📅 Original date posted:2021-10-12
📝 Original message:
On Mon, Oct 11, 2021 at 05:05:05PM +1100, Lloyd Fournier wrote:
> ### Scorched earth punishment
> Another thing that I'd like to mention is that using revocable signatures
> enables scorched earth punishments [2].
I kind-of think it'd be more interesting to simulate eltoo's behaviour.
If Alice's current state has balances (A, B) and P in in-flight
payments, and Bob posts an earlier state with (A', B') and P' (so A+B+P
= A'+B'+P'), then maybe Alice's justice transaction should pay:
A+P + max(0, B'-B)*0.1 to Alice
B-f - max(0, B'-B)*0.1 to Bob
(where "f" is the justice transaction fees)
Idea being that in an ideal world there wouldn't be a hole in your pocket
that lets all your coins fall out, but in the event that there is such
a hole, it's a *nicer* world if the people who find your coins give them
back to you out of the kindness of their heart.
> Note that we number each currently inflight transaction by "k",
> starting at 0. The same htlc/ptlc may have a different value for k
> between different inflight transactions.
> Can you expand on why "k" is needed in addition to "n" and "i". k sounds like
> the same thing as i to me.
"k" is used to distinguish the inflight payments (htlcs/ptlcs), not the
inflight state (which is "i").
> Also what does RP/2/k notation imply given the definition of RP you gave above?
I defined earlier that if P=musig(A,B) then P/x/y = musig(A/x/y,B/x/y);
so RP/2/k = musig(A/2/n/i/2/k,RB2(n,i)/2/k).
> * if the inflight transaction contains a ptlc output, [...]
> What about just doing a scriptless PTLC to avoid this (just CSV input of
> presigned tx)? The cost is pre-sharing more nonces per PTLC message.
Precisely that reason. Means you have to share "k+1" nonce pairs in
advance of every inflight tx update. Not a show stopper, just seemed
like a headache. (It's already a scriptless-script, this would let you
use a key path spend instead of a script path spend)
> This does not support option_static_remotekey, but compensates for that
> by allowing balances to be recovered with only the channel setup data
> even if all revocation data is lost.
> This is rather big drawback but is this really the case? Can't "in-flight"
> transactions send the balance of the remote party to their unencumbered static
> remote key?
They could, but there's no guarantee that there is an inflight
transaction, or that the other party will post it for you. In those case,
you have to be able to redeem your output from the balance tx directly,
and if you can do that, might as well have every possible address be
derived differently to minimise the amount of information any third
parties could glean.
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-09 13:04:08
in reply to nevent1q…rf9v
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-09 13:04:08Event JSON
{
"id": "408974f0dff5cb12372e2c60249fa79cbc5ff33fa0092cdad28489494f58e12d",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686315848,
"kind": 1,
"tags": [
[
"e",
"bfc4ed728b228b9341f3493f5bd7d935423e85bd9d039717f691001784a42238",
"",
"root"
],
[
"e",
"e063955ec2c19311c08d28a06a08149af7e16637ca8589236792c888bbe9924a",
"",
"reply"
],
[
"p",
"b5ff7c704f90e4eebfa414c0a017a84544c32586a1bd2fc86c74c2914d03c25e"
]
],
"content": "📅 Original date posted:2021-10-12\n📝 Original message:\nOn Mon, Oct 11, 2021 at 05:05:05PM +1100, Lloyd Fournier wrote:\n\u003e ### Scorched earth punishment\n\u003e Another thing that I'd like to mention is that using revocable signatures\n\u003e enables scorched earth punishments [2]. \n\nI kind-of think it'd be more interesting to simulate eltoo's behaviour.\nIf Alice's current state has balances (A, B) and P in in-flight\npayments, and Bob posts an earlier state with (A', B') and P' (so A+B+P\n= A'+B'+P'), then maybe Alice's justice transaction should pay:\n\n A+P + max(0, B'-B)*0.1 to Alice\n B-f - max(0, B'-B)*0.1 to Bob\n\n(where \"f\" is the justice transaction fees)\n\nIdea being that in an ideal world there wouldn't be a hole in your pocket\nthat lets all your coins fall out, but in the event that there is such\na hole, it's a *nicer* world if the people who find your coins give them\nback to you out of the kindness of their heart.\n\n\u003e Note that we number each currently inflight transaction by \"k\",\n\u003e starting at 0. The same htlc/ptlc may have a different value for k\n\u003e between different inflight transactions.\n\u003e Can you expand on why \"k\" is needed in addition to \"n\" and \"i\". k sounds like\n\u003e the same thing as i to me.\n\n\"k\" is used to distinguish the inflight payments (htlcs/ptlcs), not the\ninflight state (which is \"i\").\n\n\u003e Also what does RP/2/k notation imply given the definition of RP you gave above?\n\nI defined earlier that if P=musig(A,B) then P/x/y = musig(A/x/y,B/x/y);\nso RP/2/k = musig(A/2/n/i/2/k,RB2(n,i)/2/k).\n\n\u003e * if the inflight transaction contains a ptlc output, [...]\n\u003e What about just doing a scriptless PTLC to avoid this (just CSV input of\n\u003e presigned tx)? The cost is pre-sharing more nonces per PTLC message.\n\nPrecisely that reason. Means you have to share \"k+1\" nonce pairs in\nadvance of every inflight tx update. Not a show stopper, just seemed\nlike a headache. (It's already a scriptless-script, this would let you\nuse a key path spend instead of a script path spend)\n\n\u003e This does not support option_static_remotekey, but compensates for that\n\u003e by allowing balances to be recovered with only the channel setup data\n\u003e even if all revocation data is lost.\n\u003e This is rather big drawback but is this really the case? Can't \"in-flight\"\n\u003e transactions send the balance of the remote party to their unencumbered static\n\u003e remote key?\n\nThey could, but there's no guarantee that there is an inflight\ntransaction, or that the other party will post it for you. In those case,\nyou have to be able to redeem your output from the balance tx directly,\nand if you can do that, might as well have every possible address be\nderived differently to minimise the amount of information any third\nparties could glean.\n\nCheers,\naj",
"sig": "f30ad6bc55f8159326504f2723b480548d6ee00211eddda829ef60d1dcc445f4a89e910a11c29fc55a08bc7c260f195f9fdd51d4ea86c1ecf2308527d4d5bd63"
}