1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
|
Return-Path: <johanth@gmail.com>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])
by lists.linuxfoundation.org (Postfix) with ESMTP id 06596C0032
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 12 Oct 2023 09:31:43 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp4.osuosl.org (Postfix) with ESMTP id BF8EF41765
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 12 Oct 2023 09:31:42 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org BF8EF41765
Authentication-Results: smtp4.osuosl.org;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
header.a=rsa-sha256 header.s=20230601 header.b=C1RLV+xW
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from smtp4.osuosl.org ([127.0.0.1])
by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id RVqNSPkluF4W
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 12 Oct 2023 09:31:40 +0000 (UTC)
Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com
[IPv6:2607:f8b0:4864:20::b31])
by smtp4.osuosl.org (Postfix) with ESMTPS id BFB4C41EBD
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 12 Oct 2023 09:31:39 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org BFB4C41EBD
Received: by mail-yb1-xb31.google.com with SMTP id
3f1490d57ef6-d9a3d737d66so765550276.2
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 12 Oct 2023 02:31:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1697103098; x=1697707898;
darn=lists.linuxfoundation.org;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:from:to:cc:subject:date:message-id:reply-to;
bh=yi9KjyREhIjq7axGqG+tSTD8YMuU7ev7W1cTAItu3Ng=;
b=C1RLV+xWdfdrCSWeAQnTOOy7syd2obgnicsUXlD+ypQ6Bqlv38fTGe5hoP4QVWTSio
17FbvTsiemxv5C1tVcRXpOwkVsewLA3nRoPRX4ziDUOxV6ICXiI1boTdrzLu2xXtWJiS
bEQjTp2admfo7dok4jhqYHLXiYDy7lSLbkORLc9a9EB3eWWgobgtbtz4mgmp5cBzU2bW
a1WQT2fXiKvi/LhqX6Uij06ICwWB2yjSRZWg68HIxzL9xFjpvSSdPtM8l1Lc76KrP+cp
Pck0Ocmw7uUp6BL6CEUfFaJQIRQ/BR4RM+L2C9R9vioRe4MWiOGcOE0+9hl6CTkVd51s
iZAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1697103098; x=1697707898;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=yi9KjyREhIjq7axGqG+tSTD8YMuU7ev7W1cTAItu3Ng=;
b=jR4pWeLHutFMqAIAp5XrkffU+X8LDD7Zbs5Jd1cbMkmnEj1t0xGooQ8Zl/jT1aCkW8
/0AUOc8AloSJhiaksevNSDZGWXdIDtIcjqxGjiWc1FFwshD/ZhXNJ+x8W9jgrk4Y05f0
XugOPgi5qJMRSuFZvoDxjKmLE5Ll5J8ykG08H5Jq909FCVkIi2+1SQGYorPgoFtyG6Qg
CjduQ+120Bl4SQc9QyDbLfvJnK4ouTSJqRFInbcv87+HV0HNjyWWezPn7cjNjuAfgrS1
9hj9+otcspLO6P2e+k/a/QT8MBKDkf3PXNgCRBT4uTWIcj3LQmuUDQDImRp1Uvudx3aN
UDcg==
X-Gm-Message-State: AOJu0Yz0i2fa97huFWsjAJjYwrEi7NNcckN1wl8lijPabwrYBJ+Nhaeu
a9FEam4jxh0ySyPUpa7KAq80SrSnFMX+jxiwXzc=
X-Google-Smtp-Source: AGHT+IEK+VcqE8xWr82ZRdlMe9KRb/LLDGVxJm1j26K0OE7ScPjZwFKBdiTzjFMeyRuo39DCIqdVeNqquUo0I7jUAXQ=
X-Received: by 2002:a5b:342:0:b0:d88:a049:e901 with SMTP id
q2-20020a5b0342000000b00d88a049e901mr21832739ybp.7.1697103098362; Thu, 12 Oct
2023 02:31:38 -0700 (PDT)
MIME-Version: 1.0
References: <CALZpt+F26bArqU7aZj8VN-zDN-3_VZS1K1ibaJOeCrsLDL2_4Q@mail.gmail.com>
<OUAbM8ii-HE8M-kRAkMvdDkbiwKuG_wcYlrvC276eIsKXcW6Yh6iNcxy_PtchHNL3jIIc-nz-ucv2H11EznrZbYhKqyVPhE8__GeIDLxPNw=@protonmail.com>
<CALZpt+Gyo1STD4zrge3yiuC1j_NpJ8ZDYzzzAGCcZpjKw0_9-w@mail.gmail.com>
<CAD3i26DpcfZJ4M0bjrOnGg6bcQ0Lg0hO-13cihzP2CjnCOq=EQ@mail.gmail.com>
<CALZpt+FT3qwP5MaZT4hbGYXvbECsAn7LvNbZC5vP-jGkbpOGVA@mail.gmail.com>
<CAD3i26A2CC2Acr7dUnVMVrs+ag0nNdwnwTPSuVCxVpy+tC8eOg@mail.gmail.com>
In-Reply-To: <CAD3i26A2CC2Acr7dUnVMVrs+ag0nNdwnwTPSuVCxVpy+tC8eOg@mail.gmail.com>
From: =?UTF-8?Q?Johan_Tor=C3=A5s_Halseth?= <johanth@gmail.com>
Date: Thu, 12 Oct 2023 11:31:26 +0200
Message-ID: <CAD3i26BCS36FEBDMxBvBu2nTyLiDDCpmR7Eeu+Ebe3jBx0PvWQ@mail.gmail.com>
To: Antoine Riard <antoine.riard@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000053458e0607819b75"
X-Mailman-Approved-At: Thu, 12 Oct 2023 19:13:24 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Solving CoinPool high-interactivity issue with
cut-through update of Taproot leaves
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Oct 2023 09:31:43 -0000
--00000000000053458e0607819b75
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi, Antoine.
A brief update on this:
I created a demo script for the unilateral exit of 2-of-4 participants in a
Coinpool using OP_CCV:
https://github.com/halseth/tapsim/tree/matt-demo/examples/matt/coinpool/v2.
It shows how pubkeys and balances can be committed, how traversal and
modification of the data can be done, and validation of signatures for the
exiting users.
The script in this case is 142 bytes (can likely be optimized 20-30%) and
the witness including the script is 647 bytes. Most of this comes from the
merkle inclusion proofs, so we can expect this to grow by O(m logn) for m
users exiting a pool of n participants.
Regardless of the size, I think that would not matter in most (cooperative)
settings. N participants would jointly create a coinpool using the above
exit scripts, and a cooperative keyspend path. In case some user goes
offline, the remaining, online users can jointly use the unilateral exit
clause and exit into a _new_ coinpool and continue operations when this
transaction confirms.
What would be really interesting, is if we can do the above exit off-chain,
and when the offline user comes back online, we could revert back to the
original coinpool output updating the balances according to updates that
happened while he was offline.
Assuming APO I believe this could work, since the only thing that matters
for the off-chain transactions to remain valid is that the committed
balances and keys remain compatible. If the offline user is able to
unilaterally spend the original output where the remaining users had built
their off-chain coinpool construction ontop, the only thing they need to
change is the merkle inclusion proofs in their jointly signed transactions
(since they now spend from an output where the offline user exited). All
signatures remain valid.
Was this the kind of functionality you were looking for?
Cheers,
Johan
On Thu, Oct 5, 2023 at 9:38=E2=80=AFAM Johan Tor=C3=A5s Halseth <johanth@gm=
ail.com>
wrote:
> Hi,
>
> Yes, one would need to have the <data> be a merkle root of all
> participants' keys and balances. Then, as you say, the scripts would
> have to enforce that one correctly creates new merkle roots according
> to the coin pool rules when spending it.
>
> - Johan
>
> On Thu, Oct 5, 2023 at 3:13=E2=80=AFAM Antoine Riard <antoine.riard@gmail=
.com>
> wrote:
> >
> > Hi Johan,
> >
> > Thanks for the insight.
> >
> > From the proposed semantics of OP_CHECKCONTRACTVERIFY iirc:
> >
> > <data> <index> <pk> <taptree> <flags>
> >
> > I think this is not yet indicated how the participant's pubkeys and
> balances can be disaggregated from <data>, a partial subset push on the
> stack and verifying that corresponding signatures are valid.
> >
> > One requirement of a cut-through update of taproot leaves is to verify
> the authentication of the fan-out balances and pubkeys towards the "onlin=
e"
> partition. This subset is not known at pool setup, even if the contract o=
r
> tree construct can be equilibrated with some expectation.
> >
> > Otherwise, it sounds OP_CHECKCONTRACTVERIFY could be used to architect
> the proposed design of coinpool and its cut-through mechanism. One hard
> issue sounds to be efficient traversal, inspection and modification of th=
e
> contract <data>.
> >
> > Best,
> > Antoine
> >
> > Le mar. 3 oct. 2023 =C3=A0 12:24, Johan Tor=C3=A5s Halseth <johanth@gma=
il.com> a
> =C3=A9crit :
> >>
> >> Hi, Antoine.
> >>
> >> It sounds like perhaps OP_CHECKCONTRACTVERIFY can achieve what you are
> >> looking for:
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-May/021719.h=
tml
> >>
> >> By committing the participants' pubkeys and balances in the dynamic
> >> data instead of the taptree one can imagine a subset of online users
> >> agreeing to pool their aggregated balances in a new output, while the
> >> offline users' funds would remain inaccessible by them in a second
> >> output.
> >>
> >> The way this would work is by spending the coinpool utxo with a
> >> transaction having two outputs: one output that is the "remainder" of
> >> the previous coinpool (the offline users), and the second output the
> >> new coinpool among the online users*.
> >>
> >> When the offline users are back online, they could all agree to
> >> continue using the original coinpool utxo.
> >>
> >> * assuming Eltoo in case an offline user comes back online and double
> >> spends the UTXO.
> >>
> >> - Johan
> >>
> >>
> >> On Wed, Sep 27, 2023 at 12:08=E2=80=AFPM Antoine Riard via bitcoin-dev
> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >
> >> > Hi Zeeman,
> >> >
> >> > See my comments at the time of OP_EVICT original publication.
> >> >
> >> >
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019=
939.html
> >> >
> >> > "I think in the context of (off-chain) payment pool, OP_EVICT requir=
es
> >> > participant cooperation *after* the state update to allow a single
> >> > participant to withdraw her funds.
> >> >
> >> > I believe this is unsafe if we retain as an off-chain construction
> security
> >> > requirement that a participant should have the unilateral means to
> enforce
> >> > the latest agreed upon state at any time during the construction
> lifetime".
> >> >
> >> > I think this level of covenant flexibility is still wished for
> CoinPool as a fundamental property, and this is offered by TLUV or
> MERKLESUB.
> >> > On the other hand, I think OP_EVICT introduces this idea of *subgrou=
p
> novation* (i.e `K-of-N`) of a PT2R scriptpubkey.
> >> >
> >> > To the best of my understanding, I think there is not yet any sound
> covenant proposal aiming to combine TLUV and EVICT-like semantics in a
> consistent set of Script primitives to enable "cut-through" updates, whil=
e
> still retaining the key property of unilateral withdraw of promised
> balances in any-order.
> >> >
> >> > I might go to work on crafting one, though for now I'm still
> interested to understand better if on-chain "cut-through" is the best
> direction to solve the fundamental high interactivity issue of channel
> factory and payment pool over punishment-based ideas.
> >> >
> >> > Best,
> >> > Antoine
> >> >
> >> > Le mar. 26 sept. 2023 =C3=A0 07:51, ZmnSCPxj <ZmnSCPxj@protonmail.co=
m> a
> =C3=A9crit :
> >> >>
> >> >> Good morning Antoine,
> >> >>
> >> >> Does `OP_EVICT` not fit?
> >> >>
> >> >>
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019=
926.html
> >> >>
> >> >> Regards,
> >> >> ZmnSCPxj
> >> >>
> >> >>
> >> >> Sent with Proton Mail secure email.
> >> >>
> >> >> ------- Original Message -------
> >> >> On Monday, September 25th, 2023 at 6:18 PM, Antoine Riard via
> bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >>
> >> >>
> >> >> > Payment pools and channel factories are afflicted by severe
> interactivity constraints worsening with the number of users owning an
> off-chain balance in the construction. The security of user funds is
> paramount on the ability to withdraw unilaterally from the off-chain
> construction. As such any update applied to the off-chain balances requir=
es
> a signature contribution from the unanimity of the construction users to
> ensure this ability is conserved along updates.
> >> >> > As soon as one user starts to be offline or irresponsive, the
> updates of the off-chain balances must have to be halted and payments
> progress are limited among subsets of 2 users sharing a channel. Differen=
t
> people have proposed solutions to this issue: introducing a coordinator,
> partitioning or layering balances in off-chain users subsets. I think all
> those solutions have circled around a novel issue introduced, namely
> equivocation of off-chain balances at the harm of construction
> counterparties [0].
> >> >> >
> >> >> > As ZmnSCPxj pointed out recently, one way to mitigate this
> equivocation consists in punishing the cheating pre-nominated coordinator
> on an external fidelity bond. One can even imagine more trust-mimized and
> decentralized fraud proofs to implement this mitigation, removing the nee=
d
> of a coordinator [1].
> >> >> >
> >> >> > However, I believe punishment equivocation to be game-theory soun=
d
> should compensate a defrauded counterparty of the integrity of its lost
> off-chain balance. As one cheating counterparty can equivocate in the
> worst-case against all the other counterparties in the construction, one
> fidelity bond should be equal to ( C - 1 ) * B satoshi amount, where C is
> the number of construction counterparty and B the initial off-chain balan=
ce
> of the cheating counterparty.
> >> >> >
> >> >> > Moreover, I guess it is impossible to know ahead of a partition o=
r
> transition who will be the "honest" counterparties from the "dishonest"
> ones, therefore this ( C - 1 ) * B-sized fidelity bond must be maintained
> by every counterparty in the pool or factory. On this ground, I think thi=
s
> mitigation and other corrective ones are not economically practical for
> large-scale pools among a set of anonymous users.
> >> >> >
> >> >> > I think the best solution to solve the interactivity issue which
> is realistic to design is one ruling out off-chain group equivocation in =
a
> prophylactic fashion. The pool or factory funding utxo should be edited i=
n
> an efficient way to register new off-chain subgroups, as lack of
> interactivity from a subset of counterparties demands it.
> >> >> >
> >> >> > With CoinPool, there is already this idea of including a user
> pubkey and balance amount to each leaf composing the Taproot tree while
> preserving the key-path spend in case of unanimity in the user group.
> Taproot leaves can be effectively regarded as off-chain user accounts
> available to realize privacy-preserving payments and contracts.
> >> >> >
> >> >> > I think one (new ?) idea can be to introduce taproot leaves
> "cut-through" spends where multiple leaves are updated with a single
> witness, interactively composed by the owners of the spent leaves. This
> spend sends back the leaves amount to a new single leaf, aggregating the
> amounts and user pubkeys. The user leaves not participating in this
> "cut-through" are inherited with full integrity in the new version of the
> Taproot tree, at the gain of no interactivity from their side.
> >> >> >
> >> >> > Let's say you have a CoinPool funded and initially set with Alice=
,
> Bob, Caroll, Dave and Eve. Each pool participant has a leaf L.x committin=
g
> to an amount A.x and user pubkey P.x, where x is the user name owning a
> leaf.
> >> >> >
> >> >> > Bob and Eve are deemed to be offline by the Alice, Caroll and Dav=
e
> subset (the ACD group).
> >> >> >
> >> >> > The ACD group composes a cut-through spend of L.a + L.c + L.d.
> This spends generates a new leaf L.(acd) leaf committing to amount A.(acd=
)
> and P.(acd).
> >> >> >
> >> >> > Amount A.(acd) =3D A.a + A.c + A.d and pubkey P.(acd) =3D P.a + P=
.c +
> P.d.
> >> >> >
> >> >> > Bob's leaf L.b and Eve's leaf L.e are left unmodified.
> >> >> >
> >> >> > The ACD group generates a new Taproot tree T' =3D L.(acd) + L.b +
> L.e, where the key-path K spend including the original unanimity of pool
> counterparties is left unmodified.
> >> >> >
> >> >> > The ACD group can confirm a transaction spending the pool funding
> utxo to a new single output committing to the scriptpubkey K + T'.
> >> >> >
> >> >> > From then, the ACD group can pursue off-chain balance updates
> among the subgroup thanks to the new P.(acd) and relying on the known Elt=
oo
> mechanism. There is no possibility for any member of the ACD group to
> equivocate with Bob or Eve in a non-observable fashion.
> >> >> >
> >> >> > Once Bob and Eve are online and ready to negotiate an on-chain
> pool "refresh" transaction, the conserved key-path spend can be used to
> re-equilibrate the Taproot tree, prune out old subgroups unlikely to be
> used and provision future subgroups, all with a compact spend based on
> signature aggregation.
> >> >> >
> >> >> > Few new Taproot tree update script primitives have been proposed,
> e.g [2]. Though I think none with the level of flexibility offered to
> generate leaves cut-through spends, or even batch of "cut-through" where =
M
> subgroups are willing to spend N leaves to compose P new subgroups fan-ou=
t
> in Q new outputs, with showing a single on-chain witness. I believe such =
a
> hypothetical primitive can also reduce the chain space consumed in the
> occurrence of naive mass pool withdraws at the same time.
> >> >> >
> >> >> > I think this solution to the high-interactivity issue of payment
> pools and factories shifts the burden on each individual user to pre-comm=
it
> fast Taproot tree traversals, allowing them to compose new pool subgroups
> as fluctuations in pool users' level of liveliness demand it. Pool
> efficiency becomes the sum of the quality of user prediction on its
> counterparties' liveliness during the construction lifetime. Recursive
> taproot tree spends or more efficient accumulator than merkle tree sounds
> ideas to lower the on-chain witness space consumed by every pool in the
> average non-interactive case.
> >> >> >
> >> >> > Cheers,
> >> >> > Antoine
> >> >> >
> >> >> > [0]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020370=
.html
> >> >> > [1]
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2023-August/004=
043.html
> >> >> > [2]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-September/01=
9420.html
> >> >
> >> > _______________________________________________
> >> > bitcoin-dev mailing list
> >> > bitcoin-dev@lists.linuxfoundation.org
> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--00000000000053458e0607819b75
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div dir=3D"ltr">Hi, Antoine.<input name=3D"virtru-metadat=
a" type=3D"hidden" value=3D"{"email-policy":{"disableCopyPas=
te":false,"disablePrint":false,"disableForwarding"=
:false,"enableNoauth":false,"expandedWatermarking":fals=
e,"expires":false,"sms":false,"expirationNum"=
:1,"expirationUnit":"days","isManaged":false,=
"persistentProtection":false},"attachments":{},"co=
mpose-id":"1","compose-window":{"secure"=
:false}}"><div><br></div><div>A brief update on this:</div><div><br></div><=
div>I created a demo script for the unilateral exit of 2-of-4 participants =
in a Coinpool using OP_CCV:=C2=A0<a href=3D"https://github.com/halseth/taps=
im/tree/matt-demo/examples/matt/coinpool/v2">https://github.com/halseth/tap=
sim/tree/matt-demo/examples/matt/coinpool/v2</a>. It shows how pubkeys and =
balances can be committed, how traversal and modification of the data can b=
e done, and validation of signatures for the exiting users.=C2=A0=C2=A0</di=
v><div><br></div><div>The script in this case is 142 bytes (can likely be o=
ptimized 20-30%) and the witness including the script is 647 bytes. Most of=
this comes from the merkle inclusion proofs, so we can expect this to grow=
by O(m logn) for m users exiting a pool of n participants.</div><div><br><=
/div><div>Regardless of the size, I think that would not matter in most (co=
operative) settings. N participants would jointly create a coinpool using t=
he above exit scripts, and a cooperative keyspend path. In case some user g=
oes offline, the remaining, online users can jointly use the unilateral exi=
t clause and exit into a _new_ coinpool=C2=A0and continue operations when t=
his transaction confirms.=C2=A0</div><div><br></div><div>What would be real=
ly interesting, is if we can do the above exit off-chain, and when the offl=
ine user comes back online, we could revert back to the original coinpool=
=C2=A0output updating the balances according to updates that happened while=
he was offline.</div><div><br></div><div>Assuming APO I believe this could=
work, since the only thing that matters for the off-chain transactions to =
remain valid is that the committed balances and keys remain compatible. If =
the offline user is able to unilaterally spend the original output where th=
e remaining users had built their off-chain coinpool construction ontop, th=
e only thing they need to change is the merkle inclusion proofs in their jo=
intly signed transactions (since they now spend from an output where the of=
fline user exited). All signatures remain valid.</div><div><br></div><div>W=
as this the kind of functionality you were looking for?</div><div><br></div=
><div>Cheers,</div><div>Johan</div><div><br></div><div><br></div></div><br>=
<div class=3D"gmail_quote" style=3D""><div dir=3D"ltr" class=3D"gmail_attr"=
>On Thu, Oct 5, 2023 at 9:38=E2=80=AFAM Johan Tor=C3=A5s Halseth <<a hre=
f=3D"mailto:johanth@gmail.com">johanth@gmail.com</a>> wrote:<br></div><b=
lockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-le=
ft:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
Yes, one would need to have the <data> be a merkle root of all<br>
participants' keys and balances. Then, as you say, the scripts would<br=
>
have to enforce that one correctly creates new merkle roots according<br>
to the coin pool rules when spending it.<br>
<br>
- Johan<br>
<br>
On Thu, Oct 5, 2023 at 3:13=E2=80=AFAM Antoine Riard <<a href=3D"mailto:=
antoine.riard@gmail.com" target=3D"_blank">antoine.riard@gmail.com</a>> =
wrote:<br>
><br>
> Hi Johan,<br>
><br>
> Thanks for the insight.<br>
><br>
> From the proposed semantics of OP_CHECKCONTRACTVERIFY iirc:<br>
><br>
> <data> <index> <pk> <taptree> <flags><br=
>
><br>
> I think this is not yet indicated how the participant's pubkeys an=
d balances can be disaggregated from <data>, a partial subset push on=
the stack and verifying that corresponding signatures are valid.<br>
><br>
> One requirement of a cut-through update of taproot leaves is to verify=
the authentication of the fan-out balances and pubkeys towards the "o=
nline" partition. This subset is not known at pool setup, even if the =
contract or tree construct can be equilibrated with some expectation.<br>
><br>
> Otherwise, it sounds OP_CHECKCONTRACTVERIFY could be used to architect=
the proposed design of coinpool and its cut-through mechanism. One hard is=
sue sounds to be efficient traversal, inspection and modification of the co=
ntract <data>.<br>
><br>
> Best,<br>
> Antoine<br>
><br>
> Le mar. 3 oct. 2023 =C3=A0 12:24, Johan Tor=C3=A5s Halseth <<a href=
=3D"mailto:johanth@gmail.com" target=3D"_blank">johanth@gmail.com</a>> a=
=C3=A9crit :<br>
>><br>
>> Hi, Antoine.<br>
>><br>
>> It sounds like perhaps OP_CHECKCONTRACTVERIFY can achieve what you=
are<br>
>> looking for: <a href=3D"https://lists.linuxfoundation.org/pipermai=
l/bitcoin-dev/2023-May/021719.html" rel=3D"noreferrer" target=3D"_blank">ht=
tps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-May/021719.html<=
/a><br>
>><br>
>> By committing the participants' pubkeys and balances in the dy=
namic<br>
>> data instead of the taptree one can imagine a subset of online use=
rs<br>
>> agreeing to pool their aggregated balances in a new output, while =
the<br>
>> offline users' funds would remain inaccessible by them in a se=
cond<br>
>> output.<br>
>><br>
>> The way this would work is by spending the coinpool utxo with a<br=
>
>> transaction having two outputs: one output that is the "remai=
nder" of<br>
>> the previous coinpool (the offline users), and the second output t=
he<br>
>> new coinpool among the online users*.<br>
>><br>
>> When the offline users are back online, they could all agree to<br=
>
>> continue using the original coinpool utxo.<br>
>><br>
>> * assuming Eltoo in case an offline user comes back online and dou=
ble<br>
>> spends the UTXO.<br>
>><br>
>> - Johan<br>
>><br>
>><br>
>> On Wed, Sep 27, 2023 at 12:08=E2=80=AFPM Antoine Riard via bitcoin=
-dev<br>
>> <<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" targe=
t=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br>
>> ><br>
>> > Hi Zeeman,<br>
>> ><br>
>> > See my comments at the time of OP_EVICT original publication.=
<br>
>> ><br>
>> > <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoi=
n-dev/2022-February/019939.html" rel=3D"noreferrer" target=3D"_blank">https=
://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019939.htm=
l</a><br>
>> ><br>
>> > "I think in the context of (off-chain) payment pool, OP_=
EVICT requires<br>
>> > participant cooperation *after* the state update to allow a s=
ingle<br>
>> > participant to withdraw her funds.<br>
>> ><br>
>> > I believe this is unsafe if we retain as an off-chain constru=
ction security<br>
>> > requirement that a participant should have the unilateral mea=
ns to enforce<br>
>> > the latest agreed upon state at any time during the construct=
ion lifetime".<br>
>> ><br>
>> > I think this level of covenant flexibility is still wished fo=
r CoinPool as a fundamental property, and this is offered by TLUV or MERKLE=
SUB.<br>
>> > On the other hand, I think OP_EVICT introduces this idea of *=
subgroup novation* (i.e `K-of-N`) of a PT2R scriptpubkey.<br>
>> ><br>
>> > To the best of my understanding, I think there is not yet any=
sound covenant proposal aiming to combine TLUV and EVICT-like semantics in=
a consistent set of Script primitives to enable "cut-through" up=
dates, while still retaining the key property of unilateral withdraw of pro=
mised balances in any-order.<br>
>> ><br>
>> > I might go to work on crafting one, though for now I'm st=
ill interested to understand better if on-chain "cut-through" is =
the best direction to solve the fundamental high interactivity issue of cha=
nnel factory and payment pool over punishment-based ideas.<br>
>> ><br>
>> > Best,<br>
>> > Antoine<br>
>> ><br>
>> > Le mar. 26 sept. 2023 =C3=A0 07:51, ZmnSCPxj <<a href=3D"m=
ailto:ZmnSCPxj@protonmail.com" target=3D"_blank">ZmnSCPxj@protonmail.com</a=
>> a =C3=A9crit :<br>
>> >><br>
>> >> Good morning Antoine,<br>
>> >><br>
>> >> Does `OP_EVICT` not fit?<br>
>> >><br>
>> >> <a href=3D"https://lists.linuxfoundation.org/pipermail/bi=
tcoin-dev/2022-February/019926.html" rel=3D"noreferrer" target=3D"_blank">h=
ttps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019926=
.html</a><br>
>> >><br>
>> >> Regards,<br>
>> >> ZmnSCPxj<br>
>> >><br>
>> >><br>
>> >> Sent with Proton Mail secure email.<br>
>> >><br>
>> >> ------- Original Message -------<br>
>> >> On Monday, September 25th, 2023 at 6:18 PM, Antoine Riard=
via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.or=
g" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<b=
r>
>> >><br>
>> >><br>
>> >> > Payment pools and channel factories are afflicted by=
severe interactivity constraints worsening with the number of users owning=
an off-chain balance in the construction. The security of user funds is pa=
ramount on the ability to withdraw unilaterally from the off-chain construc=
tion. As such any update applied to the off-chain balances requires a signa=
ture contribution from the unanimity of the construction users to ensure th=
is ability is conserved along updates.<br>
>> >> > As soon as one user starts to be offline or irrespon=
sive, the updates of the off-chain balances must have to be halted and paym=
ents progress are limited among subsets of 2 users sharing a channel. Diffe=
rent people have proposed solutions to this issue: introducing a coordinato=
r, partitioning or layering balances in off-chain users subsets. I think al=
l those solutions have circled around a novel issue introduced, namely equi=
vocation of off-chain balances at the harm of construction counterparties [=
0].<br>
>> >> ><br>
>> >> > As ZmnSCPxj pointed out recently, one way to mitigat=
e this equivocation consists in punishing the cheating pre-nominated coordi=
nator on an external fidelity bond. One can even imagine more trust-mimized=
and decentralized fraud proofs to implement this mitigation, removing the =
need of a coordinator [1].<br>
>> >> ><br>
>> >> > However, I believe punishment equivocation to be gam=
e-theory sound should compensate a defrauded counterparty of the integrity =
of its lost off-chain balance. As one cheating counterparty can equivocate =
in the worst-case against all the other counterparties in the construction,=
one fidelity bond should be equal to ( C - 1 ) * B satoshi amount, where C=
is the number of construction counterparty and B the initial off-chain bal=
ance of the cheating counterparty.<br>
>> >> ><br>
>> >> > Moreover, I guess it is impossible to know ahead of =
a partition or transition who will be the "honest" counterparties=
from the "dishonest" ones, therefore this ( C - 1 ) * B-sized fi=
delity bond must be maintained by every counterparty in the pool or factory=
. On this ground, I think this mitigation and other corrective ones are not=
economically practical for large-scale pools among a set of anonymous user=
s.<br>
>> >> ><br>
>> >> > I think the best solution to solve the interactivity=
issue which is realistic to design is one ruling out off-chain group equiv=
ocation in a prophylactic fashion. The pool or factory funding utxo should =
be edited in an efficient way to register new off-chain subgroups, as lack =
of interactivity from a subset of counterparties demands it.<br>
>> >> ><br>
>> >> > With CoinPool, there is already this idea of includi=
ng a user pubkey and balance amount to each leaf composing the Taproot tree=
while preserving the key-path spend in case of unanimity in the user group=
. Taproot leaves can be effectively regarded as off-chain user accounts ava=
ilable to realize privacy-preserving payments and contracts.<br>
>> >> ><br>
>> >> > I think one (new ?) idea can be to introduce taproot=
leaves "cut-through" spends where multiple leaves are updated wi=
th a single witness, interactively composed by the owners of the spent leav=
es. This spend sends back the leaves amount to a new single leaf, aggregati=
ng the amounts and user pubkeys. The user leaves not participating in this =
"cut-through" are inherited with full integrity in the new versio=
n of the Taproot tree, at the gain of no interactivity from their side.<br>
>> >> ><br>
>> >> > Let's say you have a CoinPool funded and initial=
ly set with Alice, Bob, Caroll, Dave and Eve. Each pool participant has a l=
eaf L.x committing to an amount A.x and user pubkey P.x, where x is the use=
r name owning a leaf.<br>
>> >> ><br>
>> >> > Bob and Eve are deemed to be offline by the Alice, C=
aroll and Dave subset (the ACD group).<br>
>> >> ><br>
>> >> > The ACD group composes a cut-through spend of L.a + =
L.c + L.d. This spends generates a new leaf L.(acd) leaf committing to amou=
nt A.(acd) and P.(acd).<br>
>> >> ><br>
>> >> > Amount A.(acd) =3D A.a + A.c + A.d and pubkey P.(acd=
) =3D P.a + P.c + P.d.<br>
>> >> ><br>
>> >> > Bob's leaf L.b and Eve's leaf L.e are left u=
nmodified.<br>
>> >> ><br>
>> >> > The ACD group generates a new Taproot tree T' =
=3D L.(acd) + L.b + L.e, where the key-path K spend including the original =
unanimity of pool counterparties is left unmodified.<br>
>> >> ><br>
>> >> > The ACD group can confirm a transaction spending the=
pool funding utxo to a new single output committing to the scriptpubkey K =
+ T'.<br>
>> >> ><br>
>> >> > From then, the ACD group can pursue off-chain balanc=
e updates among the subgroup thanks to the new P.(acd) and relying on the k=
nown Eltoo mechanism. There is no possibility for any member of the ACD gro=
up to equivocate with Bob or Eve in a non-observable fashion.<br>
>> >> ><br>
>> >> > Once Bob and Eve are online and ready to negotiate a=
n on-chain pool "refresh" transaction, the conserved key-path spe=
nd can be used to re-equilibrate the Taproot tree, prune out old subgroups =
unlikely to be used and provision future subgroups, all with a compact spen=
d based on signature aggregation.<br>
>> >> ><br>
>> >> > Few new Taproot tree update script primitives have b=
een proposed, e.g [2]. Though I think none with the level of flexibility of=
fered to generate leaves cut-through spends, or even batch of "cut-thr=
ough" where M subgroups are willing to spend N leaves to compose P new=
subgroups fan-out in Q new outputs, with showing a single on-chain witness=
. I believe such a hypothetical primitive can also reduce the chain space c=
onsumed in the occurrence of naive mass pool withdraws at the same time.<br=
>
>> >> ><br>
>> >> > I think this solution to the high-interactivity issu=
e of payment pools and factories shifts the burden on each individual user =
to pre-commit fast Taproot tree traversals, allowing them to compose new po=
ol subgroups as fluctuations in pool users' level of liveliness demand =
it. Pool efficiency becomes the sum of the quality of user prediction on it=
s counterparties' liveliness during the construction lifetime. Recursiv=
e taproot tree spends or more efficient accumulator than merkle tree sounds=
ideas to lower the on-chain witness space consumed by every pool in the av=
erage non-interactive case.<br>
>> >> ><br>
>> >> > Cheers,<br>
>> >> > Antoine<br>
>> >> ><br>
>> >> > [0] <a href=3D"https://lists.linuxfoundation.org/pip=
ermail/bitcoin-dev/2022-April/020370.html" rel=3D"noreferrer" target=3D"_bl=
ank">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020=
370.html</a><br>
>> >> > [1] <a href=3D"https://lists.linuxfoundation.org/pip=
ermail/lightning-dev/2023-August/004043.html" rel=3D"noreferrer" target=3D"=
_blank">https://lists.linuxfoundation.org/pipermail/lightning-dev/2023-Augu=
st/004043.html</a><br>
>> >> > [2] <a href=3D"https://lists.linuxfoundation.org/pip=
ermail/bitcoin-dev/2021-September/019420.html" rel=3D"noreferrer" target=3D=
"_blank">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-Septe=
mber/019420.html</a><br>
>> ><br>
>> > _______________________________________________<br>
>> > bitcoin-dev mailing list<br>
>> > <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" targ=
et=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a><br>
>> > <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo=
/bitcoin-dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfound=
ation.org/mailman/listinfo/bitcoin-dev</a><br>
</blockquote></div></div>
--00000000000053458e0607819b75--
|