š
Original date posted:2021-06-01
š Original message:
Good morning LL,
> Hi Z,
>
> I just went through the presentation which made your thinking very clear. Thanks.
> I will not be able to match this effort so please bear with me as I try and explain my own thinking.
> I don't see why fast forwards (FF) need "symmetrically encumbered outputs"? To me the protocol should be asymmetric.
>
> This is what I think happens when offering a FF HTLC:
> 1. The offerer creates and signs a new commitment tx as normal with the HTLC except it has the same revocation key as the last one.
> 2. The offerer patches their balance output by sending a tx spending from it to a new tx which has the HTLC output and their balance output (unencumbered).
>
> The HTLC is now irrevocably committed from the perspective of the receiver.
> Now the receiver presents the pre-image and the offerer then:
>
> 1. The offerer creates and signs a new commitment tx as normal consolidating the funds into the receiver's balance output except once again it has the same revocation key as the last one.
> 2. The offerer patches their commitment tx balance output again by sending a tx spending from it to a new tx which splits into the receiver's balance (the value of the claimed HTLC) and the offerer's remaining balance.
>
> You can repeat the above process without having the receiver's revocation keys online or their commitment tx keys for many HTLCs while the offerer still has balance towards the receiver.
> The on-chain cost is about the same as before for an uncooperative close.
>
> Once the receiver brings their keys on line they can consolidate the FF state into a new commitment txs on both sides and with a proper revocation operate the channel normally. What has been the receiver up until now can finally send funds.
>
> Am I missing something?
Basically, you are taking advantage of the fact that we **actually** let the commitments on both sides be desynchronized with each other.
I tend to elide this fact when explaining, and also avoid it when planning protocols.
However I believe the idea is correct.
Anyway, as I understood it:
So suppose we start with this pair of commitment txes:
+--------------------------+
| Commitment tx 1 of A |
+------------+-------------+
| | (A[0] && B) |
| |||(A && CSV) |
| SigB +-------------+
| | B |
| | |
+------------+-------------+
+--------------------------+
| Commitment tx 1 of B |
+------------+-------------+
| SigA | A |
| | |
| +-------------+
| | (A && B[0]) |
| |||(B && CSV) |
+------------+-------------+
Now Alice wants to offer an HTLC to Bob.
What Alice does is:
* **Retain** the Alice commitment tx and create an HTLC tx spending from it.
* **Advance** the Bob commitment tx (and letting it desync from the Alice commitment tx), adding the same HTLC.
So after Alice sends its new signatures, our offchain txes are:
+--------------------------+ +--------------------------+
| Commitment tx 1 of A | | HTLC Tx |
+------------+-------------+ +------------+-------------+
| | (A[0] && B) |--->| SigA[0] | (A[0] && B) |
| |||(A && CSV) | | |||(A && CSV) |
| SigB +-------------+ | +-------------+
| | B | | | A->B |
| | | | | HTLC |
+------------+-------------+ +------------+-------------+
+--------------------------+
| Commitment tx *2* of B |
+------------+-------------+
| SigA | A |
| | |
| +-------------+
| | (A && B[1]) |
| |||(B && CSV) |
| +-------------+
| | A->B |
| | HTLC |
+------------+-------------+
Notes:
* Again, for Alice to offer the HTLC to Bob, only Alice has to make new signatures (`SigA[0]` and `SigA` for commitment tx *2* of Bob).
* If Alice goes offline and Bob decides to drop onchain, Bob only needs to sign the new commitment tx.
We can argue that dropping channels *should* be rare enough that requiring privkeys for this operation is not a burden.
* If Alice decides to drop the channel onchain, Bob only needs to bring in the privkey for the HTLC tx, which we can (at a lower, detailed level) be different from the "main" B privkey.
So yes, I think it seems workable without symmetric encumbrance.
Regards.
ZmnSCPxj
ZmnSCPxj [ARCHIVE] /
npub1g5ā¦3ms3l
2023-06-09 13:02:31
in reply to nevent1qā¦yq3h
Author Public Key
npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3lPublished at
2023-06-09 13:02:31Event JSON
{
"id": "e3eb5983bd18d914729f45614ed60543965e986be1205183a884eb39950b46ba",
"pubkey": "4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861",
"created_at": 1686315751,
"kind": 1,
"tags": [
[
"e",
"7ab4fa35e6b278d8bea1b5efdcbc58ea834d6522b2d39ad439fcb5fecb4d4b54",
"",
"root"
],
[
"e",
"e15265ce44ee54e4aceb5f1ae40b7cdcdd64bea867c2a40e4a080a8f3015ea09",
"",
"reply"
],
[
"p",
"b5ff7c704f90e4eebfa414c0a017a84544c32586a1bd2fc86c74c2914d03c25e"
]
],
"content": "š
Original date posted:2021-06-01\nš Original message:\nGood morning LL,\n\n\u003e Hi Z,\n\u003e\n\u003e I just went through the presentation which made your thinking very clear. Thanks.\n\u003e I will not be able to match this effort so please bear with me as I try and explain my own thinking.\n\u003e I don't see why fast forwards (FF) need \"symmetrically encumbered outputs\"? To me the protocol should be asymmetric.\n\u003e\n\u003e This is what I think happens when offering a FF HTLC:\n\u003e 1. The offerer creates and signs a new commitment tx as normal with the HTLC except it has the same revocation key as the last one.\n\u003e 2. The offerer patches their balance output by sending a tx spending from it to a new tx which has the HTLC output and their balance output (unencumbered).\n\u003e\n\u003e The HTLC is now irrevocably committed from the perspective of the receiver.\n\u003e Now the receiver presents the pre-image and the offerer then:\n\u003e\n\u003e 1. The offerer creates and signs a new commitment tx as normal consolidating the funds into the receiver's balance output except once again it has the same revocation key as the last one.\n\u003e 2. The offerer patches their commitment tx balance output again by sending a tx spending from it to a new tx which splits into the receiver's balance (the value of the claimed HTLC) and the offerer's remaining balance.\n\u003e\n\u003e You can repeat the above process without having the receiver's revocation keys online or their commitment tx keys for many HTLCs while the offerer still has balance towards the receiver.\n\u003e The on-chain cost is about the same as before for an uncooperative close.\n\u003e\n\u003e Once the receiver brings their keys on line they can consolidate the FF state into a new commitment txs on both sides and with a proper revocation operate the channel normally. What has been the receiver up until now can finally send funds.\n\u003e\n\u003e Am I missing something?\n\nBasically, you are taking advantage of the fact that we **actually** let the commitments on both sides be desynchronized with each other.\nI tend to elide this fact when explaining, and also avoid it when planning protocols.\n\nHowever I believe the idea is correct.\n\nAnyway, as I understood it:\n\nSo suppose we start with this pair of commitment txes:\n\n +--------------------------+\n | Commitment tx 1 of A |\n +------------+-------------+\n | | (A[0] \u0026\u0026 B) |\n | |||(A \u0026\u0026 CSV) |\n | SigB +-------------+\n | | B |\n | | |\n +------------+-------------+\n\n +--------------------------+\n | Commitment tx 1 of B |\n +------------+-------------+\n | SigA | A |\n | | |\n | +-------------+\n | | (A \u0026\u0026 B[0]) |\n | |||(B \u0026\u0026 CSV) |\n +------------+-------------+\n\nNow Alice wants to offer an HTLC to Bob.\nWhat Alice does is:\n\n* **Retain** the Alice commitment tx and create an HTLC tx spending from it.\n* **Advance** the Bob commitment tx (and letting it desync from the Alice commitment tx), adding the same HTLC.\n\nSo after Alice sends its new signatures, our offchain txes are:\n\n +--------------------------+ +--------------------------+\n | Commitment tx 1 of A | | HTLC Tx |\n +------------+-------------+ +------------+-------------+\n | | (A[0] \u0026\u0026 B) |---\u003e| SigA[0] | (A[0] \u0026\u0026 B) |\n | |||(A \u0026\u0026 CSV) | | |||(A \u0026\u0026 CSV) |\n | SigB +-------------+ | +-------------+\n | | B | | | A-\u003eB |\n | | | | | HTLC |\n +------------+-------------+ +------------+-------------+\n\n +--------------------------+\n | Commitment tx *2* of B |\n +------------+-------------+\n | SigA | A |\n | | |\n | +-------------+\n | | (A \u0026\u0026 B[1]) |\n | |||(B \u0026\u0026 CSV) |\n | +-------------+\n | | A-\u003eB |\n | | HTLC |\n +------------+-------------+\n\nNotes:\n\n* Again, for Alice to offer the HTLC to Bob, only Alice has to make new signatures (`SigA[0]` and `SigA` for commitment tx *2* of Bob).\n* If Alice goes offline and Bob decides to drop onchain, Bob only needs to sign the new commitment tx.\n We can argue that dropping channels *should* be rare enough that requiring privkeys for this operation is not a burden.\n* If Alice decides to drop the channel onchain, Bob only needs to bring in the privkey for the HTLC tx, which we can (at a lower, detailed level) be different from the \"main\" B privkey.\n\nSo yes, I think it seems workable without symmetric encumbrance.\n\nRegards.\nZmnSCPxj",
"sig": "bca9865a037fbf0081a40fd95b6c3535bc88165d03a46f133ee3b938a12f14349d818ef0e6f3077e6337da002c27fbf77907b99972bf40930c978fa5e0c00d17"
}