📅 Original date posted:2015-10-04
📝 Original message:On Sat, Oct 03, 2015 at 04:30:56PM +0200, Peter Todd via bitcoin-dev wrote:
> So we need to make the case for two main things:
> 1) We have applications that need a relative (instead of absolute CLTV)
> 2) Additionally to RCLTV, we need to implement this via nSequence
> However I don't think we've done a good job showing why we need to
> implement this feature via nSequence. BIP68 describes the new nSequence
> semantics, and gives the rational for them as being a
> "Consensus-enforced tx replacement" mechanism, with a bidirectional
> payment channel as an example of this in action. However, the
> bidirectional payment channel concept itself can be easily implemented
> with CLTV alone.
Do you mean "with RCLTV alone" here?
RCLTV/OP_CSV is used in lightning commitment transactions to enforce a
delay between publishing the commitment transaction, and spending the
output -- that delay is needed so that the counterparty has time to
prove the commitment was revoked and claim the outputs as a penalty.
Using absolute CLTV instead would mean that once the effective delay a
commitment transaction has decreases over time -- initially it will be
longer than desirable, causing unwanted delays in claiming funds when no
cheating is going on; but over time it will become too short, which
means there is not enough time to prove cheating (and the channel has to
be closed prematurely). You can trade those things off and pick
something that works, but it's always going to be bad.
> There is a small drawback in that the initial
> transaction could be delayed, reducing the overall time the channel
> exists, but the protocol already assumes that transactions can be
> reliably confirmed within a day - significantly less than the proposed
> 30 days duration of the channel.
Compared to using a CLTV with 30 days duration, With RCLTV a channel
could be available for years (ie 20x longer), but in the case of problems
funds could be reclaimed within hours or days (ie 30x faster).
But that's all about RCLTV vs CLTV, not about RCLTV vs nSequence/OP_CSV.
ie, it needs BIP 112 (OP_CSV) but not necessarily BIP 68 (nSequence
relative locktime), if they could be disentangled.
You could do all that with "<n> OP_CHECK_HEIGHT_DELTA_VERIFY"
that ignores nSequence, and directly compares the height of the current
block versus the input tx's block (or the diff of their timestamps?)
though, I think?
I think the disadvantage is that (a) you have to look into the input
transaction's block height when processing the script; and (b) you don't
have an easy lookup to check whether the transaction can be included in
the next block.
You could maybe avoid (b) by using locktime though. Have "<n>
OP_CHECK_RELATIVE_LOCKTIME_VERIFY" compare the transactions locktime
against the input's block height or time; if the locktime is 0 or too low,
the transaction is invalid. (So if nLockTime is in blockheight, you can
only spend inputs with blockheight based OP_CRLTV tests; and if it's in
blocktime, you can only spend inputs with blocktime based OP_CRLTV. "n"
does need to encode whether it's time/block height though).
That way, when you see a txn:
- run the script. if you see <n> RCLTV, then
+ if the tx's locktime isn't set, it's invalid; drop it
+ if the input txn is unconfirmed, it's invalid; try again later
+ workout "locktime - n" if that's >= the input tx's block
height/time, it's good; keep it in mempool, forward it, etc
- if you're mining, include the tx when locktime hits, just like you
would any other valid tx with a locktime
I think the use cases for BIP68 (nSequence) are of the form:
1) published input; here's a signed tx that spends it to you, usable
after a delay. might as well just use absolute locktime here, though.
2) here's an unpublished input, you can build your own transaction to
spend it, just not immediately after it's published. BIP112 is
required, and OP_RCLTV as defined above works fine, just include it
in the published input's script.
3) here's an unpublished input, and a signed transaction spending it,
that you can use to spend it after a delay. BIP68 is enough; but
OP_RCLTV in the second transaction works here. however without
normalised tx ids, the input could be malleated before publication,
so maybe this use case isn't actually important anyway.
So I think OP_CRLTV alone works fine for them too...
(Does that make sense, or am I missing something obvious?)
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-07 17:42:25
in reply to nevent1q…njf4
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-07 17:42:25Event JSON
{
"id": "137590085033f49921cd76a4a215a6d3b15b9b64b53476f952097274dcd1870a",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686159745,
"kind": 1,
"tags": [
[
"e",
"cd753793d8b3cbb49eaba9a2f4a53184f03e5acc23bc580b4ff40cab73993d1e",
"",
"root"
],
[
"e",
"4655652b0bc32aafea2d1d3679f63b39100daf5067f3e674a1ab40c2ff500fac",
"",
"reply"
],
[
"p",
"b61e2e7ccbf4abd7f49715c62f4ac7a93cbdd5ead0316279c5f5fe9b18dd0aaa"
]
],
"content": "📅 Original date posted:2015-10-04\n📝 Original message:On Sat, Oct 03, 2015 at 04:30:56PM +0200, Peter Todd via bitcoin-dev wrote:\n\u003e So we need to make the case for two main things:\n\u003e 1) We have applications that need a relative (instead of absolute CLTV)\n\u003e 2) Additionally to RCLTV, we need to implement this via nSequence\n\n\u003e However I don't think we've done a good job showing why we need to\n\u003e implement this feature via nSequence. BIP68 describes the new nSequence\n\u003e semantics, and gives the rational for them as being a\n\u003e \"Consensus-enforced tx replacement\" mechanism, with a bidirectional\n\u003e payment channel as an example of this in action. However, the\n\u003e bidirectional payment channel concept itself can be easily implemented\n\u003e with CLTV alone.\n\nDo you mean \"with RCLTV alone\" here?\n\nRCLTV/OP_CSV is used in lightning commitment transactions to enforce a\ndelay between publishing the commitment transaction, and spending the\noutput -- that delay is needed so that the counterparty has time to\nprove the commitment was revoked and claim the outputs as a penalty.\n\nUsing absolute CLTV instead would mean that once the effective delay a\ncommitment transaction has decreases over time -- initially it will be\nlonger than desirable, causing unwanted delays in claiming funds when no\ncheating is going on; but over time it will become too short, which\nmeans there is not enough time to prove cheating (and the channel has to\nbe closed prematurely). You can trade those things off and pick\nsomething that works, but it's always going to be bad.\n\n\u003e There is a small drawback in that the initial\n\u003e transaction could be delayed, reducing the overall time the channel\n\u003e exists, but the protocol already assumes that transactions can be\n\u003e reliably confirmed within a day - significantly less than the proposed\n\u003e 30 days duration of the channel.\n\nCompared to using a CLTV with 30 days duration, With RCLTV a channel\ncould be available for years (ie 20x longer), but in the case of problems\nfunds could be reclaimed within hours or days (ie 30x faster).\n\nBut that's all about RCLTV vs CLTV, not about RCLTV vs nSequence/OP_CSV.\nie, it needs BIP 112 (OP_CSV) but not necessarily BIP 68 (nSequence\nrelative locktime), if they could be disentangled.\n\nYou could do all that with \"\u003cn\u003e OP_CHECK_HEIGHT_DELTA_VERIFY\"\nthat ignores nSequence, and directly compares the height of the current\nblock versus the input tx's block (or the diff of their timestamps?)\nthough, I think?\n\nI think the disadvantage is that (a) you have to look into the input\ntransaction's block height when processing the script; and (b) you don't\nhave an easy lookup to check whether the transaction can be included in\nthe next block.\n\nYou could maybe avoid (b) by using locktime though. Have \"\u003cn\u003e\nOP_CHECK_RELATIVE_LOCKTIME_VERIFY\" compare the transactions locktime\nagainst the input's block height or time; if the locktime is 0 or too low,\nthe transaction is invalid. (So if nLockTime is in blockheight, you can\nonly spend inputs with blockheight based OP_CRLTV tests; and if it's in\nblocktime, you can only spend inputs with blocktime based OP_CRLTV. \"n\"\ndoes need to encode whether it's time/block height though).\n\nThat way, when you see a txn:\n\n - run the script. if you see \u003cn\u003e RCLTV, then\n + if the tx's locktime isn't set, it's invalid; drop it\n + if the input txn is unconfirmed, it's invalid; try again later\n + workout \"locktime - n\" if that's \u003e= the input tx's block\n height/time, it's good; keep it in mempool, forward it, etc\n\n - if you're mining, include the tx when locktime hits, just like you\n would any other valid tx with a locktime\n\nI think the use cases for BIP68 (nSequence) are of the form:\n\n 1) published input; here's a signed tx that spends it to you, usable\n after a delay. might as well just use absolute locktime here, though.\n\n 2) here's an unpublished input, you can build your own transaction to\n spend it, just not immediately after it's published. BIP112 is\n required, and OP_RCLTV as defined above works fine, just include it\n in the published input's script.\n\n 3) here's an unpublished input, and a signed transaction spending it,\n that you can use to spend it after a delay. BIP68 is enough; but\n OP_RCLTV in the second transaction works here. however without\n normalised tx ids, the input could be malleated before publication,\n so maybe this use case isn't actually important anyway.\n\nSo I think OP_CRLTV alone works fine for them too...\n\n(Does that make sense, or am I missing something obvious?)\n\nCheers,\naj",
"sig": "a07091a52abed3af3dcc1b8545996216a9803355d989139dd7ab532d9d6c757fd1133f865d89f9f57524efb916d8b76ba6af400883519e5a14c6657bfdc43720"
}