📅 Original date posted:2018-10-10
📝 Original message:
René Pickhardt <r.pickhardt at googlemail.com> writes:
> So let us take the example of Splicing in:
> * The situation before splicing is that we have one output in our funding
> tx that is being spent with each commitment tx. (actually if the channel
> was spliced before we have more inputs but that should not change anything)
> * Splice in would create one additional output that can be spent in future
> commitment tx.
> * I propose while splicing in this output should be spent by a special
> commitment tx which goes to the funder of the splicing operation. This
> should happen before the actual funding takes place. The other commitment
> tx spending the original output continues to operate (assuring non blocking
> splice in operation).
> * Once we have enough confirmations we merge the channels (either
> automatically or with the next channel update). A new commitment tx is
> being created which now spends each output of each of the two funding tx
> and assigns the channel balance to the channel partners accordingly to the
> two independent channels. The old commitment txs are being invalidated.
> * The disadvantage is that while splicing is not completed and if the
> funder of the splicing tx is trying to publish an old commitment tx the
> node will only be punished by sending all the funds of the first funding tx
> to the partner as the special commitment tx of the 2nd output has no newer
> state yet.
Yes, this is the alternative method; produce a parallel funding tx
(which only needs to support a single revocation, or could even be done
by a long timeout) and then join them when it reaches the agreed depth.
It has some elegance; particularly because one side doesn't have to do
any validation or store anything until it's about to splice in. You get
asked for a key and signature, you produce a new one, and sign whatever
tx they want. They hand you back the tx and the key you used once it's
buried far enough, and you check the tx is indeed buried and the output
is the script you're expecting, then you flip the commitment tx.
But I chose chose not to do this because every transaction commitment
forever will require 2 signatures, and doesn't allow us to forget old
revocation information.
And it has some strange side-effects: onchain this looks like two
channels; do we gossip about both? We have to figure the limit on
splice-in to make sure the commitment tx stays under 400kSipa.
> I believe splicing out is even safer:
> * One just creates a spent of the funding tx which has two outputs. One
> output goes to the recipient of the splice out operation and the second
> output acts as a new funding transaction for the newly spliced channel.
> Once signatures for the new commitment transaction are exchanged (basically
> following the protocol to open a channel) the splicing operation can be
> broadcasted.
>
> * The old channel MUST NOT be used anymore but the new channel can be
> operational right away without blockchain confirmation. In case someone
> tries to publish an old state of the old channel it will be a double spent
> of the splicing operation and in the worst case will be punished and the
> splicing was not successful.
>
> if one publishes an old state of the new
> channel everything will just work as normal even if the funding tx is not
> yet mined. It could only be replaced with an old state of the previous
> channel (which as we saw is not a larger risk than the usual operation of a
> lightning node)
Right, you're relying on CPFP pushing through the splice-out tx if it
gets stuck. This requires that we check carefully for standardness and
other constraints which might prevent this; for example, we can't allow
more than 20 (?) of these in a row without being sufficiently buried
since I think that's where CPFP calculations top out.
> As mentioned maybe you had this workflow already in your mind but I don't
> see why we need to send around all the messages twice with my workflow. We
> only need to maintain double state but only until it is fair / safe to do
> so. I would also believe that with my approach it should be possible (but
> not really necessary) to have multiple splicing operations in parallel.
The extra sigs are only needed in transition, though; once splicing is
over the channel looks exactly like a newly created one, which is nice.
> One other question: What happens to the short_channel_id of a channel to
> which founds have been spliced in?
In the parallel splice world, they look like two channels. In my
proposal it looks like a new channel, with a channel_update to make sure
modern nodes know that the transition is happening.
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:51:37
in reply to nevent1q…8us8
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:51:37Event JSON
{
"id": "a5f969f1d001bf1c57ffd9922de135cdd832563ebd8e73d0e111e80560c74fdf",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686315097,
"kind": 1,
"tags": [
[
"e",
"d33837a10906296cdab5e5ff391835a12bd3f5d27bdac072961b20f094855a4d",
"",
"root"
],
[
"e",
"9e4f5f8494f6d3c69d0e4977666c5921a8366c0705ab6875bb0d6fd28a4c1887",
"",
"reply"
],
[
"p",
"17ccd89be295c0ae65f1cd3740a9dad84ec8b6d7050712a7f04ae5284b2fab99"
]
],
"content": "📅 Original date posted:2018-10-10\n📝 Original message:\nRené Pickhardt \u003cr.pickhardt at googlemail.com\u003e writes:\n\u003e So let us take the example of Splicing in:\n\u003e * The situation before splicing is that we have one output in our funding\n\u003e tx that is being spent with each commitment tx. (actually if the channel\n\u003e was spliced before we have more inputs but that should not change anything)\n\u003e * Splice in would create one additional output that can be spent in future\n\u003e commitment tx.\n\u003e * I propose while splicing in this output should be spent by a special\n\u003e commitment tx which goes to the funder of the splicing operation. This\n\u003e should happen before the actual funding takes place. The other commitment\n\u003e tx spending the original output continues to operate (assuring non blocking\n\u003e splice in operation).\n\u003e * Once we have enough confirmations we merge the channels (either\n\u003e automatically or with the next channel update). A new commitment tx is\n\u003e being created which now spends each output of each of the two funding tx\n\u003e and assigns the channel balance to the channel partners accordingly to the\n\u003e two independent channels. The old commitment txs are being invalidated.\n\u003e * The disadvantage is that while splicing is not completed and if the\n\u003e funder of the splicing tx is trying to publish an old commitment tx the\n\u003e node will only be punished by sending all the funds of the first funding tx\n\u003e to the partner as the special commitment tx of the 2nd output has no newer\n\u003e state yet.\n\nYes, this is the alternative method; produce a parallel funding tx\n(which only needs to support a single revocation, or could even be done\nby a long timeout) and then join them when it reaches the agreed depth.\n\nIt has some elegance; particularly because one side doesn't have to do\nany validation or store anything until it's about to splice in. You get\nasked for a key and signature, you produce a new one, and sign whatever\ntx they want. They hand you back the tx and the key you used once it's\nburied far enough, and you check the tx is indeed buried and the output\nis the script you're expecting, then you flip the commitment tx.\n\nBut I chose chose not to do this because every transaction commitment\nforever will require 2 signatures, and doesn't allow us to forget old\nrevocation information.\n\nAnd it has some strange side-effects: onchain this looks like two\nchannels; do we gossip about both? We have to figure the limit on\nsplice-in to make sure the commitment tx stays under 400kSipa.\n\n\u003e I believe splicing out is even safer:\n\u003e * One just creates a spent of the funding tx which has two outputs. One\n\u003e output goes to the recipient of the splice out operation and the second\n\u003e output acts as a new funding transaction for the newly spliced channel.\n\u003e Once signatures for the new commitment transaction are exchanged (basically\n\u003e following the protocol to open a channel) the splicing operation can be\n\u003e broadcasted.\n\u003e\n\u003e * The old channel MUST NOT be used anymore but the new channel can be\n\u003e operational right away without blockchain confirmation. In case someone\n\u003e tries to publish an old state of the old channel it will be a double spent\n\u003e of the splicing operation and in the worst case will be punished and the\n\u003e splicing was not successful.\n\u003e\n\u003e if one publishes an old state of the new\n\u003e channel everything will just work as normal even if the funding tx is not\n\u003e yet mined. It could only be replaced with an old state of the previous\n\u003e channel (which as we saw is not a larger risk than the usual operation of a\n\u003e lightning node)\n\nRight, you're relying on CPFP pushing through the splice-out tx if it\ngets stuck. This requires that we check carefully for standardness and\nother constraints which might prevent this; for example, we can't allow\nmore than 20 (?) of these in a row without being sufficiently buried\nsince I think that's where CPFP calculations top out.\n\n\u003e As mentioned maybe you had this workflow already in your mind but I don't\n\u003e see why we need to send around all the messages twice with my workflow. We\n\u003e only need to maintain double state but only until it is fair / safe to do\n\u003e so. I would also believe that with my approach it should be possible (but\n\u003e not really necessary) to have multiple splicing operations in parallel.\n\nThe extra sigs are only needed in transition, though; once splicing is\nover the channel looks exactly like a newly created one, which is nice.\n\n\u003e One other question: What happens to the short_channel_id of a channel to\n\u003e which founds have been spliced in?\n\nIn the parallel splice world, they look like two channels. In my\nproposal it looks like a new channel, with a channel_update to make sure\nmodern nodes know that the transition is happening.\n\nCheers,\nRusty.",
"sig": "cb62b49e05dce42a5cb794f5a970810181de84e23aada683d291cca86dd7573bdbcb9d7f833b1c1bed1e23fa0615f1fbafe1366b856f8d1f02e8b5cd66c41dad"
}