š
Original date posted:2021-12-07
š Original message:
Good morning t-bast,
> I believe these new transactions may require an additional round-trip.
> Let's take a very simple example, where we have one pending PTLC in each
> direction: PTLC_AB was offered by A to B and PTLC_BA was offered by B to A.
>
> Now A makes some unrelated updates and wants to sign a new commitment.
> A cannot immediately send her `commitment_signed` to B.
> If she did, B would be able to broadcast this new commitment, and A would
> not be able to claim PTLC_BA from B's new commitment (even if she knew
> the payment secret) because she wouldn't have B's signature for the new
> PTLC-remote-success transaction.
>
> So we first need B to send a new message `remote_ptlcs_signed` to A that
> contains B's adaptor signatures for the PTLC-remote-success transactions
> that would spend B's future commitment. After that A can safely send her
> `commitment_signed`. Similarly, A must send `remote_ptlcs_signed` to B
> before B can send its `commitment_signed`.
>
> It's actually not that bad, we're only adding one message in each direction,
> and we're not adding more data (apart from nonces) to existing messages.
>
> If you have ideas on how to avoid this new message, I'd be glad to hear
> them, hopefully I missed something again and we can make it better!
`SIGHASH_NONE | SIGHASH_NOINPUT` (which will take another what, four years?) or a similar "covenant" opcode, such as `OP_CHECKTEMPLATEVERIFY` without any commitments or an `OP_CHECKSIGFROMSTACK` on an empty message.
All you really need is a signature for an empty message, really...
Alternately, fast-forwards, which avoid this because it does not change commitment transactions on the payment-forwarding path.
You only change commitment transactions once you have enough changes to justify collapsing them.
Even in the aj formulation, when A adds a PTLC it only changes the transaction that hosts **only** A->B PTLCs as well as the A main output, all of which can be sent outright by A without changing any B->A PTLCs.
Basically... instead of a commitment tx like this:
+-------+
funding outpoint -->| |--> A main
| |--> B main
| |--> A->B PTLC
| |--> B->A PTLC
+-------+
We could do this instead:
+-------+2of2 +-----+
funding outpoint -->| |----->| |--> A main
| | | |--> A->B PTLC
| | +-----+
| |2or2 +-----+
| |----->| |--> B main
| | | |--> B->A PTLC
+-------+ +-----+
Then whenever A wants to add a new A->B PTLC it only changes the tx inputs of the *other* A->B PTLCs without affecting the B->A PTLCs.
Payment forwarding is fast, and you only change the "big" commitment tx rarely to clean up claimed and failed PTLCs, moving the extra messages out of the forwarding hot path.
But this is basically highly similar to what aj designed anyway, so...
Regards,
ZmnSCPxj
ZmnSCPxj [ARCHIVE] /
npub1g5ā¦3ms3l
2023-06-09 13:04:37
in reply to nevent1qā¦e3qf
Author Public Key
npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3lPublished at
2023-06-09 13:04:37Event JSON
{
"id": "3c375eb047af072b6ed752de8ff8a6715bac2929ada88c084222c3400b9a2cf5",
"pubkey": "4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861",
"created_at": 1686315877,
"kind": 1,
"tags": [
[
"e",
"86d882af7142eecbdb4ce698181b82aaa475c9b46541e1e4831400616b496e77",
"",
"root"
],
[
"e",
"a9948f05e2349463625121b08bd070c11f841b9017bed16b7811a4479d8e9db1",
"",
"reply"
],
[
"p",
"f26569a10f83f6935797b8b53a87974fdcc1de6abd31e3b1a3a19bdaed8031cb"
]
],
"content": "š
Original date posted:2021-12-07\nš Original message:\nGood morning t-bast,\n\n\n\u003e I believe these new transactions may require an additional round-trip.\n\u003e Let's take a very simple example, where we have one pending PTLC in each\n\u003e direction: PTLC_AB was offered by A to B and PTLC_BA was offered by B to A.\n\u003e\n\u003e Now A makes some unrelated updates and wants to sign a new commitment.\n\u003e A cannot immediately send her `commitment_signed` to B.\n\u003e If she did, B would be able to broadcast this new commitment, and A would\n\u003e not be able to claim PTLC_BA from B's new commitment (even if she knew\n\u003e the payment secret) because she wouldn't have B's signature for the new\n\u003e PTLC-remote-success transaction.\n\u003e\n\u003e So we first need B to send a new message `remote_ptlcs_signed` to A that\n\u003e contains B's adaptor signatures for the PTLC-remote-success transactions\n\u003e that would spend B's future commitment. After that A can safely send her\n\u003e `commitment_signed`. Similarly, A must send `remote_ptlcs_signed` to B\n\u003e before B can send its `commitment_signed`.\n\u003e\n\u003e It's actually not that bad, we're only adding one message in each direction,\n\u003e and we're not adding more data (apart from nonces) to existing messages.\n\u003e\n\u003e If you have ideas on how to avoid this new message, I'd be glad to hear\n\u003e them, hopefully I missed something again and we can make it better!\n\n`SIGHASH_NONE | SIGHASH_NOINPUT` (which will take another what, four years?) or a similar \"covenant\" opcode, such as `OP_CHECKTEMPLATEVERIFY` without any commitments or an `OP_CHECKSIGFROMSTACK` on an empty message.\nAll you really need is a signature for an empty message, really...\n\nAlternately, fast-forwards, which avoid this because it does not change commitment transactions on the payment-forwarding path.\nYou only change commitment transactions once you have enough changes to justify collapsing them.\nEven in the aj formulation, when A adds a PTLC it only changes the transaction that hosts **only** A-\u003eB PTLCs as well as the A main output, all of which can be sent outright by A without changing any B-\u003eA PTLCs.\n\nBasically... instead of a commitment tx like this:\n\n +-------+\n funding outpoint --\u003e| |--\u003e A main\n | |--\u003e B main\n | |--\u003e A-\u003eB PTLC\n | |--\u003e B-\u003eA PTLC\n +-------+\n\nWe could do this instead:\n\n +-------+2of2 +-----+\n funding outpoint --\u003e| |-----\u003e| |--\u003e A main\n | | | |--\u003e A-\u003eB PTLC\n | | +-----+\n | |2or2 +-----+\n | |-----\u003e| |--\u003e B main\n | | | |--\u003e B-\u003eA PTLC\n +-------+ +-----+\n\nThen whenever A wants to add a new A-\u003eB PTLC it only changes the tx inputs of the *other* A-\u003eB PTLCs without affecting the B-\u003eA PTLCs.\nPayment forwarding is fast, and you only change the \"big\" commitment tx rarely to clean up claimed and failed PTLCs, moving the extra messages out of the forwarding hot path.\n\nBut this is basically highly similar to what aj designed anyway, so...\n\nRegards,\nZmnSCPxj",
"sig": "1a53db45b770c02ad12fd1088f6828618bd7add95e301dc56ccf9b5a668584157b43aad80da78b7015f025f64808c55512dcf82133059429d573bf394b60a572"
}