š
Original date posted:2013-04-19
š Original message:Iām not sure I followed Johnās proposal fully, why would a user sign TX1
committing funds to the MULTISIG they may never get back? I also donāt see
the problem with getting a signed TX2 back from the AP before releasing
TX1... see the sequence below. But more importantly, we only need exactly
one replacement, so for starters we could anti-DoS by allowing only
nSequence of 0 or MAX.
If this was enabled on test-net, I would be including a link to
transactions that implement the following proposal. At the moment, the best
I can do is unit test and generate the rawtransaction output at each step ā
you can find source code and test output here:
https://gist.github.com/jspilman/5424310
The initial funding transaction and time-locked refund is pretty annoying
to setup, if you want to support the general case of coins from arbitrarily
sized inputs. You will have:
- 1 or more inputs from the user, 0 or 1 change outputs
- 0 or more inputs from the AP, 0 or 1 change outputs
- 1 output to ā2 PK1 PK2 2 CHECKMULTISIGā
This precludes using SIGHASH_SINGLE except for the special cases where
inputs are perfectly sized (i.e. they are created in a prior step).
0. User and AP negotiate how much to escrow, who pays the fees, and how
far in the future nLockTime will be set (how long userās funds will be tied
if AP doesnāt close the channel)
1. User creates an unsigned TX1 with 1 or more inputs from userās
ālistunspentā, change going back to user (if any), and a single output of
āFundAmountā with scriptPubKey of ā2 PK1 OP_0 CHECKMULTISIGā, and sends to
the AP
2. AP adds to TX1; their inputs (if any), their change (if any), replaces
OP_0 in the scriptPubKey with a PK they control, and signs SIGHASH_ALL, and
returns TX1 to User.
3. User verifies TX1 is as agreed, and signs it SIGHASH_ALL, but keeps it
to himself. User, having completed TX1, knows its TxID and can now create
TX2-Locked spending TX1 back to themselves. User sets nLockTime to the
agreed point, signs SIGHASH_ALL, and sends TX2-Locked to AP.
4. AP verifies TX2-Locked and adds their signature, and returns TX2-Locked
to User. User can now broadcast TX1 and TX2-Locked.
5. At each payment milestone, user creates TX2-Final; TX1 as input, final
nSequence, no lock time, with a single output going back to to the user,
and an amount equal to the remaining balance of the channel. User signs
with SIGHASH_SINGLE and sends to the AP.
6. AP can add an output to TX2-Final sending their portion of the coins
where ever they want, sign it SIGHASH_ALL, and broadcast it at any point,
closing the channel. AP must broadcast TX2-Final before nLockTime, but has
no guarantee the user hasnāt offered a bribe for miners by spending
TX2-Locked with a large fee, e.g. a pissed off user spends TX2-Locked
entirely to fees just to see if they can convince miners to wait for it.
The alternative to the TX2-Locked is a 3rd party in the MULTISIG who is
trusted to close the channel at the request of either party, based on the
latest TX2-Final which was sent by the user. In this case there is no
TX2-Locked, only a single boardcast version of TX2-Final, and you do not
need transaction replacement at all.
Thanks,
--Jeremy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130419/858beba2/attachment.html>;
Jeremy Spilman [ARCHIVE] /
npub10eā¦jc727
2023-06-07 11:47:50
in reply to nevent1qā¦x28y
Author Public Key
npub10etkvm8l0jr0jsgdx02dxnhnu5g989dnca90guj5rklwkaplnh3sgjc727Published at
2023-06-07 11:47:50Event JSON
{
"id": "a750bd88f46584b3c9010771db626619a24233729de088e432cae42b35999e41",
"pubkey": "7e57666cff7c86f9410d33d4d34ef3e5105395b3c74af472541dbeeb743f9de3",
"created_at": 1686138470,
"kind": 1,
"tags": [
[
"e",
"3fcd79b1ede664ebbdecb2022e12316401553d8fac5d552c27e9efefd1d08943",
"",
"root"
],
[
"e",
"5282d4e793458824fe2d56a005c3a3ec73d47bc5e5d8df9e809ce7ab97d2f0a9",
"",
"reply"
],
[
"p",
"f2c95df3766562e3b96b79a0254881c59e8639f23987846961cf55412a77f6f2"
]
],
"content": "š
Original date posted:2013-04-19\nš Original message:Iām not sure I followed Johnās proposal fully, why would a user sign TX1\ncommitting funds to the MULTISIG they may never get back? I also donāt see\nthe problem with getting a signed TX2 back from the AP before releasing\nTX1... see the sequence below. But more importantly, we only need exactly\none replacement, so for starters we could anti-DoS by allowing only\nnSequence of 0 or MAX.\n\n If this was enabled on test-net, I would be including a link to\ntransactions that implement the following proposal. At the moment, the best\nI can do is unit test and generate the rawtransaction output at each step ā\nyou can find source code and test output here:\nhttps://gist.github.com/jspilman/5424310\n\n The initial funding transaction and time-locked refund is pretty annoying\nto setup, if you want to support the general case of coins from arbitrarily\nsized inputs. You will have:\n - 1 or more inputs from the user, 0 or 1 change outputs\n - 0 or more inputs from the AP, 0 or 1 change outputs\n - 1 output to ā2 PK1 PK2 2 CHECKMULTISIGā\n\n This precludes using SIGHASH_SINGLE except for the special cases where\ninputs are perfectly sized (i.e. they are created in a prior step).\n\n 0. User and AP negotiate how much to escrow, who pays the fees, and how\nfar in the future nLockTime will be set (how long userās funds will be tied\nif AP doesnāt close the channel)\n\n 1. User creates an unsigned TX1 with 1 or more inputs from userās\nālistunspentā, change going back to user (if any), and a single output of\nāFundAmountā with scriptPubKey of ā2 PK1 OP_0 CHECKMULTISIGā, and sends to\nthe AP\n\n 2. AP adds to TX1; their inputs (if any), their change (if any), replaces\nOP_0 in the scriptPubKey with a PK they control, and signs SIGHASH_ALL, and\nreturns TX1 to User.\n\n 3. User verifies TX1 is as agreed, and signs it SIGHASH_ALL, but keeps it\nto himself. User, having completed TX1, knows its TxID and can now create\nTX2-Locked spending TX1 back to themselves. User sets nLockTime to the\nagreed point, signs SIGHASH_ALL, and sends TX2-Locked to AP.\n\n 4. AP verifies TX2-Locked and adds their signature, and returns TX2-Locked\nto User. User can now broadcast TX1 and TX2-Locked.\n\n 5. At each payment milestone, user creates TX2-Final; TX1 as input, final\nnSequence, no lock time, with a single output going back to to the user,\nand an amount equal to the remaining balance of the channel. User signs\nwith SIGHASH_SINGLE and sends to the AP.\n\n 6. AP can add an output to TX2-Final sending their portion of the coins\nwhere ever they want, sign it SIGHASH_ALL, and broadcast it at any point,\nclosing the channel. AP must broadcast TX2-Final before nLockTime, but has\nno guarantee the user hasnāt offered a bribe for miners by spending\nTX2-Locked with a large fee, e.g. a pissed off user spends TX2-Locked\nentirely to fees just to see if they can convince miners to wait for it.\n\n The alternative to the TX2-Locked is a 3rd party in the MULTISIG who is\ntrusted to close the channel at the request of either party, based on the\nlatest TX2-Final which was sent by the user. In this case there is no\nTX2-Locked, only a single boardcast version of TX2-Final, and you do not\nneed transaction replacement at all.\n\n Thanks,\n--Jeremy\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130419/858beba2/attachment.html\u003e",
"sig": "7da66e2de7ebf2c06a2ffedcc2ea11e191552ff38ba0c403f6dd7d4a345ac1c33272dd1c4dac8ae0b1d4bffb6171c0eaf690a7d80375313a6fb51a178bf31b09"
}