📅 Original date posted:2019-09-19
📝 Original message:
ZmnSCPxj <ZmnSCPxj at protonmail.com> writes:
>> Not necessarily. If we have an escape hatch in the scripts that allows
>> to spend any output attached to the settlement transaction by n-1
>> participants we could reclaim these into a new open right away.
>
> This would have to be very very carefully designed.
> The entire point of requiring an n-of-n signature is:
>
> * By using an n-of-n signatory where *you* are a signer, you are completely immune to Sybil attacks: even if everybody other than *you* in the signatory set is secretly just one entity, this is no different from doing a 2-of-2 bog-standard boring sleepy Zzzzzz Poon-Dryja Lightning Network channel.
> * Any m-of-n signatory where strictly m < n allows anybody with the ability to run m nodes to outright steal money from you.
> * As processing power is cheap nowadays, there is no m that can be considered safe.
> Your alternative is to fall back on proof-of-work, but that just means going onchain, so you might as well just do things onchain.
> * This is why 2-of-2 channels work so well, it's the minimum useable construction and any multiparty construction, when Sybilled, devolves to a 2-of-2 channel.
>
> So the n-1 participants would have to be very very very carefully limited in what they can do.
> And if the only "right" the n-1 participants can do is to force the nth participant to claim its funds onchain, then that is implementable with a transaction doing just that, which is pre-signed by the nth participant and given to participants 1..n-1.
Just to be clear, I do *not* want to support uncooperative splice-outs.
This is due to their need to either pre-sign a splice-out of the party
like I explained further down, or it requires encumbering whatever we
build on top in order to do a fast-reopen.
But I do think there is value in exploring what the options are :-)
>> Notice that we are negotiating whether or not to apply generic
>> transactions to a shared state. This also means that there is no direct
>> relationship between the ownership of an output and the ID signing off
>> on a change.
>>
>> The privacy guarantees are identical to Bitcoin on-chain, with the one
>> caveat that we may identify the proposing participant, but we can defend
>> against this by mixing as you propose.
>
> Yes, but if we later combine this with allowing multiilateral kick-out
> of a member that is unresponsive (i.e. we splice out the outputs it
> has at least partial ownership of, and keep only those that are owned
> only by the remaining members), then each member would have to
> honestly claim which UTXOs it is interested in keeping after it is
> kicked out of the membership set, defeating this point entirely. I
> believe this is roughly what you propose in the next point, and
> roughly what you would want with the "n-1 participants" earlier.
That is indeed the issue I explained further down:
> It also adds the complexity of having to identify which participant is
> the co-owner of an output, otherwise I can claim ownership of an
> unrelated output and force that to move on-chain by including it in my
> fallback and then becoming unresponsive (added rounds of communication
> can help here, but are cumbersome).
Claiming ownership would then involve providing a valid input script
(disregarding any timelocks) that could spend the output under some
condition. Others would have to verify this proof-of-ownership before
accepting the node's self-splice-out before accepting it.
>> It may be a bit much added complexity for a small complexity to be
>> honest, hopefully this won't be needed too often :-)
>
> Statement makes no sense, unless you meant to say "It may be a bit
> much complexity for a small benefit" or similar?
Indeed, that was a weird sentence :-) I did mean that it is a lot of
complexity for very little benefit :-)
Cheers,
Christian
Christian Decker [ARCHIVE] /
npub1wt…gtuyn
2023-06-09 12:56:06
in reply to nevent1q…wx3r
Author Public Key
npub1wtx5qvewc7pd6znlvwktq03mdld05mv3h5dkzfwd3dc30gdmsptsugtuynPublished at
2023-06-09 12:56:06Event JSON
{
"id": "e1966f7991c3b263b9a8e65fbd0be66da7dd7d00fe988597f9a09813ca7d888d",
"pubkey": "72cd40332ec782dd0a7f63acb03e3b6fdafa6d91bd1b6125cd8b7117a1bb8057",
"created_at": 1686315366,
"kind": 1,
"tags": [
[
"e",
"f4018e39cf7279e2758c296b03a48a9e4f76cc5d421f2c22436c76e2f6962268",
"",
"root"
],
[
"e",
"b9dcd73b8532b4caf6f9191fd8dfa79e69363a158de269ea6ed5fcdb9d92f3ef",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2019-09-19\n📝 Original message:\nZmnSCPxj \u003cZmnSCPxj at protonmail.com\u003e writes:\n\u003e\u003e Not necessarily. If we have an escape hatch in the scripts that allows\n\u003e\u003e to spend any output attached to the settlement transaction by n-1\n\u003e\u003e participants we could reclaim these into a new open right away.\n\u003e\n\u003e This would have to be very very carefully designed.\n\u003e The entire point of requiring an n-of-n signature is:\n\u003e\n\u003e * By using an n-of-n signatory where *you* are a signer, you are completely immune to Sybil attacks: even if everybody other than *you* in the signatory set is secretly just one entity, this is no different from doing a 2-of-2 bog-standard boring sleepy Zzzzzz Poon-Dryja Lightning Network channel.\n\u003e * Any m-of-n signatory where strictly m \u003c n allows anybody with the ability to run m nodes to outright steal money from you.\n\u003e * As processing power is cheap nowadays, there is no m that can be considered safe.\n\u003e Your alternative is to fall back on proof-of-work, but that just means going onchain, so you might as well just do things onchain.\n\u003e * This is why 2-of-2 channels work so well, it's the minimum useable construction and any multiparty construction, when Sybilled, devolves to a 2-of-2 channel.\n\u003e\n\u003e So the n-1 participants would have to be very very very carefully limited in what they can do.\n\u003e And if the only \"right\" the n-1 participants can do is to force the nth participant to claim its funds onchain, then that is implementable with a transaction doing just that, which is pre-signed by the nth participant and given to participants 1..n-1.\n\nJust to be clear, I do *not* want to support uncooperative splice-outs.\nThis is due to their need to either pre-sign a splice-out of the party\nlike I explained further down, or it requires encumbering whatever we\nbuild on top in order to do a fast-reopen.\n\nBut I do think there is value in exploring what the options are :-)\n\n\u003e\u003e Notice that we are negotiating whether or not to apply generic\n\u003e\u003e transactions to a shared state. This also means that there is no direct\n\u003e\u003e relationship between the ownership of an output and the ID signing off\n\u003e\u003e on a change.\n\u003e\u003e\n\u003e\u003e The privacy guarantees are identical to Bitcoin on-chain, with the one\n\u003e\u003e caveat that we may identify the proposing participant, but we can defend\n\u003e\u003e against this by mixing as you propose.\n\u003e\n\u003e Yes, but if we later combine this with allowing multiilateral kick-out\n\u003e of a member that is unresponsive (i.e. we splice out the outputs it\n\u003e has at least partial ownership of, and keep only those that are owned\n\u003e only by the remaining members), then each member would have to\n\u003e honestly claim which UTXOs it is interested in keeping after it is\n\u003e kicked out of the membership set, defeating this point entirely. I\n\u003e believe this is roughly what you propose in the next point, and\n\u003e roughly what you would want with the \"n-1 participants\" earlier.\n\nThat is indeed the issue I explained further down:\n\n\u003e It also adds the complexity of having to identify which participant is\n\u003e the co-owner of an output, otherwise I can claim ownership of an\n\u003e unrelated output and force that to move on-chain by including it in my\n\u003e fallback and then becoming unresponsive (added rounds of communication\n\u003e can help here, but are cumbersome).\n\nClaiming ownership would then involve providing a valid input script\n(disregarding any timelocks) that could spend the output under some\ncondition. Others would have to verify this proof-of-ownership before\naccepting the node's self-splice-out before accepting it.\n\n\u003e\u003e It may be a bit much added complexity for a small complexity to be\n\u003e\u003e honest, hopefully this won't be needed too often :-)\n\u003e\n\u003e Statement makes no sense, unless you meant to say \"It may be a bit\n\u003e much complexity for a small benefit\" or similar?\n\nIndeed, that was a weird sentence :-) I did mean that it is a lot of\ncomplexity for very little benefit :-)\n\nCheers,\nChristian",
"sig": "8dfe13b510421381cb500ecb8d6e7f38057889dfbe24ef2eb2debc50a81de9dbffad77570f25a577ede9c587d42da5333db33c2cccc1c2dbddef4022172da2d5"
}