š
Original date posted:2019-09-19
š Original message:Isn't there some way to "rebase" a relative lock-time to some anchor even
further in the past while cancelling out the intermediate transactions?
best regards,
Martin
On Thu, Sep 19, 2019 at 9:52 AM ZmnSCPxj via bitcoin-dev <
bitcoin-dev at lists.linuxfoundation.org> wrote:
> Good morning list,
>
> I was reading transcript of recent talk:
> https://diyhpl.us/wiki/transcripts/scalingbitcoin/tel-aviv-2019/edgedevplusplus/blockchain-design-patterns/
>
> And in section "Taproot: main idea":
>
> > Q: Can you do timelocks iwth adaptor signatures?
> >
> > ...
> >
> > A: This is one way it's being proposed by mimblewimble; but this
> requires the ability to aggregate signatures across transactions.
> >
> > Q: No, there's two transactions already existing. Before locktime, you
> can spend wit hthe adaptor signature one like atomic swaps. After locktime,
> the other one becomes valid and you can spend with that. They just double
> spend each other.
> >
> > A: You'd have to diagram that out for me. There's a few ways to do this,
> some that I know, but yours isn't one of them.
>
> I believe what is being referred to here is to simply have an `nLockTime`
> transaction that is signed by all participants first, and serves as the
> "timelock" path.
> Then, another transaction is created, for which adaptor signatures are
> given, before completing the ritual to create a "hashlock" path.
>
> I find it surprising that this is not well-known.
> I describe it here tangentially, for instance:
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-April/016888.html
> The section "Payjoin2swap Swap Protocol" refers to "pre-swap transaction"
> and "pre-swap backout transaction", which are `nLockTime`d transactions.
> Later transactions then use a Scriptless Script-like construction to
> transfer information about a secret scalar x.
>
> My understanding of MimbleWimble is that:
>
> * There must exist a proof-of-knowledge of the sum of blinding factors
> used.
> This can be trivially had by using a signature of this sum, signing an
> empty message or "kernel".
> * I believe I have seen at least one proposal (I cannot find it again now)
> where the "kernel" is replaced with an `nLockTime`-equivalent.
> Basically, the `nLockTime` would have to be explicitly published, and it
> would be rejected for a block if the `nLockTime` was less than the block
> height.
> * There may or may not exist some kind of proof where the message being
> signed is an integer that is known to be no greater than a particular
> value, and multiple signatures that signed a lower value can somehow be
> aggregated to a higher value, which serves this purpose as well, but is
> compressible.
>
> My understanding is thus that the above `nLockTime` technique is what is
> indeed intended for MimbleWimble cross-system atomic swaps.
>
> --------
>
> However, I believe that Lightning and similar offchain protocols are **not
> possible** on MimbleWimble, at least if we want to retain its "magical
> shrinking blockchain" property.
>
> All practical channel constructions with indefinite lifetime require the
> use of *relative* locktime.
> Of note is that `nLockTime` represents an *absolute* lifetime.
>
> The only practical channel constructions I know of that do not require
> *relative* locktime (mostly various variants of Spilman channels) have a
> fixed lifetime, i.e. the channel will have to be closed before the lifetime
> arrives.
> This is impractical for a scaling network.
>
> It seems to me that some kind of "timeout" is always necessary, similar to
> the timeout used in SPV-proof sidechains, in order to allow an existing
> claimed-latest-state to be proven as not-actually-latest.
>
> * In Poon-Dryja, knowledge of the revocation key by the other side proves
> the published claimed-latest-state is not-actually-latest and awards the
> entire amount to the other party.
> * This key can only be presented during the timeout, a security
> parameter.
> * In Decker-Wattenhofer decrementing-`nSequence` channels, a kickoff
> starts this timeout, and only the smallest-timeout state gets onchain, due
> to it having a time advantage over all other versions.
> * In indefinite-lifetime Spilman channels (also described in the
> Decker-Wattenhofer paper), the absolute-timelock initial backoff
> transaction is replaced with a kickoff + relative-locktime transaction.
> * In Decker-Russell-Osuntokun, each update transaction has an imposed
> `nSequence` that forces a state transaction to be delayed compared to the
> update transaction it is paired with.
>
> It seems that all practical offchain updateable cryptocurrency systems,
> some kind of "timeout" is needed during which participants have an
> opportunity to claim an alternative version of some previous claim of
> correct state.
>
> This timeout could be implemented as either relative or absolute lock
> time, but obviously an absolute locktime would create a limit on the
> lifetime of the channel.
> Thus, if we were to target an indefinite-lifetime channel, we must use
> relative lock times, with the timeout starting only when the unilateral
> close is initiated by one participant.
>
> Now, let us turn back to the MimbleWimble.
> As it happens, we do *not* actually need SCRIPT to implement these
> offchain updateable cryptocurrency systems.
> 2-of-2 is often enough (and with Schnorr and other homomorphic signatures,
> this is possible without explicit script, only pubkeys and signatures,
> which MimbleWimble supports).
>
> * Poon-Dryja revocation can be rewritten as an HTLC-like construct (indeed
> this was the original formulation).
> * Since we have shown that, by use of two transaction alternatives, one
> timelocked and the other hashlocked, we can implement an HTLC-like
> construct on MimbleWimble, that is enough.
> * Relative locktimes in Decker-Wattenhofer are imposed by simple
> `nSequence`, not by `OP_CSV`.
> HTLCs hosted inside such constructions can again use the
> two-transactions construct in MimbleWimble.
> * Ditto with indefinite-lifetime Spilman.
> * Ditto with Decker-Russell-Osuntokun.
> * The paper shows the use of `OP_CSV`, but aj notes it is redundant, and
> I agree:
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-March/001933.html
>
> Thus, it is not the "nonexistence of SCRIPT" that prevents Lightning from
> being deployed on MimbleWimble.
>
> Instead, it is the "nonexistence of **relative** locktime" that prevents
> Lightning over MimbleWimble.
>
> Why would **relative** locktimes not possibly exist?
> In order to **validate** a relative locktime, we need to know the
> blockheight that the output we are spending was confirmed in.
>
> But the entire point of the "magical shrinking blockchain" is that
> already-spent outputs can be removed completely and all that needs to be
> validated by a new node is:
>
> * The coin-creation events.
> * The current UTXO set (plus attached rangeproofs).
> * The blinding keys.
> * Signatures of the blinding keys, and the kernels they sign (if we use
> the "kernels encode `nLockTime`" technique in some way, they should not
> exceed the current supposed blockheight).
>
> The problem is that an output that exists in the UTXO set might be
> invalid, if it appears "too near" to an `nSequence` minimum spend of a
> previous output that was spent in its creation.
> That is, the above does not allow validation of **relative** locktimes,
> only **absolute locktimes**.
> (At least as far as I understand: there may be special cryptographic
> constructs that allow signatures to reliably commit to some relative
> locktime).
>
> This means that relative locktimes need to be implemented by showing the
> transactions that spend previous UTXOS and create the current UTXOs, and so
> no backwards to coin-creation events.
> This forces us back to the old "validate all transactions" model of
> starting a new node (and seriously damaging the entire point of using
> MimbleWimble anyway).
>
> I do not believe it is the lack of SCRIPT that prevents
> Lightning-over-MimbleWimble, but rather the lack of relative locktime,
> which seems difficult to validate without knowing the individual
> transactions and when they were confirmed.
>
> Regards,
> ZmnSCPxj
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190919/28cb2694/attachment.html>;
Martin Schwarz [ARCHIVE] /
npub1c6ā¦fz7ln
2023-06-07 18:20:37
in reply to nevent1qā¦a5u4
Author Public Key
npub1c6ytpr5fshkjp2hptfqrvfxy6qkkcgre9fv9va8qyq7h4fs03ehs4fz7lnPublished at
2023-06-07 18:20:37Event JSON
{
"id": "c233edfed1420e9f649e454fbcdd9775ae2662aa96759239861b04664229e92f",
"pubkey": "c688b08e8985ed20aae15a403624c4d02d6c20792a585674e0203d7aa60f8e6f",
"created_at": 1686162037,
"kind": 1,
"tags": [
[
"e",
"4f9c510f9265bd7b4c5c3c171129396198003ea0e277b6917a7f91aba0bc5bfb",
"",
"root"
],
[
"e",
"8a22c5a87ae2f7bd90fe0e7d8671aa1347a4c135c7baade1aba20d5d1f3c08af",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "š
Original date posted:2019-09-19\nš Original message:Isn't there some way to \"rebase\" a relative lock-time to some anchor even\nfurther in the past while cancelling out the intermediate transactions?\n\nbest regards,\nMartin\n\nOn Thu, Sep 19, 2019 at 9:52 AM ZmnSCPxj via bitcoin-dev \u003c\nbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\n\u003e Good morning list,\n\u003e\n\u003e I was reading transcript of recent talk:\n\u003e https://diyhpl.us/wiki/transcripts/scalingbitcoin/tel-aviv-2019/edgedevplusplus/blockchain-design-patterns/\n\u003e\n\u003e And in section \"Taproot: main idea\":\n\u003e\n\u003e \u003e Q: Can you do timelocks iwth adaptor signatures?\n\u003e \u003e\n\u003e \u003e ...\n\u003e \u003e\n\u003e \u003e A: This is one way it's being proposed by mimblewimble; but this\n\u003e requires the ability to aggregate signatures across transactions.\n\u003e \u003e\n\u003e \u003e Q: No, there's two transactions already existing. Before locktime, you\n\u003e can spend wit hthe adaptor signature one like atomic swaps. After locktime,\n\u003e the other one becomes valid and you can spend with that. They just double\n\u003e spend each other.\n\u003e \u003e\n\u003e \u003e A: You'd have to diagram that out for me. There's a few ways to do this,\n\u003e some that I know, but yours isn't one of them.\n\u003e\n\u003e I believe what is being referred to here is to simply have an `nLockTime`\n\u003e transaction that is signed by all participants first, and serves as the\n\u003e \"timelock\" path.\n\u003e Then, another transaction is created, for which adaptor signatures are\n\u003e given, before completing the ritual to create a \"hashlock\" path.\n\u003e\n\u003e I find it surprising that this is not well-known.\n\u003e I describe it here tangentially, for instance:\n\u003e https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-April/016888.html\n\u003e The section \"Payjoin2swap Swap Protocol\" refers to \"pre-swap transaction\"\n\u003e and \"pre-swap backout transaction\", which are `nLockTime`d transactions.\n\u003e Later transactions then use a Scriptless Script-like construction to\n\u003e transfer information about a secret scalar x.\n\u003e\n\u003e My understanding of MimbleWimble is that:\n\u003e\n\u003e * There must exist a proof-of-knowledge of the sum of blinding factors\n\u003e used.\n\u003e This can be trivially had by using a signature of this sum, signing an\n\u003e empty message or \"kernel\".\n\u003e * I believe I have seen at least one proposal (I cannot find it again now)\n\u003e where the \"kernel\" is replaced with an `nLockTime`-equivalent.\n\u003e Basically, the `nLockTime` would have to be explicitly published, and it\n\u003e would be rejected for a block if the `nLockTime` was less than the block\n\u003e height.\n\u003e * There may or may not exist some kind of proof where the message being\n\u003e signed is an integer that is known to be no greater than a particular\n\u003e value, and multiple signatures that signed a lower value can somehow be\n\u003e aggregated to a higher value, which serves this purpose as well, but is\n\u003e compressible.\n\u003e\n\u003e My understanding is thus that the above `nLockTime` technique is what is\n\u003e indeed intended for MimbleWimble cross-system atomic swaps.\n\u003e\n\u003e --------\n\u003e\n\u003e However, I believe that Lightning and similar offchain protocols are **not\n\u003e possible** on MimbleWimble, at least if we want to retain its \"magical\n\u003e shrinking blockchain\" property.\n\u003e\n\u003e All practical channel constructions with indefinite lifetime require the\n\u003e use of *relative* locktime.\n\u003e Of note is that `nLockTime` represents an *absolute* lifetime.\n\u003e\n\u003e The only practical channel constructions I know of that do not require\n\u003e *relative* locktime (mostly various variants of Spilman channels) have a\n\u003e fixed lifetime, i.e. the channel will have to be closed before the lifetime\n\u003e arrives.\n\u003e This is impractical for a scaling network.\n\u003e\n\u003e It seems to me that some kind of \"timeout\" is always necessary, similar to\n\u003e the timeout used in SPV-proof sidechains, in order to allow an existing\n\u003e claimed-latest-state to be proven as not-actually-latest.\n\u003e\n\u003e * In Poon-Dryja, knowledge of the revocation key by the other side proves\n\u003e the published claimed-latest-state is not-actually-latest and awards the\n\u003e entire amount to the other party.\n\u003e * This key can only be presented during the timeout, a security\n\u003e parameter.\n\u003e * In Decker-Wattenhofer decrementing-`nSequence` channels, a kickoff\n\u003e starts this timeout, and only the smallest-timeout state gets onchain, due\n\u003e to it having a time advantage over all other versions.\n\u003e * In indefinite-lifetime Spilman channels (also described in the\n\u003e Decker-Wattenhofer paper), the absolute-timelock initial backoff\n\u003e transaction is replaced with a kickoff + relative-locktime transaction.\n\u003e * In Decker-Russell-Osuntokun, each update transaction has an imposed\n\u003e `nSequence` that forces a state transaction to be delayed compared to the\n\u003e update transaction it is paired with.\n\u003e\n\u003e It seems that all practical offchain updateable cryptocurrency systems,\n\u003e some kind of \"timeout\" is needed during which participants have an\n\u003e opportunity to claim an alternative version of some previous claim of\n\u003e correct state.\n\u003e\n\u003e This timeout could be implemented as either relative or absolute lock\n\u003e time, but obviously an absolute locktime would create a limit on the\n\u003e lifetime of the channel.\n\u003e Thus, if we were to target an indefinite-lifetime channel, we must use\n\u003e relative lock times, with the timeout starting only when the unilateral\n\u003e close is initiated by one participant.\n\u003e\n\u003e Now, let us turn back to the MimbleWimble.\n\u003e As it happens, we do *not* actually need SCRIPT to implement these\n\u003e offchain updateable cryptocurrency systems.\n\u003e 2-of-2 is often enough (and with Schnorr and other homomorphic signatures,\n\u003e this is possible without explicit script, only pubkeys and signatures,\n\u003e which MimbleWimble supports).\n\u003e\n\u003e * Poon-Dryja revocation can be rewritten as an HTLC-like construct (indeed\n\u003e this was the original formulation).\n\u003e * Since we have shown that, by use of two transaction alternatives, one\n\u003e timelocked and the other hashlocked, we can implement an HTLC-like\n\u003e construct on MimbleWimble, that is enough.\n\u003e * Relative locktimes in Decker-Wattenhofer are imposed by simple\n\u003e `nSequence`, not by `OP_CSV`.\n\u003e HTLCs hosted inside such constructions can again use the\n\u003e two-transactions construct in MimbleWimble.\n\u003e * Ditto with indefinite-lifetime Spilman.\n\u003e * Ditto with Decker-Russell-Osuntokun.\n\u003e * The paper shows the use of `OP_CSV`, but aj notes it is redundant, and\n\u003e I agree:\n\u003e https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-March/001933.html\n\u003e\n\u003e Thus, it is not the \"nonexistence of SCRIPT\" that prevents Lightning from\n\u003e being deployed on MimbleWimble.\n\u003e\n\u003e Instead, it is the \"nonexistence of **relative** locktime\" that prevents\n\u003e Lightning over MimbleWimble.\n\u003e\n\u003e Why would **relative** locktimes not possibly exist?\n\u003e In order to **validate** a relative locktime, we need to know the\n\u003e blockheight that the output we are spending was confirmed in.\n\u003e\n\u003e But the entire point of the \"magical shrinking blockchain\" is that\n\u003e already-spent outputs can be removed completely and all that needs to be\n\u003e validated by a new node is:\n\u003e\n\u003e * The coin-creation events.\n\u003e * The current UTXO set (plus attached rangeproofs).\n\u003e * The blinding keys.\n\u003e * Signatures of the blinding keys, and the kernels they sign (if we use\n\u003e the \"kernels encode `nLockTime`\" technique in some way, they should not\n\u003e exceed the current supposed blockheight).\n\u003e\n\u003e The problem is that an output that exists in the UTXO set might be\n\u003e invalid, if it appears \"too near\" to an `nSequence` minimum spend of a\n\u003e previous output that was spent in its creation.\n\u003e That is, the above does not allow validation of **relative** locktimes,\n\u003e only **absolute locktimes**.\n\u003e (At least as far as I understand: there may be special cryptographic\n\u003e constructs that allow signatures to reliably commit to some relative\n\u003e locktime).\n\u003e\n\u003e This means that relative locktimes need to be implemented by showing the\n\u003e transactions that spend previous UTXOS and create the current UTXOs, and so\n\u003e no backwards to coin-creation events.\n\u003e This forces us back to the old \"validate all transactions\" model of\n\u003e starting a new node (and seriously damaging the entire point of using\n\u003e MimbleWimble anyway).\n\u003e\n\u003e I do not believe it is the lack of SCRIPT that prevents\n\u003e Lightning-over-MimbleWimble, but rather the lack of relative locktime,\n\u003e which seems difficult to validate without knowing the individual\n\u003e transactions and when they were confirmed.\n\u003e\n\u003e Regards,\n\u003e ZmnSCPxj\n\u003e\n\u003e _______________________________________________\n\u003e bitcoin-dev mailing list\n\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190919/28cb2694/attachment.html\u003e",
"sig": "9de3b52c6d2870c5f05b5bfc8d8b9174dda9d78c48edb2238a1cc637f7b3a64788f0ece74436a00e92ab83391db268ab811142c6e4f93e34d8ff5751c3bf965a"
}