๐
Original date posted:2014-05-09
๐ Original message:On Fri, May 9, 2014 at 8:13 PM, Peter Todd <pete at petertodd.org> wrote:
> I don't think we're going to find that's practical unfortunately due to
> change. Every payment I make ties up txouts, so if we try to base the
> atomicity of payments on whether or not the payee decides to broadcast
> the transaction the payor is stuck with txouts that they can't use until
> the payee makes up their mind. That leads to lots and lots of nasty edge
> cases.
I haven't talked much about it except for on IRC, but my idea was this:
* PaymentACK messages become signed (with the same key as the payment
request, or using some delegation mechanism, so that the same key
doesn't need to remain online).
* Instead of a full Bitcoin transaction, a Payment message contains a
scriptSig-less Bitcoin transaction + a limit on its byte size (and
perhaps a limit on its sigop count).
* The sender sends such a Payment to the receiver before actually
signing the transaction (or at least, before revealing the signed
form).
* The receiver only ACKs if the transaction satisfies the request, is
within time limits, isn't unlikely to confirm.
* If the sender likes the ACK (the refund and memo fields are intact,
the transaction isn't changed, the signature key is valid, ...), he
either sends the full transaction (with receiver taking responsibility
for broadcasting) or broadcasts it himself.
Together, this means that a paymentACK + a confirmed matching Bitcoin
transaction can count as proof of payment. Both parties have a chance
to disagree with the transaction, and are certain all communicated
data (apart from transaction signatures) in both directions happened
correctly before committing. It would completely remove the chance
that the Bitcoin transaction gets broadcast without the receiver
liking it (for legitimate or illegitimate reasons), or without the
backchannel functioning correctly.
It's also compatible with doing multiple payments in one Bitcoin
transaction - you can ask for ACKs from multiple parties before
signing the transaction.
Of course, the sender can still withhold the signed transaction (in
which case nothing happened, but we probably need a second timeout),
or the receiver can always claim to have never received the
transaction. The sender can broadcast the transaction himself in order
to prevent that, after obtaining an ACK.
--
Pieter
Pieter Wuille [ARCHIVE] /
npub1tjโฆjtl6r
2023-06-07 15:21:11
in reply to nevent1qโฆpzre
Author Public Key
npub1tjephawh7fdf6358jufuh5eyxwauzrjqa7qn50pglee4tayc2ntqcjtl6rPublished at
2023-06-07 15:21:11Event JSON
{
"id": "95aa51bdba9493822f6567cc64443814cbbe5f64c5932b764059beda894b5b3b",
"pubkey": "5cb21bf5d7f25a9d46879713cbd32433bbc10e40ef813a3c28fe7355f49854d6",
"created_at": 1686151271,
"kind": 1,
"tags": [
[
"e",
"8514559181783b25e020bd1cec2b637ea86474de420a1085a131f4b38759b722",
"",
"root"
],
[
"e",
"60b964e751b57d29343ede9613369ee369d7a3f11af0b5f9fcf3548c78708a9c",
"",
"reply"
],
[
"p",
"daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa"
]
],
"content": "๐
Original date posted:2014-05-09\n๐ Original message:On Fri, May 9, 2014 at 8:13 PM, Peter Todd \u003cpete at petertodd.org\u003e wrote:\n\u003e I don't think we're going to find that's practical unfortunately due to\n\u003e change. Every payment I make ties up txouts, so if we try to base the\n\u003e atomicity of payments on whether or not the payee decides to broadcast\n\u003e the transaction the payor is stuck with txouts that they can't use until\n\u003e the payee makes up their mind. That leads to lots and lots of nasty edge\n\u003e cases.\n\nI haven't talked much about it except for on IRC, but my idea was this:\n* PaymentACK messages become signed (with the same key as the payment\nrequest, or using some delegation mechanism, so that the same key\ndoesn't need to remain online).\n* Instead of a full Bitcoin transaction, a Payment message contains a\nscriptSig-less Bitcoin transaction + a limit on its byte size (and\nperhaps a limit on its sigop count).\n* The sender sends such a Payment to the receiver before actually\nsigning the transaction (or at least, before revealing the signed\nform).\n* The receiver only ACKs if the transaction satisfies the request, is\nwithin time limits, isn't unlikely to confirm.\n* If the sender likes the ACK (the refund and memo fields are intact,\nthe transaction isn't changed, the signature key is valid, ...), he\neither sends the full transaction (with receiver taking responsibility\nfor broadcasting) or broadcasts it himself.\n\nTogether, this means that a paymentACK + a confirmed matching Bitcoin\ntransaction can count as proof of payment. Both parties have a chance\nto disagree with the transaction, and are certain all communicated\ndata (apart from transaction signatures) in both directions happened\ncorrectly before committing. It would completely remove the chance\nthat the Bitcoin transaction gets broadcast without the receiver\nliking it (for legitimate or illegitimate reasons), or without the\nbackchannel functioning correctly.\n\nIt's also compatible with doing multiple payments in one Bitcoin\ntransaction - you can ask for ACKs from multiple parties before\nsigning the transaction.\n\nOf course, the sender can still withhold the signed transaction (in\nwhich case nothing happened, but we probably need a second timeout),\nor the receiver can always claim to have never received the\ntransaction. The sender can broadcast the transaction himself in order\nto prevent that, after obtaining an ACK.\n\n-- \nPieter",
"sig": "9e105412c60e710eaa63135413a6ef0de21ff363a5d4ee80e4ff2735591ce6d9afefe6a6d6c0a103d06a3ad59018796e6a95bc60e9970e3f42ea0d96bb4a98ff"
}