π
Original date posted:2018-03-01
π Original message:On Wed, Feb 28, 2018 at 10:30 PM, Anthony Towns <aj at erisian.com.au> wrote:
> On Wed, Feb 28, 2018 at 04:34:18AM +0000, γ’γ«γ γ«γΌγ«γ¨γγ³ via bitcoin-dev wrote:
>> 1. Graftroot probably breaks this (someone could just sign the
>> time-locked output with a script that has no time-lock).
>
> Making the graftroot key be a 2-of-2 muSig with an independent third party
> that commits to only signing CLTV scripts could avoid this. Making it
> 3-of-3 or 5-of-5 could be even better if you can find multiple independent
> services that will do it.
That kind of defeats the purpose. If you go through the trouble of
doing that, you can just do multisig and skip the freezing part
entirely. A robber would have to get you and the cosigner to sign in
both cases, and the CLTV could be overridden with graftroot.
On Wed, Feb 28, 2018 at 11:36 PM, Adam Back <adam.back at gmail.com> wrote:
> Coincidentally I had thought of something similar to what Kalle posted
> about a kind of software only time-lock vault, and described the idea
> to a few people off-list. Re. Root incompatibility, if the key is
> deleted (as it must be) then a delegated signature can not be made
> that bypasses the CSV timeout restriction, so Root should not be
> incompatible with this. I think it would be disadvantageous to mark
> keys as Rootable vs not in a sighash sense, because then that is
> another privacy/fungibility loss eroding the uniformity advantage of
> Root when the delegate is not used.
1. Create TX1=(tx, sig) from UTXO A to p2sh B which has a CSV
timelock. Discard privkey A.
2. After broadcasting TX1, you need privkey B to spend it.
3. Use graftroot and privkey B with a script without timelock to spend B.
The robber can simply force you to execute step 3, since you have the
privkey to B.
> One drawback is deleting keys may itself be a bit difficult to assure
> with HD wallet seeds setup-time backup model.
That's a good point. Even more of a reason to include as part of
'freezing' a send to a new ephemeral key as 'initialization'. Sucks to
pay triple fees though (freeze ephemeral + unfreeze + actual use).
> As Anthony described I think, a simpler though less robust model would
> be to have a third party refuse to co-sign until a pre-arranged time,
> and this would have the advantage of not requiring two on-chain
> transactions.
I was hoping there was a way for a person to simply lock-up the major
portion of their coins easily.
As a sidenote: a security firm (e.g. one that comes to your house when
the alarm goes off) could have a service where seeing an unfreeze
transaction which you have told them about without you giving a heads
up beforehand is equal to alarm going off.
-Kalle.
γ’γ«γ γγ«γΌγ«γ¨γγ³ [ARCHIVE] /
npub146β¦ma9dy
2023-06-07 18:11:02
in reply to nevent1qβ¦vst3
Author Public Key
npub1464lx5trtuw08ukz0ss6ds0afctuydeawsz2hw0yjhas64wklmmskma9dyPublished at
2023-06-07 18:11:02Event JSON
{
"id": "b615938bfc07e73893da7b4ce37e2e54b3860f71e7e095d65042d808d153683b",
"pubkey": "aeabf351635f1cf3f2c27c21a6c1fd4e17c2373d7404abb9e495fb0d55d6fef7",
"created_at": 1686161462,
"kind": 1,
"tags": [
[
"e",
"544353a0733dbb643c90ba6f804f5fca7c7d0d1de238954af7f8413f3d9f8d1c",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "π
Original date posted:2018-03-01\nπ Original message:On Wed, Feb 28, 2018 at 10:30 PM, Anthony Towns \u003caj at erisian.com.au\u003e wrote:\n\u003e On Wed, Feb 28, 2018 at 04:34:18AM +0000, γ’γ«γ γ«γΌγ«γ¨γγ³ via bitcoin-dev wrote:\n\u003e\u003e 1. Graftroot probably breaks this (someone could just sign the\n\u003e\u003e time-locked output with a script that has no time-lock).\n\u003e\n\u003e Making the graftroot key be a 2-of-2 muSig with an independent third party\n\u003e that commits to only signing CLTV scripts could avoid this. Making it\n\u003e 3-of-3 or 5-of-5 could be even better if you can find multiple independent\n\u003e services that will do it.\n\nThat kind of defeats the purpose. If you go through the trouble of\ndoing that, you can just do multisig and skip the freezing part\nentirely. A robber would have to get you and the cosigner to sign in\nboth cases, and the CLTV could be overridden with graftroot.\n\nOn Wed, Feb 28, 2018 at 11:36 PM, Adam Back \u003cadam.back at gmail.com\u003e wrote:\n\u003e Coincidentally I had thought of something similar to what Kalle posted\n\u003e about a kind of software only time-lock vault, and described the idea\n\u003e to a few people off-list. Re. Root incompatibility, if the key is\n\u003e deleted (as it must be) then a delegated signature can not be made\n\u003e that bypasses the CSV timeout restriction, so Root should not be\n\u003e incompatible with this. I think it would be disadvantageous to mark\n\u003e keys as Rootable vs not in a sighash sense, because then that is\n\u003e another privacy/fungibility loss eroding the uniformity advantage of\n\u003e Root when the delegate is not used.\n\n1. Create TX1=(tx, sig) from UTXO A to p2sh B which has a CSV\ntimelock. Discard privkey A.\n2. After broadcasting TX1, you need privkey B to spend it.\n3. Use graftroot and privkey B with a script without timelock to spend B.\n\nThe robber can simply force you to execute step 3, since you have the\nprivkey to B.\n\n\u003e One drawback is deleting keys may itself be a bit difficult to assure\n\u003e with HD wallet seeds setup-time backup model.\n\nThat's a good point. Even more of a reason to include as part of\n'freezing' a send to a new ephemeral key as 'initialization'. Sucks to\npay triple fees though (freeze ephemeral + unfreeze + actual use).\n\n\u003e As Anthony described I think, a simpler though less robust model would\n\u003e be to have a third party refuse to co-sign until a pre-arranged time,\n\u003e and this would have the advantage of not requiring two on-chain\n\u003e transactions.\n\nI was hoping there was a way for a person to simply lock-up the major\nportion of their coins easily.\n\nAs a sidenote: a security firm (e.g. one that comes to your house when\nthe alarm goes off) could have a service where seeing an unfreeze\ntransaction which you have told them about without you giving a heads\nup beforehand is equal to alarm going off.\n\n-Kalle.",
"sig": "c4276b5d571e9dba481fdc389d09e2b1299651264edab9fbd85ebd19aa6ecda63ad3ac3f26f434b3c312fdcb3654c211428323a8b96caa48be63da2d53482889"
}