Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id E6150C000E for ; Tue, 31 Aug 2021 09:00:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id D22D24047B for ; Tue, 31 Aug 2021 09:00:28 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: 1.098 X-Spam-Level: * X-Spam-Status: No, score=1.098 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp2.osuosl.org (amavisd-new); dkim=pass (1024-bit key) header.d=protonmail.com Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L0Lh-CCOf1O0 for ; Tue, 31 Aug 2021 09:00:24 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from mail-4324.protonmail.ch (mail-4324.protonmail.ch [185.70.43.24]) by smtp2.osuosl.org (Postfix) with ESMTPS id 5958140474 for ; Tue, 31 Aug 2021 09:00:24 +0000 (UTC) Date: Tue, 31 Aug 2021 09:00:15 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail; t=1630400421; bh=kqDksoeqC0NhzEmlWhH/xucgy196RwKlaViLLcTKY0s=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From; b=gEH74gp9CcDnH0YYC6lRPDSWiH8alyhHVrWJ554cJCAqPVaWRU2jgY83w/8yldMiN 0hruKXS6MpvhwbDtN6/KjcqwCZy4vdpWO5tNu6Avzeds4rkEJeT98j3jtcGyqB49Ll c9LskHkr0NdZOq+VETTPY4Q5Sc6Srv9XazqJfHMs= To: Zac Greenwood From: ZmnSCPxj Reply-To: ZmnSCPxj Message-ID: In-Reply-To: References: <1qkQ1p1rAZApZhMKVFwQV6gfLyZxMYIUPrhcjtXNU4z0DBRwslPSbi76GnNnllpvPPfqt1bH3EyzJNhfK0Uxum7zJ_dh3H0DXqUpf2nmHyk=@protonmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Exploring: limiting transaction output amount as a function of total input value X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 Aug 2021 09:00:29 -0000 Good morning Zac, > Perhaps you could help me understand what would be required to implement = the *unmodified* proposal. That way, the community will be able to better a= ssess the cost (in terms of effort and risk) and weigh it against the perce= ived benefits. Perhaps *then* we find that the cost could be significantly = reduced without any significant reduction of the benefits, for instance by = slightly compromising on the functionality such that no changes to consensu= s would be required for its implementation. (I am skeptical that this would= be possible though). The cost reduction must be carefully weighed against = the functional gaps it creates. For one, such output need to be explicitly visible, to implement the "chang= e outputs must also be rate-limited". A tx spending a rate-limited output has to know that one of the outputs is = also a rate-limited output. This flagging needs to be done by either allocating a new SegWit version --= - a resource that is not lightly allocated, there being only 30 versions le= ft if my understanding is correct --- or blessing yet another anyone-can-sp= end `scriptPubKey` template, something we want to avoid which is why SegWit= has versions (i.e. we want SegWit to be the last anyone-can-spend `scriptP= ubKey` template we bless for a **long** time). Explicit flagging is bad as well for privacy, which is another mark against= it. Notice how Taproot improves privacy by making n-of-n indistinguishable from= 1-of-1 (and with proper design or a setup ritual, k-of-n can be made indis= tinguishable from 1-of-1). Notice as well that my first counterproposal is significantly more private = than explicit flagging, and my second coutnerproposal is also more private = if wallets change their anti-fee-sniping mitigation. This privacy loss represented by explicit flagging will be resisted by some= people, especially those that use a bunch of random letters as a pseudonym= (because duh, privacy). (Yes, people can just decide not to use the privacy-leaking explicitly-flag= ged outputs, but that reduces the anonymity set of people who *are* interes= ted in privacy, so people who are interested in privacy will prefer that ot= her people do not leak their privacy so they can hide among *those* people = as well.) You also probably need to keep some data with each output. This can be done by explicitly storing that data in the output directly, ra= ther than a commitment to that data --- again, the "change outputs must als= o be rate-limited" requirement needs to check those data. The larger data stored with the output is undesirable, ideally we want each= output to just be a commitment rather than contain any actual data, becaus= e often a 20-byte commitment is smaller than the data that needs to be stor= ed. For example, I imagine that your original proposal requires, for change out= puts, to store: * The actual rate limit. * The time frame of the rate limit. * The reduced rate limit, since we spent an amount within a specific time f= rame (i.e. residual limit) which is why this is a change output. * How long that time frame lasts. * A commitment to the keys that can spend this. Basically, until the residual limit expires, we impose the residual limit, = then after the expiry of the residual limit we go back to the original rate= limit. The commitment to the keys itself takes at least 20 bytes, and if you are p= lanning a to support k-of-n then that takes at least 32 bytes. If this was not explicitly tagged, then a 32 byte commitment to all the nec= essary data would have been enough, but you do need the explicit tagging fo= r the "change outputs must be rate-limited too". Note as well that the residual needs to be kept with the output. Bitcoin Core does not store transactions in a lookup table, it stores indiv= idual *outputs*. While the residual can be derived from the transaction, we do not have a tr= ansaction table. Thus, we need to explicitly put it on the output itself, directly, since we= only have a lookup table for the unspent outputs, not individual transacti= ons. (well there is `txindex` but that is an option for each node, not something= consensus code can rely on) So yes, that "change outputs must also be rate-limited" is the big sticking= point, and a lot of the "gaps" you worry about occur when we drop this bit= . Drop this bit and you can implement it today without any consensus code cha= nge, and with privacy good enough to prevent people with random letters as = pseudonym from trying to stop you. Regards, ZmnSCPxj