Re: [bitcoin-dev] OP_LOOKUP_OUTPUT proposal

From: Lloyd Fournier <lloyd.fourn@gmail•com>
To: ZmnSCPxj <ZmnSCPxj@protonmail•com>,
	 Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>
Cc: "jiangshan.yu@monash•edu" <jiangshan.yu@monash•edu>,
	Runchao Han <runchao.han@monash•edu>
Subject: Re: [bitcoin-dev] OP_LOOKUP_OUTPUT proposal
Date: Mon, 12 Aug 2019 17:22:29 +0800	[thread overview]
Message-ID: <CAH5Bsr0rfHVnwcaHq_hpU4Wiz6AZ12kwDstJ34s3K7w=o-4azQ@mail.gmail.com> (raw)
In-Reply-To: <OLQmXBBI4kc9mkjbpr92bKp3UFhmg7ZtTn-m_VNinXNDT4CYz9Jf45gpSfxmkzXQLJfchMk7AaqEjbEor-ZJ02xrd_0yb2MOekXfRyovj6U=@protonmail.com>

[-- Attachment #1: Type: text/plain, Size: 9235 bytes --]

Hello Runchao and ZmnSCPxj,

I think we can simplify the explanation here by not using joint signatures
and payment channel like constructions. ZmnSCPxj's more complex
construction could be more dynamic and practical in some settings but at
least for me it gets in the way of capturing how this relatively simple
idea works.
Here's my attempt at distilling the idea:

Step 0: Alice and Bob negotiate the parameters (timeouts, refund/redeem
pubkeys, the collateral amounts and inputs/outputs for the WTJ-HTLC)

=== Step 1 ===
 Alice signs and broadcasts the BTC-HTLC and sends signature(s) on her
input(s) to the WJT-HLTC to Bob.
Note:
1. She does not need to wait for the BTC-HTLC to confirm before she sends
her signature(s).
2. There is no benefit to Alice in delaying at this point

=== Step 2 ===
Upon receiving Alice's input signature(s) and seeing the BTC-HTLC with
sufficient confirmations, Bob completes the transaction by supplying his
own signature(s) and broadcasts it.

Note:
1. Bob's ability to delay at this point shouldn't be considered an option.
Alice may withdraw her offer by double spending her one of her inputs to
the WTJ-HTLC. Alice's ability to cancel the offer and take back BTC after
the timeout proves there is no option (options cannot be cancelled)
2. In this plain construction Alice should cancel promptly (if she doesn't
see the WTJ-HTLC within the next 1 or 2 blocks for example)
3. You could even extend this protocol  to specify that Bob send signatures
on his inputs the WTJ-HTLC immediately to Alice. If he refuses Alice can
cancel within a second or two.

=== Step 3 ===
Upon seeing the WTJ-HTLC get sufficient confirmations, Alice takes the
funds (including her collateral back) by revealing the secret.

Note:
1. If she doesn't redeem the HTLC she loses her collateral. Assuming the
loss of the collateral overwhelms any gain she could experience from the
delaying her decision and she operates in her own financial interest she
redeems it immediately.

Step 4 is as usual.

At each step there is no unfair advantage to either party (at least if we
idealise the blockchains somewhat and assume that neither party can
influence which transactions get into which block etc etc).

ZmnSCPxj,

Thanks for continuing to spread this idea!
I'm still not sure about your "two hashes" approach to lightning but I hope
to get to the bottom of it soon by describing how I think it should work
more formally somewhere. Will post to lightning-dev when I do :)

LL

On Mon, Aug 12, 2019 at 4:06 PM ZmnSCPxj via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> Good morning Runchao,
>
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, August 12, 2019 11:19 AM, Runchao Han <runchao.han@monash•edu>
> wrote:
>
> > Good morning ZmnSCPxj,
> >
> > Sorry for the ambiguity of my last email. It was Sunday and I wrote it
> in 1 min on my bed. Let me elaborate what we are thinking of here.
> >
> > ## Analysis on the protocol from Fournier et al.
> >
> > In this protocol, Bob participates in the swap following the steps below:
> >
> > 1. Alice and Bob creates a payment channel on WJT blockchain.
> > 2. Bob creates the WJT transaction using the joint account of Alice and
> Bob, including 1) Bob's input of 1,000,000 WJT, 2) Alice’s input for the
> 10,000 WJT premium. This transaction should be signed by both Alice and Bob
> in order to be valid.
> > 3. Bob signs the WJT transaction and sends the WJT transaction to Alice.
> > 4. Alice signs this WJT transaction. At this stage, Alice has both the
> valid BTC transaction and the valid WJT transaction.
> > 5. Alice broadcasts both the BTC transaction and the WJT transaction.
>
> Incorrect.
>
> The order is below.
> I add also the behavior when the protocol is stalled such that a step is
> not completed.
>
> 1.  Alice broadcasts and confirms a BTC transaction paying an HTLC,
> hashlock Bob, Timelock Alice.
>     * Alice is initiating the protocol via this step, thus non-completion
> of this step is simply not performing the protocol.
> 2.  Alice informs the BTC transaction to Bob.
>     * If Alice does not perform this, Bob does not know it and Alice
> locked her own money for no reason.
> 3.  Alice and Bob indicate their inputs for the WJT-side funding
> transaction.
>     * If Alice does not perform this, it aborts the protocol and Alice
> locked her own money for no reason.
>     * If Bob does not perform this, it aborts the protocol and Bob turns
> down the opportunity to earn 10,000 WJT (opportunity cost).
> 4.  Alice and Bob exchange signatures for the WJT-side claim transaction
> which spends the funding transaction via the hashlock side and gives
> 1,000,000 WJT to payout to Alice and 10,000 WJT premium to Bob.
>     Order does not matter as funding  tx is still unsigned.
>     * If Alice does not perform this, it aborts the protocol and Alice
> locked her own money for no reason.
>     * If Bob does not perform this, it aborts the protocol and Bob turns
> down the opportunity to earn 10,000 WJT (opportunity cost).
> 5.  Bob provides signatures for the WJT funding tx,
>     * If Bob does not perform this, it aborts the protocol and Bob turns
> down the opportunity to earn 10,000 WJT (opportunity cost).
> 6.  Alice signs WJT funding tx and broacasts and confirms.
>     * If Alice does not perform this, Bob invalidates the transaction by
> spending any of his inputs.
>       * Alice has an option here, but a very short option: up until Bob
> grows tired of waiting.
>         Bob can make this timeout arbitrarily small, without requiring
> input from Alice.
>         What value would there be in a 1-second option, even gotten for
> free, when Alice has spent fees on the BTC-side transaction in the first
> place?
> 7.  Alice completes the claim transaction and broadcasts.
>     * If Alice does not perform this, Bob simply waits out the timelock
> and recovers his funds plus premium.
> 8.  Bob spends the BTC HTLC via the hashlock path.
>     * If Bob does not perform this, Bob has given money for free to Alice.
>
> Thus I do not believe this is needed for blockchain-layer atomic swaps.
>
> For Lightning-layer atomic swaps, the solution requires that two hashes be
> used on the WJT side, and is largely the above protocol in very broad
> strokes.
> Unfortunately, using two hashes instead of one leaks to intermediate hops
> that the payment involved a cross-currency swap, thus undesirable.
>
>
>
> >
> > In a word, Bob is responsible for preparing the WJT transaction, while
> Alice is responsible for preparing the BTC transaction and broadcasting
> both transactions.
> >
> > Here, if Bob stalls, nothing will happen, because Bob cannot spend the
> 10,000 WJT premium without Alice’s signature.
> > If Alice stalls, you are saying that Bob can spend the input of
> 1,000,000 WJT so he does not lose any money.
> >
> > I have 3 questions on this scheme.
> >
> > First, I’m not sure how do you define “Alice stalls”. In this case,
> Alice can stall by 1) withhold the WJT tx, or 2) broadcast BTC/WJT funding
> txs but withhold the preimage.
> > If 2), this protocol is okay. But what about 1) i.e. Alice withholds the
> WJT tx? Here, Bob cannot do anything except for closing the payment channel
> and quit.
>
> Yes.
>
> >
> > Second, I’m not sure whether Bob can spend his money in this payment
> channel while the payment channel is still valid.
> > In Bitcoin, Bob needs to close the payment channel and get back his
> money first, then he can spend the money.
>
> Depends on how the payment channel is implemented.
> If you do something like send transactions spending the internal state
> outputs, then ratifying this later by performing a transaction cut-through
> to derive the next state update, then it is no different from blockchain
> layer.
> Of course, if you postulate the non-cooperation of Alice in this, there is
> indeed a need to close unilaterally.
> But this is the same as any non-cooperation in any channel system: that is
> the entire point why you have unilateral closes.
>
> >
> > Third, let’s optimistically assume Bob can close this payment channel
> without Alice’s consent.
>
> Every payment channel system worth consideration today has a unilateral
> close.
> There is no need for optimism.
>
> > Now he decides to close this channel if Alice does not broadcast the WJT
> tx all the time.
> > Alice does not need to pay for the premium if she withholds the WJT tx.
> If Alice decides not to proceed this swap, Bob should close this channel
> and get back 1,000,000 WJT. However, Bob cannot get the 10,000 WJT premium.
>
> And this time frame can be made arbitarily small by Bob by simple threat
> of unilateral close, thus not making it an option for Alice.
>
> Regards,
> ZmnSCPxj
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

[-- Attachment #2: Type: text/html, Size: 10454 bytes --]