📅 Original date posted:2018-04-03
📝 Original message:On Tue, Apr 03, 2018 at 09:16:45AM +0930, Rusty Russell via bitcoin-dev wrote:
> Proposal: Two bits: SIGHASH_BUNDLESTART/SIGHASH_INBUNDLE
> --------
>
> A signature needs to indicate that signs only part of a transaction's
> inputs and outputs (a.k.a. a "bundle"). Bundles can be combined
> together into larger transactions, and non-bundled signature inputs /
> outputs appended.
> Two per-tx counters are kept: bundle_inputs_used and
> bundle_outputs_used, both starting at 0.
>
> SIGHASH_BUNDLESTART indicates two var_int sit between the sighash flags
> and the signature itself: the first is the number of inputs in this
> bundle starting at bundle_inputs_used, the second is the number of
> outputs starting at bundle_outputs_used. bundle_inputs_used and
> bundle_outputs_used have these values added, for next time.
>
> SIGHASH_INBUNDLE indicates that this signature applies to the current
> bundle. The txCopy is reduced to cover only the inputs and
> outputs in the current bundle, and the signature commits to the two
> var_ints from SIGHASH_BUNDLESTART along with the sighash flags.
So suppose you have two bundles you want to combine together, and they
didn't pay enough fees, so you have an extra input so you can bump up the
fees. Your tx looks like:
bundle 1:
input 1: 500 bits, signed by key A [pre]
input 2: 500 bits, signed by key B [pre]
input 3: 500 bits, signed by key C
output 1: 1450 bits
bundle 2:
input 3: 600 bits, signed by key D [pre]
output 2: 200 bits
output 3: 380 bits
extra:
input 4: 2000 bits, signed by key E
output 4: 864 bits
Keys A, B and D have pre-signed their respective bundle, but you have
control over keys C and E at the time you're constructing the transaction.
So the things you'd have to do when signing would be:
A,B,C decide on an order for the inputs and outputs (ideally just sort them)
Because A turns out to be first, A signs with BUNDLESTART[3,1] INBUNDLE
Because B is second, B just signs with INBUNDLE
D just signs with BUNDLESTART[3,1] INBUNDLE
And finally they get collected and C and E signs the entire transaction
with SIGHASH_ALL
All bundles have to appear together, before any extra inputs; though they
can be reordered arbitrarily prior to adding the SIGHASH_ALL sigs.
If you've got one bundle that overpays fees and another that underpays,
you can safely combine the two only if you can put a SIGHASH_ALL sig in
the one that overpays (otherwise miners could just make their own tx of
just the overpaying bundle).
This could replace SINGLE|ANYONECANPAY at a cost of an extra couple of
witness bytes.
I think BUNDLESTART is arguably redundant -- you could just infer
BUNDLESTART if you see an INBUNDLE flag when you're not already in
a bundle. Probably better to have the flag to make parsing easier,
so just have the rule be BUNDLESTART is set for precisely the first
INBUNDLE signature since the last bundle finished.
Should be straightforward to establish BIP-69-style ordering rules too:
within a bundle, order inputs lexically, then order outputs lexically;
order bundles lexically by the first input; order remaining inputs
lexically, then order remaining outputs lexically.
I think the only reason to do bundling like this (rather than just post
separate transactions) is to deal with fees? It doesn't seem like you gain
any privacy -- the inputs/outputs in each bundle are tightly related, and
you're only saving about 10 bytes due to sharing a transaction structure.
Anyway, seems like it makes sense.
> One of the issues we've struck with lightning is trying to guess future
> fees for commitment transactions: we can't rely on getting another
> signature from our counterparty to increase fees. Nor can we use
> parent-pays-for-child since the outputs we can spend are timelocked.
That doesn't quite work with the HTLC-Success/HTLC-Timeout transactions
though, does it? They spend outputs from the commitment transaction
and need to be pre-signed by your channel partner in order to ensure
the output address is correct -- but if the commitment transaction gets
bundled, its txid will change, so it can't be pre-signed.
FWIW, a dumb idea I had for this problem was to add a zero-value
anyone-can-spend output to commitment transactions, that can then be
used with CPFP to bump the fees. Not very nice for UTXO bloat if fee
bumping isn't needed though, and I presume it would fail to pass the
dust threshold...
I wonder if it would be plausible to have after-the-fact fee-bumping
via special sighash flags at the block level anyway though. Concretely:
say you have two transactions, X and Y, that don't pay enough in fees,
you then provide a third transaction whose witness is [txid-for-X,
txid-for-Y, signature committing to (txid-for-X, txid-for-Y)], and can
only be included in a block if X and Y are also in the same block. You
could make that fairly concise if you allowed miners to replace txid-for-X
with X's offset within the block (or the delta between X's txnum and the
third transaction's txnum), though coding that probably isn't terribly
straightforward.
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-07 18:11:29
in reply to nevent1q…vp5g
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-07 18:11:29Event JSON
{
"id": "9235696656e4e058457e5836715d4e5aff19a044fa9354685adc654b366fa313",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686161489,
"kind": 1,
"tags": [
[
"e",
"089f07c162e08f60d9b6514834d8dbd501c5586732b84c2e093e47c4bd89b6fc",
"",
"root"
],
[
"e",
"7cca81caac85bf5df2888988cdb63857eb9602d88ab0bdf025b52453de3493d1",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "📅 Original date posted:2018-04-03\n📝 Original message:On Tue, Apr 03, 2018 at 09:16:45AM +0930, Rusty Russell via bitcoin-dev wrote:\n\u003e Proposal: Two bits: SIGHASH_BUNDLESTART/SIGHASH_INBUNDLE\n\u003e --------\n\u003e \n\u003e A signature needs to indicate that signs only part of a transaction's\n\u003e inputs and outputs (a.k.a. a \"bundle\"). Bundles can be combined\n\u003e together into larger transactions, and non-bundled signature inputs /\n\u003e outputs appended.\n\n\u003e Two per-tx counters are kept: bundle_inputs_used and\n\u003e bundle_outputs_used, both starting at 0.\n\u003e \n\u003e SIGHASH_BUNDLESTART indicates two var_int sit between the sighash flags\n\u003e and the signature itself: the first is the number of inputs in this\n\u003e bundle starting at bundle_inputs_used, the second is the number of\n\u003e outputs starting at bundle_outputs_used. bundle_inputs_used and\n\u003e bundle_outputs_used have these values added, for next time.\n\u003e \n\u003e SIGHASH_INBUNDLE indicates that this signature applies to the current\n\u003e bundle. The txCopy is reduced to cover only the inputs and\n\u003e outputs in the current bundle, and the signature commits to the two\n\u003e var_ints from SIGHASH_BUNDLESTART along with the sighash flags.\n\nSo suppose you have two bundles you want to combine together, and they\ndidn't pay enough fees, so you have an extra input so you can bump up the\nfees. Your tx looks like:\n\nbundle 1:\n input 1: 500 bits, signed by key A [pre]\n input 2: 500 bits, signed by key B [pre]\n input 3: 500 bits, signed by key C\n output 1: 1450 bits\nbundle 2:\n input 3: 600 bits, signed by key D [pre]\n output 2: 200 bits\n output 3: 380 bits\nextra:\n input 4: 2000 bits, signed by key E\n output 4: 864 bits\n\nKeys A, B and D have pre-signed their respective bundle, but you have\ncontrol over keys C and E at the time you're constructing the transaction.\n\nSo the things you'd have to do when signing would be:\n\n A,B,C decide on an order for the inputs and outputs (ideally just sort them)\n Because A turns out to be first, A signs with BUNDLESTART[3,1] INBUNDLE\n Because B is second, B just signs with INBUNDLE\n\n D just signs with BUNDLESTART[3,1] INBUNDLE\n\n And finally they get collected and C and E signs the entire transaction\n with SIGHASH_ALL\n\nAll bundles have to appear together, before any extra inputs; though they\ncan be reordered arbitrarily prior to adding the SIGHASH_ALL sigs.\n\nIf you've got one bundle that overpays fees and another that underpays,\nyou can safely combine the two only if you can put a SIGHASH_ALL sig in\nthe one that overpays (otherwise miners could just make their own tx of\njust the overpaying bundle).\n\nThis could replace SINGLE|ANYONECANPAY at a cost of an extra couple of\nwitness bytes.\n\nI think BUNDLESTART is arguably redundant -- you could just infer\nBUNDLESTART if you see an INBUNDLE flag when you're not already in\na bundle. Probably better to have the flag to make parsing easier,\nso just have the rule be BUNDLESTART is set for precisely the first\nINBUNDLE signature since the last bundle finished.\n\nShould be straightforward to establish BIP-69-style ordering rules too:\nwithin a bundle, order inputs lexically, then order outputs lexically;\norder bundles lexically by the first input; order remaining inputs\nlexically, then order remaining outputs lexically.\n\nI think the only reason to do bundling like this (rather than just post\nseparate transactions) is to deal with fees? It doesn't seem like you gain\nany privacy -- the inputs/outputs in each bundle are tightly related, and\nyou're only saving about 10 bytes due to sharing a transaction structure.\n\nAnyway, seems like it makes sense. \n\n\u003e One of the issues we've struck with lightning is trying to guess future\n\u003e fees for commitment transactions: we can't rely on getting another\n\u003e signature from our counterparty to increase fees. Nor can we use\n\u003e parent-pays-for-child since the outputs we can spend are timelocked.\n\nThat doesn't quite work with the HTLC-Success/HTLC-Timeout transactions\nthough, does it? They spend outputs from the commitment transaction\nand need to be pre-signed by your channel partner in order to ensure\nthe output address is correct -- but if the commitment transaction gets\nbundled, its txid will change, so it can't be pre-signed.\n\nFWIW, a dumb idea I had for this problem was to add a zero-value\nanyone-can-spend output to commitment transactions, that can then be\nused with CPFP to bump the fees. Not very nice for UTXO bloat if fee\nbumping isn't needed though, and I presume it would fail to pass the\ndust threshold...\n\nI wonder if it would be plausible to have after-the-fact fee-bumping\nvia special sighash flags at the block level anyway though. Concretely:\nsay you have two transactions, X and Y, that don't pay enough in fees,\nyou then provide a third transaction whose witness is [txid-for-X,\ntxid-for-Y, signature committing to (txid-for-X, txid-for-Y)], and can\nonly be included in a block if X and Y are also in the same block. You\ncould make that fairly concise if you allowed miners to replace txid-for-X\nwith X's offset within the block (or the delta between X's txnum and the\nthird transaction's txnum), though coding that probably isn't terribly\nstraightforward.\n\nCheers,\naj",
"sig": "d822b2c65611f0c354f1631a53868a8b46fea752c5827392f8b79f6045dd35db6bd861f572da100089e6f0422f6a601fb39e25d844d394b25bcfb1114c10eed9"
}