📅 Original date posted:2018-04-03
📝 Original message:Anthony Towns via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> writes:
> If you've got one bundle that overpays fees and another that underpays,
> you can safely combine the two only if you can put a SIGHASH_ALL sig in
> the one that overpays (otherwise miners could just make their own tx of
> just the overpaying bundle).
This is a potential problem, yes :( And I'm not sure how to solve it,
unless you do some crazy thing like commit to a set of keys which are
allowed to bundle, which kind of defeats the generality of outsourcing.
> This could replace SINGLE|ANYONECANPAY at a cost of an extra couple of
> witness bytes.
>
> I think BUNDLESTART is arguably redundant -- you could just infer
> BUNDLESTART if you see an INBUNDLE flag when you're not already in
> a bundle. Probably better to have the flag to make parsing easier,
> so just have the rule be BUNDLESTART is set for precisely the first
> INBUNDLE signature since the last bundle finished.
Indeed.
>> One of the issues we've struck with lightning is trying to guess future
>> fees for commitment transactions: we can't rely on getting another
>> signature from our counterparty to increase fees. Nor can we use
>> parent-pays-for-child since the outputs we can spend are timelocked.
>
> That doesn't quite work with the HTLC-Success/HTLC-Timeout transactions
> though, does it? They spend outputs from the commitment transaction
> and need to be pre-signed by your channel partner in order to ensure
> the output address is correct -- but if the commitment transaction gets
> bundled, its txid will change, so it can't be pre-signed.
Not without SIGHASH_NOINPUT, no.
> FWIW, a dumb idea I had for this problem was to add a zero-value
> anyone-can-spend output to commitment transactions, that can then be
> used with CPFP to bump the fees. Not very nice for UTXO bloat if fee
> bumping isn't needed though, and I presume it would fail to pass the
> dust threshold...
Yeah, let's not do that.
> I wonder if it would be plausible to have after-the-fact fee-bumping
> via special sighash flags at the block level anyway though. Concretely:
> say you have two transactions, X and Y, that don't pay enough in fees,
> you then provide a third transaction whose witness is [txid-for-X,
> txid-for-Y, signature committing to (txid-for-X, txid-for-Y)], and can
> only be included in a block if X and Y are also in the same block. You
> could make that fairly concise if you allowed miners to replace txid-for-X
> with X's offset within the block (or the delta between X's txnum and the
> third transaction's txnum), though coding that probably isn't terribly
> straightforward.
What would it spend though? Can't use an existing output, so this
really needs to be stashed in an *output script*, say a zero-amount
output which is literally a push of txids, and is itself unspendable.
<txid1>... <txidN>
That's pretty large though, and it's non-witness data (though
discardable). How about 'OP_NOP4 <N> <ripemd160-of-last-N-txids>'?
Then the miner just bundles those tx all together?
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-07 18:11:29
in reply to nevent1q…64su
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-07 18:11:29Event JSON
{
"id": "7bfbb314c5f0aae590844709e6c1497d8e5486ba588cba329b6fc6bd1aae0070",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686161489,
"kind": 1,
"tags": [
[
"e",
"089f07c162e08f60d9b6514834d8dbd501c5586732b84c2e093e47c4bd89b6fc",
"",
"root"
],
[
"e",
"9235696656e4e058457e5836715d4e5aff19a044fa9354685adc654b366fa313",
"",
"reply"
],
[
"p",
"f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab"
]
],
"content": "📅 Original date posted:2018-04-03\n📝 Original message:Anthony Towns via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e writes:\n\u003e If you've got one bundle that overpays fees and another that underpays,\n\u003e you can safely combine the two only if you can put a SIGHASH_ALL sig in\n\u003e the one that overpays (otherwise miners could just make their own tx of\n\u003e just the overpaying bundle).\n\nThis is a potential problem, yes :( And I'm not sure how to solve it,\nunless you do some crazy thing like commit to a set of keys which are\nallowed to bundle, which kind of defeats the generality of outsourcing.\n\n\u003e This could replace SINGLE|ANYONECANPAY at a cost of an extra couple of\n\u003e witness bytes.\n\u003e\n\u003e I think BUNDLESTART is arguably redundant -- you could just infer\n\u003e BUNDLESTART if you see an INBUNDLE flag when you're not already in\n\u003e a bundle. Probably better to have the flag to make parsing easier,\n\u003e so just have the rule be BUNDLESTART is set for precisely the first\n\u003e INBUNDLE signature since the last bundle finished.\n\nIndeed.\n\n\u003e\u003e One of the issues we've struck with lightning is trying to guess future\n\u003e\u003e fees for commitment transactions: we can't rely on getting another\n\u003e\u003e signature from our counterparty to increase fees. Nor can we use\n\u003e\u003e parent-pays-for-child since the outputs we can spend are timelocked.\n\u003e\n\u003e That doesn't quite work with the HTLC-Success/HTLC-Timeout transactions\n\u003e though, does it? They spend outputs from the commitment transaction\n\u003e and need to be pre-signed by your channel partner in order to ensure\n\u003e the output address is correct -- but if the commitment transaction gets\n\u003e bundled, its txid will change, so it can't be pre-signed.\n\nNot without SIGHASH_NOINPUT, no.\n\n\u003e FWIW, a dumb idea I had for this problem was to add a zero-value\n\u003e anyone-can-spend output to commitment transactions, that can then be\n\u003e used with CPFP to bump the fees. Not very nice for UTXO bloat if fee\n\u003e bumping isn't needed though, and I presume it would fail to pass the\n\u003e dust threshold...\n\nYeah, let's not do that.\n\n\u003e I wonder if it would be plausible to have after-the-fact fee-bumping\n\u003e via special sighash flags at the block level anyway though. Concretely:\n\u003e say you have two transactions, X and Y, that don't pay enough in fees,\n\u003e you then provide a third transaction whose witness is [txid-for-X,\n\u003e txid-for-Y, signature committing to (txid-for-X, txid-for-Y)], and can\n\u003e only be included in a block if X and Y are also in the same block. You\n\u003e could make that fairly concise if you allowed miners to replace txid-for-X\n\u003e with X's offset within the block (or the delta between X's txnum and the\n\u003e third transaction's txnum), though coding that probably isn't terribly\n\u003e straightforward.\n\nWhat would it spend though? Can't use an existing output, so this\nreally needs to be stashed in an *output script*, say a zero-amount\noutput which is literally a push of txids, and is itself unspendable.\n\n \u003ctxid1\u003e... \u003ctxidN\u003e\n\nThat's pretty large though, and it's non-witness data (though\ndiscardable). How about 'OP_NOP4 \u003cN\u003e \u003cripemd160-of-last-N-txids\u003e'?\nThen the miner just bundles those tx all together?\n\nCheers,\nRusty.",
"sig": "c6628369a233edf27a37d7f18123d7ead4239efd53f92e0e5cb4b3d62718cc8ce7d0c64d5d95788da572a647ef2f2fc5ba6023735d3ae0df61be6371ed8adaa5"
}