📅 Original date posted:2023-09-26
🗒️ Summary of this message: OP_EVICT requires participant cooperation for a single participant to withdraw funds, which may not be safe. TLUV or MERKLESUB offer more flexibility. No sound covenant proposal combines TLUV and EVICT-like semantics. The best direction to solve interactivity issues is still uncertain.
📝 Original message:
Hi Zeeman,
See my comments at the time of OP_EVICT original publication.
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019939.html
"I think in the context of (off-chain) payment pool, OP_EVICT requires
participant cooperation *after* the state update to allow a single
participant to withdraw her funds.
I believe this is unsafe if we retain as an off-chain construction security
requirement that a participant should have the unilateral means to enforce
the latest agreed upon state at any time during the construction lifetime".
I think this level of covenant flexibility is still wished for CoinPool as
a fundamental property, and this is offered by TLUV or MERKLESUB.
On the other hand, I think OP_EVICT introduces this idea of *subgroup
novation* (i.e `K-of-N`) of a PT2R scriptpubkey.
To the best of my understanding, I think there is not yet any sound
covenant proposal aiming to combine TLUV and EVICT-like semantics in a
consistent set of Script primitives to enable "cut-through" updates, while
still retaining the key property of unilateral withdraw of promised
balances in any-order.
I might go to work on crafting one, though for now I'm still interested to
understand better if on-chain "cut-through" is the best direction to solve
the fundamental high interactivity issue of channel factory and payment
pool over punishment-based ideas.
Best,
Antoine
Le mar. 26 sept. 2023 à 07:51, ZmnSCPxj <ZmnSCPxj at protonmail.com> a écrit :
> Good morning Antoine,
>
> Does `OP_EVICT` not fit?
>
>
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019926.html
>
> Regards,
> ZmnSCPxj
>
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Monday, September 25th, 2023 at 6:18 PM, Antoine Riard via bitcoin-dev <
> bitcoin-dev at lists.linuxfoundation.org> wrote:
>
>
> > Payment pools and channel factories are afflicted by severe
> interactivity constraints worsening with the number of users owning an
> off-chain balance in the construction. The security of user funds is
> paramount on the ability to withdraw unilaterally from the off-chain
> construction. As such any update applied to the off-chain balances requires
> a signature contribution from the unanimity of the construction users to
> ensure this ability is conserved along updates.
> > As soon as one user starts to be offline or irresponsive, the updates of
> the off-chain balances must have to be halted and payments progress are
> limited among subsets of 2 users sharing a channel. Different people have
> proposed solutions to this issue: introducing a coordinator, partitioning
> or layering balances in off-chain users subsets. I think all those
> solutions have circled around a novel issue introduced, namely equivocation
> of off-chain balances at the harm of construction counterparties [0].
> >
> > As ZmnSCPxj pointed out recently, one way to mitigate this equivocation
> consists in punishing the cheating pre-nominated coordinator on an external
> fidelity bond. One can even imagine more trust-mimized and decentralized
> fraud proofs to implement this mitigation, removing the need of a
> coordinator [1].
> >
> > However, I believe punishment equivocation to be game-theory sound
> should compensate a defrauded counterparty of the integrity of its lost
> off-chain balance. As one cheating counterparty can equivocate in the
> worst-case against all the other counterparties in the construction, one
> fidelity bond should be equal to ( C - 1 ) * B satoshi amount, where C is
> the number of construction counterparty and B the initial off-chain balance
> of the cheating counterparty.
> >
> > Moreover, I guess it is impossible to know ahead of a partition or
> transition who will be the "honest" counterparties from the "dishonest"
> ones, therefore this ( C - 1 ) * B-sized fidelity bond must be maintained
> by every counterparty in the pool or factory. On this ground, I think this
> mitigation and other corrective ones are not economically practical for
> large-scale pools among a set of anonymous users.
> >
> > I think the best solution to solve the interactivity issue which is
> realistic to design is one ruling out off-chain group equivocation in a
> prophylactic fashion. The pool or factory funding utxo should be edited in
> an efficient way to register new off-chain subgroups, as lack of
> interactivity from a subset of counterparties demands it.
> >
> > With CoinPool, there is already this idea of including a user pubkey and
> balance amount to each leaf composing the Taproot tree while preserving the
> key-path spend in case of unanimity in the user group. Taproot leaves can
> be effectively regarded as off-chain user accounts available to realize
> privacy-preserving payments and contracts.
> >
> > I think one (new ?) idea can be to introduce taproot leaves
> "cut-through" spends where multiple leaves are updated with a single
> witness, interactively composed by the owners of the spent leaves. This
> spend sends back the leaves amount to a new single leaf, aggregating the
> amounts and user pubkeys. The user leaves not participating in this
> "cut-through" are inherited with full integrity in the new version of the
> Taproot tree, at the gain of no interactivity from their side.
> >
> > Let's say you have a CoinPool funded and initially set with Alice, Bob,
> Caroll, Dave and Eve. Each pool participant has a leaf L.x committing to an
> amount A.x and user pubkey P.x, where x is the user name owning a leaf.
> >
> > Bob and Eve are deemed to be offline by the Alice, Caroll and Dave
> subset (the ACD group).
> >
> > The ACD group composes a cut-through spend of L.a + L.c + L.d. This
> spends generates a new leaf L.(acd) leaf committing to amount A.(acd) and
> P.(acd).
> >
> > Amount A.(acd) = A.a + A.c + A.d and pubkey P.(acd) = P.a + P.c + P.d.
> >
> > Bob's leaf L.b and Eve's leaf L.e are left unmodified.
> >
> > The ACD group generates a new Taproot tree T' = L.(acd) + L.b + L.e,
> where the key-path K spend including the original unanimity of pool
> counterparties is left unmodified.
> >
> > The ACD group can confirm a transaction spending the pool funding utxo
> to a new single output committing to the scriptpubkey K + T'.
> >
> > From then, the ACD group can pursue off-chain balance updates among the
> subgroup thanks to the new P.(acd) and relying on the known Eltoo
> mechanism. There is no possibility for any member of the ACD group to
> equivocate with Bob or Eve in a non-observable fashion.
> >
> > Once Bob and Eve are online and ready to negotiate an on-chain pool
> "refresh" transaction, the conserved key-path spend can be used to
> re-equilibrate the Taproot tree, prune out old subgroups unlikely to be
> used and provision future subgroups, all with a compact spend based on
> signature aggregation.
> >
> > Few new Taproot tree update script primitives have been proposed, e.g
> [2]. Though I think none with the level of flexibility offered to generate
> leaves cut-through spends, or even batch of "cut-through" where M subgroups
> are willing to spend N leaves to compose P new subgroups fan-out in Q new
> outputs, with showing a single on-chain witness. I believe such a
> hypothetical primitive can also reduce the chain space consumed in the
> occurrence of naive mass pool withdraws at the same time.
> >
> > I think this solution to the high-interactivity issue of payment pools
> and factories shifts the burden on each individual user to pre-commit fast
> Taproot tree traversals, allowing them to compose new pool subgroups as
> fluctuations in pool users' level of liveliness demand it. Pool efficiency
> becomes the sum of the quality of user prediction on its counterparties'
> liveliness during the construction lifetime. Recursive taproot tree spends
> or more efficient accumulator than merkle tree sounds ideas to lower the
> on-chain witness space consumed by every pool in the average
> non-interactive case.
> >
> > Cheers,
> > Antoine
> >
> > [0]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020370.html
> > [1]
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2023-August/004043.html
> > [2]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-September/019420.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20230926/8231a2e7/attachment.html>;
Antoine Riard [ARCHIVE] /
npub1vj…4x8dd
2023-10-03 21:44:19
in reply to nevent1q…ylq2
Author Public Key
npub1vjzmc45k8dgujppapp2ue20h3l9apnsntgv4c0ukncvv549q64gsz4x8ddPublished at
2023-10-03 21:44:19Event JSON
{
"id": "eb9e91375647b53ccb82367c6f8f08ee015cc94718cd1a5965fb1390c776ede0",
"pubkey": "6485bc56963b51c9043d0855cca9f78fcbd0ce135a195c3f969e18ca54a0d551",
"created_at": 1696369459,
"kind": 1,
"tags": [
[
"e",
"7251faf1bb1463283fa165e7cec19d39c6305a17173f589d4dfcce59e5848ee0",
"",
"root"
],
[
"e",
"7df261f1158b8a8b3acab4ca112e984cb3c89fae3e8002e7e080e144a8704a3f",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2023-09-26\n🗒️ Summary of this message: OP_EVICT requires participant cooperation for a single participant to withdraw funds, which may not be safe. TLUV or MERKLESUB offer more flexibility. No sound covenant proposal combines TLUV and EVICT-like semantics. The best direction to solve interactivity issues is still uncertain.\n📝 Original message:\nHi Zeeman,\n\nSee my comments at the time of OP_EVICT original publication.\n\nhttps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019939.html\n\n\"I think in the context of (off-chain) payment pool, OP_EVICT requires\nparticipant cooperation *after* the state update to allow a single\nparticipant to withdraw her funds.\n\nI believe this is unsafe if we retain as an off-chain construction security\nrequirement that a participant should have the unilateral means to enforce\nthe latest agreed upon state at any time during the construction lifetime\".\n\nI think this level of covenant flexibility is still wished for CoinPool as\na fundamental property, and this is offered by TLUV or MERKLESUB.\nOn the other hand, I think OP_EVICT introduces this idea of *subgroup\nnovation* (i.e `K-of-N`) of a PT2R scriptpubkey.\n\nTo the best of my understanding, I think there is not yet any sound\ncovenant proposal aiming to combine TLUV and EVICT-like semantics in a\nconsistent set of Script primitives to enable \"cut-through\" updates, while\nstill retaining the key property of unilateral withdraw of promised\nbalances in any-order.\n\nI might go to work on crafting one, though for now I'm still interested to\nunderstand better if on-chain \"cut-through\" is the best direction to solve\nthe fundamental high interactivity issue of channel factory and payment\npool over punishment-based ideas.\n\nBest,\nAntoine\n\nLe mar. 26 sept. 2023 à 07:51, ZmnSCPxj \u003cZmnSCPxj at protonmail.com\u003e a écrit :\n\n\u003e Good morning Antoine,\n\u003e\n\u003e Does `OP_EVICT` not fit?\n\u003e\n\u003e\n\u003e https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019926.html\n\u003e\n\u003e Regards,\n\u003e ZmnSCPxj\n\u003e\n\u003e\n\u003e Sent with Proton Mail secure email.\n\u003e\n\u003e ------- Original Message -------\n\u003e On Monday, September 25th, 2023 at 6:18 PM, Antoine Riard via bitcoin-dev \u003c\n\u003e bitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e\n\u003e\n\u003e \u003e Payment pools and channel factories are afflicted by severe\n\u003e interactivity constraints worsening with the number of users owning an\n\u003e off-chain balance in the construction. The security of user funds is\n\u003e paramount on the ability to withdraw unilaterally from the off-chain\n\u003e construction. As such any update applied to the off-chain balances requires\n\u003e a signature contribution from the unanimity of the construction users to\n\u003e ensure this ability is conserved along updates.\n\u003e \u003e As soon as one user starts to be offline or irresponsive, the updates of\n\u003e the off-chain balances must have to be halted and payments progress are\n\u003e limited among subsets of 2 users sharing a channel. Different people have\n\u003e proposed solutions to this issue: introducing a coordinator, partitioning\n\u003e or layering balances in off-chain users subsets. I think all those\n\u003e solutions have circled around a novel issue introduced, namely equivocation\n\u003e of off-chain balances at the harm of construction counterparties [0].\n\u003e \u003e\n\u003e \u003e As ZmnSCPxj pointed out recently, one way to mitigate this equivocation\n\u003e consists in punishing the cheating pre-nominated coordinator on an external\n\u003e fidelity bond. One can even imagine more trust-mimized and decentralized\n\u003e fraud proofs to implement this mitigation, removing the need of a\n\u003e coordinator [1].\n\u003e \u003e\n\u003e \u003e However, I believe punishment equivocation to be game-theory sound\n\u003e should compensate a defrauded counterparty of the integrity of its lost\n\u003e off-chain balance. As one cheating counterparty can equivocate in the\n\u003e worst-case against all the other counterparties in the construction, one\n\u003e fidelity bond should be equal to ( C - 1 ) * B satoshi amount, where C is\n\u003e the number of construction counterparty and B the initial off-chain balance\n\u003e of the cheating counterparty.\n\u003e \u003e\n\u003e \u003e Moreover, I guess it is impossible to know ahead of a partition or\n\u003e transition who will be the \"honest\" counterparties from the \"dishonest\"\n\u003e ones, therefore this ( C - 1 ) * B-sized fidelity bond must be maintained\n\u003e by every counterparty in the pool or factory. On this ground, I think this\n\u003e mitigation and other corrective ones are not economically practical for\n\u003e large-scale pools among a set of anonymous users.\n\u003e \u003e\n\u003e \u003e I think the best solution to solve the interactivity issue which is\n\u003e realistic to design is one ruling out off-chain group equivocation in a\n\u003e prophylactic fashion. The pool or factory funding utxo should be edited in\n\u003e an efficient way to register new off-chain subgroups, as lack of\n\u003e interactivity from a subset of counterparties demands it.\n\u003e \u003e\n\u003e \u003e With CoinPool, there is already this idea of including a user pubkey and\n\u003e balance amount to each leaf composing the Taproot tree while preserving the\n\u003e key-path spend in case of unanimity in the user group. Taproot leaves can\n\u003e be effectively regarded as off-chain user accounts available to realize\n\u003e privacy-preserving payments and contracts.\n\u003e \u003e\n\u003e \u003e I think one (new ?) idea can be to introduce taproot leaves\n\u003e \"cut-through\" spends where multiple leaves are updated with a single\n\u003e witness, interactively composed by the owners of the spent leaves. This\n\u003e spend sends back the leaves amount to a new single leaf, aggregating the\n\u003e amounts and user pubkeys. The user leaves not participating in this\n\u003e \"cut-through\" are inherited with full integrity in the new version of the\n\u003e Taproot tree, at the gain of no interactivity from their side.\n\u003e \u003e\n\u003e \u003e Let's say you have a CoinPool funded and initially set with Alice, Bob,\n\u003e Caroll, Dave and Eve. Each pool participant has a leaf L.x committing to an\n\u003e amount A.x and user pubkey P.x, where x is the user name owning a leaf.\n\u003e \u003e\n\u003e \u003e Bob and Eve are deemed to be offline by the Alice, Caroll and Dave\n\u003e subset (the ACD group).\n\u003e \u003e\n\u003e \u003e The ACD group composes a cut-through spend of L.a + L.c + L.d. This\n\u003e spends generates a new leaf L.(acd) leaf committing to amount A.(acd) and\n\u003e P.(acd).\n\u003e \u003e\n\u003e \u003e Amount A.(acd) = A.a + A.c + A.d and pubkey P.(acd) = P.a + P.c + P.d.\n\u003e \u003e\n\u003e \u003e Bob's leaf L.b and Eve's leaf L.e are left unmodified.\n\u003e \u003e\n\u003e \u003e The ACD group generates a new Taproot tree T' = L.(acd) + L.b + L.e,\n\u003e where the key-path K spend including the original unanimity of pool\n\u003e counterparties is left unmodified.\n\u003e \u003e\n\u003e \u003e The ACD group can confirm a transaction spending the pool funding utxo\n\u003e to a new single output committing to the scriptpubkey K + T'.\n\u003e \u003e\n\u003e \u003e From then, the ACD group can pursue off-chain balance updates among the\n\u003e subgroup thanks to the new P.(acd) and relying on the known Eltoo\n\u003e mechanism. There is no possibility for any member of the ACD group to\n\u003e equivocate with Bob or Eve in a non-observable fashion.\n\u003e \u003e\n\u003e \u003e Once Bob and Eve are online and ready to negotiate an on-chain pool\n\u003e \"refresh\" transaction, the conserved key-path spend can be used to\n\u003e re-equilibrate the Taproot tree, prune out old subgroups unlikely to be\n\u003e used and provision future subgroups, all with a compact spend based on\n\u003e signature aggregation.\n\u003e \u003e\n\u003e \u003e Few new Taproot tree update script primitives have been proposed, e.g\n\u003e [2]. Though I think none with the level of flexibility offered to generate\n\u003e leaves cut-through spends, or even batch of \"cut-through\" where M subgroups\n\u003e are willing to spend N leaves to compose P new subgroups fan-out in Q new\n\u003e outputs, with showing a single on-chain witness. I believe such a\n\u003e hypothetical primitive can also reduce the chain space consumed in the\n\u003e occurrence of naive mass pool withdraws at the same time.\n\u003e \u003e\n\u003e \u003e I think this solution to the high-interactivity issue of payment pools\n\u003e and factories shifts the burden on each individual user to pre-commit fast\n\u003e Taproot tree traversals, allowing them to compose new pool subgroups as\n\u003e fluctuations in pool users' level of liveliness demand it. Pool efficiency\n\u003e becomes the sum of the quality of user prediction on its counterparties'\n\u003e liveliness during the construction lifetime. Recursive taproot tree spends\n\u003e or more efficient accumulator than merkle tree sounds ideas to lower the\n\u003e on-chain witness space consumed by every pool in the average\n\u003e non-interactive case.\n\u003e \u003e\n\u003e \u003e Cheers,\n\u003e \u003e Antoine\n\u003e \u003e\n\u003e \u003e [0]\n\u003e https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020370.html\n\u003e \u003e [1]\n\u003e https://lists.linuxfoundation.org/pipermail/lightning-dev/2023-August/004043.html\n\u003e \u003e [2]\n\u003e https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-September/019420.html\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20230926/8231a2e7/attachment.html\u003e",
"sig": "ad89e193162d3424d13d89f4286ca437fa1c92002568f29edea08cd0e082b0f7b9e99742cc909f0d75d3123e6b3aa280e097a1158aa910370717f19f22f4e314"
}