<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <updated>2023-06-09T12:15:26Z</updated>
  <generator>https://njump.me</generator>

  <title>Nostr notes by Martin Schwarz [ARCHIVE]</title>
  <author>
    <name>Martin Schwarz [ARCHIVE]</name>
  </author>
  <link rel="self" type="application/atom+xml" href="https://njump.me/npub1c6ytpr5fshkjp2hptfqrvfxy6qkkcgre9fv9va8qyq7h4fs03ehs4fz7ln.rss" />
  <link href="https://njump.me/npub1c6ytpr5fshkjp2hptfqrvfxy6qkkcgre9fv9va8qyq7h4fs03ehs4fz7ln" />
  <id>https://njump.me/npub1c6ytpr5fshkjp2hptfqrvfxy6qkkcgre9fv9va8qyq7h4fs03ehs4fz7ln</id>
  <icon></icon>
  <logo></logo>




  <entry>
    <id>https://njump.me/nevent1qqsy8gv9804nyxm3j3jl5km9hgzhp4tmln8kcsd94gkhslc3ql7xpwqzyrrg3vyw3xz76g92u9dyqd3ycngz6mpq0y49s4n5uqsr674xp78x74754x8</id>
    
      <title type="html">📅 Original date posted:2017-08-17 📝 Original message: Dear ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsy8gv9804nyxm3j3jl5km9hgzhp4tmln8kcsd94gkhslc3ql7xpwqzyrrg3vyw3xz76g92u9dyqd3ycngz6mpq0y49s4n5uqsr674xp78x74754x8" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsd24dwhc3d9zw7nntqmcutw40lcguhdyrnldmm6gezsdejpj4zngsa50ta3&#39;&gt;nevent1q…0ta3&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2017-08-17&lt;br/&gt;📝 Original message:&lt;br/&gt;Dear all,&lt;br/&gt;&lt;br/&gt;currently the chain_id allows to distinguish blockchains by the hash of&lt;br/&gt;their genesis block.&lt;br/&gt;&lt;br/&gt;With hardforks branching off of the Bitcoin blockchain, how can Lightning&lt;br/&gt;work on (or across)&lt;br/&gt;distinct, permanent forks of a parent blockchain that share the same&lt;br/&gt;genesis block?&lt;br/&gt;&lt;br/&gt;I suppose changing the definition of chain_id to the hash of the first&lt;br/&gt;block of the new&lt;br/&gt;branch and requiring replay and wipe-out protection should be sufficient.&lt;br/&gt;But can we&lt;br/&gt;relax these requirements? Are slow block times an issue? Can we use&lt;br/&gt;Lightning to transact&lt;br/&gt;on &amp;#34;almost frozen&amp;#34; block chains suffering from a sudden loss of hashpower?&lt;br/&gt;&lt;br/&gt;Has there been any previous discussion or study of Lightning in the setting&lt;br/&gt;of hardforks?&lt;br/&gt;(Is this the right place to discuss this? If not, where would be the right&lt;br/&gt;place?)&lt;br/&gt;&lt;br/&gt;thanks,&lt;br/&gt;Martin&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20170817/6f4f0ddc/attachment.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20170817/6f4f0ddc/attachment.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-09T12:47:27Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsyye2e3ursuqcmycncjm6vaevu2vsfs5hlx6hxxchgjcazcem3ccszyrrg3vyw3xz76g92u9dyqd3ycngz6mpq0y49s4n5uqsr674xp78x733j48q</id>
    
      <title type="html">📅 Original date posted:2017-08-17 📝 Original message: Dear ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsyye2e3ursuqcmycncjm6vaevu2vsfs5hlx6hxxchgjcazcem3ccszyrrg3vyw3xz76g92u9dyqd3ycngz6mpq0y49s4n5uqsr674xp78x733j48q" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsy8gv9804nyxm3j3jl5km9hgzhp4tmln8kcsd94gkhslc3ql7xpwqhn84xz&#39;&gt;nevent1q…84xz&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2017-08-17&lt;br/&gt;📝 Original message:&lt;br/&gt;Dear all,&lt;br/&gt;&lt;br/&gt;currently the chain_id allows to distinguish blockchains by the hash of&lt;br/&gt;their genesis block.&lt;br/&gt;&lt;br/&gt;With hardforks branching off of the Bitcoin blockchain, how can Lightning&lt;br/&gt;work on (or across)&lt;br/&gt;distinct, permanent forks of a parent blockchain that share the same&lt;br/&gt;genesis block?&lt;br/&gt;&lt;br/&gt;I suppose changing the definition of chain_id to the hash of the first&lt;br/&gt;block of the new&lt;br/&gt;branch and requiring replay and wipe-out protection should be sufficient.&lt;br/&gt;But can we&lt;br/&gt;relax these requirements? Are slow block times an issue? Can we use&lt;br/&gt;Lightning to transact&lt;br/&gt;on &amp;#34;almost frozen&amp;#34; block chains suffering from a sudden loss of hashpower?&lt;br/&gt;&lt;br/&gt;Has there been any previous discussion or study of Lightning in the setting&lt;br/&gt;of hardforks?&lt;br/&gt;(Is this the right place to discuss this? If not, where would be the right&lt;br/&gt;place?)&lt;br/&gt;&lt;br/&gt;thanks,&lt;br/&gt;Martin&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20170817/a68ca5d6/attachment.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20170817/a68ca5d6/attachment.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-09T12:47:27Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsd0te60ughtn23nuvyld3eppyehted6dpxmahv7fqk3ycqyp83utqzyrrg3vyw3xz76g92u9dyqd3ycngz6mpq0y49s4n5uqsr674xp78x7tm8nat</id>
    
      <title type="html">📅 Original date posted:2021-03-23 📝 Original message:Erik, ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsd0te60ughtn23nuvyld3eppyehted6dpxmahv7fqk3ycqyp83utqzyrrg3vyw3xz76g92u9dyqd3ycngz6mpq0y49s4n5uqsr674xp78x7tm8nat" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsdlmn76r9qg38ghc4qt7yjlen3lwmrjj4k74zvn9qq2vgg2n3vaeq8lfjet&#39;&gt;nevent1q…fjet&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2021-03-23&lt;br/&gt;📝 Original message:Erik,&lt;br/&gt;&lt;br/&gt;&amp;gt; Does anyone think it would it be useful to write up a more official,&lt;br/&gt;and even partly functional plan for Bitcoin to use zero-knowledge&lt;br/&gt;proofs to transition to quantum resistance?&lt;br/&gt;&lt;br/&gt;yes, this would be appreciated very much! Andrew Chow&amp;#39;s write-up&lt;br/&gt;gives already some high-level idea, but a more detailed exposition&lt;br/&gt;would be essential for further discussion.&lt;br/&gt;&lt;br/&gt;thank you,&lt;br/&gt;Martin&lt;br/&gt;&lt;br/&gt;On Mon, Mar 22, 2021 at 3:47 PM Erik Aronesty via bitcoin-dev &amp;lt;&lt;br/&gt;bitcoin-dev at lists.linuxfoundation.org&amp;gt; wrote:&lt;br/&gt;&lt;br/&gt;&amp;gt; The argument that hashed public addresses provide meaningful quantum&lt;br/&gt;&amp;gt; resistance is flawed *when considered in the context*.of Bitcoin&lt;br/&gt;&amp;gt; itself.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This article by Andrew Chow is easy to read and makes a strong case&lt;br/&gt;&amp;gt; against the quantum utility of hashed public keys:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://cryptowords.github.io/why-does-hashing-public-keys-not-actually-provide-any-quantum-resistance&#34;&gt;https://cryptowords.github.io/why-does-hashing-public-keys-not-actually-provide-any-quantum-resistance&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; And then, of course, one should be mindful of the case against quantum&lt;br/&gt;&amp;gt; computing itself - it is neither inevitable nor &amp;#34;just around the&lt;br/&gt;&amp;gt; corner&amp;#34;.   Mikhail Dyakonov summarized the arguments well here:&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://t.co/cgrfrroTTT?amp=1&#34;&gt;https://t.co/cgrfrroTTT?amp=1&lt;/a&gt;.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; My current stance (at my company at least) is that planning for&lt;br/&gt;&amp;gt; quantum computing should be limited to &amp;#34;a provable and written ability&lt;br/&gt;&amp;gt; to upgrade if it becomes clear that it&amp;#39;s necessary.&amp;#34;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Does anyone think it would it be useful to write up a more official,&lt;br/&gt;&amp;gt; and even partly functional plan for Bitcoin to use zero-knowledge&lt;br/&gt;&amp;gt; proofs to transition to quantum resistance?&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; - Erik Aronesty&lt;br/&gt;&amp;gt;   CTO, Atkama&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; On Mon, Mar 15, 2021 at 5:48 PM Luke Dashjr via bitcoin-dev&lt;br/&gt;&amp;gt; &amp;lt;bitcoin-dev at lists.linuxfoundation.org&amp;gt; wrote:&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; I do not personally see this as a reason to NACK Taproot, but it has&lt;br/&gt;&amp;gt; become&lt;br/&gt;&amp;gt; &amp;gt; clear to me over the past week or so that many others are unaware of this&lt;br/&gt;&amp;gt; &amp;gt; tradeoff, so I am sharing it here to ensure the wider community is aware&lt;br/&gt;&amp;gt; of&lt;br/&gt;&amp;gt; &amp;gt; it and can make their own judgements.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Mark Friedenbach explains on his blog:&lt;br/&gt;&amp;gt; &amp;gt;     &lt;a href=&#34;https://freicoin.substack.com/p/why-im-against-taproot&#34;&gt;https://freicoin.substack.com/p/why-im-against-taproot&lt;/a&gt;&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; In short, Taproot loses an important safety protection against quantum.&lt;br/&gt;&amp;gt; &amp;gt; Note that in all circumstances, Bitcoin is endangered when QC becomes a&lt;br/&gt;&amp;gt; &amp;gt; reality, but pre-Taproot, it is possible for the network to &amp;#34;pause&amp;#34;&lt;br/&gt;&amp;gt; while a&lt;br/&gt;&amp;gt; &amp;gt; full quantum-safe fix is developed, and then resume transacting. With&lt;br/&gt;&amp;gt; Taproot&lt;br/&gt;&amp;gt; &amp;gt; as-is, it could very well become an unrecoverable situation if QC go&lt;br/&gt;&amp;gt; online&lt;br/&gt;&amp;gt; &amp;gt; prior to having a full quantum-safe solution.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Also, what I didn&amp;#39;t know myself until today, is that we do not actually&lt;br/&gt;&amp;gt; gain&lt;br/&gt;&amp;gt; &amp;gt; anything from this: the features proposed to make use of the raw keys&lt;br/&gt;&amp;gt; being&lt;br/&gt;&amp;gt; &amp;gt; public prior to spending can be implemented with hashed keys as well.&lt;br/&gt;&amp;gt; &amp;gt; It would use significantly more CPU time and bandwidth (between private&lt;br/&gt;&amp;gt; &amp;gt; parties, not on-chain), but there should be no shortage of that for&lt;br/&gt;&amp;gt; anyone&lt;br/&gt;&amp;gt; &amp;gt; running a full node (indeed, CPU time is freed up by Taproot!); at&lt;br/&gt;&amp;gt; worst, it&lt;br/&gt;&amp;gt; &amp;gt; would create an incentive for more people to use their own full node,&lt;br/&gt;&amp;gt; which&lt;br/&gt;&amp;gt; &amp;gt; is a good thing!&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Despite this, I still don&amp;#39;t think it&amp;#39;s a reason to NACK Taproot: it&lt;br/&gt;&amp;gt; should be&lt;br/&gt;&amp;gt; &amp;gt; fairly trivial to add a hash on top in an additional softfork and fix&lt;br/&gt;&amp;gt; this.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; In addition to the points made by Mark, I also want to add two more, in&lt;br/&gt;&amp;gt; &amp;gt; response to Pieter&amp;#39;s &amp;#34;you can&amp;#39;t claim much security if 37% of the supply&lt;br/&gt;&amp;gt; is&lt;br/&gt;&amp;gt; &amp;gt; at risk&amp;#34; argument. This argument is based in part on the fact that many&lt;br/&gt;&amp;gt; &amp;gt; people reuse Bitcoin invoice addresses.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; First, so long as we have hash-based addresses as a best practice, we can&lt;br/&gt;&amp;gt; &amp;gt; continue to shrink the percentage of bitcoins affected through social&lt;br/&gt;&amp;gt; efforts&lt;br/&gt;&amp;gt; &amp;gt; discouraging address use. If the standard loses the hash, the situation&lt;br/&gt;&amp;gt; &amp;gt; cannot be improved, and will indeed only get worse.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Second, when/if quantum does compromise these coins, so long as they are&lt;br/&gt;&amp;gt; &amp;gt; neglected or abandoned/lost coins (inherent in the current model), it&lt;br/&gt;&amp;gt; can be&lt;br/&gt;&amp;gt; &amp;gt; seen as equivalent to Bitcoin mining. At the end of the day, 37% of&lt;br/&gt;&amp;gt; supply&lt;br/&gt;&amp;gt; &amp;gt; minable by QCs is really no different than 37% minable by ASICs. (We&amp;#39;ve&lt;br/&gt;&amp;gt; seen&lt;br/&gt;&amp;gt; &amp;gt; far higher %s available for mining obviously.)&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; To conclude, I recommend anyone using Bitcoin to read Mark&amp;#39;s article, my&lt;br/&gt;&amp;gt; &amp;gt; thoughts, and any other arguments on the topic; decide if this is a&lt;br/&gt;&amp;gt; concern&lt;br/&gt;&amp;gt; &amp;gt; to you, and make your own post(s) accordingly. Mark has conceded the&lt;br/&gt;&amp;gt; argument&lt;br/&gt;&amp;gt; &amp;gt; (AFAIK he doesn&amp;#39;t have an interest in bitcoins anyway), and I do not&lt;br/&gt;&amp;gt; consider&lt;br/&gt;&amp;gt; &amp;gt; it a showstopper - so if anyone else out there does, please make yourself&lt;br/&gt;&amp;gt; &amp;gt; known ASAP since Taproot has already moved on to the activation phase&lt;br/&gt;&amp;gt; and it&lt;br/&gt;&amp;gt; &amp;gt; is likely software will be released within the next month or two as&lt;br/&gt;&amp;gt; things&lt;br/&gt;&amp;gt; &amp;gt; stand.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Luke&lt;br/&gt;&amp;gt; &amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; &amp;gt; bitcoin-dev mailing list&lt;br/&gt;&amp;gt; &amp;gt; bitcoin-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev&lt;/a&gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; bitcoin-dev mailing list&lt;br/&gt;&amp;gt; bitcoin-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20210323/d5592b95/attachment-0001.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20210323/d5592b95/attachment-0001.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-07T18:30:57Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqsvyvldlmg5yr5lvj0y2naumkthtt3xv24fvavj8xrpkprxgg57jtczyrrg3vyw3xz76g92u9dyqd3ycngz6mpq0y49s4n5uqsr674xp78x7cvlc54</id>
    
      <title type="html">📅 Original date posted:2019-09-19 📝 Original ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqsvyvldlmg5yr5lvj0y2naumkthtt3xv24fvavj8xrpkprxgg57jtczyrrg3vyw3xz76g92u9dyqd3ycngz6mpq0y49s4n5uqsr674xp78x7cvlc54" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsg5gk94paw9aaajrlqulvxwx4px3aycy6u0w4dux46yr2aru7q3tcrsa5u4&#39;&gt;nevent1q…a5u4&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2019-09-19&lt;br/&gt;📝 Original message:Isn&amp;#39;t there some way to &amp;#34;rebase&amp;#34; a relative lock-time to some anchor even&lt;br/&gt;further in the past while cancelling out the intermediate transactions?&lt;br/&gt;&lt;br/&gt;best regards,&lt;br/&gt;Martin&lt;br/&gt;&lt;br/&gt;On Thu, Sep 19, 2019 at 9:52 AM ZmnSCPxj via bitcoin-dev &amp;lt;&lt;br/&gt;bitcoin-dev at lists.linuxfoundation.org&amp;gt; wrote:&lt;br/&gt;&lt;br/&gt;&amp;gt; Good morning list,&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I was reading transcript of recent talk:&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://diyhpl.us/wiki/transcripts/scalingbitcoin/tel-aviv-2019/edgedevplusplus/blockchain-design-patterns/&#34;&gt;https://diyhpl.us/wiki/transcripts/scalingbitcoin/tel-aviv-2019/edgedevplusplus/blockchain-design-patterns/&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; And in section &amp;#34;Taproot: main idea&amp;#34;:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Q: Can you do timelocks iwth adaptor signatures?&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; ...&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; A: This is one way it&amp;#39;s being proposed by mimblewimble; but this&lt;br/&gt;&amp;gt; requires the ability to aggregate signatures across transactions.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; Q: No, there&amp;#39;s two transactions already existing. Before locktime, you&lt;br/&gt;&amp;gt; can spend wit hthe adaptor signature one like atomic swaps. After locktime,&lt;br/&gt;&amp;gt; the other one becomes valid and you can spend with that. They just double&lt;br/&gt;&amp;gt; spend each other.&lt;br/&gt;&amp;gt; &amp;gt;&lt;br/&gt;&amp;gt; &amp;gt; A: You&amp;#39;d have to diagram that out for me. There&amp;#39;s a few ways to do this,&lt;br/&gt;&amp;gt; some that I know, but yours isn&amp;#39;t one of them.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I believe what is being referred to here is to simply have an `nLockTime`&lt;br/&gt;&amp;gt; transaction that is signed by all participants first, and serves as the&lt;br/&gt;&amp;gt; &amp;#34;timelock&amp;#34; path.&lt;br/&gt;&amp;gt; Then, another transaction is created, for which adaptor signatures are&lt;br/&gt;&amp;gt; given, before completing the ritual to create a &amp;#34;hashlock&amp;#34; path.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I find it surprising that this is not well-known.&lt;br/&gt;&amp;gt; I describe it here tangentially, for instance:&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-April/016888.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-April/016888.html&lt;/a&gt;&lt;br/&gt;&amp;gt; The section &amp;#34;Payjoin2swap Swap Protocol&amp;#34; refers to &amp;#34;pre-swap transaction&amp;#34;&lt;br/&gt;&amp;gt; and &amp;#34;pre-swap backout transaction&amp;#34;, which are `nLockTime`d transactions.&lt;br/&gt;&amp;gt; Later transactions then use a Scriptless Script-like construction to&lt;br/&gt;&amp;gt; transfer information about a secret scalar x.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; My understanding of MimbleWimble is that:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * There must exist a proof-of-knowledge of the sum of blinding factors&lt;br/&gt;&amp;gt; used.&lt;br/&gt;&amp;gt;   This can be trivially had by using a signature of this sum, signing an&lt;br/&gt;&amp;gt; empty message or &amp;#34;kernel&amp;#34;.&lt;br/&gt;&amp;gt; * I believe I have seen at least one proposal (I cannot find it again now)&lt;br/&gt;&amp;gt; where the &amp;#34;kernel&amp;#34; is replaced with an `nLockTime`-equivalent.&lt;br/&gt;&amp;gt;   Basically, the `nLockTime` would have to be explicitly published, and it&lt;br/&gt;&amp;gt; would be rejected for a block if the `nLockTime` was less than the block&lt;br/&gt;&amp;gt; height.&lt;br/&gt;&amp;gt;   * There may or may not exist some kind of proof where the message being&lt;br/&gt;&amp;gt; signed is an integer that is known to be no greater than a particular&lt;br/&gt;&amp;gt; value, and multiple signatures that signed a lower value can somehow be&lt;br/&gt;&amp;gt; aggregated to a higher value, which serves this purpose as well, but is&lt;br/&gt;&amp;gt; compressible.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; My understanding is thus that the above `nLockTime` technique is what is&lt;br/&gt;&amp;gt; indeed intended for MimbleWimble cross-system atomic swaps.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; --------&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; However, I believe that Lightning and similar offchain protocols are **not&lt;br/&gt;&amp;gt; possible** on MimbleWimble, at least if we want to retain its &amp;#34;magical&lt;br/&gt;&amp;gt; shrinking blockchain&amp;#34; property.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; All practical channel constructions with indefinite lifetime require the&lt;br/&gt;&amp;gt; use of *relative* locktime.&lt;br/&gt;&amp;gt; Of note is that `nLockTime` represents an *absolute* lifetime.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The only practical channel constructions I know of that do not require&lt;br/&gt;&amp;gt; *relative* locktime (mostly various variants of Spilman channels) have a&lt;br/&gt;&amp;gt; fixed lifetime, i.e. the channel will have to be closed before the lifetime&lt;br/&gt;&amp;gt; arrives.&lt;br/&gt;&amp;gt; This is impractical for a scaling network.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; It seems to me that some kind of &amp;#34;timeout&amp;#34; is always necessary, similar to&lt;br/&gt;&amp;gt; the timeout used in SPV-proof sidechains, in order to allow an existing&lt;br/&gt;&amp;gt; claimed-latest-state to be proven as not-actually-latest.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * In Poon-Dryja, knowledge of the revocation key by the other side proves&lt;br/&gt;&amp;gt; the published claimed-latest-state is not-actually-latest and awards the&lt;br/&gt;&amp;gt; entire amount to the other party.&lt;br/&gt;&amp;gt;   * This key can only be presented during the timeout, a security&lt;br/&gt;&amp;gt; parameter.&lt;br/&gt;&amp;gt; * In Decker-Wattenhofer decrementing-`nSequence` channels, a kickoff&lt;br/&gt;&amp;gt; starts this timeout, and only the smallest-timeout state gets onchain, due&lt;br/&gt;&amp;gt; to it having a time advantage over all other versions.&lt;br/&gt;&amp;gt; * In indefinite-lifetime Spilman channels (also described in the&lt;br/&gt;&amp;gt; Decker-Wattenhofer paper), the absolute-timelock initial backoff&lt;br/&gt;&amp;gt; transaction is replaced with a kickoff &#43; relative-locktime transaction.&lt;br/&gt;&amp;gt; * In Decker-Russell-Osuntokun, each update transaction has an imposed&lt;br/&gt;&amp;gt; `nSequence` that forces a state transaction to be delayed compared to the&lt;br/&gt;&amp;gt; update transaction it is paired with.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; It seems that all practical offchain updateable cryptocurrency systems,&lt;br/&gt;&amp;gt; some kind of &amp;#34;timeout&amp;#34; is needed during which participants have an&lt;br/&gt;&amp;gt; opportunity to claim an alternative version of some previous claim of&lt;br/&gt;&amp;gt; correct state.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This timeout could be implemented as either relative or absolute lock&lt;br/&gt;&amp;gt; time, but obviously an absolute locktime would create a limit on the&lt;br/&gt;&amp;gt; lifetime of the channel.&lt;br/&gt;&amp;gt; Thus, if we were to target an indefinite-lifetime channel, we must use&lt;br/&gt;&amp;gt; relative lock times, with the timeout starting only when the unilateral&lt;br/&gt;&amp;gt; close is initiated by one participant.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Now, let us turn back to the MimbleWimble.&lt;br/&gt;&amp;gt; As it happens, we do *not* actually need SCRIPT to implement these&lt;br/&gt;&amp;gt; offchain updateable cryptocurrency systems.&lt;br/&gt;&amp;gt; 2-of-2 is often enough (and with Schnorr and other homomorphic signatures,&lt;br/&gt;&amp;gt; this is possible without explicit script, only pubkeys and signatures,&lt;br/&gt;&amp;gt; which MimbleWimble supports).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * Poon-Dryja revocation can be rewritten as an HTLC-like construct (indeed&lt;br/&gt;&amp;gt; this was the original formulation).&lt;br/&gt;&amp;gt;   * Since we have shown that, by use of two transaction alternatives, one&lt;br/&gt;&amp;gt; timelocked and the other hashlocked, we can implement an HTLC-like&lt;br/&gt;&amp;gt; construct on MimbleWimble, that is enough.&lt;br/&gt;&amp;gt; * Relative locktimes in Decker-Wattenhofer are imposed by simple&lt;br/&gt;&amp;gt; `nSequence`, not by `OP_CSV`.&lt;br/&gt;&amp;gt;   HTLCs hosted inside such constructions can again use the&lt;br/&gt;&amp;gt; two-transactions construct in MimbleWimble.&lt;br/&gt;&amp;gt; * Ditto with indefinite-lifetime Spilman.&lt;br/&gt;&amp;gt; * Ditto with Decker-Russell-Osuntokun.&lt;br/&gt;&amp;gt;   * The paper shows the use of `OP_CSV`, but aj notes it is redundant, and&lt;br/&gt;&amp;gt; I agree:&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-March/001933.html&#34;&gt;https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-March/001933.html&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Thus, it is not the &amp;#34;nonexistence of SCRIPT&amp;#34; that prevents Lightning from&lt;br/&gt;&amp;gt; being deployed on MimbleWimble.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Instead, it is the &amp;#34;nonexistence of **relative** locktime&amp;#34; that prevents&lt;br/&gt;&amp;gt; Lightning over MimbleWimble.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Why would **relative** locktimes not possibly exist?&lt;br/&gt;&amp;gt; In order to **validate** a relative locktime, we need to know the&lt;br/&gt;&amp;gt; blockheight that the output we are spending was confirmed in.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; But the entire point of the &amp;#34;magical shrinking blockchain&amp;#34; is that&lt;br/&gt;&amp;gt; already-spent outputs can be removed completely and all that needs to be&lt;br/&gt;&amp;gt; validated by a new node is:&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; * The coin-creation events.&lt;br/&gt;&amp;gt; * The current UTXO set (plus attached rangeproofs).&lt;br/&gt;&amp;gt; * The blinding keys.&lt;br/&gt;&amp;gt; * Signatures of the blinding keys, and the kernels they sign (if we use&lt;br/&gt;&amp;gt; the &amp;#34;kernels encode `nLockTime`&amp;#34; technique in some way, they should not&lt;br/&gt;&amp;gt; exceed the current supposed blockheight).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; The problem is that an output that exists in the UTXO set might be&lt;br/&gt;&amp;gt; invalid, if it appears &amp;#34;too near&amp;#34; to an `nSequence` minimum spend of a&lt;br/&gt;&amp;gt; previous output that was spent in its creation.&lt;br/&gt;&amp;gt; That is, the above does not allow validation of **relative** locktimes,&lt;br/&gt;&amp;gt; only **absolute locktimes**.&lt;br/&gt;&amp;gt; (At least as far as I understand: there may be special cryptographic&lt;br/&gt;&amp;gt; constructs that allow signatures to reliably commit to some relative&lt;br/&gt;&amp;gt; locktime).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; This means that relative locktimes need to be implemented by showing the&lt;br/&gt;&amp;gt; transactions that spend previous UTXOS and create the current UTXOs, and so&lt;br/&gt;&amp;gt; no backwards to coin-creation events.&lt;br/&gt;&amp;gt; This forces us back to the old &amp;#34;validate all transactions&amp;#34; model of&lt;br/&gt;&amp;gt; starting a new node (and seriously damaging the entire point of using&lt;br/&gt;&amp;gt; MimbleWimble anyway).&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; I do not believe it is the lack of SCRIPT that prevents&lt;br/&gt;&amp;gt; Lightning-over-MimbleWimble, but rather the lack of relative locktime,&lt;br/&gt;&amp;gt; which seems difficult to validate without knowing the individual&lt;br/&gt;&amp;gt; transactions and when they were confirmed.&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; Regards,&lt;br/&gt;&amp;gt; ZmnSCPxj&lt;br/&gt;&amp;gt;&lt;br/&gt;&amp;gt; _______________________________________________&lt;br/&gt;&amp;gt; bitcoin-dev mailing list&lt;br/&gt;&amp;gt; bitcoin-dev at lists.linuxfoundation.org&lt;br/&gt;&amp;gt; &lt;a href=&#34;https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev&#34;&gt;https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev&lt;/a&gt;&lt;br/&gt;&amp;gt;&lt;br/&gt;-------------- next part --------------&lt;br/&gt;An HTML attachment was scrubbed...&lt;br/&gt;URL: &amp;lt;&lt;a href=&#34;http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190919/28cb2694/attachment.html&amp;gt&#34;&gt;http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190919/28cb2694/attachment.html&amp;gt&lt;/a&gt;;
    </content>
    <updated>2023-06-07T18:20:37Z</updated>
  </entry>

  <entry>
    <id>https://njump.me/nevent1qqs85q4rufgeutly5meda6l82faz8kvhsskuhd0qtmy4z6z52wzde0qzyrrg3vyw3xz76g92u9dyqd3ycngz6mpq0y49s4n5uqsr674xp78x72kvw24</id>
    
      <title type="html">📅 Original date posted:2015-06-22 📝 Original message:Gavin, ...</title>
    
    <link rel="alternate" href="https://njump.me/nevent1qqs85q4rufgeutly5meda6l82faz8kvhsskuhd0qtmy4z6z52wzde0qzyrrg3vyw3xz76g92u9dyqd3ycngz6mpq0y49s4n5uqsr674xp78x72kvw24" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsqk5ckrarz5yhjuykqavn8c8sn7jkdze3z04jluwswhy7ms2q2wpqu2pjmv&#39;&gt;nevent1q…pjmv&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;📅 Original date posted:2015-06-22&lt;br/&gt;📝 Original message:Gavin,&lt;br/&gt;&lt;br/&gt;in 2022 your proposal (BIP as well as code) crosses the 32MB maximum&lt;br/&gt;message size limit. In order to avoid deployment of code that deterministically&lt;br/&gt;fails fatally in 2022, I&amp;#39;d propose to stop the doublings at 32MB for now and fix&lt;br/&gt;the message size limit in the mean time. Since the message size fix requires&lt;br/&gt;a 2nd hard fork anyway, your current 8GB limit could be re-instateted in that&lt;br/&gt;2nd fork as well. Even if you disagree, I&amp;#39;d suggest to address the topic in the BIP.&lt;br/&gt;&lt;br/&gt;best regards,&lt;br/&gt;Martin
    </content>
    <updated>2023-06-07T15:39:40Z</updated>
  </entry>

</feed>