📅 Original date posted:2019-03-18
📝 Original message:
On Thu, Mar 14, 2019 at 01:00:56PM +0100, Christian Decker wrote:
> Anthony Towns <aj at erisian.com.au> writes:
> > I'm thinking of tagged outputs as "taproot plus" (ie, plus noinput),
> > so if you used a tagged output, you could do everything normal taproot
> > address could, but also do noinput sigs for them.
> > So you might have:
> > funding tx -> cooperative claim
> > funding tx -> update 3 [TAGGED] -> settlement 3 -> claim
> > funding tx -> update 3 [TAGGED] ->
> > update 4 [TAGGED,NOINPUT] ->
> > settlement 4 [TAGGED,NOINPUT] ->
> > claim [NOINPUT]
> > In the cooperative case, no output tagging needed.
> I might be missing something here, but how do you bind update 3 to the
> funding tx output, when that output is not tagged? Do we keep each
> update in multiple separate states, one bound to the funding tx output
> and another signed with noinput?
I don't know that "separate states" is a great description -- until it
hits the blockchain "update N" is a template that can be filled out in a
variety of ways -- in the above the ways are:
- with a NOINPUT sig and a previous "update" tx as its input
- or with a SINGLE|ANYONECANPAY sig and the funding tx as input
The important thing is that approach means two sigs for each update tx.
The above also has two sigs for each settlement tx (and likewise two sigs
for each HTLC claim if using scriptless scripts) -- one using NOINPUT
in case multiple update tx's make it to the blockchain, and one assuming
everything works as expected that can just use direct key path spending.
I think you can do SINGLE,ANYCANPAY and combine multiple channel closures
if you're directly spending the funding tx, but can't do that if you're
using a NOINPUT sig, because the NOINPUT sig would commit to the tx's
locktime and different channel's states will generally have different
locktimes. You still probably want SINGLE,ANYCANPAY in that case so you
can bump fees though.
> If that's the case we just doubled our
> storage and communication requirements for very little gain.
There's three potential gains:
* it lets us make a safer version of NOINPUT
* it makes the common paths give fewer hints that you're using eltoo
* it puts less data/computation load on the blockchain
With tagged outputs your update tx already indicates you're maybe going
to use NOINPUT, so that probably already gives away that you're using
eltoo, so, at least with output tagging, the second benefit probably
doesn't exist. Using a key path spend (without a script) is probably
going to be cheaper on the blockchain though.
But while I think output tagging is probably better than nothing,
requiring a non-NOINPUT signature seems a better approach to me. With
that one, having a dedicated sig for the normal "publish the latest
state spending the funding tx" case, reduces a unilateral close to only
being special due to the settlement tx having a relative timelock, and
the various tx's using SINGLE|ANYCANPAY, which seems like a win. In that
scenario, just using a single sig is much cheaper than revealing a taproot
point, a pubkey or two, and using two sigs and a CLTV check of course.
It does goes from 1+n signatures per update today to 4+n signatures,
if you're using scriptless scripts. If you don't mind revealing the
HTLCs are HTLCs, and could do them with actual scripts, that reduces to
4 signatures. You could reduce it to 2 signatures by also always posting
"funding tx -> update 0 -> update N -> settlement N", or you could reduce
it to 2+2/k signatures by only doing the non-NOINPUT sigs for every k'th
state (or no more often than every t seconds or similar).
> An
> alternative is to add a trigger transaction that needs to be published
> in a unilateral case, but that'd increase our on-chain footprint.
(The above essentially uses update tx's as optional trigger tx's)
Also, I'd expect the extra latency introduced by the interactive signing
protocol for muSig would be more of a hit (share the nonce hash, share
the nonce, calculate the sig). Particularly if you're doing multiparty
channels with many participants, rather than just two.
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-09 12:54:28
in reply to nevent1q…hxhp
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-09 12:54:28Event JSON
{
"id": "536e155075ac127da099162046a2dae6182da4409a6a9f70fc7adeeb0efa8662",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686315268,
"kind": 1,
"tags": [
[
"e",
"86a47a61621252784fd45b6d576812ee01ce9af9bd2a53aeaae914577c5267a8",
"",
"root"
],
[
"e",
"3d6d9979850dd1013564cfdea307040b01fa1a83314d23c5ed933b9f442d65f5",
"",
"reply"
],
[
"p",
"72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057"
]
],
"content": "📅 Original date posted:2019-03-18\n📝 Original message:\nOn Thu, Mar 14, 2019 at 01:00:56PM +0100, Christian Decker wrote:\n\u003e Anthony Towns \u003caj at erisian.com.au\u003e writes:\n\u003e \u003e I'm thinking of tagged outputs as \"taproot plus\" (ie, plus noinput),\n\u003e \u003e so if you used a tagged output, you could do everything normal taproot\n\u003e \u003e address could, but also do noinput sigs for them.\n\u003e \u003e So you might have:\n\u003e \u003e funding tx -\u003e cooperative claim\n\u003e \u003e funding tx -\u003e update 3 [TAGGED] -\u003e settlement 3 -\u003e claim\n\u003e \u003e funding tx -\u003e update 3 [TAGGED] -\u003e \n\u003e \u003e update 4 [TAGGED,NOINPUT] -\u003e \n\u003e \u003e \t\t settlement 4 [TAGGED,NOINPUT] -\u003e \n\u003e \u003e \t\t claim [NOINPUT]\n\u003e \u003e In the cooperative case, no output tagging needed.\n\u003e I might be missing something here, but how do you bind update 3 to the\n\u003e funding tx output, when that output is not tagged? Do we keep each\n\u003e update in multiple separate states, one bound to the funding tx output\n\u003e and another signed with noinput?\n\nI don't know that \"separate states\" is a great description -- until it\nhits the blockchain \"update N\" is a template that can be filled out in a\nvariety of ways -- in the above the ways are:\n - with a NOINPUT sig and a previous \"update\" tx as its input\n - or with a SINGLE|ANYONECANPAY sig and the funding tx as input\n\nThe important thing is that approach means two sigs for each update tx.\nThe above also has two sigs for each settlement tx (and likewise two sigs\nfor each HTLC claim if using scriptless scripts) -- one using NOINPUT\nin case multiple update tx's make it to the blockchain, and one assuming\neverything works as expected that can just use direct key path spending.\n\nI think you can do SINGLE,ANYCANPAY and combine multiple channel closures\nif you're directly spending the funding tx, but can't do that if you're\nusing a NOINPUT sig, because the NOINPUT sig would commit to the tx's\nlocktime and different channel's states will generally have different\nlocktimes. You still probably want SINGLE,ANYCANPAY in that case so you\ncan bump fees though.\n\n\u003e If that's the case we just doubled our\n\u003e storage and communication requirements for very little gain.\n\nThere's three potential gains:\n * it lets us make a safer version of NOINPUT\n * it makes the common paths give fewer hints that you're using eltoo\n * it puts less data/computation load on the blockchain\n\nWith tagged outputs your update tx already indicates you're maybe going\nto use NOINPUT, so that probably already gives away that you're using\neltoo, so, at least with output tagging, the second benefit probably\ndoesn't exist. Using a key path spend (without a script) is probably\ngoing to be cheaper on the blockchain though.\n\nBut while I think output tagging is probably better than nothing,\nrequiring a non-NOINPUT signature seems a better approach to me. With\nthat one, having a dedicated sig for the normal \"publish the latest\nstate spending the funding tx\" case, reduces a unilateral close to only\nbeing special due to the settlement tx having a relative timelock, and\nthe various tx's using SINGLE|ANYCANPAY, which seems like a win. In that\nscenario, just using a single sig is much cheaper than revealing a taproot\npoint, a pubkey or two, and using two sigs and a CLTV check of course.\n\nIt does goes from 1+n signatures per update today to 4+n signatures,\nif you're using scriptless scripts. If you don't mind revealing the\nHTLCs are HTLCs, and could do them with actual scripts, that reduces to\n4 signatures. You could reduce it to 2 signatures by also always posting\n\"funding tx -\u003e update 0 -\u003e update N -\u003e settlement N\", or you could reduce\nit to 2+2/k signatures by only doing the non-NOINPUT sigs for every k'th\nstate (or no more often than every t seconds or similar).\n\n\u003e An\n\u003e alternative is to add a trigger transaction that needs to be published\n\u003e in a unilateral case, but that'd increase our on-chain footprint.\n\n(The above essentially uses update tx's as optional trigger tx's)\n\nAlso, I'd expect the extra latency introduced by the interactive signing\nprotocol for muSig would be more of a hit (share the nonce hash, share\nthe nonce, calculate the sig). Particularly if you're doing multiparty\nchannels with many participants, rather than just two.\n\nCheers,\naj",
"sig": "bea393ba43793cc2aead3722f3facb33f2760a7e4604f0ab6be650d9fd7c8a6a34f2d219fb8e333cae3e8ad6f828392ba123b1d76e91ce2ad6bf84ab291e633b"
}