Re: [bitcoin-dev] Continuing the discussion about noinput / anyprevout

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: ZmnSCPxj <ZmnSCPxj@protonmail•com>
To: Christian Decker <decker.christian@gmail•com>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>
Cc: "lightning-dev@lists•linuxfoundation.org"
	<lightning-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Continuing the discussion about noinput / anyprevout
Date: Mon, 30 Sep 2019 16:00:35 +0000	[thread overview]
Message-ID: <-5H29F71ID9UFqUGMaegQxPjKZSrF1mvdgfaaYtt_lwI7l1OTmN_8OgcooyoMt2_XuyZ5aDljL6gEup9C7skF8iuP_NbMW_81h0tJIGbJno=@protonmail.com> (raw)
In-Reply-To: <87wodp7w9f.fsf@gmail.com>

Good morning Christian,

> The concern with output tagging is that it hurts fungibility, marking outputs
> used in a contract as such and making them identifiable. But maybe it would be
> a good idea to create two domains anyway: one for user-addressable
> destinations which users can use with their general purpose wallets, and one
> domain for contracts, which users cannot send to directly.

I rather strongly oppose output tagging.

The entire point of for example Taproot was to reduce the variability of how outputs look like, so that unspent Taproot outputs look exactly like other unspent Taproot outputs regardless of the SCRIPT (or lack of SCRIPT) used to protect the outputs.
That is the reason why we would prefer to not support P2SH-wrapped Taproot even though P2SH-wrapping was intended to cover all future uses of SegWit, including SegWit v1 that Taproot will eventually get.

Indeed, if it is output tagging that gets into Bitcoin base layer, I would strongly suggest the below for all Decker-Russell-Osuntokun implementations:

* A standard MuSig 2-of-2 bip-schnorr SegWit v1 Funding Transaction Output, confirmed onchain
* A "translator transaction" spending the above and paying out to a SegWit v16 output-tagged output, kept offchain.
* Decker-Russell-Osuntokun update transaction, signed with `SIGHASH_NOINPUT` spending the translator transaction output.
* Decker-Russell-Osuntokun state transaction, signed with `SIGHASH_NOINPUT` spending the update transaction output.

The point regarding use of a commonly-known privkey to work around chaperone signatures is appropriate to the above, incidentally.
In short: this is a workaround, plain and simple, and one wonders the point of adding *either* chaperones *or* output tagging if we will, in practice, just work around them anyway.

Again, the *more* important point is that special blockchain constructions should only be used in the "bad" unilateral close case.
In the cooperative case, we want to use simple plain bip-schnorr-signed outputs getting spent to further bip-schnor/Taproot SegWit v1 addresses, to increase the anonymity set of all uses of Decker-Russell-Osuntokun and other applications that might use `SIGHASH_NOINPUT` in some edge case (but which resolve down to simple bip-schnorr-signed n-of-n cases when the protocol is completed successfully by all participants).

We already have the issue in current Lightning where the blockchain-explorer-revealed address for current, existing Poon-Dryja channels is unsafe to send any amount to.
Granted, we should work to make things safer; but I suggest that we should be willing to sacrifice some amount of safety against arguably-stupid decisions in order to have better privacy for larger sets of users.

>
> This also came up during the CoreDev meeting [ams-coredev]:
>
> > these sort of NOINPUT signatures are only things that are within some
> > application or within some protocol that gets negotiated between participants,
> > but they don't cross-independent domains where you see a wallet or a protocol
> > as a kind of domain. You can't tell the difference, is this an address I can
> > give to someone else or not? It's all scripts, no real addresses. There are
> > types of outputs that are completely insecure unconditionally; there are
> > things that are protected and I can give to anyone, you don't want to reuse
> > it, but there's no security issue from doing so. This is an additional class
> > that is secure perfectly but only when used in the right way.

I submit that a Taproot whose internal Taproot point is a NUMS point (thus nobody knows its scalar) is similarly "secure perfectly but only when used in the right way".
Yet the point of Taproot is to hide these outputs until they are spent, improving their privacy while unspent.

I submit also that a Taproot whose internal Taproot point is an n-of-n of all participants, with script branches enforcing particular modes, are similarly "secure perfectly but only when used in the right way", and again the point of Taproot is to allow the n-of-n "everybody agrees" path to hide among the 1-of-1 whale HODLers.

In short: I do not see how you can coherently argue for "we should separate `SIGHASH_NOINPUT` types to a new script type" while simultaneously arguing "we should merge all kinds of SCRIPT usage (and non-usage) together into a single script type".
If we will separate `SIGHASH_NOINPUT`-enabled outputs, we should not implement Taproot, as the existing separation of P2WSH and P2WPKH is congruent to the proposed separation of `SIGHASH_NOINPUT`-enablement.

>
> Open questions
>
> ---------------
>
> The questions that remain to be addressed are the following:
>
> 1.  General agreement on the usefulness of noinput / anyprevoutanyscript /
>     anyprevout. While at the CoreDev meeting I think everybody agreed that
>     these proposals a useful, also beyond eltoo, not everybody could be
>     there. I'd therefore like to elicit some feedback from the wider community.

I strongly agree that `NOINPUT` is useful, and I was not able to attend CoreDev (at least, not with any human fleshbot already known to you --- I checked).

>
> 2.  Is there strong support or opposition to the chaperone signatures
>     introduced in anyprevout / anyprevoutanyscript? I think it'd be best to
>     formulate a concrete set of pros and contras, rather than talk about
>     abstract dangers or advantages.

No opposition, we will just work around this by publishing a common known private key to use for all chaperone signatures, since all the important security is in the `NOINPUT` signature anyway.

>
> 3.  The same for output tagging / explicit opt-in. What are the advantages and
>     disadvantages?

Strongly oppose, see above about my argument.

>
> 4.  Shall we merge BIP-118 and bip-anyprevout. This would likely reduce the
>     confusion and make for simpler discussions in the end.

Ambivalent, mildly support.

>
> 5.  Anything I forgot to mention :-)

Cats are very interesting creatures, and are irrelevant to `SIGHASH_NOINPUT` discussion, but are extremely cute nonetheless.

Regards,
ZmnSCPxj

next prev parent reply	other threads:[~2019-09-30 16:00 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-30 13:23 Christian Decker
2019-09-30 16:00 ` ZmnSCPxj [this message]
2019-09-30 23:28   ` ZmnSCPxj
2019-10-01 14:26     ` Christian Decker
2019-10-01 14:45     ` Anthony Towns
2019-10-01 15:42       ` ZmnSCPxj
2019-10-01 14:20   ` Christian Decker
2019-10-01 15:35     ` ZmnSCPxj
2019-10-03  9:42       ` Christian Decker
2019-10-01 12:23 ` Chris Stewart
2019-10-01 13:31   ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj
2019-10-03 10:01     ` Christian Decker
2019-10-03  9:57   ` Christian Decker
     [not found] ` <CACJVCgJ9PL-2jTS71--tXsa=QkK+f5_ciYLwv468WUno=XXAig@mail.gmail.com>
2019-10-01 14:27   ` Ethan Heilman
2019-10-01 15:14   ` Chris Stewart
2019-10-03 10:30     ` Christian Decker
2019-10-01 15:59 ` [bitcoin-dev] " Anthony Towns
2019-10-02  2:03   ` ZmnSCPxj
2019-10-03  1:47     ` [bitcoin-dev] [Lightning-dev] " Anthony Towns
2019-10-03  3:07       ` ZmnSCPxj
2019-10-03 15:05     ` [bitcoin-dev] OP_CAT was " Ethan Heilman
2019-10-03 23:42       ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj
2019-10-04  0:48         ` Ethan Heilman
2019-10-04  5:02           ` Jeremy
2019-10-04  7:00             ` ZmnSCPxj
2019-10-04 18:33               ` Jeremy
2019-10-04 11:15             ` Peter Todd
2019-10-04 18:40               ` Jeremy
2019-10-05 15:49                 ` Peter Todd
2019-10-06  8:46                   ` ZmnSCPxj
2019-10-06  9:12                     ` Peter Todd
2019-10-06  7:02       ` Lloyd Fournier
2019-10-09 16:56       ` Andrew Poelstra
2019-10-02 15:11   ` [bitcoin-dev] " s7r
2019-10-03 11:08   ` Christian Decker
2019-10-05 10:06     ` Anthony Towns

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='-5H29F71ID9UFqUGMaegQxPjKZSrF1mvdgfaaYtt_lwI7l1OTmN_8OgcooyoMt2_XuyZ5aDljL6gEup9C7skF8iuP_NbMW_81h0tJIGbJno=@protonmail.com' \
    --to=zmnscpxj@protonmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=decker.christian@gmail$(echo .)com \
    --cc=lightning-dev@lists$(echo .)linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox