📅 Original date posted:2019-10-01
📝 Original message:
ZmnSCPxj <ZmnSCPxj at protonmail.com> writes:
> I rather strongly oppose output tagging.
>
> The entire point of for example Taproot was to reduce the variability
> of how outputs look like, so that unspent Taproot outputs look exactly
> like other unspent Taproot outputs regardless of the SCRIPT (or lack
> of SCRIPT) used to protect the outputs. That is the reason why we
> would prefer to not support P2SH-wrapped Taproot even though
> P2SH-wrapping was intended to cover all future uses of SegWit,
> including SegWit v1 that Taproot will eventually get.
That is a bit reductive if you ask me. Taproot brings a number of
improvements such as the reduction of on-chain footprint in the
collaborative spend case, the hiding of complex logic in that case, and
yes, the uniformity of UTXOs that you mentioned. I do agree that it'd be
to make everything look identical to the outside observer, but saying
that separating outputs into two coarse-grained domains is equivalent to
throwing the baby out with the bath-water :-)
That being said, I should clarify that I would prefer not having to make
special accomodations on top of the raw sighash_noinput proposal, for
some perceived, but abstract danger that someone might shoot themselves
in the foot. I think we're all old enough not to need too much
handholding :-)
Output tagging is my second choice, since it minimizes the need for
people to get creative to work around other proposals, and minimizes the
on-chain footprint, and finally chaperone signatures are my least
preferred option due to its heavy-handed nature and the increased cost.
> Indeed, if it is output tagging that gets into Bitcoin base layer, I
> would strongly suggest the below for all Decker-Russell-Osuntokun
> implementations:
>
> * A standard MuSig 2-of-2 bip-schnorr SegWit v1 Funding Transaction Output, confirmed onchain
> * A "translator transaction" spending the above and paying out to a SegWit v16 output-tagged output, kept offchain.
> * Decker-Russell-Osuntokun update transaction, signed with `SIGHASH_NOINPUT` spending the translator transaction output.
> * Decker-Russell-Osuntokun state transaction, signed with `SIGHASH_NOINPUT` spending the update transaction output.
That is very much how I was planning to implement it anyway, using a
trigger transaction to separate timeout start and the actual
update/settlement pairs (cfr. eltoo paper Section 4.2). So for eltoo
there shouldn't be an issue here :-)
> The point regarding use of a commonly-known privkey to work around
> chaperone signatures is appropriate to the above, incidentally. In
> short: this is a workaround, plain and simple, and one wonders the
> point of adding *either* chaperones *or* output tagging if we will, in
> practice, just work around them anyway.
Exactly, why introduce the extra burden of chaperone signatures or
output tagging if we're just going to sidestep it?
> Again, the *more* important point is that special blockchain
> constructions should only be used in the "bad" unilateral close case.
> In the cooperative case, we want to use simple plain
> bip-schnorr-signed outputs getting spent to further bip-schnor/Taproot
> SegWit v1 addresses, to increase the anonymity set of all uses of
> Decker-Russell-Osuntokun and other applications that might use
> `SIGHASH_NOINPUT` in some edge case (but which resolve down to simple
> bip-schnorr-signed n-of-n cases when the protocol is completed
> successfully by all participants).
While I do agree that we should keep outputs as unidentifiable as
possible, I am starting to question whether that is possible for
off-chain payment networks since we are gossiping about the existence of
channels and binding them to outpoints to prove their existence anyway.
Not the strongest argument I know, but there's little point in talking
ideal cases when we need to weaken that later again.
>> Open questions
>>
>> ---------------
>>
>> The questions that remain to be addressed are the following:
>>
>> 1. General agreement on the usefulness of noinput / anyprevoutanyscript /
>> anyprevout. While at the CoreDev meeting I think everybody agreed that
>> these proposals a useful, also beyond eltoo, not everybody could be
>> there. I'd therefore like to elicit some feedback from the wider community.
>
> I strongly agree that `NOINPUT` is useful, and I was not able to attend CoreDev (at least, not with any human fleshbot already known to you --- I checked).
Great, good to know that I'm not shouting into the void, and that I'm
not just that crazy guy trying to get his hairbrained scheme to work :-)
>> 2. Is there strong support or opposition to the chaperone signatures
>> introduced in anyprevout / anyprevoutanyscript? I think it'd be best to
>> formulate a concrete set of pros and contras, rather than talk about
>> abstract dangers or advantages.
>
> No opposition, we will just work around this by publishing a common
> known private key to use for all chaperone signatures, since all the
> important security is in the `NOINPUT` signature anyway.
>
>>
>> 3. The same for output tagging / explicit opt-in. What are the advantages and
>> disadvantages?
>
> Strongly oppose, see above about my argument.
>
>>
>> 4. Shall we merge BIP-118 and bip-anyprevout. This would likely reduce the
>> confusion and make for simpler discussions in the end.
>
> Ambivalent, mildly support.
>
>>
>> 5. Anything I forgot to mention :-)
>
> Cats are very interesting creatures, and are irrelevant to `SIGHASH_NOINPUT` discussion, but are extremely cute nonetheless.
Definitely agreed :+1:
Christian Decker [ARCHIVE] /
npub1wt…gtuyn
2023-06-09 12:56:19
in reply to nevent1q…nx2z
Author Public Key
npub1wtx5qvewc7pd6znlvwktq03mdld05mv3h5dkzfwd3dc30gdmsptsugtuynPublished at
2023-06-09 12:56:19Event JSON
{
"id": "9a3e35b66b1615390ca69424ce79cbf76beaf632c090515918068157c17535a4",
"pubkey": "72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057",
"created_at": 1686315379,
"kind": 1,
"tags": [
[
"e",
"cdcb20d8f8d63cc4e462299d7b2042087b535b172c963061dbb6929331fffa55",
"",
"root"
],
[
"e",
"1130bcbd760235d804db7251d77abe2e2bf0606ede4047cfbfd06f61a56e7d46",
"",
"reply"
],
[
"p",
"72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057"
]
],
"content": "📅 Original date posted:2019-10-01\n📝 Original message:\nZmnSCPxj \u003cZmnSCPxj at protonmail.com\u003e writes:\n\u003e I rather strongly oppose output tagging.\n\u003e\n\u003e The entire point of for example Taproot was to reduce the variability\n\u003e of how outputs look like, so that unspent Taproot outputs look exactly\n\u003e like other unspent Taproot outputs regardless of the SCRIPT (or lack\n\u003e of SCRIPT) used to protect the outputs. That is the reason why we\n\u003e would prefer to not support P2SH-wrapped Taproot even though\n\u003e P2SH-wrapping was intended to cover all future uses of SegWit,\n\u003e including SegWit v1 that Taproot will eventually get.\n\nThat is a bit reductive if you ask me. Taproot brings a number of\nimprovements such as the reduction of on-chain footprint in the\ncollaborative spend case, the hiding of complex logic in that case, and\nyes, the uniformity of UTXOs that you mentioned. I do agree that it'd be\nto make everything look identical to the outside observer, but saying\nthat separating outputs into two coarse-grained domains is equivalent to\nthrowing the baby out with the bath-water :-)\n\nThat being said, I should clarify that I would prefer not having to make\nspecial accomodations on top of the raw sighash_noinput proposal, for\nsome perceived, but abstract danger that someone might shoot themselves\nin the foot. I think we're all old enough not to need too much\nhandholding :-)\n\nOutput tagging is my second choice, since it minimizes the need for\npeople to get creative to work around other proposals, and minimizes the\non-chain footprint, and finally chaperone signatures are my least\npreferred option due to its heavy-handed nature and the increased cost.\n\n\u003e Indeed, if it is output tagging that gets into Bitcoin base layer, I\n\u003e would strongly suggest the below for all Decker-Russell-Osuntokun\n\u003e implementations:\n\u003e\n\u003e * A standard MuSig 2-of-2 bip-schnorr SegWit v1 Funding Transaction Output, confirmed onchain\n\u003e * A \"translator transaction\" spending the above and paying out to a SegWit v16 output-tagged output, kept offchain.\n\u003e * Decker-Russell-Osuntokun update transaction, signed with `SIGHASH_NOINPUT` spending the translator transaction output.\n\u003e * Decker-Russell-Osuntokun state transaction, signed with `SIGHASH_NOINPUT` spending the update transaction output.\n\nThat is very much how I was planning to implement it anyway, using a\ntrigger transaction to separate timeout start and the actual\nupdate/settlement pairs (cfr. eltoo paper Section 4.2). So for eltoo\nthere shouldn't be an issue here :-)\n\n\u003e The point regarding use of a commonly-known privkey to work around\n\u003e chaperone signatures is appropriate to the above, incidentally. In\n\u003e short: this is a workaround, plain and simple, and one wonders the\n\u003e point of adding *either* chaperones *or* output tagging if we will, in\n\u003e practice, just work around them anyway.\n\nExactly, why introduce the extra burden of chaperone signatures or\noutput tagging if we're just going to sidestep it?\n\n\u003e Again, the *more* important point is that special blockchain\n\u003e constructions should only be used in the \"bad\" unilateral close case.\n\u003e In the cooperative case, we want to use simple plain\n\u003e bip-schnorr-signed outputs getting spent to further bip-schnor/Taproot\n\u003e SegWit v1 addresses, to increase the anonymity set of all uses of\n\u003e Decker-Russell-Osuntokun and other applications that might use\n\u003e `SIGHASH_NOINPUT` in some edge case (but which resolve down to simple\n\u003e bip-schnorr-signed n-of-n cases when the protocol is completed\n\u003e successfully by all participants).\n\nWhile I do agree that we should keep outputs as unidentifiable as\npossible, I am starting to question whether that is possible for\noff-chain payment networks since we are gossiping about the existence of\nchannels and binding them to outpoints to prove their existence anyway.\n\nNot the strongest argument I know, but there's little point in talking\nideal cases when we need to weaken that later again. \n\n\u003e\u003e Open questions\n\u003e\u003e\n\u003e\u003e ---------------\n\u003e\u003e\n\u003e\u003e The questions that remain to be addressed are the following:\n\u003e\u003e\n\u003e\u003e 1. General agreement on the usefulness of noinput / anyprevoutanyscript /\n\u003e\u003e anyprevout. While at the CoreDev meeting I think everybody agreed that\n\u003e\u003e these proposals a useful, also beyond eltoo, not everybody could be\n\u003e\u003e there. I'd therefore like to elicit some feedback from the wider community.\n\u003e\n\u003e I strongly agree that `NOINPUT` is useful, and I was not able to attend CoreDev (at least, not with any human fleshbot already known to you --- I checked).\n\nGreat, good to know that I'm not shouting into the void, and that I'm\nnot just that crazy guy trying to get his hairbrained scheme to work :-)\n\n\u003e\u003e 2. Is there strong support or opposition to the chaperone signatures\n\u003e\u003e introduced in anyprevout / anyprevoutanyscript? I think it'd be best to\n\u003e\u003e formulate a concrete set of pros and contras, rather than talk about\n\u003e\u003e abstract dangers or advantages.\n\u003e\n\u003e No opposition, we will just work around this by publishing a common\n\u003e known private key to use for all chaperone signatures, since all the\n\u003e important security is in the `NOINPUT` signature anyway.\n\u003e\n\u003e\u003e\n\u003e\u003e 3. The same for output tagging / explicit opt-in. What are the advantages and\n\u003e\u003e disadvantages?\n\u003e\n\u003e Strongly oppose, see above about my argument.\n\u003e\n\u003e\u003e\n\u003e\u003e 4. Shall we merge BIP-118 and bip-anyprevout. This would likely reduce the\n\u003e\u003e confusion and make for simpler discussions in the end.\n\u003e\n\u003e Ambivalent, mildly support.\n\u003e\n\u003e\u003e\n\u003e\u003e 5. Anything I forgot to mention :-)\n\u003e\n\u003e Cats are very interesting creatures, and are irrelevant to `SIGHASH_NOINPUT` discussion, but are extremely cute nonetheless.\n\nDefinitely agreed :+1:",
"sig": "025c340b13164624a87083d0b0cb3009dd457496f7555555ad84eef52ed1594979f7477921db3dd1739c9eb97cfc9af5324f4ed2dba66ac8c7ebad386df15976"
}