each channel as a 2-of-2 that participates in an overall 
N-of-N (i.e. the N in the outer channel factory is composed of 2-of-2).
For example, instead of the channel factory being signed by participants `A`, 
`B`, `C`, `D`, instead the channel factory is signed by `AB`, `AC`, `AD`, `BC`, 
`BD`, `CD`, so that if e.g. participant B needs to be evicted, we can evict the 
signers `AB`, `BC`, and `BD`.
This means that for the channel factory case, already the number of 
"participants" is quadratic on the number of *actual* participants, which 
greatly increases the number of transactions that need to be evicted in 
one-eviction-at-a-time schemes (which is how I understand your proposal) as 
well as increasing the `N!` number of signatures that need to be exchanged 
during setup.


But yes, certainly that can work, just as pre-signed transactions can be used 
instead of `OP_CTV` or pretty much any non-`OP_CHECKMULTISIG` opcode, xref 
Smart Contracts Unchained.

Regards,
ZmnSCPxj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-18 Thread Erik Aronesty via bitcoin-dev 
hey, i read that whole thing, but i'm confused as to why it's necessary

seems like N of N participants can pre-sign an on-chain transfer of funds
for each participant to a new address that consists of (N-1) or (N-1)
participants, of which each portion of the signature is encrypted for the
same (N-1) participants

then any (N-1) subset of participants can collude publish that transaction
at any time to remove any other member from the pool

all of the set up  (dkg for N-1), and transfer (encryption of partial sigs)
is done offchain, and online with the participants that are online



On Thu, Feb 17, 2022 at 9:45 PM ZmnSCPxj via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`
> ==
>
> In late 2021, `aj` proposed `OP_TAPLEAFUPDATEVERIFY` in order to
> implement CoinPools and similar constructions.
>
> `Jeremy` observed that due to the use of Merkle tree paths, an
> `OP_TLUV` would require O(log N) hash revelations in order to
> reach a particular tapleaf, which, in the case of a CoinPool,
> would then delete itself after spending only a particular amount
> of funds.
> He then observed that `OP_CTV` trees also require a similar
> revelation of O(log N) transactions, but with the advantage that
> once revealed, the transactions can then be reused, thus overall
> the expectation is that the number of total bytes onchain is
> lesser compared to `OP_TLUV`.
>
> After some thinking, I realized that it was the use of the
> Merkle tree to represent the promised-but-offchain outputs of
> the CoinPool that lead to the O(log N) space usage.
> I then started thinking of alternative representations of
> sets of promised outputs, which would not require O(log N)
> revelations by avoiding the tree structure.
>
> Promised Outputs
> 
>
> Fundamentally, we can consider that a solution for scaling
> Bitcoin would be to *promise* that some output *can* appear
> onchain at some point in the future, without requiring that the
> output be shown onchain *right now*.
> Then, we can perform transactional cut-through on spends of the
> promised outputs, without requiring onchain activity ("offchain").
> Only if something Really Bad (TM) happens do we need to actually
> drop the latest set of promised outputs onchain, where it has to
> be verified globally by all fullnodes (and would thus incur scaling
> and privacy costs).
>
> As an example of the above paradigm, consider the Lightning
> Network.
> Outputs representing the money of each party in a channel are
> promised, and *can* appear onchain (via the unilateral close
> mechanism).
> In the meantime, there is a mechanism for performing cut-through,
> allowing transfers between channel participants; any number of
> transactions can be performed that are only "solidified" later,
> without expensive onchain activity.
>
> Thus:
>
> * A CoinPool is really a way to commit to promised outputs.
>   To change the distribution of those promised outputs, the
>   CoinPool operators need to post an onchain transaction, but
>   that is only a 1-input-1-output transaction, and with Schnorr
>   signatures the single input requires only a single signature.
>   But in case something Really Bad (TM) happens, any participant
>   can unilaterally close the CoinPool, instantiating the promised
>   outputs.
> * A statechain is really just a CoinPool hosted inside a
>   Decker-Wattenhofer or Decker-Russell-Osuntokun construction.
>   This allows changing the distribution of those promised outputs
>   without using an onchain transaction --- instead, a new state
>   in the Decker-Wattenhofer/Decker-Russell-Osuntokun construction
>   is created containing the new state, which invalidates all older
>   states.
>   Again, any participant can unilaterally shut it down, exposing
>   the state of the inner CoinPool.
> * A channel factory is really just a statechain where the
>   promised outputs are not simple 1-of-1 single-owner outputs,
>   but are rather 2-of-2 channels.
>   This allows graceful degradation, where even if the statechain
>   ("factory") layer has missing participants, individual 2-of-2
>   channels can still continue operating as long as they do not
>   involve missing participants, without requiring all participants
>   to be online for large numbers of transactions.
>
> We can then consider that the base CoinPool usage should be enough,
> as other mechanisms (`OP_CTV`+`OP_CSFS`, `SIGHASH_NOINPUT`) can be
> used to implement statechains and channels and channel factories.
>
> I therefore conclude that what we really need is "just" a way to
> commit ourselves to exposing a set of promised outputs, with the
> proviso that if we all agree, we can change that set (without
> requiring that the current or next set be exposed, for both
> scaling and privacy).
>
> (To Bitcoin Cashers: this is not an IOU, this is *committed* and
> can be enforced onchain, that is

Re: [bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-18 Thread Jonas Nick via bitcoin-dev 

On the topic of half aggregation, Chalkias et al. gave a convincing security
proof last year:
https://eprint.iacr.org/2021/350

As an aside, half aggregation is not exactly the scheme in the OP because that
one is insecure. This does not affect Zmn's conclusion and was already
pointed out in the original half aggregation thread:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014306.html

It is required that each of the "s"-values are multiplied with a different
unpredictable value, for example like this:
https://github.com/ElementsProject/cross-input-aggregation/blob/master/slides/2021-Q2-halfagg-impl.org#schnorr-signature-half-aggregation-1
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

[bitcoin-dev] `OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`

2022-02-17 Thread ZmnSCPxj via bitcoin-dev 
`OP_EVICT`: An Alternative to `OP_TAPLEAFUPDATEVERIFY`
==

In late 2021, `aj` proposed `OP_TAPLEAFUPDATEVERIFY` in order to
implement CoinPools and similar constructions.

`Jeremy` observed that due to the use of Merkle tree paths, an
`OP_TLUV` would require O(log N) hash revelations in order to
reach a particular tapleaf, which, in the case of a CoinPool,
would then delete itself after spending only a particular amount
of funds.
He then observed that `OP_CTV` trees also require a similar
revelation of O(log N) transactions, but with the advantage that
once revealed, the transactions can then be reused, thus overall
the expectation is that the number of total bytes onchain is
lesser compared to `OP_TLUV`.

After some thinking, I realized that it was the use of the
Merkle tree to represent the promised-but-offchain outputs of
the CoinPool that lead to the O(log N) space usage.
I then started thinking of alternative representations of
sets of promised outputs, which would not require O(log N)
revelations by avoiding the tree structure.

Promised Outputs


Fundamentally, we can consider that a solution for scaling
Bitcoin would be to *promise* that some output *can* appear
onchain at some point in the future, without requiring that the
output be shown onchain *right now*.
Then, we can perform transactional cut-through on spends of the
promised outputs, without requiring onchain activity ("offchain").
Only if something Really Bad (TM) happens do we need to actually
drop the latest set of promised outputs onchain, where it has to
be verified globally by all fullnodes (and would thus incur scaling
and privacy costs).

As an example of the above paradigm, consider the Lightning
Network.
Outputs representing the money of each party in a channel are
promised, and *can* appear onchain (via the unilateral close
mechanism).
In the meantime, there is a mechanism for performing cut-through,
allowing transfers between channel participants; any number of
transactions can be performed that are only "solidified" later,
without expensive onchain activity.

Thus:

* A CoinPool is really a way to commit to promised outputs.
  To change the distribution of those promised outputs, the
  CoinPool operators need to post an onchain transaction, but
  that is only a 1-input-1-output transaction, and with Schnorr
  signatures the single input requires only a single signature.
  But in case something Really Bad (TM) happens, any participant
  can unilaterally close the CoinPool, instantiating the promised
  outputs.
* A statechain is really just a CoinPool hosted inside a
  Decker-Wattenhofer or Decker-Russell-Osuntokun construction.
  This allows changing the distribution of those promised outputs
  without using an onchain transaction --- instead, a new state
  in the Decker-Wattenhofer/Decker-Russell-Osuntokun construction
  is created containing the new state, which invalidates all older
  states.
  Again, any participant can unilaterally shut it down, exposing
  the state of the inner CoinPool.
* A channel factory is really just a statechain where the
  promised outputs are not simple 1-of-1 single-owner outputs,
  but are rather 2-of-2 channels.
  This allows graceful degradation, where even if the statechain
  ("factory") layer has missing participants, individual 2-of-2
  channels can still continue operating as long as they do not
  involve missing participants, without requiring all participants
  to be online for large numbers of transactions.

We can then consider that the base CoinPool usage should be enough,
as other mechanisms (`OP_CTV`+`OP_CSFS`, `SIGHASH_NOINPUT`) can be
used to implement statechains and channels and channel factories.

I therefore conclude that what we really need is "just" a way to
commit ourselves to exposing a set of promised outputs, with the
proviso that if we all agree, we can change that set (without
requiring that the current or next set be exposed, for both
scaling and privacy).

(To Bitcoin Cashers: this is not an IOU, this is *committed* and
can be enforced onchain, that is enough to threaten your offchain
counterparties into behaving correctly.
They cannot gain anything by denying the outputs they promised,
you can always drop it onchain and have it enforced, thus it is
not just merely an IOU, as IOUs are not necessarily enforceable,
but this mechanism *would* be.
Blockchain as judge+jury+executioner, not noisy marketplace.)

Importantly: both `OP_CTV` and `OP_TLUV` force the user to
decide on a particular, but ultimately arbitrary, ordering for
promised outputs.
In principle, a set of promised outputs, if the owners of those
outputs are peers, does not have *any* inherent order.
Thus, I started to think about a commitment scheme that does not
impose any ordering during commitment.

Digression: N-of-N With Eviction


An issue with using an N-of-N construction is that if any single