📅 Original date posted:2022-12-14
📝 Original message:
On Tue, Dec 13, 2022 at 08:22:55PM -0500, Antoine Riard wrote:
> > prior to (1): UA.k (k <= n) -- However this allows Bob to immediately
> > broadcast one of either CA.n or RA.n, and will then have ~150 blocks
> > to claim the HTLC before its timeout
> From my understanding, with two party eltoo w/punihsment, UA.k has a
> tapscript path with "1 CHECKSIGVERIFY k<n CLTV", where the internal pubkey
> substituted is "musig(A,B)/1. Mallory should receive Bob's signature for
> UA.k, though also UA.k+1, UA.k+2, UAk+3, until k=n.
Yes, Mallory can be assumed to be able to generate signatures for UA.0
through UA.n. They all spend the funding transaction (only) though,
so she can only choose one of them, which I called UA.k above.
More particular, I'm imagining scriptPubKeys something like:
F: taproot(AB)
UA.n: taproot(AB/1, "IF CODESEP <n> CLTV DROP ENDIF OP_1 CHECKSIG")
WB.n: taproot(AB/1, "IF CODESEP <n> CLTV DROP ENDIF OP_1 CHECKSIG")
UB.n: taproot(AB/2, "IF CODESEP <n> CLTV DROP ENDIF OP_1 CHECKSIG")
WA.n: taproot(AB/2, "IF CODESEP <n> CLTV DROP ENDIF OP_1 CHECKSIG")
where AB=musig(A,B) and AB/1 and AB/2 are unhardened HD subkeys of AB.
(The outputs of SA/RA/CA and SB/RB/CB are the balances and active HTLCs)
Then I think the following setup works to allow each transaction to only
spend from the transactions that it's supposed to:
UA.n have ALL or SINGLE|ANYONECANPAY signatures spending F with key
AB.
CA.n/WA.n have ANYPREVOUTANYSCRIPT signatures with codesep_pos=2
against AB/2, with locktime set to n
RA.n has an ANYPREVOUTANYSCRIPT signature with codesep_pos=2
against AB/2, with locktime set to n-1
SA.n has an ANYPREVOUT signature with codesep_pos=FFFFFFFF
against AB/1, with nSequence enforcing to_self_delay
B's signatures are similar, swapping AB/2 and AB/1.
(In order to do the fast forward stuff via scriptless scripts, you also
need F to have an "A CHECKSIGVERIFY B CHECKSIG" tapscript path as well,
and there's probably other things I've glossed over)
> Or is this a tapscript only existing for the dual-funding case ? I think
> this a bit unclear from the gist construction, how Mallory is restrained to
> use the tapscript path on UA.k, with UA.k+1 as she should be in possession
> of Bob's signature for this state.
You lock Mallory into using a particular signature with a particular
script template by only using the key for that signature within that
script template, and you lock them into using a particular path through
that script via use of OP_CODESEPARATOR.
> While update transaction 1 could spend update transaction 0 immediately,
> there is no reliable knowledge by U*.1 transaction broadcaster of the state
> of the network mempools.
That doesn't need to be true; we can easily have lightning nodes
gossip mempool state for channel closes by pattern matching on the
close transaction, including offering "catchup" info for nodes that
were offline, even if that isn't something we do for regular mempool
transactions.
I don't really think getting into the weeds on that now is very productive
though; it's still an open question whether we can get eltoo working in
a laboratory environment, let alone in the wild.
> While I think this solution of eltoo nodes quickly replacing any state K
> previous to the latest state N, there is no guarantee the latest state K
> doesn't offer a higher feerate than state N, making it more attractive to
> the miners.
I think there's really two situations here: one is where miners are
just running friendly mempool software that tries to do right by the
network, in which case "always update to the newest state, even if the
fee rate goes down" is probably workable; the other is where miners want
to profit maximise on every single block and will run MEV software; in
which case all we need is for the final state to be relayed -- provided
its at a reasonable feerate, the MEV miner will include it on top of the
high-fee paying chain of earlier states, even if that would mean it has
"too many" in-mempool descendants.
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-09 13:07:43
in reply to nevent1q…9vx6
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-09 13:07:43Event JSON
{
"id": "208551ecf075758018679966ce9152888020716a04bbf2287a3512fbb6b497ae",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686316063,
"kind": 1,
"tags": [
[
"e",
"b81b9b3c106e3ebeb51b59657e273fa06b192516401a8d41be6cf5377dab9ae8",
"",
"root"
],
[
"e",
"46588fe2a7579685c4b70fc5442ae83b1245ac50855beb63f19ecf5dcd8ad80e",
"",
"reply"
],
[
"p",
"6485bc56963b51c9043d0855cca9f78fcbd0ce135a195c3f969e18ca54a0d551"
]
],
"content": "📅 Original date posted:2022-12-14\n📝 Original message:\nOn Tue, Dec 13, 2022 at 08:22:55PM -0500, Antoine Riard wrote:\n\u003e \u003e prior to (1): UA.k (k \u003c= n) -- However this allows Bob to immediately\n\u003e \u003e broadcast one of either CA.n or RA.n, and will then have ~150 blocks\n\u003e \u003e to claim the HTLC before its timeout\n\u003e From my understanding, with two party eltoo w/punihsment, UA.k has a\n\u003e tapscript path with \"1 CHECKSIGVERIFY k\u003cn CLTV\", where the internal pubkey\n\u003e substituted is \"musig(A,B)/1. Mallory should receive Bob's signature for\n\u003e UA.k, though also UA.k+1, UA.k+2, UAk+3, until k=n.\n\nYes, Mallory can be assumed to be able to generate signatures for UA.0\nthrough UA.n. They all spend the funding transaction (only) though,\nso she can only choose one of them, which I called UA.k above.\n\nMore particular, I'm imagining scriptPubKeys something like:\n\n F: taproot(AB)\n\n UA.n: taproot(AB/1, \"IF CODESEP \u003cn\u003e CLTV DROP ENDIF OP_1 CHECKSIG\")\n WB.n: taproot(AB/1, \"IF CODESEP \u003cn\u003e CLTV DROP ENDIF OP_1 CHECKSIG\")\n\n UB.n: taproot(AB/2, \"IF CODESEP \u003cn\u003e CLTV DROP ENDIF OP_1 CHECKSIG\")\n WA.n: taproot(AB/2, \"IF CODESEP \u003cn\u003e CLTV DROP ENDIF OP_1 CHECKSIG\")\n\nwhere AB=musig(A,B) and AB/1 and AB/2 are unhardened HD subkeys of AB.\n(The outputs of SA/RA/CA and SB/RB/CB are the balances and active HTLCs)\n\nThen I think the following setup works to allow each transaction to only\nspend from the transactions that it's supposed to:\n\n UA.n have ALL or SINGLE|ANYONECANPAY signatures spending F with key\n AB.\n\n CA.n/WA.n have ANYPREVOUTANYSCRIPT signatures with codesep_pos=2\n against AB/2, with locktime set to n\n\n RA.n has an ANYPREVOUTANYSCRIPT signature with codesep_pos=2\n against AB/2, with locktime set to n-1\n\n SA.n has an ANYPREVOUT signature with codesep_pos=FFFFFFFF\n against AB/1, with nSequence enforcing to_self_delay\n\nB's signatures are similar, swapping AB/2 and AB/1.\n\n(In order to do the fast forward stuff via scriptless scripts, you also\nneed F to have an \"A CHECKSIGVERIFY B CHECKSIG\" tapscript path as well,\nand there's probably other things I've glossed over)\n\n\u003e Or is this a tapscript only existing for the dual-funding case ? I think\n\u003e this a bit unclear from the gist construction, how Mallory is restrained to\n\u003e use the tapscript path on UA.k, with UA.k+1 as she should be in possession\n\u003e of Bob's signature for this state.\n\nYou lock Mallory into using a particular signature with a particular\nscript template by only using the key for that signature within that\nscript template, and you lock them into using a particular path through\nthat script via use of OP_CODESEPARATOR.\n\n\u003e While update transaction 1 could spend update transaction 0 immediately,\n\u003e there is no reliable knowledge by U*.1 transaction broadcaster of the state\n\u003e of the network mempools.\n\nThat doesn't need to be true; we can easily have lightning nodes\ngossip mempool state for channel closes by pattern matching on the\nclose transaction, including offering \"catchup\" info for nodes that\nwere offline, even if that isn't something we do for regular mempool\ntransactions.\n\nI don't really think getting into the weeds on that now is very productive\nthough; it's still an open question whether we can get eltoo working in\na laboratory environment, let alone in the wild.\n\n\u003e While I think this solution of eltoo nodes quickly replacing any state K\n\u003e previous to the latest state N, there is no guarantee the latest state K\n\u003e doesn't offer a higher feerate than state N, making it more attractive to\n\u003e the miners.\n\nI think there's really two situations here: one is where miners are\njust running friendly mempool software that tries to do right by the\nnetwork, in which case \"always update to the newest state, even if the\nfee rate goes down\" is probably workable; the other is where miners want\nto profit maximise on every single block and will run MEV software; in\nwhich case all we need is for the final state to be relayed -- provided\nits at a reasonable feerate, the MEV miner will include it on top of the\nhigh-fee paying chain of earlier states, even if that would mean it has\n\"too many\" in-mempool descendants.\n\nCheers,\naj",
"sig": "91e08f86fb23b694863f161f07de76af6093ee48ff77e8f08da255c9a00b320eccd507ebecd9409213e202e591eb6bfdbc8c0d323ef7089ecb46f647e2ee3b5b"
}