š
Original date posted:2023-06-10
šļø Summary of this message: A proposal has been made to improve the safety of time-locked vaults by using a scriptpath solution that avoids the circular reference problem. Additionally, a decentralized protocol could be used to store data without putting it on the blockchain.
š Original message:
On 2023-06-09 21:43, Joost Jager via bitcoin-dev wrote:
> The most critical application in this category, for me, involves
> time-locked vaults.
> [...]
> Backing up the ephemeral signatures of the pre-signed transactions on
> the blockchain itself is an excellent way to ensure that the vault can
> always be 'opened'. However, without the annex, this is not as safe as
> it could be. Due to the described circular reference problem, the
> vault creation and signature backup can't be executed in one atomic
> operation.
Hi Joost,
For the purpose of experimenting with vaults, I don't think you need the
most efficient construction---instead, anything that works without too
much overhead is probably ok. In that case, I don't think you need the
annex at all:
1. Alice can receive new payments to tr(<key>, raw(OP_DROP <key>
OP_CHECKSIG))
2. Later, Alice creates tr(MuSig2(<key-from-HD-wallet>,
<ephemeral-key>))
3. When paying the script in #2, Alice chooses the scriptpath spend from
#1 and pushes a serialized partial signature for the ephemeral key
from #2 onto the stack, where it's immediately dropped by the
interpreter (but is permanently stored on the block chain). She also
attaches a regular signature for the OP_CHECKSIG opcode.
Alternatively, if Alice decides she doesn't want to pay into a vault,
she uses the keypath spend from #1 with no loss in efficiency.
The scriptpath solution requires some extra preparation on Alice's part
and costs about a dozen vbytes extra over using the annex, which feels
acceptable to me to avoid the problems identified with using the annex.
Even better, I think you can achieve nearly the same safety without
putting any data on the chain. All you need is a widely used
decentralized protocol that allows anyone who can prove ownership of a
UTXO to store some data. You can think of LN gossip as being a version
of this: anyone who proves ownership of a P2WSH 2-of-2 script is allowed
to store data in a certain format on every LN routing node. Rusty
Russell's v2 gossip proposal makes this a bit more generic, but I think
you could make it even more generic by creating a simple server that
stores and forwards a single BIP322 signed message up to size x for any
entry in the current UTXO set, with periodic replacement of the signed
message allowed. The signed data could be LN routing information or it
could be arbitrary data like a signature from an ephemeral key (or it
could even be a JPEG or other data irrelevant to processing payments).
Any full node (including pruned and utreexo nodes) can trustlessly
provide UTXO lookup for such a server and a decentralized network of
such servers could be useful by a large number of protocols, encouraging
hundreds or thousands of servers to be operated---providing similar data
availability guarantees to committing data on the block chain, but
without the permanent footprint (i.e., once a UTXO is spent, the
associated data can be deleted). Many vault designs already effectively
require watchtowers, so it'd be easy to make this simple server part of
the watchtower.
> Regarding the potential payload extension attack, I believe that the
> changes proposed in the [3] to allow tx replacement by smaller witness
> would provide a viable solution?
> [...]
> [3] https://github.com/bitcoin/bitcoin/pull/24007
The two solutions identified above (OP_DROP and decentralized storage
for UTXO owners) can be implemented immediately. By comparison, rolling
out relay of the annex and witness replacement may take months of review
and years for >90% deployment among nodes, would allow an attacker to
lower the feerate of coinjoin-style transactions by up to 4.99%, would
allow an attacker to waste 8 million bytes of bandwidth per relay node
for the same cost they'd have to pay to today to waste 400 thousand
bytes, and might limit the flexibility and efficiency of future
consensus changes that want to use the annex.
-Dave
David A. Harding [ARCHIVE] /
npub16dā¦x4wrd
2023-06-19 20:19:54
in reply to nevent1qā¦p484
Author Public Key
npub16dt55fpq3a8r6zpphd9xngxr46zzqs75gna9cj5vf8pknyv2d7equx4wrdPublished at
2023-06-19 20:19:54Event JSON
{
"id": "86083ba64541c5c681546bc7a6129f76ea15e6352d89a90d17362d459cf34b1c",
"pubkey": "d3574a24208f4e3d0821bb4a69a0c3ae842043d444fa5c4a8c49c369918a6fb2",
"created_at": 1687198794,
"kind": 1,
"tags": [
[
"e",
"68ea5a0105a7a492dce97362b0bd66bf00dac11bf2874dff55cd731b6f35e825",
"",
"root"
],
[
"e",
"0e357af5079abcfbb18dfb7df8c6b540bc30c298a20ad92bec3a2ef4f211b182",
"",
"reply"
],
[
"p",
"ec3fb08b335b94aace30d13181f2ad0280df9bc34f1a99832c4e2da8fb125eb3"
]
],
"content": "š
Original date posted:2023-06-10\nšļø Summary of this message: A proposal has been made to improve the safety of time-locked vaults by using a scriptpath solution that avoids the circular reference problem. Additionally, a decentralized protocol could be used to store data without putting it on the blockchain.\nš Original message:\nOn 2023-06-09 21:43, Joost Jager via bitcoin-dev wrote:\n\u003e The most critical application in this category, for me, involves\n\u003e time-locked vaults.\n\u003e [...]\n\u003e Backing up the ephemeral signatures of the pre-signed transactions on\n\u003e the blockchain itself is an excellent way to ensure that the vault can\n\u003e always be 'opened'. However, without the annex, this is not as safe as\n\u003e it could be. Due to the described circular reference problem, the\n\u003e vault creation and signature backup can't be executed in one atomic\n\u003e operation.\n\nHi Joost,\n\nFor the purpose of experimenting with vaults, I don't think you need the\nmost efficient construction---instead, anything that works without too\nmuch overhead is probably ok. In that case, I don't think you need the\nannex at all:\n\n1. Alice can receive new payments to tr(\u003ckey\u003e, raw(OP_DROP \u003ckey\u003e\n OP_CHECKSIG))\n\n2. Later, Alice creates tr(MuSig2(\u003ckey-from-HD-wallet\u003e,\n \u003cephemeral-key\u003e))\n\n3. When paying the script in #2, Alice chooses the scriptpath spend from\n #1 and pushes a serialized partial signature for the ephemeral key\n from #2 onto the stack, where it's immediately dropped by the\n interpreter (but is permanently stored on the block chain). She also\n attaches a regular signature for the OP_CHECKSIG opcode.\n\nAlternatively, if Alice decides she doesn't want to pay into a vault,\nshe uses the keypath spend from #1 with no loss in efficiency.\n\nThe scriptpath solution requires some extra preparation on Alice's part\nand costs about a dozen vbytes extra over using the annex, which feels\nacceptable to me to avoid the problems identified with using the annex.\n\nEven better, I think you can achieve nearly the same safety without\nputting any data on the chain. All you need is a widely used\ndecentralized protocol that allows anyone who can prove ownership of a\nUTXO to store some data. You can think of LN gossip as being a version\nof this: anyone who proves ownership of a P2WSH 2-of-2 script is allowed\nto store data in a certain format on every LN routing node. Rusty\nRussell's v2 gossip proposal makes this a bit more generic, but I think\nyou could make it even more generic by creating a simple server that\nstores and forwards a single BIP322 signed message up to size x for any\nentry in the current UTXO set, with periodic replacement of the signed\nmessage allowed. The signed data could be LN routing information or it\ncould be arbitrary data like a signature from an ephemeral key (or it\ncould even be a JPEG or other data irrelevant to processing payments).\n\nAny full node (including pruned and utreexo nodes) can trustlessly\nprovide UTXO lookup for such a server and a decentralized network of\nsuch servers could be useful by a large number of protocols, encouraging\nhundreds or thousands of servers to be operated---providing similar data\navailability guarantees to committing data on the block chain, but\nwithout the permanent footprint (i.e., once a UTXO is spent, the\nassociated data can be deleted). Many vault designs already effectively\nrequire watchtowers, so it'd be easy to make this simple server part of\nthe watchtower.\n\n\u003e Regarding the potential payload extension attack, I believe that the\n\u003e changes proposed in the [3] to allow tx replacement by smaller witness\n\u003e would provide a viable solution?\n\u003e [...]\n\u003e [3] https://github.com/bitcoin/bitcoin/pull/24007\n\nThe two solutions identified above (OP_DROP and decentralized storage\nfor UTXO owners) can be implemented immediately. By comparison, rolling\nout relay of the annex and witness replacement may take months of review\nand years for \u003e90% deployment among nodes, would allow an attacker to\nlower the feerate of coinjoin-style transactions by up to 4.99%, would\nallow an attacker to waste 8 million bytes of bandwidth per relay node\nfor the same cost they'd have to pay to today to waste 400 thousand\nbytes, and might limit the flexibility and efficiency of future\nconsensus changes that want to use the annex.\n\n-Dave",
"sig": "e1b54922e0e1138236539dcfdbe6f49795297e94462c1345ed5bd589241dbb1bfa26f92d00e255f30983b3cdd6abd4f9289ee6f30d22bd5f321cea70b081ab8f"
}