📅 Original date posted:2022-03-21
📝 Original message:Hi ZmnSCPxj,
Thanks for the feedback. The DLC idea is interesting but you are centralizing the liveness requirements,
effectively creating a SPOF: in order to bypass the revocation clause no need to make sure to down each and
every watchtower anymore, just down the oracle and you are sure no revocation transaction can be pushed.
> Okay, let me see if I understand your concern correctly.
> When using a signature challenge, the concern is that you need to presign multiple versions of a transaction with varying feerates.
I was thinking of having a hot key (in this case probably shared amongst the monitors) where they would sign
the right fee level at broadcast time. Pre-signing makes it quickly too many signatures (and kills the purpose
of having covenants in the first place).
> And you have a set of network monitors / watchtowers that are supposed to watch the chain on your behalf in case your ISP suddenly hates you for no reason.
> The more monitors there are, the more likely that one of them will be corrupted by a miner and jump to the highest-feerate version, overpaying fees and making miners very happy.
> Such is third-party trust.
> Is my understanding correct?
Your understanding of the tradeoff is correct.
------- Original Message -------
Le jeudi 17 mars 2022 à 12:29 AM, ZmnSCPxj <ZmnSCPxj at protonmail.com> a écrit :
> Good morning Antoine,
>
> > For "hot contracts" a signature challenge is used to achieve the same. I know the latter is imperfect, since
> >
> > the lower the uptime risk (increase the number of network monitors) the higher the DOS risk (as you duplicate
> >
> > the key).. That's why i asked if anybody had some thoughts about this and if there was a cleverer way of doing
> >
> > it.
>
> Okay, let me see if I understand your concern correctly.
>
> When using a signature challenge, the concern is that you need to presign multiple versions of a transaction with varying feerates.
>
> And you have a set of network monitors / watchtowers that are supposed to watch the chain on your behalf in case your ISP suddenly hates you for no reason.
>
> The more monitors there are, the more likely that one of them will be corrupted by a miner and jump to the highest-feerate version, overpaying fees and making miners very happy.
>
> Such is third-party trust.
>
> Is my understanding correct?
>
> A cleverer way, which requires consolidating (but is unable to eliminate) third-party trust, would be to use a DLC oracle.
>
> The DLC oracle provides a set of points corresponding to a set of feerate ranges, and commits to publishing the scalar of one of those points at some particular future block height.
>
> Ostensibly, the scalar it publishes is the one of the point that corresponds to the feerate range found at that future block height.
>
> You then create adaptor signatures for each feerate version, corresponding to the feerate ranges the DLC oracle could eventually publish.
>
> The adaptor signatures can only be completed if the DLC oracle publishes the corresponding scalar for that feerate range.
>
> You can then send the adaptor signatures to multiple watchtowers, who can only publish one of the feerate versions, unless the DLC oracle is hacked and publishes multiple scalars (at which point the DLC oracle protocol reveals a privkey of the DLC oracle, which should be usable for slashing some bond of the DLC oracle).
>
> This prevents any of them from publishing the highest-feerate version, as the adaptor signature cannot be completed unless that is what the oracle published.
>
> There are still drawbacks:
>
> * Third-party trust risk: the oracle can still lie.
>
> * DLC oracles are prevented from publishing multiple scalars; they cannot be prevented from publishing a single wrong scalar.
>
> * DLCs must be time bound.
>
> * DLC oracles commit to publishing a particular point at a particular fixed time.
>
> * For "hot" dynamic protocols, you need the ability to invoke the oracle at any time, not a particular fixed time.
>
> The latter probably makes this unusable for hot protocols anyway, so maybe not so clever.
>
> Regards,
>
> ZmnSCPxj
darosior [ARCHIVE] /
npub1pj…x22xp
2023-06-07 23:06:28
in reply to nevent1q…qmps
Author Public Key
npub1pj9022f74rzq7d5x7gnxje6wpsgk4r5jgeck8y5awd423ydhan3q7x22xpPublished at
2023-06-07 23:06:28Event JSON
{
"id": "875ea9f3e5f1f636b0f30a77068ecaa1c9379307248362302fcadfe271ab5961",
"pubkey": "0c8af5293ea8c40f3686f22669674e0c116a8e92467163929d736aa891b7ece2",
"created_at": 1686179188,
"kind": 1,
"tags": [
[
"e",
"77d972ef3d460767b84fe6f2bdc5b27e047f778eb10ffda28474d9e07ff6acc9",
"",
"root"
],
[
"e",
"20067b0eac815be40a5efee427b0173e84f7ebc681a4bc1e5b172fb04cf9cf38",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2022-03-21\n📝 Original message:Hi ZmnSCPxj,\n\nThanks for the feedback. The DLC idea is interesting but you are centralizing the liveness requirements,\neffectively creating a SPOF: in order to bypass the revocation clause no need to make sure to down each and\nevery watchtower anymore, just down the oracle and you are sure no revocation transaction can be pushed.\n\n\n\u003e Okay, let me see if I understand your concern correctly.\n\u003e When using a signature challenge, the concern is that you need to presign multiple versions of a transaction with varying feerates.\n\nI was thinking of having a hot key (in this case probably shared amongst the monitors) where they would sign\nthe right fee level at broadcast time. Pre-signing makes it quickly too many signatures (and kills the purpose\nof having covenants in the first place).\n\n\u003e And you have a set of network monitors / watchtowers that are supposed to watch the chain on your behalf in case your ISP suddenly hates you for no reason.\n\u003e The more monitors there are, the more likely that one of them will be corrupted by a miner and jump to the highest-feerate version, overpaying fees and making miners very happy.\n\u003e Such is third-party trust.\n\u003e Is my understanding correct?\n\nYour understanding of the tradeoff is correct.\n\n------- Original Message -------\n\nLe jeudi 17 mars 2022 à 12:29 AM, ZmnSCPxj \u003cZmnSCPxj at protonmail.com\u003e a écrit :\n\n\u003e Good morning Antoine,\n\u003e\n\u003e \u003e For \"hot contracts\" a signature challenge is used to achieve the same. I know the latter is imperfect, since\n\u003e \u003e\n\u003e \u003e the lower the uptime risk (increase the number of network monitors) the higher the DOS risk (as you duplicate\n\u003e \u003e\n\u003e \u003e the key).. That's why i asked if anybody had some thoughts about this and if there was a cleverer way of doing\n\u003e \u003e\n\u003e \u003e it.\n\u003e\n\u003e Okay, let me see if I understand your concern correctly.\n\u003e\n\u003e When using a signature challenge, the concern is that you need to presign multiple versions of a transaction with varying feerates.\n\u003e\n\u003e And you have a set of network monitors / watchtowers that are supposed to watch the chain on your behalf in case your ISP suddenly hates you for no reason.\n\u003e\n\u003e The more monitors there are, the more likely that one of them will be corrupted by a miner and jump to the highest-feerate version, overpaying fees and making miners very happy.\n\u003e\n\u003e Such is third-party trust.\n\u003e\n\u003e Is my understanding correct?\n\u003e\n\u003e A cleverer way, which requires consolidating (but is unable to eliminate) third-party trust, would be to use a DLC oracle.\n\u003e\n\u003e The DLC oracle provides a set of points corresponding to a set of feerate ranges, and commits to publishing the scalar of one of those points at some particular future block height.\n\u003e\n\u003e Ostensibly, the scalar it publishes is the one of the point that corresponds to the feerate range found at that future block height.\n\u003e\n\u003e You then create adaptor signatures for each feerate version, corresponding to the feerate ranges the DLC oracle could eventually publish.\n\u003e\n\u003e The adaptor signatures can only be completed if the DLC oracle publishes the corresponding scalar for that feerate range.\n\u003e\n\u003e You can then send the adaptor signatures to multiple watchtowers, who can only publish one of the feerate versions, unless the DLC oracle is hacked and publishes multiple scalars (at which point the DLC oracle protocol reveals a privkey of the DLC oracle, which should be usable for slashing some bond of the DLC oracle).\n\u003e\n\u003e This prevents any of them from publishing the highest-feerate version, as the adaptor signature cannot be completed unless that is what the oracle published.\n\u003e\n\u003e There are still drawbacks:\n\u003e\n\u003e * Third-party trust risk: the oracle can still lie.\n\u003e\n\u003e * DLC oracles are prevented from publishing multiple scalars; they cannot be prevented from publishing a single wrong scalar.\n\u003e\n\u003e * DLCs must be time bound.\n\u003e\n\u003e * DLC oracles commit to publishing a particular point at a particular fixed time.\n\u003e\n\u003e * For \"hot\" dynamic protocols, you need the ability to invoke the oracle at any time, not a particular fixed time.\n\u003e\n\u003e The latter probably makes this unusable for hot protocols anyway, so maybe not so clever.\n\u003e\n\u003e Regards,\n\u003e\n\u003e ZmnSCPxj",
"sig": "6bae76fdd91cdb3ba963f125c36a52da922f7678c433550a20721117ece8a6736d93f2298474168be2c93fdd35fe42ed6168364c05c4cb2417209ad0ec2b80ae"
}