From: Greg Sanders <gsanders87@gmail•com>
To: Greg Sanders <gsanders87@gmail•com>,
Bitcoin Protocol Discussion
<bitcoin-dev@lists•linuxfoundation.org>,
Anthony Towns <aj@erisian•com.au>
Subject: Re: [bitcoin-dev] BIP for OP_VAULT
Date: Tue, 14 Mar 2023 10:40:53 -0400 [thread overview]
Message-ID: <CAB3F3Dsu8OWJfrEAUB=5rDtrmAm=N9zL1tN_r153v01k9F4LGA@mail.gmail.com> (raw)
In-Reply-To: <ZA9zgqeNiCBfBGUz@console>
[-- Attachment #1: Type: text/plain, Size: 3575 bytes --]
Hi Brandon,
Thank you for chiming in, causing me to think a bit more deeply on the
privacy issues
and what seems possible.
> I like that in James' current PR proposal we can explicitly batch via
the implied input/output summation rules while avoiding address reuse.
If we can retain some or all of that, I think it would be good for on
chain efficiency and potentially privacy.
Rotating trigger authorization keys maintains batchability and stops
address reuse.
Remember that anytime you share any path, like recovery path, for batching,
it becomes
obvious at spend-time. Rotating inner pubkeys only doesn't seem to help
much.
Coinjoins being the other batching scenario which could benefit perhaps are
quite a heavy
lift. You'd need the recovery policy(every other branch) to be agreed upon,
have everyone unvault
to this new joint vault, then mix, and withdrawal back to the original
vault. If someone is going through
all that effort, I suspect they'll just use a NUMS to reduce fingerprinting.
> Many inputs with different internal keys can be combined to satisfy the
total output value for a single output, as long as their scriptpubkeys
with FLU and NUMS internal key are equal This enables avoiding address
reuse within the vault.
To reiterate, we can just cycle any key in the $trigger branch with OP_FLU,
which accomplishes the same thing.
Or in authorization-less $trigger, add a random number which is dropped.
> Many inputs with the same scriptpubkey can be combined to satisfy a
single CTV output template. This allows a user to unfsck themselves if
they initiate a withdrawal that cannot be satisfied because they didn't
send enough sats to satisfy their template.
I think that would fit the deprecated OP_FORWARD_OUTPUTS, but OP_CTV
commits to total
number of inputs to remove txid malleability. I think the real solution to
this mistake would be to hit
the big red RECOVERY button that you're relying on for vault security
anyways.
Cheers,
Greg
On Mon, Mar 13, 2023 at 3:04 PM Brandon Black <freedom@reardencode•com>
wrote:
> Hi Gents,
>
> > > I don't think replacing the internal-public-key makes sense -- if it
> > was immediately spendable via the keypath before there's no reason for
> > it not to be immediately spendable now.
> >
> > Slavishly following the current proposal was the idea to make sure all
> > functionality was captured; I agree with this change.
>
> I think we do need to replace the internal key with a hardcoded NUMS
> point to allow us to batch multiple vault inputs which might have
> different internal keys but the same OP_FLU/OP_VAULT_TRIGGER script to
> the same time+template-restricted output.
>
> I like that in James' current PR proposal we can explicitly batch via
> the implied input/output summation rules while avoiding address reuse.
> If we can retain some or all of that, I think it would be good for on
> chain efficiency and potentially privacy.
>
> My thoughts on batching:
>
> Many inputs with different internal keys can be combined to satisfy the
> total output value for a single output, as long as their scriptpubkeys
> with FLU and NUMS internal key are equal This enables avoiding address
> reuse within the vault.
>
> Many inputs with the same scriptpubkey can be combined to satisfy a
> single CTV output template. This allows a user to unfsck themselves if
> they initiate a withdrawal that cannot be satisfied because they didn't
> send enough sats to satisfy their template.
>
> Best,
>
> --Brandon
>
[-- Attachment #2: Type: text/html, Size: 4301 bytes --]
next prev parent reply other threads:[~2023-03-14 14:41 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-13 21:09 James O'Beirne
2023-03-01 15:05 ` Greg Sanders
2023-03-02 4:46 ` Anthony Towns
2023-03-02 14:54 ` Greg Sanders
2023-03-02 19:51 ` Andrew Melnychuk Oseen
2023-03-06 15:25 ` James O'Beirne
2023-03-06 16:07 ` Greg Sanders
2023-03-07 12:45 ` Anthony Towns
2023-03-09 18:45 ` Greg Sanders
2023-03-10 1:08 ` Anthony Towns
2023-03-24 12:10 ` Anthony Towns
2023-03-29 7:10 ` Zac Greenwood
2023-03-29 19:57 ` alicexbt
2023-03-30 0:16 ` Steve Lee
2023-03-30 10:39 ` Zac Greenwood
2023-03-30 18:12 ` alicexbt
2023-03-13 19:03 ` Brandon Black
2023-03-14 14:40 ` Greg Sanders [this message]
2023-03-11 20:53 ` Luke Dashjr
2023-03-13 14:55 ` Greg Sanders
2023-03-13 14:56 ` Greg Sanders
2023-03-13 20:55 ` Luke Dashjr
2023-03-16 14:44 ` Greg Sanders
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAB3F3Dsu8OWJfrEAUB=5rDtrmAm=N9zL1tN_r153v01k9F4LGA@mail.gmail.com' \
--to=gsanders87@gmail$(echo .)com \
--cc=aj@erisian$(echo .)com.au \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox