* [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF against package limit pinning
@ 2022-10-18 13:52 Greg Sanders
2022-10-18 15:33 ` [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage " Arik Sosman
2022-10-19 0:33 ` [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF against package " Antoine Riard
0 siblings, 2 replies; 22+ messages in thread
From: Greg Sanders @ 2022-10-18 13:52 UTC (permalink / raw)
To: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 6015 bytes --]
Hello Everyone,
Following up on the "V3 Transaction" discussion here
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html
, I would like to elaborate a bit further on some potential follow-on work
that would make pinning severely constrained in many setups].
V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks under
some constraints[0]. This means that when a replacement is to be made and
propagated, it costs the expected amount of fees to do so. This is a great
start. What's left in this subset of pinning is *package limit* pinning. In
other words, a fee-paying transaction cannot enter the mempool due to the
existing mempool package it is being added to already being too large in
count or vsize.
Zooming into the V3 simplified scenario for sake of discussion, though this
problem exists in general today:
V3 transactions restrict the package limit of a V3 package to one parent
and one child. If the parent transaction includes two outputs which can be
immediately spent by separate parties, this allows one party to disallow a
spend from the other. In Gloria's proposal for ln-penalty, this is worked
around by reducing the number of anchors per commitment transaction to 1,
and each version of the commitment transaction has a unique party's key on
it. The honest participant can spend their version with their anchor and
package RBF the other commitment transaction safely.
What if there's only one version of the commitment transaction, such as in
other protocols like duplex payment channels, eltoo? What about multi party
payments?
In the package RBF proposal, if the parent transaction is identical to an
existing transaction in the mempool, the parent will be detected and
removed from the package proposal. You are then left with a single V3 child
transaction, which is then proposed for entry into the mempool. In the case
of another parent output already being spent, this is simply rejected,
regardless of feerate of the new child.
I have two proposed solutions, of which I strongly prefer the latter:
1) Expand a carveout for "sibling eviction", where if the new child is
paying "enough" to bump spends from the same parent, it knocks its sibling
out of the mempool and takes the one child slot. This would solve it, but
is a new eviction paradigm that would need to be carefully worked through.
2) Ephemeral Anchors (my real policy-only proposal)
Ephemeral Anchors is a term which means an output is watermarked as an
output that MUST be spent in a V3 package. We mark this anchor by being the
bare script `OP_TRUE` and of course make these outputs standard to relay
and spend with empty witness data.
Also as a simplifying assumption, we require the parent transaction with
such an output to be 0-fee. This makes mempool reasoning simpler in case
the child-spend is somehow evicted, guaranteeing the parent will be as well.
Implications:
a) If the ephemeral anchor MUST be spent, we can allow *any* value, even
dust, even 0, without worrying about bloating the utxo set. We relax this
policy for maximum smart contract flexibility and specification simplicity..
b) Since this anchor MUST be spent, any spending of other outputs in the
same parent transaction MUST directly double-spend prior spends of the
ephemeral anchor. This causes the 1 block CSV timelock on outputs to be
removed in these situations. This greatly magnifies composability of smart
contracts, as now we can do things like safely splice directly into new
channels, into statechains, your custodial wallet account, your cold
wallet, wherever, without requiring other wallets to support arbitrary
scripts. Also it hurts that 1 CSV time locked scripts may not be miniscript
compatible to begin with...
c) *Anyone* can bump the transaction, without any transaction key material.
This is essentially achieving Jeremy's Transaction Sponsors (
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/018168.html)
proposal without consensus changes. As long as someone gets a fully signed
parent, they can execute a bump with minimal wallet tooling. If a
transaction author doesn’t want a “sponsor”, do not include the output.
d) Lightning Carve-out(
https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002240.html)
is superseded by this logic, as we are not restricted to two immediately
spendable output scenarios. In its place, robust multi-party fee bumping is
possible.
e) This also benefits more traditional wallet scenarios, as change outputs
can no longer be pinned, and RBF/CPFP becomes robust. Payees in simple
spends cannot pin you. Batched payouts become a lot less painful. This was
one of the motivating use cases that created the term “pinning” in the
first place(
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015717.html),
even if LN/L2 discussion has largely overtaken it due to HTLC theft risks.
Open Question(s):
1.
If we allow non-zero value in ephemeral outputs, does this open up a MEV
we are worried about? Wallets should toss all the value directly to fees,
and add their own additional fees on top, otherwise miners have incentive
to make the smallest utxo burn transaction to claim those funds. They just
confirmed your parent transaction anyways, so do we care?
2.
SIGHASH_GROUP like constructs would allow uncommitted ephemeral anchors
to be added at spend time, depending on spending requirements.
SIGHASH_SINGLE already allows this.
Hopefully this gives people something to consider as we move forward in
thinking about mempool design within the constraints we have today.
Greg
0: With V3 transactions where you have "veto power" over all the inputs in
that transaction. Therefore something like ANYONECANPAY is still broken. We
need a more complex solution, which I’m punting for the sake of progress.
[-- Attachment #2: Type: text/html, Size: 15040 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2022-10-18 13:52 [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF against package limit pinning Greg Sanders
@ 2022-10-18 15:33 ` Arik Sosman
2022-10-18 15:51 ` Greg Sanders
2022-10-19 0:33 ` [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF against package " Antoine Riard
1 sibling, 1 reply; 22+ messages in thread
From: Arik Sosman @ 2022-10-18 15:33 UTC (permalink / raw)
To: bitcoin-dev
[-- Attachment #1: Type: text/plain, Size: 6905 bytes --]
Hi Greg,
Thank you very much for sharing your proposal!
I think there's one thing about the second part of your proposal that I'm missing. Specifically, assuming the scenario of a v3 transaction with three outputs, A, B, and the ephemeral anchor OP_TRUE. If a child transaction spends A and OP_TRUE, does that effectively mark output B as unspendable once the child gets confirmed? If so, isn't the implication therefore that to safely spend a transaction with an ephemeral anchor, all outputs must be spent? Thanks!
Best,
Arik
On Tue, Oct 18, 2022, at 6:52 AM, Greg Sanders via bitcoin-dev wrote:
> Hello Everyone,
>
>
> Following up on the "V3 Transaction" discussion here https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html , I would like to elaborate a bit further on some potential follow-on work that would make pinning severely constrained in many setups].
>
>
> V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks under some constraints[0]. This means that when a replacement is to be made and propagated, it costs the expected amount of fees to do so. This is a great start. What's left in this subset of pinning is *package limit* pinning. In other words, a fee-paying transaction cannot enter the mempool due to the existing mempool package it is being added to already being too large in count or vsize.
>
>
> Zooming into the V3 simplified scenario for sake of discussion, though this problem exists in general today:
>
>
> V3 transactions restrict the package limit of a V3 package to one parent and one child. If the parent transaction includes two outputs which can be immediately spent by separate parties, this allows one party to disallow a spend from the other. In Gloria's proposal for ln-penalty, this is worked around by reducing the number of anchors per commitment transaction to 1, and each version of the commitment transaction has a unique party's key on it. The honest participant can spend their version with their anchor and package RBF the other commitment transaction safely.
>
>
> What if there's only one version of the commitment transaction, such as in other protocols like duplex payment channels, eltoo? What about multi party payments?
>
>
> In the package RBF proposal, if the parent transaction is identical to an existing transaction in the mempool, the parent will be detected and removed from the package proposal. You are then left with a single V3 child transaction, which is then proposed for entry into the mempool. In the case of another parent output already being spent, this is simply rejected, regardless of feerate of the new child.
>
>
> I have two proposed solutions, of which I strongly prefer the latter:
>
>
> 1) Expand a carveout for "sibling eviction", where if the new child is paying "enough" to bump spends from the same parent, it knocks its sibling out of the mempool and takes the one child slot. This would solve it, but is a new eviction paradigm that would need to be carefully worked through.
>
>
> 2) Ephemeral Anchors (my real policy-only proposal)
>
>
> Ephemeral Anchors is a term which means an output is watermarked as an output that MUST be spent in a V3 package. We mark this anchor by being the bare script `OP_TRUE` and of course make these outputs standard to relay and spend with empty witness data.
>
>
> Also as a simplifying assumption, we require the parent transaction with such an output to be 0-fee. This makes mempool reasoning simpler in case the child-spend is somehow evicted, guaranteeing the parent will be as well.
>
>
> Implications:
>
>
> a) If the ephemeral anchor MUST be spent, we can allow *any* value, even dust, even 0, without worrying about bloating the utxo set. We relax this policy for maximum smart contract flexibility and specification simplicity..
>
>
> b) Since this anchor MUST be spent, any spending of other outputs in the same parent transaction MUST directly double-spend prior spends of the ephemeral anchor. This causes the 1 block CSV timelock on outputs to be removed in these situations. This greatly magnifies composability of smart contracts, as now we can do things like safely splice directly into new channels, into statechains, your custodial wallet account, your cold wallet, wherever, without requiring other wallets to support arbitrary scripts. Also it hurts that 1 CSV time locked scripts may not be miniscript compatible to begin with...
>
>
> c) *Anyone* can bump the transaction, without any transaction key material. This is essentially achieving Jeremy's Transaction Sponsors (https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/018168.html) proposal without consensus changes. As long as someone gets a fully signed parent, they can execute a bump with minimal wallet tooling. If a transaction author doesn’t want a “sponsor”, do not include the output.
>
>
> d) Lightning Carve-out(https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002240.html) is superseded by this logic, as we are not restricted to two immediately spendable output scenarios. In its place, robust multi-party fee bumping is possible.
>
>
> e) This also benefits more traditional wallet scenarios, as change outputs can no longer be pinned, and RBF/CPFP becomes robust. Payees in simple spends cannot pin you. Batched payouts become a lot less painful. This was one of the motivating use cases that created the term “pinning” in the first place(https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015717.html), even if LN/L2 discussion has largely overtaken it due to HTLC theft risks.
>
>
> Open Question(s):
>
>
> 1. If we allow non-zero value in ephemeral outputs, does this open up a MEV we are worried about? Wallets should toss all the value directly to fees, and add their own additional fees on top, otherwise miners have incentive to make the smallest utxo burn transaction to claim those funds. They just confirmed your parent transaction anyways, so do we care?
>
> 2. SIGHASH_GROUP like constructs would allow uncommitted ephemeral anchors to be added at spend time, depending on spending requirements. SIGHASH_SINGLE already allows this.
>
>
>
>
> Hopefully this gives people something to consider as we move forward in thinking about mempool design within the constraints we have today.
>
>
>
> Greg
>
>
> 0: With V3 transactions where you have "veto power" over all the inputs in that transaction. Therefore something like ANYONECANPAY is still broken. We need a more complex solution, which I’m punting for the sake of progress.
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 18776 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2022-10-18 15:33 ` [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage " Arik Sosman
@ 2022-10-18 15:51 ` Greg Sanders
2022-10-18 16:41 ` Jeremy Rubin
0 siblings, 1 reply; 22+ messages in thread
From: Greg Sanders @ 2022-10-18 15:51 UTC (permalink / raw)
To: Arik Sosman, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 7655 bytes --]
> does that effectively mark output B as unspendable once the child gets
confirmed?
Not at all. It's a normal spend like before, since the parent has been
confirmed. It's completely unrestricted, not being bound to any
V3/ephemeral anchor restrictions on size, version, etc.
On Tue, Oct 18, 2022 at 11:47 AM Arik Sosman via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> Hi Greg,
>
> Thank you very much for sharing your proposal!
>
> I think there's one thing about the second part of your proposal that I'm
> missing. Specifically, assuming the scenario of a v3 transaction with three
> outputs, A, B, and the ephemeral anchor OP_TRUE. If a child transaction
> spends A and OP_TRUE, does that effectively mark output B as unspendable
> once the child gets confirmed? If so, isn't the implication therefore that
> to safely spend a transaction with an ephemeral anchor, all outputs must be
> spent? Thanks!
>
> Best,
> Arik
>
> On Tue, Oct 18, 2022, at 6:52 AM, Greg Sanders via bitcoin-dev wrote:
>
> Hello Everyone,
>
> Following up on the "V3 Transaction" discussion here
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html
> , I would like to elaborate a bit further on some potential follow-on work
> that would make pinning severely constrained in many setups].
>
> V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks under
> some constraints[0]. This means that when a replacement is to be made and
> propagated, it costs the expected amount of fees to do so. This is a great
> start. What's left in this subset of pinning is *package limit* pinning. In
> other words, a fee-paying transaction cannot enter the mempool due to the
> existing mempool package it is being added to already being too large in
> count or vsize.
>
> Zooming into the V3 simplified scenario for sake of discussion, though
> this problem exists in general today:
>
> V3 transactions restrict the package limit of a V3 package to one parent
> and one child. If the parent transaction includes two outputs which can be
> immediately spent by separate parties, this allows one party to disallow a
> spend from the other. In Gloria's proposal for ln-penalty, this is worked
> around by reducing the number of anchors per commitment transaction to 1,
> and each version of the commitment transaction has a unique party's key on
> it. The honest participant can spend their version with their anchor and
> package RBF the other commitment transaction safely.
>
> What if there's only one version of the commitment transaction, such as in
> other protocols like duplex payment channels, eltoo? What about multi party
> payments?
>
> In the package RBF proposal, if the parent transaction is identical to an
> existing transaction in the mempool, the parent will be detected and
> removed from the package proposal. You are then left with a single V3 child
> transaction, which is then proposed for entry into the mempool. In the case
> of another parent output already being spent, this is simply rejected,
> regardless of feerate of the new child.
>
> I have two proposed solutions, of which I strongly prefer the latter:
>
> 1) Expand a carveout for "sibling eviction", where if the new child is
> paying "enough" to bump spends from the same parent, it knocks its sibling
> out of the mempool and takes the one child slot. This would solve it, but
> is a new eviction paradigm that would need to be carefully worked through.
>
> 2) Ephemeral Anchors (my real policy-only proposal)
>
> Ephemeral Anchors is a term which means an output is watermarked as an
> output that MUST be spent in a V3 package. We mark this anchor by being the
> bare script `OP_TRUE` and of course make these outputs standard to relay
> and spend with empty witness data.
>
> Also as a simplifying assumption, we require the parent transaction with
> such an output to be 0-fee. This makes mempool reasoning simpler in case
> the child-spend is somehow evicted, guaranteeing the parent will be as well.
>
> Implications:
>
> a) If the ephemeral anchor MUST be spent, we can allow *any* value, even
> dust, even 0, without worrying about bloating the utxo set. We relax this
> policy for maximum smart contract flexibility and specification simplicity..
>
> b) Since this anchor MUST be spent, any spending of other outputs in the
> same parent transaction MUST directly double-spend prior spends of the
> ephemeral anchor. This causes the 1 block CSV timelock on outputs to be
> removed in these situations. This greatly magnifies composability of smart
> contracts, as now we can do things like safely splice directly into new
> channels, into statechains, your custodial wallet account, your cold
> wallet, wherever, without requiring other wallets to support arbitrary
> scripts. Also it hurts that 1 CSV time locked scripts may not be miniscript
> compatible to begin with...
>
> c) *Anyone* can bump the transaction, without any transaction key
> material. This is essentially achieving Jeremy's Transaction Sponsors (
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/018168.html)
> proposal without consensus changes. As long as someone gets a fully signed
> parent, they can execute a bump with minimal wallet tooling. If a
> transaction author doesn’t want a “sponsor”, do not include the output.
>
> d) Lightning Carve-out(
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002240.html)
> is superseded by this logic, as we are not restricted to two immediately
> spendable output scenarios. In its place, robust multi-party fee bumping is
> possible.
>
> e) This also benefits more traditional wallet scenarios, as change outputs
> can no longer be pinned, and RBF/CPFP becomes robust. Payees in simple
> spends cannot pin you. Batched payouts become a lot less painful. This was
> one of the motivating use cases that created the term “pinning” in the
> first place(
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015717.html),
> even if LN/L2 discussion has largely overtaken it due to HTLC theft risks.
>
> Open Question(s):
>
>
> 1.
>
> If we allow non-zero value in ephemeral outputs, does this open up a
> MEV we are worried about? Wallets should toss all the value directly to
> fees, and add their own additional fees on top, otherwise miners have
> incentive to make the smallest utxo burn transaction to claim those funds.
> They just confirmed your parent transaction anyways, so do we care?
> 2.
>
> SIGHASH_GROUP like constructs would allow uncommitted ephemeral
> anchors to be added at spend time, depending on spending requirements.
> SIGHASH_SINGLE already allows this.
>
>
>
>
> Hopefully this gives people something to consider as we move forward in
> thinking about mempool design within the constraints we have today.
>
>
> Greg
>
> 0: With V3 transactions where you have "veto power" over all the inputs in
> that transaction. Therefore something like ANYONECANPAY is still broken. We
> need a more complex solution, which I’m punting for the sake of progress.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 19107 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2022-10-18 15:51 ` Greg Sanders
@ 2022-10-18 16:41 ` Jeremy Rubin
2022-10-18 18:18 ` Greg Sanders
2022-10-19 15:11 ` James O'Beirne
0 siblings, 2 replies; 22+ messages in thread
From: Jeremy Rubin @ 2022-10-18 16:41 UTC (permalink / raw)
To: Greg Sanders, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 9019 bytes --]
Excellent proposal and I agree it does capture much of the spirit of
sponsors w.r.t. how they might be used for V3 protocols.
The only drawbacks I see is they don't work for lower tx version contracts,
so there's still something to be desired there, and that the requirement to
sweep the output must be incentive compatible for the miner, or else they
won't enforce it (pass the buck onto the future bitcoiners). The Ephemeral
UTXO concept can be a consensus rule (see
https://rubin.io/public/pdfs/multi-txn-contracts.pdf "Intermediate UTXO")
we add later on in lieu of managing them by incentive, so maybe it's a
cleanup one can punt.
One question I have is if V3 is designed for lightning, and this is
designed for lightning, is there any sense in requiring these outputs for
v3? That might help with e.g. anonymity set, as well as potentially keep
the v3 surface smaller.
On Tue, Oct 18, 2022 at 11:51 AM Greg Sanders via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> > does that effectively mark output B as unspendable once the child gets
> confirmed?
>
> Not at all. It's a normal spend like before, since the parent has been
> confirmed. It's completely unrestricted, not being bound to any
> V3/ephemeral anchor restrictions on size, version, etc.
>
> On Tue, Oct 18, 2022 at 11:47 AM Arik Sosman via bitcoin-dev <
> bitcoin-dev@lists•linuxfoundation.org> wrote:
>
>> Hi Greg,
>>
>> Thank you very much for sharing your proposal!
>>
>> I think there's one thing about the second part of your proposal that I'm
>> missing. Specifically, assuming the scenario of a v3 transaction with three
>> outputs, A, B, and the ephemeral anchor OP_TRUE. If a child transaction
>> spends A and OP_TRUE, does that effectively mark output B as unspendable
>> once the child gets confirmed? If so, isn't the implication therefore that
>> to safely spend a transaction with an ephemeral anchor, all outputs must be
>> spent? Thanks!
>>
>> Best,
>> Arik
>>
>> On Tue, Oct 18, 2022, at 6:52 AM, Greg Sanders via bitcoin-dev wrote:
>>
>> Hello Everyone,
>>
>> Following up on the "V3 Transaction" discussion here
>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html
>> , I would like to elaborate a bit further on some potential follow-on work
>> that would make pinning severely constrained in many setups].
>>
>> V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks under
>> some constraints[0]. This means that when a replacement is to be made and
>> propagated, it costs the expected amount of fees to do so. This is a great
>> start. What's left in this subset of pinning is *package limit* pinning. In
>> other words, a fee-paying transaction cannot enter the mempool due to the
>> existing mempool package it is being added to already being too large in
>> count or vsize.
>>
>> Zooming into the V3 simplified scenario for sake of discussion, though
>> this problem exists in general today:
>>
>> V3 transactions restrict the package limit of a V3 package to one parent
>> and one child. If the parent transaction includes two outputs which can be
>> immediately spent by separate parties, this allows one party to disallow a
>> spend from the other. In Gloria's proposal for ln-penalty, this is worked
>> around by reducing the number of anchors per commitment transaction to 1,
>> and each version of the commitment transaction has a unique party's key on
>> it. The honest participant can spend their version with their anchor and
>> package RBF the other commitment transaction safely.
>>
>> What if there's only one version of the commitment transaction, such as
>> in other protocols like duplex payment channels, eltoo? What about multi
>> party payments?
>>
>> In the package RBF proposal, if the parent transaction is identical to an
>> existing transaction in the mempool, the parent will be detected and
>> removed from the package proposal. You are then left with a single V3 child
>> transaction, which is then proposed for entry into the mempool. In the case
>> of another parent output already being spent, this is simply rejected,
>> regardless of feerate of the new child.
>>
>> I have two proposed solutions, of which I strongly prefer the latter:
>>
>> 1) Expand a carveout for "sibling eviction", where if the new child is
>> paying "enough" to bump spends from the same parent, it knocks its sibling
>> out of the mempool and takes the one child slot. This would solve it, but
>> is a new eviction paradigm that would need to be carefully worked through.
>>
>> 2) Ephemeral Anchors (my real policy-only proposal)
>>
>> Ephemeral Anchors is a term which means an output is watermarked as an
>> output that MUST be spent in a V3 package. We mark this anchor by being the
>> bare script `OP_TRUE` and of course make these outputs standard to relay
>> and spend with empty witness data.
>>
>> Also as a simplifying assumption, we require the parent transaction with
>> such an output to be 0-fee. This makes mempool reasoning simpler in case
>> the child-spend is somehow evicted, guaranteeing the parent will be as well.
>>
>> Implications:
>>
>> a) If the ephemeral anchor MUST be spent, we can allow *any* value, even
>> dust, even 0, without worrying about bloating the utxo set. We relax this
>> policy for maximum smart contract flexibility and specification simplicity..
>>
>> b) Since this anchor MUST be spent, any spending of other outputs in the
>> same parent transaction MUST directly double-spend prior spends of the
>> ephemeral anchor. This causes the 1 block CSV timelock on outputs to be
>> removed in these situations. This greatly magnifies composability of smart
>> contracts, as now we can do things like safely splice directly into new
>> channels, into statechains, your custodial wallet account, your cold
>> wallet, wherever, without requiring other wallets to support arbitrary
>> scripts. Also it hurts that 1 CSV time locked scripts may not be miniscript
>> compatible to begin with...
>>
>> c) *Anyone* can bump the transaction, without any transaction key
>> material. This is essentially achieving Jeremy's Transaction Sponsors (
>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/018168.html)
>> proposal without consensus changes. As long as someone gets a fully signed
>> parent, they can execute a bump with minimal wallet tooling. If a
>> transaction author doesn’t want a “sponsor”, do not include the output.
>>
>> d) Lightning Carve-out(
>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002240.html)
>> is superseded by this logic, as we are not restricted to two immediately
>> spendable output scenarios. In its place, robust multi-party fee bumping is
>> possible.
>>
>> e) This also benefits more traditional wallet scenarios, as change
>> outputs can no longer be pinned, and RBF/CPFP becomes robust. Payees in
>> simple spends cannot pin you. Batched payouts become a lot less painful.
>> This was one of the motivating use cases that created the term “pinning” in
>> the first place(
>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015717.html),
>> even if LN/L2 discussion has largely overtaken it due to HTLC theft risks.
>>
>> Open Question(s):
>>
>>
>> 1.
>>
>> If we allow non-zero value in ephemeral outputs, does this open up a
>> MEV we are worried about? Wallets should toss all the value directly to
>> fees, and add their own additional fees on top, otherwise miners have
>> incentive to make the smallest utxo burn transaction to claim those funds.
>> They just confirmed your parent transaction anyways, so do we care?
>> 2.
>>
>> SIGHASH_GROUP like constructs would allow uncommitted ephemeral
>> anchors to be added at spend time, depending on spending requirements.
>> SIGHASH_SINGLE already allows this.
>>
>>
>>
>>
>> Hopefully this gives people something to consider as we move forward in
>> thinking about mempool design within the constraints we have today.
>>
>>
>> Greg
>>
>> 0: With V3 transactions where you have "veto power" over all the inputs
>> in that transaction. Therefore something like ANYONECANPAY is still broken.
>> We need a more complex solution, which I’m punting for the sake of progress.
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists•linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists•linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 21546 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2022-10-18 16:41 ` Jeremy Rubin
@ 2022-10-18 18:18 ` Greg Sanders
2022-10-19 15:11 ` James O'Beirne
1 sibling, 0 replies; 22+ messages in thread
From: Greg Sanders @ 2022-10-18 18:18 UTC (permalink / raw)
To: Jeremy Rubin; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 10409 bytes --]
> (see https://rubin.io/public/pdfs/multi-txn-contracts.pdf "Intermediate
UTXO")
I think I remember you trying to explain this to me a long time ago. Thanks
for the callback!
> One question I have is if V3 is designed for lightning, and this is
designed for lightning, is there any sense in requiring these outputs for
v3? That might help with e.g. anonymity set, as well as potentially keep
the v3 surface smaller.
The fingerprinting angle is yet another thing to consider. There are
definitely uses of V3 that do not require ephemeral anchors, and you can
save a healthy amount of bytes not requiring them. I think in the cases
where RBF of the parent is possible, at least.
f.e., I think V3 alone makes splicing robust even in the presence of
external inputs, since the commitment tx(s) can (package) RBF the splice at
any point. V3 may have enough value-add by itself where the additional
bytes and inability to opt out of "transaction sponsor" style bumps may be
undesirable.
Lastly this would tie deployments of these improvements together. Something
to consider.
Cheers,
Greg
On Tue, Oct 18, 2022 at 12:41 PM Jeremy Rubin <j@rubin•io> wrote:
> Excellent proposal and I agree it does capture much of the spirit of
> sponsors w.r.t. how they might be used for V3 protocols.
>
> The only drawbacks I see is they don't work for lower tx version
> contracts, so there's still something to be desired there, and that the
> requirement to sweep the output must be incentive compatible for the miner,
> or else they won't enforce it (pass the buck onto the future bitcoiners).
> The Ephemeral UTXO concept can be a consensus rule (see
> https://rubin.io/public/pdfs/multi-txn-contracts.pdf "Intermediate UTXO")
> we add later on in lieu of managing them by incentive, so maybe it's a
> cleanup one can punt.
>
> One question I have is if V3 is designed for lightning, and this is
> designed for lightning, is there any sense in requiring these outputs for
> v3? That might help with e.g. anonymity set, as well as potentially keep
> the v3 surface smaller.
>
> On Tue, Oct 18, 2022 at 11:51 AM Greg Sanders via bitcoin-dev <
> bitcoin-dev@lists•linuxfoundation.org> wrote:
>
>> > does that effectively mark output B as unspendable once the child gets
>> confirmed?
>>
>> Not at all. It's a normal spend like before, since the parent has been
>> confirmed. It's completely unrestricted, not being bound to any
>> V3/ephemeral anchor restrictions on size, version, etc.
>>
>> On Tue, Oct 18, 2022 at 11:47 AM Arik Sosman via bitcoin-dev <
>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>
>>> Hi Greg,
>>>
>>> Thank you very much for sharing your proposal!
>>>
>>> I think there's one thing about the second part of your proposal that
>>> I'm missing. Specifically, assuming the scenario of a v3 transaction with
>>> three outputs, A, B, and the ephemeral anchor OP_TRUE. If a child
>>> transaction spends A and OP_TRUE, does that effectively mark output B as
>>> unspendable once the child gets confirmed? If so, isn't the implication
>>> therefore that to safely spend a transaction with an ephemeral anchor, all
>>> outputs must be spent? Thanks!
>>>
>>> Best,
>>> Arik
>>>
>>> On Tue, Oct 18, 2022, at 6:52 AM, Greg Sanders via bitcoin-dev wrote:
>>>
>>> Hello Everyone,
>>>
>>> Following up on the "V3 Transaction" discussion here
>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html
>>> , I would like to elaborate a bit further on some potential follow-on work
>>> that would make pinning severely constrained in many setups].
>>>
>>> V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks under
>>> some constraints[0]. This means that when a replacement is to be made and
>>> propagated, it costs the expected amount of fees to do so. This is a great
>>> start. What's left in this subset of pinning is *package limit* pinning. In
>>> other words, a fee-paying transaction cannot enter the mempool due to the
>>> existing mempool package it is being added to already being too large in
>>> count or vsize.
>>>
>>> Zooming into the V3 simplified scenario for sake of discussion, though
>>> this problem exists in general today:
>>>
>>> V3 transactions restrict the package limit of a V3 package to one parent
>>> and one child. If the parent transaction includes two outputs which can be
>>> immediately spent by separate parties, this allows one party to disallow a
>>> spend from the other. In Gloria's proposal for ln-penalty, this is worked
>>> around by reducing the number of anchors per commitment transaction to 1,
>>> and each version of the commitment transaction has a unique party's key on
>>> it. The honest participant can spend their version with their anchor and
>>> package RBF the other commitment transaction safely.
>>>
>>> What if there's only one version of the commitment transaction, such as
>>> in other protocols like duplex payment channels, eltoo? What about multi
>>> party payments?
>>>
>>> In the package RBF proposal, if the parent transaction is identical to
>>> an existing transaction in the mempool, the parent will be detected and
>>> removed from the package proposal. You are then left with a single V3 child
>>> transaction, which is then proposed for entry into the mempool. In the case
>>> of another parent output already being spent, this is simply rejected,
>>> regardless of feerate of the new child.
>>>
>>> I have two proposed solutions, of which I strongly prefer the latter:
>>>
>>> 1) Expand a carveout for "sibling eviction", where if the new child is
>>> paying "enough" to bump spends from the same parent, it knocks its sibling
>>> out of the mempool and takes the one child slot. This would solve it, but
>>> is a new eviction paradigm that would need to be carefully worked through.
>>>
>>> 2) Ephemeral Anchors (my real policy-only proposal)
>>>
>>> Ephemeral Anchors is a term which means an output is watermarked as an
>>> output that MUST be spent in a V3 package. We mark this anchor by being the
>>> bare script `OP_TRUE` and of course make these outputs standard to relay
>>> and spend with empty witness data.
>>>
>>> Also as a simplifying assumption, we require the parent transaction with
>>> such an output to be 0-fee. This makes mempool reasoning simpler in case
>>> the child-spend is somehow evicted, guaranteeing the parent will be as well.
>>>
>>> Implications:
>>>
>>> a) If the ephemeral anchor MUST be spent, we can allow *any* value, even
>>> dust, even 0, without worrying about bloating the utxo set. We relax this
>>> policy for maximum smart contract flexibility and specification simplicity..
>>>
>>> b) Since this anchor MUST be spent, any spending of other outputs in the
>>> same parent transaction MUST directly double-spend prior spends of the
>>> ephemeral anchor. This causes the 1 block CSV timelock on outputs to be
>>> removed in these situations. This greatly magnifies composability of smart
>>> contracts, as now we can do things like safely splice directly into new
>>> channels, into statechains, your custodial wallet account, your cold
>>> wallet, wherever, without requiring other wallets to support arbitrary
>>> scripts. Also it hurts that 1 CSV time locked scripts may not be miniscript
>>> compatible to begin with...
>>>
>>> c) *Anyone* can bump the transaction, without any transaction key
>>> material. This is essentially achieving Jeremy's Transaction Sponsors (
>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/018168.html)
>>> proposal without consensus changes. As long as someone gets a fully signed
>>> parent, they can execute a bump with minimal wallet tooling. If a
>>> transaction author doesn’t want a “sponsor”, do not include the output.
>>>
>>> d) Lightning Carve-out(
>>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002240.html)
>>> is superseded by this logic, as we are not restricted to two immediately
>>> spendable output scenarios. In its place, robust multi-party fee bumping is
>>> possible.
>>>
>>> e) This also benefits more traditional wallet scenarios, as change
>>> outputs can no longer be pinned, and RBF/CPFP becomes robust. Payees in
>>> simple spends cannot pin you. Batched payouts become a lot less painful.
>>> This was one of the motivating use cases that created the term “pinning” in
>>> the first place(
>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015717.html),
>>> even if LN/L2 discussion has largely overtaken it due to HTLC theft risks.
>>>
>>> Open Question(s):
>>>
>>>
>>> 1.
>>>
>>> If we allow non-zero value in ephemeral outputs, does this open up a
>>> MEV we are worried about? Wallets should toss all the value directly to
>>> fees, and add their own additional fees on top, otherwise miners have
>>> incentive to make the smallest utxo burn transaction to claim those funds.
>>> They just confirmed your parent transaction anyways, so do we care?
>>> 2.
>>>
>>> SIGHASH_GROUP like constructs would allow uncommitted ephemeral
>>> anchors to be added at spend time, depending on spending requirements.
>>> SIGHASH_SINGLE already allows this.
>>>
>>>
>>>
>>>
>>> Hopefully this gives people something to consider as we move forward in
>>> thinking about mempool design within the constraints we have today.
>>>
>>>
>>> Greg
>>>
>>> 0: With V3 transactions where you have "veto power" over all the inputs
>>> in that transaction. Therefore something like ANYONECANPAY is still broken.
>>> We need a more complex solution, which I’m punting for the sake of progress.
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists•linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists•linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists•linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
[-- Attachment #2: Type: text/html, Size: 24124 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF against package limit pinning
2022-10-18 13:52 [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF against package limit pinning Greg Sanders
2022-10-18 15:33 ` [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage " Arik Sosman
@ 2022-10-19 0:33 ` Antoine Riard
2022-10-19 13:22 ` Greg Sanders
1 sibling, 1 reply; 22+ messages in thread
From: Antoine Riard @ 2022-10-19 0:33 UTC (permalink / raw)
To: Greg Sanders, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 9868 bytes --]
Hi Greg,
Thanks for proposing forward the "ephemeral anchors" policy change.
> In Gloria's proposal for ln-penalty, this is worked
> around by reducing the number of anchors per commitment transaction to 1,
> and each version of the commitment transaction has a unique party's key on
> it. The honest participant can spend their version with their anchor and
> package RBF the other commitment transaction safely.
IIRC, here I think we also need _package relay_ in strict addition of
_package RBF_, otherwise if your Lightning transactions are still relayed
and accepted one by one, your version of the commitment transaction won't
succeed to replace the other counterparties's commitments sleeping in
network mempools. The presence of a remote anchor output on the
counterparty commitment still offers an ability to fee-bump, albeit in
practice more a lucky shot as you might have partitioned network mempools
between your local commitment and the remote commitment disputing the spend
of the same funding UTXO.
> 1) Expand a carveout for "sibling eviction", where if the new child is
> paying "enough" to bump spends from the same parent, it knocks its sibling
> out of the mempool and takes the one child slot. This would solve it, but
> is a new eviction paradigm that would need to be carefully worked through.
Note, I wonder about the robustness of such a "sibling eviction" mechanism
in the context of multi-party construction. E.g, a batching payout, where
the participants are competing to each other in a blind way, as they do
want their CPFPs paying back to them to confirm first, enforcing their
individual liquidity preferences. I would think it might artificially lead
the participants to overbid far beyond the top mempool block fees.
> If we allow non-zero value in ephemeral outputs, does this open up a MEV
> we are worried about? Wallets should toss all the value directly to fees,
> and add their own additional fees on top, otherwise miners have incentive
> to make the smallest utxo burn transaction to claim those funds. They
just
> confirmed your parent transaction anyways, so do we care?
If we allow non-zero value in ephemeral outputs, I think we're slightly
modifying the incentives games of the channels counterparties, in the sense
if you have a link Alice-Bob, Bob could circular loop a bunch of dust
offered HTLC deduced from Alice balance and committed as fees in the
ephemeral output value, then break the channel on-chain to pocket in the
trimmed value sum (in the limit of your Lightning implementation dust
exposure). Note, this is already possible today if your counterparty is a
miner however iiuc the proposal, here we're lowering the bar.
> SIGHASH_GROUP like constructs would allow uncommitted ephemeral anchors
> to be added at spend time, depending on spending requirements.
> SIGHASH_SINGLE already allows this.
Note, with SIGHASH_GROUP, you're still allowed to aggregate in a single
bundle multiple ln-penalty commitments or eltoo settlement transactions,
with only one fee-bumping output. It's a cool space performance trick, but
a) I think this is still more a whiteboard idea than a sound proposal and
b) sounds more a long-term, low-hanging fruit optimization of blockspace
consumption.
Best,
Antoine
Le mar. 18 oct. 2022 à 09:53, Greg Sanders via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> a écrit :
> Hello Everyone,
>
> Following up on the "V3 Transaction" discussion here
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html
> , I would like to elaborate a bit further on some potential follow-on work
> that would make pinning severely constrained in many setups].
>
> V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks under
> some constraints[0]. This means that when a replacement is to be made and
> propagated, it costs the expected amount of fees to do so. This is a great
> start. What's left in this subset of pinning is *package limit* pinning. In
> other words, a fee-paying transaction cannot enter the mempool due to the
> existing mempool package it is being added to already being too large in
> count or vsize.
>
> Zooming into the V3 simplified scenario for sake of discussion, though
> this problem exists in general today:
>
> V3 transactions restrict the package limit of a V3 package to one parent
> and one child. If the parent transaction includes two outputs which can be
> immediately spent by separate parties, this allows one party to disallow a
> spend from the other. In Gloria's proposal for ln-penalty, this is worked
> around by reducing the number of anchors per commitment transaction to 1,
> and each version of the commitment transaction has a unique party's key on
> it. The honest participant can spend their version with their anchor and
> package RBF the other commitment transaction safely.
>
> What if there's only one version of the commitment transaction, such as in
> other protocols like duplex payment channels, eltoo? What about multi party
> payments?
>
> In the package RBF proposal, if the parent transaction is identical to an
> existing transaction in the mempool, the parent will be detected and
> removed from the package proposal. You are then left with a single V3 child
> transaction, which is then proposed for entry into the mempool. In the case
> of another parent output already being spent, this is simply rejected,
> regardless of feerate of the new child.
>
> I have two proposed solutions, of which I strongly prefer the latter:
>
> 1) Expand a carveout for "sibling eviction", where if the new child is
> paying "enough" to bump spends from the same parent, it knocks its sibling
> out of the mempool and takes the one child slot. This would solve it, but
> is a new eviction paradigm that would need to be carefully worked through.
>
> 2) Ephemeral Anchors (my real policy-only proposal)
>
> Ephemeral Anchors is a term which means an output is watermarked as an
> output that MUST be spent in a V3 package. We mark this anchor by being the
> bare script `OP_TRUE` and of course make these outputs standard to relay
> and spend with empty witness data.
>
> Also as a simplifying assumption, we require the parent transaction with
> such an output to be 0-fee. This makes mempool reasoning simpler in case
> the child-spend is somehow evicted, guaranteeing the parent will be as well.
>
> Implications:
>
> a) If the ephemeral anchor MUST be spent, we can allow *any* value, even
> dust, even 0, without worrying about bloating the utxo set. We relax this
> policy for maximum smart contract flexibility and specification simplicity..
>
> b) Since this anchor MUST be spent, any spending of other outputs in the
> same parent transaction MUST directly double-spend prior spends of the
> ephemeral anchor. This causes the 1 block CSV timelock on outputs to be
> removed in these situations. This greatly magnifies composability of smart
> contracts, as now we can do things like safely splice directly into new
> channels, into statechains, your custodial wallet account, your cold
> wallet, wherever, without requiring other wallets to support arbitrary
> scripts. Also it hurts that 1 CSV time locked scripts may not be miniscript
> compatible to begin with...
>
> c) *Anyone* can bump the transaction, without any transaction key
> material. This is essentially achieving Jeremy's Transaction Sponsors (
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/018168.html)
> proposal without consensus changes. As long as someone gets a fully signed
> parent, they can execute a bump with minimal wallet tooling. If a
> transaction author doesn’t want a “sponsor”, do not include the output.
>
> d) Lightning Carve-out(
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002240.html)
> is superseded by this logic, as we are not restricted to two immediately
> spendable output scenarios. In its place, robust multi-party fee bumping is
> possible.
>
> e) This also benefits more traditional wallet scenarios, as change outputs
> can no longer be pinned, and RBF/CPFP becomes robust. Payees in simple
> spends cannot pin you. Batched payouts become a lot less painful. This was
> one of the motivating use cases that created the term “pinning” in the
> first place(
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015717.html),
> even if LN/L2 discussion has largely overtaken it due to HTLC theft risks.
>
> Open Question(s):
>
>
> 1.
>
> If we allow non-zero value in ephemeral outputs, does this open up a
> MEV we are worried about? Wallets should toss all the value directly to
> fees, and add their own additional fees on top, otherwise miners have
> incentive to make the smallest utxo burn transaction to claim those funds.
> They just confirmed your parent transaction anyways, so do we care?
> 2.
>
> SIGHASH_GROUP like constructs would allow uncommitted ephemeral
> anchors to be added at spend time, depending on spending requirements.
> SIGHASH_SINGLE already allows this.
>
>
>
>
> Hopefully this gives people something to consider as we move forward in
> thinking about mempool design within the constraints we have today.
>
>
> Greg
>
> 0: With V3 transactions where you have "veto power" over all the inputs in
> that transaction. Therefore something like ANYONECANPAY is still broken. We
> need a more complex solution, which I’m punting for the sake of progress.
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 19394 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF against package limit pinning
2022-10-19 0:33 ` [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF against package " Antoine Riard
@ 2022-10-19 13:22 ` Greg Sanders
0 siblings, 0 replies; 22+ messages in thread
From: Greg Sanders @ 2022-10-19 13:22 UTC (permalink / raw)
To: Antoine Riard; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 11805 bytes --]
> IIRC, here I think we also need _package relay_ in strict addition of
_package RBF_,
Yes, sorry if that wasn't clear. Package Relay -> Package RBF -> V3 ->
Ephemeral Anchors
> If we allow non-zero value in ephemeral outputs, I think we're slightly
modifying the incentives games of the channels counterparties, in the sense
if you have a link Alice-Bob, Bob could circular loop a bunch of dust
offered HTLC deduced from Alice balance and committed as fees in the
ephemeral output value, then break the channel on-chain to pocket in the
trimmed value sum (in the limit of your Lightning implementation dust
exposure). Note, this is already possible today if your counterparty is a
miner however iiuc the proposal, here we're lowering the bar.
Maybe the 0-fee parent requirement creates too much downstream protocol
complexity. Perhaps each node software can choose its own strategy for
removing the parent when the child is evicted. For example, a node software
could completely ignore the parent tx fee in the presence of an ephemeral
anchor. In other words, the trimmed value can go to fee, but the fee is
effectively ignored from mempool inclusion standpoint.
We already toss things with dust even though it's "incentive incompatible";
it's no worse?
As an entertaining aside, h/t to AJ who found this old thread that proposed
an OP_TRUE, 0-fee parent idea, but 4 years behind in our understanding of
pinning. All the usual suspects chiming in:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-May/015931.html
Great minds, etc.
Greg
On Tue, Oct 18, 2022 at 8:33 PM Antoine Riard <antoine.riard@gmail•com>
wrote:
> Hi Greg,
>
> Thanks for proposing forward the "ephemeral anchors" policy change.
>
> > In Gloria's proposal for ln-penalty, this is worked
> > around by reducing the number of anchors per commitment transaction to 1,
> > and each version of the commitment transaction has a unique party's key
> on
> > it. The honest participant can spend their version with their anchor and
> > package RBF the other commitment transaction safely.
>
> IIRC, here I think we also need _package relay_ in strict addition of
> _package RBF_, otherwise if your Lightning transactions are still relayed
> and accepted one by one, your version of the commitment transaction won't
> succeed to replace the other counterparties's commitments sleeping in
> network mempools. The presence of a remote anchor output on the
> counterparty commitment still offers an ability to fee-bump, albeit in
> practice more a lucky shot as you might have partitioned network mempools
> between your local commitment and the remote commitment disputing the spend
> of the same funding UTXO.
>
> > 1) Expand a carveout for "sibling eviction", where if the new child is
> > paying "enough" to bump spends from the same parent, it knocks its
> sibling
> > out of the mempool and takes the one child slot. This would solve it, but
> > is a new eviction paradigm that would need to be carefully worked
> through.
>
> Note, I wonder about the robustness of such a "sibling eviction" mechanism
> in the context of multi-party construction. E.g, a batching payout, where
> the participants are competing to each other in a blind way, as they do
> want their CPFPs paying back to them to confirm first, enforcing their
> individual liquidity preferences. I would think it might artificially lead
> the participants to overbid far beyond the top mempool block fees.
>
> > If we allow non-zero value in ephemeral outputs, does this open up a MEV
> > we are worried about? Wallets should toss all the value directly to
> fees,
> > and add their own additional fees on top, otherwise miners have
> incentive
> > to make the smallest utxo burn transaction to claim those funds. They
> just
> > confirmed your parent transaction anyways, so do we care?
>
> If we allow non-zero value in ephemeral outputs, I think we're slightly
> modifying the incentives games of the channels counterparties, in the sense
> if you have a link Alice-Bob, Bob could circular loop a bunch of dust
> offered HTLC deduced from Alice balance and committed as fees in the
> ephemeral output value, then break the channel on-chain to pocket in the
> trimmed value sum (in the limit of your Lightning implementation dust
> exposure). Note, this is already possible today if your counterparty is a
> miner however iiuc the proposal, here we're lowering the bar.
>
> > SIGHASH_GROUP like constructs would allow uncommitted ephemeral anchors
> > to be added at spend time, depending on spending requirements.
> > SIGHASH_SINGLE already allows this.
>
> Note, with SIGHASH_GROUP, you're still allowed to aggregate in a single
> bundle multiple ln-penalty commitments or eltoo settlement transactions,
> with only one fee-bumping output. It's a cool space performance trick, but
> a) I think this is still more a whiteboard idea than a sound proposal and
> b) sounds more a long-term, low-hanging fruit optimization of blockspace
> consumption.
>
> Best,
> Antoine
>
> Le mar. 18 oct. 2022 à 09:53, Greg Sanders via bitcoin-dev <
> bitcoin-dev@lists•linuxfoundation.org> a écrit :
>
>> Hello Everyone,
>>
>> Following up on the "V3 Transaction" discussion here
>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html
>> , I would like to elaborate a bit further on some potential follow-on work
>> that would make pinning severely constrained in many setups].
>>
>> V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks under
>> some constraints[0]. This means that when a replacement is to be made and
>> propagated, it costs the expected amount of fees to do so. This is a great
>> start. What's left in this subset of pinning is *package limit* pinning. In
>> other words, a fee-paying transaction cannot enter the mempool due to the
>> existing mempool package it is being added to already being too large in
>> count or vsize.
>>
>> Zooming into the V3 simplified scenario for sake of discussion, though
>> this problem exists in general today:
>>
>> V3 transactions restrict the package limit of a V3 package to one parent
>> and one child. If the parent transaction includes two outputs which can be
>> immediately spent by separate parties, this allows one party to disallow a
>> spend from the other. In Gloria's proposal for ln-penalty, this is worked
>> around by reducing the number of anchors per commitment transaction to 1,
>> and each version of the commitment transaction has a unique party's key on
>> it. The honest participant can spend their version with their anchor and
>> package RBF the other commitment transaction safely.
>>
>> What if there's only one version of the commitment transaction, such as
>> in other protocols like duplex payment channels, eltoo? What about multi
>> party payments?
>>
>> In the package RBF proposal, if the parent transaction is identical to an
>> existing transaction in the mempool, the parent will be detected and
>> removed from the package proposal. You are then left with a single V3 child
>> transaction, which is then proposed for entry into the mempool. In the case
>> of another parent output already being spent, this is simply rejected,
>> regardless of feerate of the new child.
>>
>> I have two proposed solutions, of which I strongly prefer the latter:
>>
>> 1) Expand a carveout for "sibling eviction", where if the new child is
>> paying "enough" to bump spends from the same parent, it knocks its sibling
>> out of the mempool and takes the one child slot. This would solve it, but
>> is a new eviction paradigm that would need to be carefully worked through.
>>
>> 2) Ephemeral Anchors (my real policy-only proposal)
>>
>> Ephemeral Anchors is a term which means an output is watermarked as an
>> output that MUST be spent in a V3 package. We mark this anchor by being the
>> bare script `OP_TRUE` and of course make these outputs standard to relay
>> and spend with empty witness data.
>>
>> Also as a simplifying assumption, we require the parent transaction with
>> such an output to be 0-fee. This makes mempool reasoning simpler in case
>> the child-spend is somehow evicted, guaranteeing the parent will be as well.
>>
>> Implications:
>>
>> a) If the ephemeral anchor MUST be spent, we can allow *any* value, even
>> dust, even 0, without worrying about bloating the utxo set. We relax this
>> policy for maximum smart contract flexibility and specification simplicity..
>>
>> b) Since this anchor MUST be spent, any spending of other outputs in the
>> same parent transaction MUST directly double-spend prior spends of the
>> ephemeral anchor. This causes the 1 block CSV timelock on outputs to be
>> removed in these situations. This greatly magnifies composability of smart
>> contracts, as now we can do things like safely splice directly into new
>> channels, into statechains, your custodial wallet account, your cold
>> wallet, wherever, without requiring other wallets to support arbitrary
>> scripts. Also it hurts that 1 CSV time locked scripts may not be miniscript
>> compatible to begin with...
>>
>> c) *Anyone* can bump the transaction, without any transaction key
>> material. This is essentially achieving Jeremy's Transaction Sponsors (
>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/018168.html)
>> proposal without consensus changes. As long as someone gets a fully signed
>> parent, they can execute a bump with minimal wallet tooling. If a
>> transaction author doesn’t want a “sponsor”, do not include the output.
>>
>> d) Lightning Carve-out(
>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002240.html)
>> is superseded by this logic, as we are not restricted to two immediately
>> spendable output scenarios. In its place, robust multi-party fee bumping is
>> possible.
>>
>> e) This also benefits more traditional wallet scenarios, as change
>> outputs can no longer be pinned, and RBF/CPFP becomes robust. Payees in
>> simple spends cannot pin you. Batched payouts become a lot less painful.
>> This was one of the motivating use cases that created the term “pinning” in
>> the first place(
>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015717.html),
>> even if LN/L2 discussion has largely overtaken it due to HTLC theft risks.
>>
>> Open Question(s):
>>
>>
>> 1.
>>
>> If we allow non-zero value in ephemeral outputs, does this open up a
>> MEV we are worried about? Wallets should toss all the value directly to
>> fees, and add their own additional fees on top, otherwise miners have
>> incentive to make the smallest utxo burn transaction to claim those funds.
>> They just confirmed your parent transaction anyways, so do we care?
>> 2.
>>
>> SIGHASH_GROUP like constructs would allow uncommitted ephemeral
>> anchors to be added at spend time, depending on spending requirements.
>> SIGHASH_SINGLE already allows this.
>>
>>
>>
>>
>> Hopefully this gives people something to consider as we move forward in
>> thinking about mempool design within the constraints we have today.
>>
>>
>> Greg
>>
>> 0: With V3 transactions where you have "veto power" over all the inputs
>> in that transaction. Therefore something like ANYONECANPAY is still broken.
>> We need a more complex solution, which I’m punting for the sake of progress.
>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists•linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
[-- Attachment #2: Type: text/html, Size: 21659 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2022-10-18 16:41 ` Jeremy Rubin
2022-10-18 18:18 ` Greg Sanders
@ 2022-10-19 15:11 ` James O'Beirne
2022-10-20 13:42 ` Greg Sanders
1 sibling, 1 reply; 22+ messages in thread
From: James O'Beirne @ 2022-10-19 15:11 UTC (permalink / raw)
To: Jeremy Rubin, Bitcoin Protocol Discussion; +Cc: Greg Sanders
[-- Attachment #1: Type: text/plain, Size: 10626 bytes --]
I'm also very happy to see this proposal, since it gets us closer to having
a mechanism that allows the contribution to feerate in an "unauthenticated"
way, which seems to be a very helpful feature for vaults and other
contracting protocols.
One possible advantage of the sponsors interface -- and I'm curious for
your input here Greg -- is that with sponsors, assuming we relaxed the "one
sponsor per sponsoree" constraint, multiple uncoordinated parties can
collaboratively bump a tx's feerate. A simple example would be a batch
withdrawal from an exchange could be created with a low feerate, and then
multiple users with a vested interest of expedited confirmation could all
"chip in" to raise the feerate with multiple sponsor transactions.
Having a single ephemeral output seems to create a situation where a single
UTXO has to shoulder the burden of CPFPing a package. Is there some way we
could (possibly later) amend the ephemeral anchor interface to allow for
this kind of collaborative sponsoring? Could you maybe see "chained"
ephemeral anchors that would allow this?
On Tue, Oct 18, 2022 at 12:52 PM Jeremy Rubin via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> Excellent proposal and I agree it does capture much of the spirit of
> sponsors w.r.t. how they might be used for V3 protocols.
>
> The only drawbacks I see is they don't work for lower tx version
> contracts, so there's still something to be desired there, and that the
> requirement to sweep the output must be incentive compatible for the miner,
> or else they won't enforce it (pass the buck onto the future bitcoiners).
> The Ephemeral UTXO concept can be a consensus rule (see
> https://rubin.io/public/pdfs/multi-txn-contracts.pdf "Intermediate UTXO")
> we add later on in lieu of managing them by incentive, so maybe it's a
> cleanup one can punt.
>
> One question I have is if V3 is designed for lightning, and this is
> designed for lightning, is there any sense in requiring these outputs for
> v3? That might help with e.g. anonymity set, as well as potentially keep
> the v3 surface smaller.
>
> On Tue, Oct 18, 2022 at 11:51 AM Greg Sanders via bitcoin-dev <
> bitcoin-dev@lists•linuxfoundation.org> wrote:
>
>> > does that effectively mark output B as unspendable once the child gets
>> confirmed?
>>
>> Not at all. It's a normal spend like before, since the parent has been
>> confirmed. It's completely unrestricted, not being bound to any
>> V3/ephemeral anchor restrictions on size, version, etc.
>>
>> On Tue, Oct 18, 2022 at 11:47 AM Arik Sosman via bitcoin-dev <
>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>
>>> Hi Greg,
>>>
>>> Thank you very much for sharing your proposal!
>>>
>>> I think there's one thing about the second part of your proposal that
>>> I'm missing. Specifically, assuming the scenario of a v3 transaction with
>>> three outputs, A, B, and the ephemeral anchor OP_TRUE. If a child
>>> transaction spends A and OP_TRUE, does that effectively mark output B as
>>> unspendable once the child gets confirmed? If so, isn't the implication
>>> therefore that to safely spend a transaction with an ephemeral anchor, all
>>> outputs must be spent? Thanks!
>>>
>>> Best,
>>> Arik
>>>
>>> On Tue, Oct 18, 2022, at 6:52 AM, Greg Sanders via bitcoin-dev wrote:
>>>
>>> Hello Everyone,
>>>
>>> Following up on the "V3 Transaction" discussion here
>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html
>>> , I would like to elaborate a bit further on some potential follow-on work
>>> that would make pinning severely constrained in many setups].
>>>
>>> V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks under
>>> some constraints[0]. This means that when a replacement is to be made and
>>> propagated, it costs the expected amount of fees to do so. This is a great
>>> start. What's left in this subset of pinning is *package limit* pinning. In
>>> other words, a fee-paying transaction cannot enter the mempool due to the
>>> existing mempool package it is being added to already being too large in
>>> count or vsize.
>>>
>>> Zooming into the V3 simplified scenario for sake of discussion, though
>>> this problem exists in general today:
>>>
>>> V3 transactions restrict the package limit of a V3 package to one parent
>>> and one child. If the parent transaction includes two outputs which can be
>>> immediately spent by separate parties, this allows one party to disallow a
>>> spend from the other. In Gloria's proposal for ln-penalty, this is worked
>>> around by reducing the number of anchors per commitment transaction to 1,
>>> and each version of the commitment transaction has a unique party's key on
>>> it. The honest participant can spend their version with their anchor and
>>> package RBF the other commitment transaction safely.
>>>
>>> What if there's only one version of the commitment transaction, such as
>>> in other protocols like duplex payment channels, eltoo? What about multi
>>> party payments?
>>>
>>> In the package RBF proposal, if the parent transaction is identical to
>>> an existing transaction in the mempool, the parent will be detected and
>>> removed from the package proposal. You are then left with a single V3 child
>>> transaction, which is then proposed for entry into the mempool. In the case
>>> of another parent output already being spent, this is simply rejected,
>>> regardless of feerate of the new child.
>>>
>>> I have two proposed solutions, of which I strongly prefer the latter:
>>>
>>> 1) Expand a carveout for "sibling eviction", where if the new child is
>>> paying "enough" to bump spends from the same parent, it knocks its sibling
>>> out of the mempool and takes the one child slot. This would solve it, but
>>> is a new eviction paradigm that would need to be carefully worked through.
>>>
>>> 2) Ephemeral Anchors (my real policy-only proposal)
>>>
>>> Ephemeral Anchors is a term which means an output is watermarked as an
>>> output that MUST be spent in a V3 package. We mark this anchor by being the
>>> bare script `OP_TRUE` and of course make these outputs standard to relay
>>> and spend with empty witness data.
>>>
>>> Also as a simplifying assumption, we require the parent transaction with
>>> such an output to be 0-fee. This makes mempool reasoning simpler in case
>>> the child-spend is somehow evicted, guaranteeing the parent will be as well.
>>>
>>> Implications:
>>>
>>> a) If the ephemeral anchor MUST be spent, we can allow *any* value, even
>>> dust, even 0, without worrying about bloating the utxo set. We relax this
>>> policy for maximum smart contract flexibility and specification simplicity..
>>>
>>> b) Since this anchor MUST be spent, any spending of other outputs in the
>>> same parent transaction MUST directly double-spend prior spends of the
>>> ephemeral anchor. This causes the 1 block CSV timelock on outputs to be
>>> removed in these situations. This greatly magnifies composability of smart
>>> contracts, as now we can do things like safely splice directly into new
>>> channels, into statechains, your custodial wallet account, your cold
>>> wallet, wherever, without requiring other wallets to support arbitrary
>>> scripts. Also it hurts that 1 CSV time locked scripts may not be miniscript
>>> compatible to begin with...
>>>
>>> c) *Anyone* can bump the transaction, without any transaction key
>>> material. This is essentially achieving Jeremy's Transaction Sponsors (
>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/018168.html)
>>> proposal without consensus changes. As long as someone gets a fully signed
>>> parent, they can execute a bump with minimal wallet tooling. If a
>>> transaction author doesn’t want a “sponsor”, do not include the output.
>>>
>>> d) Lightning Carve-out(
>>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002240.html)
>>> is superseded by this logic, as we are not restricted to two immediately
>>> spendable output scenarios. In its place, robust multi-party fee bumping is
>>> possible.
>>>
>>> e) This also benefits more traditional wallet scenarios, as change
>>> outputs can no longer be pinned, and RBF/CPFP becomes robust. Payees in
>>> simple spends cannot pin you. Batched payouts become a lot less painful.
>>> This was one of the motivating use cases that created the term “pinning” in
>>> the first place(
>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015717.html),
>>> even if LN/L2 discussion has largely overtaken it due to HTLC theft risks.
>>>
>>> Open Question(s):
>>>
>>>
>>> 1.
>>>
>>> If we allow non-zero value in ephemeral outputs, does this open up a
>>> MEV we are worried about? Wallets should toss all the value directly to
>>> fees, and add their own additional fees on top, otherwise miners have
>>> incentive to make the smallest utxo burn transaction to claim those funds.
>>> They just confirmed your parent transaction anyways, so do we care?
>>> 2.
>>>
>>> SIGHASH_GROUP like constructs would allow uncommitted ephemeral
>>> anchors to be added at spend time, depending on spending requirements.
>>> SIGHASH_SINGLE already allows this.
>>>
>>>
>>>
>>>
>>> Hopefully this gives people something to consider as we move forward in
>>> thinking about mempool design within the constraints we have today.
>>>
>>>
>>> Greg
>>>
>>> 0: With V3 transactions where you have "veto power" over all the inputs
>>> in that transaction. Therefore something like ANYONECANPAY is still broken.
>>> We need a more complex solution, which I’m punting for the sake of progress.
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists•linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists•linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists•linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 23556 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2022-10-19 15:11 ` James O'Beirne
@ 2022-10-20 13:42 ` Greg Sanders
2022-10-27 9:37 ` Johan Torås Halseth
2022-11-30 15:32 ` Greg Sanders
0 siblings, 2 replies; 22+ messages in thread
From: Greg Sanders @ 2022-10-20 13:42 UTC (permalink / raw)
To: James O'Beirne; +Cc: Jeremy Rubin, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 11282 bytes --]
So it doesn't look like I'm ignoring a good question:
No solid noninteractive ideas, unless we get some very flexible sighash
softfork. Interactively, I think you can get collaborative fee bumps under
the current consensus regime and ephemeral anchors. The child will just be
built with inputs from different people.
On Wed, Oct 19, 2022 at 11:12 AM James O'Beirne <james.obeirne@gmail•com>
wrote:
> I'm also very happy to see this proposal, since it gets us closer to
> having a mechanism that allows the contribution to feerate in an
> "unauthenticated" way, which seems to be a very helpful feature for vaults
> and other contracting protocols.
>
> One possible advantage of the sponsors interface -- and I'm curious for
> your input here Greg -- is that with sponsors, assuming we relaxed the "one
> sponsor per sponsoree" constraint, multiple uncoordinated parties can
> collaboratively bump a tx's feerate. A simple example would be a batch
> withdrawal from an exchange could be created with a low feerate, and then
> multiple users with a vested interest of expedited confirmation could all
> "chip in" to raise the feerate with multiple sponsor transactions.
>
> Having a single ephemeral output seems to create a situation where a
> single UTXO has to shoulder the burden of CPFPing a package. Is there some
> way we could (possibly later) amend the ephemeral anchor interface to allow
> for this kind of collaborative sponsoring? Could you maybe see "chained"
> ephemeral anchors that would allow this?
>
>
> On Tue, Oct 18, 2022 at 12:52 PM Jeremy Rubin via bitcoin-dev <
> bitcoin-dev@lists•linuxfoundation.org> wrote:
>
>> Excellent proposal and I agree it does capture much of the spirit of
>> sponsors w.r.t. how they might be used for V3 protocols.
>>
>> The only drawbacks I see is they don't work for lower tx version
>> contracts, so there's still something to be desired there, and that the
>> requirement to sweep the output must be incentive compatible for the miner,
>> or else they won't enforce it (pass the buck onto the future bitcoiners).
>> The Ephemeral UTXO concept can be a consensus rule (see
>> https://rubin.io/public/pdfs/multi-txn-contracts.pdf "Intermediate
>> UTXO") we add later on in lieu of managing them by incentive, so maybe it's
>> a cleanup one can punt.
>>
>> One question I have is if V3 is designed for lightning, and this is
>> designed for lightning, is there any sense in requiring these outputs for
>> v3? That might help with e.g. anonymity set, as well as potentially keep
>> the v3 surface smaller.
>>
>> On Tue, Oct 18, 2022 at 11:51 AM Greg Sanders via bitcoin-dev <
>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>
>>> > does that effectively mark output B as unspendable once the child gets
>>> confirmed?
>>>
>>> Not at all. It's a normal spend like before, since the parent has been
>>> confirmed. It's completely unrestricted, not being bound to any
>>> V3/ephemeral anchor restrictions on size, version, etc.
>>>
>>> On Tue, Oct 18, 2022 at 11:47 AM Arik Sosman via bitcoin-dev <
>>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>
>>>> Hi Greg,
>>>>
>>>> Thank you very much for sharing your proposal!
>>>>
>>>> I think there's one thing about the second part of your proposal that
>>>> I'm missing. Specifically, assuming the scenario of a v3 transaction with
>>>> three outputs, A, B, and the ephemeral anchor OP_TRUE. If a child
>>>> transaction spends A and OP_TRUE, does that effectively mark output B as
>>>> unspendable once the child gets confirmed? If so, isn't the implication
>>>> therefore that to safely spend a transaction with an ephemeral anchor, all
>>>> outputs must be spent? Thanks!
>>>>
>>>> Best,
>>>> Arik
>>>>
>>>> On Tue, Oct 18, 2022, at 6:52 AM, Greg Sanders via bitcoin-dev wrote:
>>>>
>>>> Hello Everyone,
>>>>
>>>> Following up on the "V3 Transaction" discussion here
>>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html
>>>> , I would like to elaborate a bit further on some potential follow-on work
>>>> that would make pinning severely constrained in many setups].
>>>>
>>>> V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks
>>>> under some constraints[0]. This means that when a replacement is to be made
>>>> and propagated, it costs the expected amount of fees to do so. This is a
>>>> great start. What's left in this subset of pinning is *package limit*
>>>> pinning. In other words, a fee-paying transaction cannot enter the mempool
>>>> due to the existing mempool package it is being added to already being too
>>>> large in count or vsize.
>>>>
>>>> Zooming into the V3 simplified scenario for sake of discussion, though
>>>> this problem exists in general today:
>>>>
>>>> V3 transactions restrict the package limit of a V3 package to one
>>>> parent and one child. If the parent transaction includes two outputs which
>>>> can be immediately spent by separate parties, this allows one party to
>>>> disallow a spend from the other. In Gloria's proposal for ln-penalty, this
>>>> is worked around by reducing the number of anchors per commitment
>>>> transaction to 1, and each version of the commitment transaction has a
>>>> unique party's key on it. The honest participant can spend their version
>>>> with their anchor and package RBF the other commitment transaction safely.
>>>>
>>>> What if there's only one version of the commitment transaction, such as
>>>> in other protocols like duplex payment channels, eltoo? What about multi
>>>> party payments?
>>>>
>>>> In the package RBF proposal, if the parent transaction is identical to
>>>> an existing transaction in the mempool, the parent will be detected and
>>>> removed from the package proposal. You are then left with a single V3 child
>>>> transaction, which is then proposed for entry into the mempool. In the case
>>>> of another parent output already being spent, this is simply rejected,
>>>> regardless of feerate of the new child.
>>>>
>>>> I have two proposed solutions, of which I strongly prefer the latter:
>>>>
>>>> 1) Expand a carveout for "sibling eviction", where if the new child is
>>>> paying "enough" to bump spends from the same parent, it knocks its sibling
>>>> out of the mempool and takes the one child slot. This would solve it, but
>>>> is a new eviction paradigm that would need to be carefully worked through.
>>>>
>>>> 2) Ephemeral Anchors (my real policy-only proposal)
>>>>
>>>> Ephemeral Anchors is a term which means an output is watermarked as an
>>>> output that MUST be spent in a V3 package. We mark this anchor by being the
>>>> bare script `OP_TRUE` and of course make these outputs standard to relay
>>>> and spend with empty witness data.
>>>>
>>>> Also as a simplifying assumption, we require the parent transaction
>>>> with such an output to be 0-fee. This makes mempool reasoning simpler in
>>>> case the child-spend is somehow evicted, guaranteeing the parent will be as
>>>> well.
>>>>
>>>> Implications:
>>>>
>>>> a) If the ephemeral anchor MUST be spent, we can allow *any* value,
>>>> even dust, even 0, without worrying about bloating the utxo set. We relax
>>>> this policy for maximum smart contract flexibility and specification
>>>> simplicity..
>>>>
>>>> b) Since this anchor MUST be spent, any spending of other outputs in
>>>> the same parent transaction MUST directly double-spend prior spends of the
>>>> ephemeral anchor. This causes the 1 block CSV timelock on outputs to be
>>>> removed in these situations. This greatly magnifies composability of smart
>>>> contracts, as now we can do things like safely splice directly into new
>>>> channels, into statechains, your custodial wallet account, your cold
>>>> wallet, wherever, without requiring other wallets to support arbitrary
>>>> scripts. Also it hurts that 1 CSV time locked scripts may not be miniscript
>>>> compatible to begin with...
>>>>
>>>> c) *Anyone* can bump the transaction, without any transaction key
>>>> material. This is essentially achieving Jeremy's Transaction Sponsors (
>>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/018168.html)
>>>> proposal without consensus changes. As long as someone gets a fully signed
>>>> parent, they can execute a bump with minimal wallet tooling. If a
>>>> transaction author doesn’t want a “sponsor”, do not include the output.
>>>>
>>>> d) Lightning Carve-out(
>>>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002240.html)
>>>> is superseded by this logic, as we are not restricted to two immediately
>>>> spendable output scenarios. In its place, robust multi-party fee bumping is
>>>> possible.
>>>>
>>>> e) This also benefits more traditional wallet scenarios, as change
>>>> outputs can no longer be pinned, and RBF/CPFP becomes robust. Payees in
>>>> simple spends cannot pin you. Batched payouts become a lot less painful.
>>>> This was one of the motivating use cases that created the term “pinning” in
>>>> the first place(
>>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015717.html),
>>>> even if LN/L2 discussion has largely overtaken it due to HTLC theft risks.
>>>>
>>>> Open Question(s):
>>>>
>>>>
>>>> 1.
>>>>
>>>> If we allow non-zero value in ephemeral outputs, does this open up
>>>> a MEV we are worried about? Wallets should toss all the value directly to
>>>> fees, and add their own additional fees on top, otherwise miners have
>>>> incentive to make the smallest utxo burn transaction to claim those funds.
>>>> They just confirmed your parent transaction anyways, so do we care?
>>>> 2.
>>>>
>>>> SIGHASH_GROUP like constructs would allow uncommitted ephemeral
>>>> anchors to be added at spend time, depending on spending requirements.
>>>> SIGHASH_SINGLE already allows this.
>>>>
>>>>
>>>>
>>>>
>>>> Hopefully this gives people something to consider as we move forward in
>>>> thinking about mempool design within the constraints we have today.
>>>>
>>>>
>>>> Greg
>>>>
>>>> 0: With V3 transactions where you have "veto power" over all the inputs
>>>> in that transaction. Therefore something like ANYONECANPAY is still broken.
>>>> We need a more complex solution, which I’m punting for the sake of progress.
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists•linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>>>
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists•linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists•linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists•linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
[-- Attachment #2: Type: text/html, Size: 24337 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2022-10-20 13:42 ` Greg Sanders
@ 2022-10-27 9:37 ` Johan Torås Halseth
2022-11-30 15:32 ` Greg Sanders
1 sibling, 0 replies; 22+ messages in thread
From: Johan Torås Halseth @ 2022-10-27 9:37 UTC (permalink / raw)
To: Greg Sanders, Bitcoin Protocol Discussion; +Cc: Jeremy Rubin
[-- Attachment #1: Type: text/plain, Size: 12196 bytes --]
Hi, Greg.
I find this proposal super interesting, and IIUC something that seems
fairly "safe" to allow (assuming V3).
For LN having the commitment transaction pay a non-zero fee is a cause for
a lot of complexity in the channel state machine. Something like this would
remove a lot of edge cases and add more flexibility around adding HTLCs.
Thanks!
- Johan
On Thu, Oct 20, 2022 at 3:42 PM Greg Sanders via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> So it doesn't look like I'm ignoring a good question:
>
> No solid noninteractive ideas, unless we get some very flexible sighash
> softfork. Interactively, I think you can get collaborative fee bumps under
> the current consensus regime and ephemeral anchors. The child will just be
> built with inputs from different people.
>
> On Wed, Oct 19, 2022 at 11:12 AM James O'Beirne <james.obeirne@gmail•com>
> wrote:
>
>> I'm also very happy to see this proposal, since it gets us closer to
>> having a mechanism that allows the contribution to feerate in an
>> "unauthenticated" way, which seems to be a very helpful feature for vaults
>> and other contracting protocols.
>>
>> One possible advantage of the sponsors interface -- and I'm curious for
>> your input here Greg -- is that with sponsors, assuming we relaxed the "one
>> sponsor per sponsoree" constraint, multiple uncoordinated parties can
>> collaboratively bump a tx's feerate. A simple example would be a batch
>> withdrawal from an exchange could be created with a low feerate, and then
>> multiple users with a vested interest of expedited confirmation could all
>> "chip in" to raise the feerate with multiple sponsor transactions.
>>
>> Having a single ephemeral output seems to create a situation where a
>> single UTXO has to shoulder the burden of CPFPing a package. Is there some
>> way we could (possibly later) amend the ephemeral anchor interface to allow
>> for this kind of collaborative sponsoring? Could you maybe see "chained"
>> ephemeral anchors that would allow this?
>>
>>
>> On Tue, Oct 18, 2022 at 12:52 PM Jeremy Rubin via bitcoin-dev <
>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>
>>> Excellent proposal and I agree it does capture much of the spirit of
>>> sponsors w.r.t. how they might be used for V3 protocols.
>>>
>>> The only drawbacks I see is they don't work for lower tx version
>>> contracts, so there's still something to be desired there, and that the
>>> requirement to sweep the output must be incentive compatible for the miner,
>>> or else they won't enforce it (pass the buck onto the future bitcoiners).
>>> The Ephemeral UTXO concept can be a consensus rule (see
>>> https://rubin.io/public/pdfs/multi-txn-contracts.pdf "Intermediate
>>> UTXO") we add later on in lieu of managing them by incentive, so maybe it's
>>> a cleanup one can punt.
>>>
>>> One question I have is if V3 is designed for lightning, and this is
>>> designed for lightning, is there any sense in requiring these outputs for
>>> v3? That might help with e.g. anonymity set, as well as potentially keep
>>> the v3 surface smaller.
>>>
>>> On Tue, Oct 18, 2022 at 11:51 AM Greg Sanders via bitcoin-dev <
>>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>
>>>> > does that effectively mark output B as unspendable once the child
>>>> gets confirmed?
>>>>
>>>> Not at all. It's a normal spend like before, since the parent has been
>>>> confirmed. It's completely unrestricted, not being bound to any
>>>> V3/ephemeral anchor restrictions on size, version, etc.
>>>>
>>>> On Tue, Oct 18, 2022 at 11:47 AM Arik Sosman via bitcoin-dev <
>>>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>>
>>>>> Hi Greg,
>>>>>
>>>>> Thank you very much for sharing your proposal!
>>>>>
>>>>> I think there's one thing about the second part of your proposal that
>>>>> I'm missing. Specifically, assuming the scenario of a v3 transaction with
>>>>> three outputs, A, B, and the ephemeral anchor OP_TRUE. If a child
>>>>> transaction spends A and OP_TRUE, does that effectively mark output B as
>>>>> unspendable once the child gets confirmed? If so, isn't the implication
>>>>> therefore that to safely spend a transaction with an ephemeral anchor, all
>>>>> outputs must be spent? Thanks!
>>>>>
>>>>> Best,
>>>>> Arik
>>>>>
>>>>> On Tue, Oct 18, 2022, at 6:52 AM, Greg Sanders via bitcoin-dev wrote:
>>>>>
>>>>> Hello Everyone,
>>>>>
>>>>> Following up on the "V3 Transaction" discussion here
>>>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html
>>>>> , I would like to elaborate a bit further on some potential follow-on work
>>>>> that would make pinning severely constrained in many setups].
>>>>>
>>>>> V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks
>>>>> under some constraints[0]. This means that when a replacement is to be made
>>>>> and propagated, it costs the expected amount of fees to do so. This is a
>>>>> great start. What's left in this subset of pinning is *package limit*
>>>>> pinning. In other words, a fee-paying transaction cannot enter the mempool
>>>>> due to the existing mempool package it is being added to already being too
>>>>> large in count or vsize.
>>>>>
>>>>> Zooming into the V3 simplified scenario for sake of discussion, though
>>>>> this problem exists in general today:
>>>>>
>>>>> V3 transactions restrict the package limit of a V3 package to one
>>>>> parent and one child. If the parent transaction includes two outputs which
>>>>> can be immediately spent by separate parties, this allows one party to
>>>>> disallow a spend from the other. In Gloria's proposal for ln-penalty, this
>>>>> is worked around by reducing the number of anchors per commitment
>>>>> transaction to 1, and each version of the commitment transaction has a
>>>>> unique party's key on it. The honest participant can spend their version
>>>>> with their anchor and package RBF the other commitment transaction safely.
>>>>>
>>>>> What if there's only one version of the commitment transaction, such
>>>>> as in other protocols like duplex payment channels, eltoo? What about multi
>>>>> party payments?
>>>>>
>>>>> In the package RBF proposal, if the parent transaction is identical to
>>>>> an existing transaction in the mempool, the parent will be detected and
>>>>> removed from the package proposal. You are then left with a single V3 child
>>>>> transaction, which is then proposed for entry into the mempool. In the case
>>>>> of another parent output already being spent, this is simply rejected,
>>>>> regardless of feerate of the new child.
>>>>>
>>>>> I have two proposed solutions, of which I strongly prefer the latter:
>>>>>
>>>>> 1) Expand a carveout for "sibling eviction", where if the new child is
>>>>> paying "enough" to bump spends from the same parent, it knocks its sibling
>>>>> out of the mempool and takes the one child slot. This would solve it, but
>>>>> is a new eviction paradigm that would need to be carefully worked through.
>>>>>
>>>>> 2) Ephemeral Anchors (my real policy-only proposal)
>>>>>
>>>>> Ephemeral Anchors is a term which means an output is watermarked as an
>>>>> output that MUST be spent in a V3 package. We mark this anchor by being the
>>>>> bare script `OP_TRUE` and of course make these outputs standard to relay
>>>>> and spend with empty witness data.
>>>>>
>>>>> Also as a simplifying assumption, we require the parent transaction
>>>>> with such an output to be 0-fee. This makes mempool reasoning simpler in
>>>>> case the child-spend is somehow evicted, guaranteeing the parent will be as
>>>>> well.
>>>>>
>>>>> Implications:
>>>>>
>>>>> a) If the ephemeral anchor MUST be spent, we can allow *any* value,
>>>>> even dust, even 0, without worrying about bloating the utxo set. We relax
>>>>> this policy for maximum smart contract flexibility and specification
>>>>> simplicity..
>>>>>
>>>>> b) Since this anchor MUST be spent, any spending of other outputs in
>>>>> the same parent transaction MUST directly double-spend prior spends of the
>>>>> ephemeral anchor. This causes the 1 block CSV timelock on outputs to be
>>>>> removed in these situations. This greatly magnifies composability of smart
>>>>> contracts, as now we can do things like safely splice directly into new
>>>>> channels, into statechains, your custodial wallet account, your cold
>>>>> wallet, wherever, without requiring other wallets to support arbitrary
>>>>> scripts. Also it hurts that 1 CSV time locked scripts may not be miniscript
>>>>> compatible to begin with...
>>>>>
>>>>> c) *Anyone* can bump the transaction, without any transaction key
>>>>> material. This is essentially achieving Jeremy's Transaction Sponsors (
>>>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/018168.html)
>>>>> proposal without consensus changes. As long as someone gets a fully signed
>>>>> parent, they can execute a bump with minimal wallet tooling. If a
>>>>> transaction author doesn’t want a “sponsor”, do not include the output.
>>>>>
>>>>> d) Lightning Carve-out(
>>>>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002240.html)
>>>>> is superseded by this logic, as we are not restricted to two immediately
>>>>> spendable output scenarios. In its place, robust multi-party fee bumping is
>>>>> possible.
>>>>>
>>>>> e) This also benefits more traditional wallet scenarios, as change
>>>>> outputs can no longer be pinned, and RBF/CPFP becomes robust. Payees in
>>>>> simple spends cannot pin you. Batched payouts become a lot less painful.
>>>>> This was one of the motivating use cases that created the term “pinning” in
>>>>> the first place(
>>>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015717.html),
>>>>> even if LN/L2 discussion has largely overtaken it due to HTLC theft risks.
>>>>>
>>>>> Open Question(s):
>>>>>
>>>>>
>>>>> 1.
>>>>>
>>>>> If we allow non-zero value in ephemeral outputs, does this open up
>>>>> a MEV we are worried about? Wallets should toss all the value directly to
>>>>> fees, and add their own additional fees on top, otherwise miners have
>>>>> incentive to make the smallest utxo burn transaction to claim those funds.
>>>>> They just confirmed your parent transaction anyways, so do we care?
>>>>> 2.
>>>>>
>>>>> SIGHASH_GROUP like constructs would allow uncommitted ephemeral
>>>>> anchors to be added at spend time, depending on spending requirements.
>>>>> SIGHASH_SINGLE already allows this.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Hopefully this gives people something to consider as we move forward
>>>>> in thinking about mempool design within the constraints we have today.
>>>>>
>>>>>
>>>>> Greg
>>>>>
>>>>> 0: With V3 transactions where you have "veto power" over all the
>>>>> inputs in that transaction. Therefore something like ANYONECANPAY is still
>>>>> broken. We need a more complex solution, which I’m punting for the sake of
>>>>> progress.
>>>>> _______________________________________________
>>>>> bitcoin-dev mailing list
>>>>> bitcoin-dev@lists•linuxfoundation.org
>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> bitcoin-dev mailing list
>>>>> bitcoin-dev@lists•linuxfoundation.org
>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists•linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists•linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 26129 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2022-10-20 13:42 ` Greg Sanders
2022-10-27 9:37 ` Johan Torås Halseth
@ 2022-11-30 15:32 ` Greg Sanders
2023-01-27 14:05 ` Greg Sanders
1 sibling, 1 reply; 22+ messages in thread
From: Greg Sanders @ 2022-11-30 15:32 UTC (permalink / raw)
To: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 11972 bytes --]
Small update.
A bit ago I went ahead and implemented ephemeral anchors on top of the V3
proposal to see what the complexity looks like:
https://github.com/bitcoin/bitcoin/pull/26403
Roughly 130 loc excluding tests, using OP_2 instead of OP_TRUE to not camp
the value that is used elsewhere.
Please let me know if you have any early feedback on this!
Greg
On Thu, Oct 20, 2022 at 9:42 AM Greg Sanders <gsanders87@gmail•com> wrote:
> So it doesn't look like I'm ignoring a good question:
>
> No solid noninteractive ideas, unless we get some very flexible sighash
> softfork. Interactively, I think you can get collaborative fee bumps under
> the current consensus regime and ephemeral anchors. The child will just be
> built with inputs from different people.
>
> On Wed, Oct 19, 2022 at 11:12 AM James O'Beirne <james.obeirne@gmail•com>
> wrote:
>
>> I'm also very happy to see this proposal, since it gets us closer to
>> having a mechanism that allows the contribution to feerate in an
>> "unauthenticated" way, which seems to be a very helpful feature for vaults
>> and other contracting protocols.
>>
>> One possible advantage of the sponsors interface -- and I'm curious for
>> your input here Greg -- is that with sponsors, assuming we relaxed the "one
>> sponsor per sponsoree" constraint, multiple uncoordinated parties can
>> collaboratively bump a tx's feerate. A simple example would be a batch
>> withdrawal from an exchange could be created with a low feerate, and then
>> multiple users with a vested interest of expedited confirmation could all
>> "chip in" to raise the feerate with multiple sponsor transactions.
>>
>> Having a single ephemeral output seems to create a situation where a
>> single UTXO has to shoulder the burden of CPFPing a package. Is there some
>> way we could (possibly later) amend the ephemeral anchor interface to allow
>> for this kind of collaborative sponsoring? Could you maybe see "chained"
>> ephemeral anchors that would allow this?
>>
>>
>> On Tue, Oct 18, 2022 at 12:52 PM Jeremy Rubin via bitcoin-dev <
>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>
>>> Excellent proposal and I agree it does capture much of the spirit of
>>> sponsors w.r.t. how they might be used for V3 protocols.
>>>
>>> The only drawbacks I see is they don't work for lower tx version
>>> contracts, so there's still something to be desired there, and that the
>>> requirement to sweep the output must be incentive compatible for the miner,
>>> or else they won't enforce it (pass the buck onto the future bitcoiners).
>>> The Ephemeral UTXO concept can be a consensus rule (see
>>> https://rubin.io/public/pdfs/multi-txn-contracts.pdf "Intermediate
>>> UTXO") we add later on in lieu of managing them by incentive, so maybe it's
>>> a cleanup one can punt.
>>>
>>> One question I have is if V3 is designed for lightning, and this is
>>> designed for lightning, is there any sense in requiring these outputs for
>>> v3? That might help with e.g. anonymity set, as well as potentially keep
>>> the v3 surface smaller.
>>>
>>> On Tue, Oct 18, 2022 at 11:51 AM Greg Sanders via bitcoin-dev <
>>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>
>>>> > does that effectively mark output B as unspendable once the child
>>>> gets confirmed?
>>>>
>>>> Not at all. It's a normal spend like before, since the parent has been
>>>> confirmed. It's completely unrestricted, not being bound to any
>>>> V3/ephemeral anchor restrictions on size, version, etc.
>>>>
>>>> On Tue, Oct 18, 2022 at 11:47 AM Arik Sosman via bitcoin-dev <
>>>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>>
>>>>> Hi Greg,
>>>>>
>>>>> Thank you very much for sharing your proposal!
>>>>>
>>>>> I think there's one thing about the second part of your proposal that
>>>>> I'm missing. Specifically, assuming the scenario of a v3 transaction with
>>>>> three outputs, A, B, and the ephemeral anchor OP_TRUE. If a child
>>>>> transaction spends A and OP_TRUE, does that effectively mark output B as
>>>>> unspendable once the child gets confirmed? If so, isn't the implication
>>>>> therefore that to safely spend a transaction with an ephemeral anchor, all
>>>>> outputs must be spent? Thanks!
>>>>>
>>>>> Best,
>>>>> Arik
>>>>>
>>>>> On Tue, Oct 18, 2022, at 6:52 AM, Greg Sanders via bitcoin-dev wrote:
>>>>>
>>>>> Hello Everyone,
>>>>>
>>>>> Following up on the "V3 Transaction" discussion here
>>>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html
>>>>> , I would like to elaborate a bit further on some potential follow-on work
>>>>> that would make pinning severely constrained in many setups].
>>>>>
>>>>> V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks
>>>>> under some constraints[0]. This means that when a replacement is to be made
>>>>> and propagated, it costs the expected amount of fees to do so. This is a
>>>>> great start. What's left in this subset of pinning is *package limit*
>>>>> pinning. In other words, a fee-paying transaction cannot enter the mempool
>>>>> due to the existing mempool package it is being added to already being too
>>>>> large in count or vsize.
>>>>>
>>>>> Zooming into the V3 simplified scenario for sake of discussion, though
>>>>> this problem exists in general today:
>>>>>
>>>>> V3 transactions restrict the package limit of a V3 package to one
>>>>> parent and one child. If the parent transaction includes two outputs which
>>>>> can be immediately spent by separate parties, this allows one party to
>>>>> disallow a spend from the other. In Gloria's proposal for ln-penalty, this
>>>>> is worked around by reducing the number of anchors per commitment
>>>>> transaction to 1, and each version of the commitment transaction has a
>>>>> unique party's key on it. The honest participant can spend their version
>>>>> with their anchor and package RBF the other commitment transaction safely.
>>>>>
>>>>> What if there's only one version of the commitment transaction, such
>>>>> as in other protocols like duplex payment channels, eltoo? What about multi
>>>>> party payments?
>>>>>
>>>>> In the package RBF proposal, if the parent transaction is identical to
>>>>> an existing transaction in the mempool, the parent will be detected and
>>>>> removed from the package proposal. You are then left with a single V3 child
>>>>> transaction, which is then proposed for entry into the mempool. In the case
>>>>> of another parent output already being spent, this is simply rejected,
>>>>> regardless of feerate of the new child.
>>>>>
>>>>> I have two proposed solutions, of which I strongly prefer the latter:
>>>>>
>>>>> 1) Expand a carveout for "sibling eviction", where if the new child is
>>>>> paying "enough" to bump spends from the same parent, it knocks its sibling
>>>>> out of the mempool and takes the one child slot. This would solve it, but
>>>>> is a new eviction paradigm that would need to be carefully worked through.
>>>>>
>>>>> 2) Ephemeral Anchors (my real policy-only proposal)
>>>>>
>>>>> Ephemeral Anchors is a term which means an output is watermarked as an
>>>>> output that MUST be spent in a V3 package. We mark this anchor by being the
>>>>> bare script `OP_TRUE` and of course make these outputs standard to relay
>>>>> and spend with empty witness data.
>>>>>
>>>>> Also as a simplifying assumption, we require the parent transaction
>>>>> with such an output to be 0-fee. This makes mempool reasoning simpler in
>>>>> case the child-spend is somehow evicted, guaranteeing the parent will be as
>>>>> well.
>>>>>
>>>>> Implications:
>>>>>
>>>>> a) If the ephemeral anchor MUST be spent, we can allow *any* value,
>>>>> even dust, even 0, without worrying about bloating the utxo set. We relax
>>>>> this policy for maximum smart contract flexibility and specification
>>>>> simplicity..
>>>>>
>>>>> b) Since this anchor MUST be spent, any spending of other outputs in
>>>>> the same parent transaction MUST directly double-spend prior spends of the
>>>>> ephemeral anchor. This causes the 1 block CSV timelock on outputs to be
>>>>> removed in these situations. This greatly magnifies composability of smart
>>>>> contracts, as now we can do things like safely splice directly into new
>>>>> channels, into statechains, your custodial wallet account, your cold
>>>>> wallet, wherever, without requiring other wallets to support arbitrary
>>>>> scripts. Also it hurts that 1 CSV time locked scripts may not be miniscript
>>>>> compatible to begin with...
>>>>>
>>>>> c) *Anyone* can bump the transaction, without any transaction key
>>>>> material. This is essentially achieving Jeremy's Transaction Sponsors (
>>>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/018168.html)
>>>>> proposal without consensus changes. As long as someone gets a fully signed
>>>>> parent, they can execute a bump with minimal wallet tooling. If a
>>>>> transaction author doesn’t want a “sponsor”, do not include the output.
>>>>>
>>>>> d) Lightning Carve-out(
>>>>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002240.html)
>>>>> is superseded by this logic, as we are not restricted to two immediately
>>>>> spendable output scenarios. In its place, robust multi-party fee bumping is
>>>>> possible.
>>>>>
>>>>> e) This also benefits more traditional wallet scenarios, as change
>>>>> outputs can no longer be pinned, and RBF/CPFP becomes robust. Payees in
>>>>> simple spends cannot pin you. Batched payouts become a lot less painful.
>>>>> This was one of the motivating use cases that created the term “pinning” in
>>>>> the first place(
>>>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015717.html),
>>>>> even if LN/L2 discussion has largely overtaken it due to HTLC theft risks.
>>>>>
>>>>> Open Question(s):
>>>>>
>>>>>
>>>>> 1.
>>>>>
>>>>> If we allow non-zero value in ephemeral outputs, does this open up
>>>>> a MEV we are worried about? Wallets should toss all the value directly to
>>>>> fees, and add their own additional fees on top, otherwise miners have
>>>>> incentive to make the smallest utxo burn transaction to claim those funds.
>>>>> They just confirmed your parent transaction anyways, so do we care?
>>>>> 2.
>>>>>
>>>>> SIGHASH_GROUP like constructs would allow uncommitted ephemeral
>>>>> anchors to be added at spend time, depending on spending requirements.
>>>>> SIGHASH_SINGLE already allows this.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Hopefully this gives people something to consider as we move forward
>>>>> in thinking about mempool design within the constraints we have today.
>>>>>
>>>>>
>>>>> Greg
>>>>>
>>>>> 0: With V3 transactions where you have "veto power" over all the
>>>>> inputs in that transaction. Therefore something like ANYONECANPAY is still
>>>>> broken. We need a more complex solution, which I’m punting for the sake of
>>>>> progress.
>>>>> _______________________________________________
>>>>> bitcoin-dev mailing list
>>>>> bitcoin-dev@lists•linuxfoundation.org
>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> bitcoin-dev mailing list
>>>>> bitcoin-dev@lists•linuxfoundation.org
>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists•linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists•linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>
[-- Attachment #2: Type: text/html, Size: 25268 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2022-11-30 15:32 ` Greg Sanders
@ 2023-01-27 14:05 ` Greg Sanders
2023-02-02 14:52 ` Peter Todd
0 siblings, 1 reply; 22+ messages in thread
From: Greg Sanders @ 2023-01-27 14:05 UTC (permalink / raw)
To: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 12738 bytes --]
Hello again dev,
Due to the interest in the proposal and the prodding of certain folks, I've
written up a short draft BIP of the Ephemeral Anchors idea here:
https://github.com/instagibbs/bips/blob/ephemeral_anchor/bip-ephemeralanchors.mediawiki
The pull request at https://github.com/bitcoin/bitcoin/pull/26403 has been
refreshed on top of the latest V3 proposal, but the BIP itself is
unaffected.
Cheers,
Greg
On Wed, Nov 30, 2022 at 10:32 AM Greg Sanders <gsanders87@gmail•com> wrote:
> Small update.
>
> A bit ago I went ahead and implemented ephemeral anchors on top of the V3
> proposal to see what the complexity looks like:
> https://github.com/bitcoin/bitcoin/pull/26403
>
> Roughly 130 loc excluding tests, using OP_2 instead of OP_TRUE to not camp
> the value that is used elsewhere.
>
> Please let me know if you have any early feedback on this!
>
> Greg
>
> On Thu, Oct 20, 2022 at 9:42 AM Greg Sanders <gsanders87@gmail•com> wrote:
>
>> So it doesn't look like I'm ignoring a good question:
>>
>> No solid noninteractive ideas, unless we get some very flexible sighash
>> softfork. Interactively, I think you can get collaborative fee bumps under
>> the current consensus regime and ephemeral anchors. The child will just be
>> built with inputs from different people.
>>
>> On Wed, Oct 19, 2022 at 11:12 AM James O'Beirne <james.obeirne@gmail•com>
>> wrote:
>>
>>> I'm also very happy to see this proposal, since it gets us closer to
>>> having a mechanism that allows the contribution to feerate in an
>>> "unauthenticated" way, which seems to be a very helpful feature for vaults
>>> and other contracting protocols.
>>>
>>> One possible advantage of the sponsors interface -- and I'm curious for
>>> your input here Greg -- is that with sponsors, assuming we relaxed the "one
>>> sponsor per sponsoree" constraint, multiple uncoordinated parties can
>>> collaboratively bump a tx's feerate. A simple example would be a batch
>>> withdrawal from an exchange could be created with a low feerate, and then
>>> multiple users with a vested interest of expedited confirmation could all
>>> "chip in" to raise the feerate with multiple sponsor transactions.
>>>
>>> Having a single ephemeral output seems to create a situation where a
>>> single UTXO has to shoulder the burden of CPFPing a package. Is there some
>>> way we could (possibly later) amend the ephemeral anchor interface to allow
>>> for this kind of collaborative sponsoring? Could you maybe see "chained"
>>> ephemeral anchors that would allow this?
>>>
>>>
>>> On Tue, Oct 18, 2022 at 12:52 PM Jeremy Rubin via bitcoin-dev <
>>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>
>>>> Excellent proposal and I agree it does capture much of the spirit of
>>>> sponsors w.r.t. how they might be used for V3 protocols.
>>>>
>>>> The only drawbacks I see is they don't work for lower tx version
>>>> contracts, so there's still something to be desired there, and that the
>>>> requirement to sweep the output must be incentive compatible for the miner,
>>>> or else they won't enforce it (pass the buck onto the future bitcoiners).
>>>> The Ephemeral UTXO concept can be a consensus rule (see
>>>> https://rubin.io/public/pdfs/multi-txn-contracts.pdf "Intermediate
>>>> UTXO") we add later on in lieu of managing them by incentive, so maybe it's
>>>> a cleanup one can punt.
>>>>
>>>> One question I have is if V3 is designed for lightning, and this is
>>>> designed for lightning, is there any sense in requiring these outputs for
>>>> v3? That might help with e.g. anonymity set, as well as potentially keep
>>>> the v3 surface smaller.
>>>>
>>>> On Tue, Oct 18, 2022 at 11:51 AM Greg Sanders via bitcoin-dev <
>>>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>>
>>>>> > does that effectively mark output B as unspendable once the child
>>>>> gets confirmed?
>>>>>
>>>>> Not at all. It's a normal spend like before, since the parent has been
>>>>> confirmed. It's completely unrestricted, not being bound to any
>>>>> V3/ephemeral anchor restrictions on size, version, etc.
>>>>>
>>>>> On Tue, Oct 18, 2022 at 11:47 AM Arik Sosman via bitcoin-dev <
>>>>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>>>
>>>>>> Hi Greg,
>>>>>>
>>>>>> Thank you very much for sharing your proposal!
>>>>>>
>>>>>> I think there's one thing about the second part of your proposal that
>>>>>> I'm missing. Specifically, assuming the scenario of a v3 transaction with
>>>>>> three outputs, A, B, and the ephemeral anchor OP_TRUE. If a child
>>>>>> transaction spends A and OP_TRUE, does that effectively mark output B as
>>>>>> unspendable once the child gets confirmed? If so, isn't the implication
>>>>>> therefore that to safely spend a transaction with an ephemeral anchor, all
>>>>>> outputs must be spent? Thanks!
>>>>>>
>>>>>> Best,
>>>>>> Arik
>>>>>>
>>>>>> On Tue, Oct 18, 2022, at 6:52 AM, Greg Sanders via bitcoin-dev wrote:
>>>>>>
>>>>>> Hello Everyone,
>>>>>>
>>>>>> Following up on the "V3 Transaction" discussion here
>>>>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html
>>>>>> , I would like to elaborate a bit further on some potential follow-on work
>>>>>> that would make pinning severely constrained in many setups].
>>>>>>
>>>>>> V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks
>>>>>> under some constraints[0]. This means that when a replacement is to be made
>>>>>> and propagated, it costs the expected amount of fees to do so. This is a
>>>>>> great start. What's left in this subset of pinning is *package limit*
>>>>>> pinning. In other words, a fee-paying transaction cannot enter the mempool
>>>>>> due to the existing mempool package it is being added to already being too
>>>>>> large in count or vsize.
>>>>>>
>>>>>> Zooming into the V3 simplified scenario for sake of discussion,
>>>>>> though this problem exists in general today:
>>>>>>
>>>>>> V3 transactions restrict the package limit of a V3 package to one
>>>>>> parent and one child. If the parent transaction includes two outputs which
>>>>>> can be immediately spent by separate parties, this allows one party to
>>>>>> disallow a spend from the other. In Gloria's proposal for ln-penalty, this
>>>>>> is worked around by reducing the number of anchors per commitment
>>>>>> transaction to 1, and each version of the commitment transaction has a
>>>>>> unique party's key on it. The honest participant can spend their version
>>>>>> with their anchor and package RBF the other commitment transaction safely.
>>>>>>
>>>>>> What if there's only one version of the commitment transaction, such
>>>>>> as in other protocols like duplex payment channels, eltoo? What about multi
>>>>>> party payments?
>>>>>>
>>>>>> In the package RBF proposal, if the parent transaction is identical
>>>>>> to an existing transaction in the mempool, the parent will be detected and
>>>>>> removed from the package proposal. You are then left with a single V3 child
>>>>>> transaction, which is then proposed for entry into the mempool. In the case
>>>>>> of another parent output already being spent, this is simply rejected,
>>>>>> regardless of feerate of the new child.
>>>>>>
>>>>>> I have two proposed solutions, of which I strongly prefer the latter:
>>>>>>
>>>>>> 1) Expand a carveout for "sibling eviction", where if the new child
>>>>>> is paying "enough" to bump spends from the same parent, it knocks its
>>>>>> sibling out of the mempool and takes the one child slot. This would solve
>>>>>> it, but is a new eviction paradigm that would need to be carefully worked
>>>>>> through.
>>>>>>
>>>>>> 2) Ephemeral Anchors (my real policy-only proposal)
>>>>>>
>>>>>> Ephemeral Anchors is a term which means an output is watermarked as
>>>>>> an output that MUST be spent in a V3 package. We mark this anchor by being
>>>>>> the bare script `OP_TRUE` and of course make these outputs standard to
>>>>>> relay and spend with empty witness data.
>>>>>>
>>>>>> Also as a simplifying assumption, we require the parent transaction
>>>>>> with such an output to be 0-fee. This makes mempool reasoning simpler in
>>>>>> case the child-spend is somehow evicted, guaranteeing the parent will be as
>>>>>> well.
>>>>>>
>>>>>> Implications:
>>>>>>
>>>>>> a) If the ephemeral anchor MUST be spent, we can allow *any* value,
>>>>>> even dust, even 0, without worrying about bloating the utxo set. We relax
>>>>>> this policy for maximum smart contract flexibility and specification
>>>>>> simplicity..
>>>>>>
>>>>>> b) Since this anchor MUST be spent, any spending of other outputs in
>>>>>> the same parent transaction MUST directly double-spend prior spends of the
>>>>>> ephemeral anchor. This causes the 1 block CSV timelock on outputs to be
>>>>>> removed in these situations. This greatly magnifies composability of smart
>>>>>> contracts, as now we can do things like safely splice directly into new
>>>>>> channels, into statechains, your custodial wallet account, your cold
>>>>>> wallet, wherever, without requiring other wallets to support arbitrary
>>>>>> scripts. Also it hurts that 1 CSV time locked scripts may not be miniscript
>>>>>> compatible to begin with...
>>>>>>
>>>>>> c) *Anyone* can bump the transaction, without any transaction key
>>>>>> material. This is essentially achieving Jeremy's Transaction Sponsors (
>>>>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/018168.html)
>>>>>> proposal without consensus changes. As long as someone gets a fully signed
>>>>>> parent, they can execute a bump with minimal wallet tooling. If a
>>>>>> transaction author doesn’t want a “sponsor”, do not include the output.
>>>>>>
>>>>>> d) Lightning Carve-out(
>>>>>> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/002240.html)
>>>>>> is superseded by this logic, as we are not restricted to two immediately
>>>>>> spendable output scenarios. In its place, robust multi-party fee bumping is
>>>>>> possible.
>>>>>>
>>>>>> e) This also benefits more traditional wallet scenarios, as change
>>>>>> outputs can no longer be pinned, and RBF/CPFP becomes robust. Payees in
>>>>>> simple spends cannot pin you. Batched payouts become a lot less painful.
>>>>>> This was one of the motivating use cases that created the term “pinning” in
>>>>>> the first place(
>>>>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015717.html),
>>>>>> even if LN/L2 discussion has largely overtaken it due to HTLC theft risks.
>>>>>>
>>>>>> Open Question(s):
>>>>>>
>>>>>>
>>>>>> 1.
>>>>>>
>>>>>> If we allow non-zero value in ephemeral outputs, does this open
>>>>>> up a MEV we are worried about? Wallets should toss all the value directly
>>>>>> to fees, and add their own additional fees on top, otherwise miners have
>>>>>> incentive to make the smallest utxo burn transaction to claim those funds.
>>>>>> They just confirmed your parent transaction anyways, so do we care?
>>>>>> 2.
>>>>>>
>>>>>> SIGHASH_GROUP like constructs would allow uncommitted ephemeral
>>>>>> anchors to be added at spend time, depending on spending requirements.
>>>>>> SIGHASH_SINGLE already allows this.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hopefully this gives people something to consider as we move forward
>>>>>> in thinking about mempool design within the constraints we have today.
>>>>>>
>>>>>>
>>>>>> Greg
>>>>>>
>>>>>> 0: With V3 transactions where you have "veto power" over all the
>>>>>> inputs in that transaction. Therefore something like ANYONECANPAY is still
>>>>>> broken. We need a more complex solution, which I’m punting for the sake of
>>>>>> progress.
>>>>>> _______________________________________________
>>>>>> bitcoin-dev mailing list
>>>>>> bitcoin-dev@lists•linuxfoundation.org
>>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> bitcoin-dev mailing list
>>>>>> bitcoin-dev@lists•linuxfoundation.org
>>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>>
>>>>> _______________________________________________
>>>>> bitcoin-dev mailing list
>>>>> bitcoin-dev@lists•linuxfoundation.org
>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists•linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>>
[-- Attachment #2: Type: text/html, Size: 26365 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2023-01-27 14:05 ` Greg Sanders
@ 2023-02-02 14:52 ` Peter Todd
2023-02-02 14:59 ` Greg Sanders
0 siblings, 1 reply; 22+ messages in thread
From: Peter Todd @ 2023-02-02 14:52 UTC (permalink / raw)
To: Greg Sanders, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 777 bytes --]
On Fri, Jan 27, 2023 at 09:05:20AM -0500, Greg Sanders via bitcoin-dev wrote:
> Hello again dev,
>
> Due to the interest in the proposal and the prodding of certain folks, I've
> written up a short draft BIP of the Ephemeral Anchors idea here:
> https://github.com/instagibbs/bips/blob/ephemeral_anchor/bip-ephemeralanchors.mediawiki
>
> The pull request at https://github.com/bitcoin/bitcoin/pull/26403 has been
> refreshed on top of the latest V3 proposal, but the BIP itself is
> unaffected.
The BIP states that:
Why OP_2 not OP_TRUE? OP_TRUE is often used in test vectors, using OP_2 has
the same benefits and none of these common collisions.
Why is a "collision" harmful in this case?
--
https://petertodd.org 'peter'[:-1]@petertodd.org
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2023-02-02 14:52 ` Peter Todd
@ 2023-02-02 14:59 ` Greg Sanders
2023-02-02 15:06 ` Peter Todd
0 siblings, 1 reply; 22+ messages in thread
From: Greg Sanders @ 2023-02-02 14:59 UTC (permalink / raw)
To: Peter Todd; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 978 bytes --]
Hi Peter,
For the most principled of reasons:
Because I have to change test vectors everywhere!
Greg
On Thu, Feb 2, 2023 at 9:52 AM Peter Todd <pete@petertodd•org> wrote:
> On Fri, Jan 27, 2023 at 09:05:20AM -0500, Greg Sanders via bitcoin-dev
> wrote:
> > Hello again dev,
> >
> > Due to the interest in the proposal and the prodding of certain folks,
> I've
> > written up a short draft BIP of the Ephemeral Anchors idea here:
> >
> https://github.com/instagibbs/bips/blob/ephemeral_anchor/bip-ephemeralanchors.mediawiki
> >
> > The pull request at https://github.com/bitcoin/bitcoin/pull/26403 has
> been
> > refreshed on top of the latest V3 proposal, but the BIP itself is
> > unaffected.
>
> The BIP states that:
>
> Why OP_2 not OP_TRUE? OP_TRUE is often used in test vectors, using
> OP_2 has
> the same benefits and none of these common collisions.
>
> Why is a "collision" harmful in this case?
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
[-- Attachment #2: Type: text/html, Size: 1817 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2023-02-02 14:59 ` Greg Sanders
@ 2023-02-02 15:06 ` Peter Todd
2023-02-02 18:36 ` Greg Sanders
0 siblings, 1 reply; 22+ messages in thread
From: Peter Todd @ 2023-02-02 15:06 UTC (permalink / raw)
To: Greg Sanders; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 324 bytes --]
On Thu, Feb 02, 2023 at 09:59:09AM -0500, Greg Sanders wrote:
> Hi Peter,
>
> For the most principled of reasons:
>
> Because I have to change test vectors everywhere!
Specifically, you mean you'd have to change tests that test something is
non-standard?
--
https://petertodd.org 'peter'[:-1]@petertodd.org
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2023-02-02 15:06 ` Peter Todd
@ 2023-02-02 18:36 ` Greg Sanders
2023-02-02 20:22 ` Peter Todd
0 siblings, 1 reply; 22+ messages in thread
From: Greg Sanders @ 2023-02-02 18:36 UTC (permalink / raw)
To: Peter Todd; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 641 bytes --]
Quickly checked, it fails a number of standardness tests in unit/functional
tests in Bitcoin Core, at least.
OP_2 was actually Luke Jr's idea circa 2017 for about the same reasons, I
just independently arrived at the same conclusion.
On Thu, Feb 2, 2023 at 10:06 AM Peter Todd <pete@petertodd•org> wrote:
> On Thu, Feb 02, 2023 at 09:59:09AM -0500, Greg Sanders wrote:
> > Hi Peter,
> >
> > For the most principled of reasons:
> >
> > Because I have to change test vectors everywhere!
>
> Specifically, you mean you'd have to change tests that test something is
> non-standard?
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
[-- Attachment #2: Type: text/html, Size: 1166 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2023-02-02 18:36 ` Greg Sanders
@ 2023-02-02 20:22 ` Peter Todd
2023-02-02 20:47 ` Greg Sanders
0 siblings, 1 reply; 22+ messages in thread
From: Peter Todd @ 2023-02-02 20:22 UTC (permalink / raw)
To: Greg Sanders; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 908 bytes --]
On Thu, Feb 02, 2023 at 01:36:24PM -0500, Greg Sanders wrote:
> Quickly checked, it fails a number of standardness tests in unit/functional
> tests in Bitcoin Core, at least.
>
> OP_2 was actually Luke Jr's idea circa 2017 for about the same reasons, I
> just independently arrived at the same conclusion.
Well, frankly I really don't like the idea of using OP_2 just to avoid changing
some unit tests. We're doing something that many people will use for years to
come, that's unnecessarily obscure just because we don't want to spend a bit of
some modifying some tests to pass.
OP_TRUE is the obvious way to do this, and it results with a 1 on the stack,
which plays better with other standardness rules. OP_2 means we *also* may need
to special case having a 2 on the stack in certain implementations of other
standardness rules.
--
https://petertodd.org 'peter'[:-1]@petertodd.org
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2023-02-02 20:22 ` Peter Todd
@ 2023-02-02 20:47 ` Greg Sanders
2023-02-03 22:10 ` Peter Todd
0 siblings, 1 reply; 22+ messages in thread
From: Greg Sanders @ 2023-02-02 20:47 UTC (permalink / raw)
To: Peter Todd; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 1222 bytes --]
> OP_TRUE is the obvious way to do this, and it results with a 1 on the
stack,
which plays better with other standardness rules.
What other standardness rules? MINAMALIF? How does that interact with the
proposal?
On Thu, Feb 2, 2023 at 3:22 PM Peter Todd <pete@petertodd•org> wrote:
> On Thu, Feb 02, 2023 at 01:36:24PM -0500, Greg Sanders wrote:
> > Quickly checked, it fails a number of standardness tests in
> unit/functional
> > tests in Bitcoin Core, at least.
> >
> > OP_2 was actually Luke Jr's idea circa 2017 for about the same reasons, I
> > just independently arrived at the same conclusion.
>
> Well, frankly I really don't like the idea of using OP_2 just to avoid
> changing
> some unit tests. We're doing something that many people will use for years
> to
> come, that's unnecessarily obscure just because we don't want to spend a
> bit of
> some modifying some tests to pass.
>
> OP_TRUE is the obvious way to do this, and it results with a 1 on the
> stack,
> which plays better with other standardness rules. OP_2 means we *also* may
> need
> to special case having a 2 on the stack in certain implementations of other
> standardness rules.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
[-- Attachment #2: Type: text/html, Size: 1776 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2023-02-02 20:47 ` Greg Sanders
@ 2023-02-03 22:10 ` Peter Todd
2023-02-04 2:07 ` Greg Sanders
0 siblings, 1 reply; 22+ messages in thread
From: Peter Todd @ 2023-02-03 22:10 UTC (permalink / raw)
To: Greg Sanders; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 940 bytes --]
On Thu, Feb 02, 2023 at 03:47:28PM -0500, Greg Sanders wrote:
> > OP_TRUE is the obvious way to do this, and it results with a 1 on the
> stack,
> which plays better with other standardness rules.
>
> What other standardness rules? MINAMALIF? How does that interact with the
> proposal?
It makes sense to require scripts to leave just a single OP_TRUE on the stack
at the end of execution, as otherwise that can be a source of malleability in
certain circumstances where the scriptSig ends up providing the OP_TRUE. I
don't believe we actually implement this as a rule right now. But you could
easily imagine that happening in a future upgrade.
Leaving an OP_2 on the stack doesn't achieve that and would require a
special-cased workaround. Spending the time now to do the obvious thing - use
OP_TRUE as the canonical anyone-can-spend output - avoids this issue.
--
https://petertodd.org 'peter'[:-1]@petertodd.org
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2023-02-03 22:10 ` Peter Todd
@ 2023-02-04 2:07 ` Greg Sanders
2023-02-04 16:02 ` Peter Todd
0 siblings, 1 reply; 22+ messages in thread
From: Greg Sanders @ 2023-02-04 2:07 UTC (permalink / raw)
To: Peter Todd; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 1212 bytes --]
I'm not particularly persuaded, but also not wedded to either idea.
Fixed up tests for the OP_TRUE case here:
https://github.com/instagibbs/bitcoin/tree/ephemeral-anchors-true
On Fri, Feb 3, 2023 at 5:10 PM Peter Todd <pete@petertodd•org> wrote:
> On Thu, Feb 02, 2023 at 03:47:28PM -0500, Greg Sanders wrote:
> > > OP_TRUE is the obvious way to do this, and it results with a 1 on the
> > stack,
> > which plays better with other standardness rules.
> >
> > What other standardness rules? MINAMALIF? How does that interact with the
> > proposal?
>
> It makes sense to require scripts to leave just a single OP_TRUE on the
> stack
> at the end of execution, as otherwise that can be a source of malleability
> in
> certain circumstances where the scriptSig ends up providing the OP_TRUE. I
> don't believe we actually implement this as a rule right now. But you could
> easily imagine that happening in a future upgrade.
>
> Leaving an OP_2 on the stack doesn't achieve that and would require a
> special-cased workaround. Spending the time now to do the obvious thing -
> use
> OP_TRUE as the canonical anyone-can-spend output - avoids this issue.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
[-- Attachment #2: Type: text/html, Size: 1830 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2023-02-04 2:07 ` Greg Sanders
@ 2023-02-04 16:02 ` Peter Todd
2023-03-13 16:38 ` Greg Sanders
0 siblings, 1 reply; 22+ messages in thread
From: Peter Todd @ 2023-02-04 16:02 UTC (permalink / raw)
To: Greg Sanders; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 488 bytes --]
On Fri, Feb 03, 2023 at 09:07:29PM -0500, Greg Sanders wrote:
> I'm not particularly persuaded, but also not wedded to either idea.
>
> Fixed up tests for the OP_TRUE case here:
> https://github.com/instagibbs/bitcoin/tree/ephemeral-anchors-true
Thanks.
Looking through that, I think a lot of those test cases don't actually need to
be changed to OP_2, as they aren't trying to test anything related to
standardness.
--
https://petertodd.org 'peter'[:-1]@petertodd.org
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage limit pinning
2023-02-04 16:02 ` Peter Todd
@ 2023-03-13 16:38 ` Greg Sanders
0 siblings, 0 replies; 22+ messages in thread
From: Greg Sanders @ 2023-03-13 16:38 UTC (permalink / raw)
To: Peter Todd; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 730 bytes --]
After getting neutral to negative feedback on the choice, I have switched
to OP_TRUE on the BIP and implementation.
Cheers,
Greg
On Sat, Feb 4, 2023 at 11:03 AM Peter Todd <pete@petertodd•org> wrote:
> On Fri, Feb 03, 2023 at 09:07:29PM -0500, Greg Sanders wrote:
> > I'm not particularly persuaded, but also not wedded to either idea.
> >
> > Fixed up tests for the OP_TRUE case here:
> > https://github.com/instagibbs/bitcoin/tree/ephemeral-anchors-true
>
> Thanks.
>
> Looking through that, I think a lot of those test cases don't actually
> need to
> be changed to OP_2, as they aren't trying to test anything related to
> standardness.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
[-- Attachment #2: Type: text/html, Size: 1343 bytes --]
^ permalink raw reply [flat|nested] 22+ messages in thread
end of thread, other threads:[~2023-03-13 16:38 UTC | newest]
Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-18 13:52 [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF against package limit pinning Greg Sanders
2022-10-18 15:33 ` [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF againstpackage " Arik Sosman
2022-10-18 15:51 ` Greg Sanders
2022-10-18 16:41 ` Jeremy Rubin
2022-10-18 18:18 ` Greg Sanders
2022-10-19 15:11 ` James O'Beirne
2022-10-20 13:42 ` Greg Sanders
2022-10-27 9:37 ` Johan Torås Halseth
2022-11-30 15:32 ` Greg Sanders
2023-01-27 14:05 ` Greg Sanders
2023-02-02 14:52 ` Peter Todd
2023-02-02 14:59 ` Greg Sanders
2023-02-02 15:06 ` Peter Todd
2023-02-02 18:36 ` Greg Sanders
2023-02-02 20:22 ` Peter Todd
2023-02-02 20:47 ` Greg Sanders
2023-02-03 22:10 ` Peter Todd
2023-02-04 2:07 ` Greg Sanders
2023-02-04 16:02 ` Peter Todd
2023-03-13 16:38 ` Greg Sanders
2022-10-19 0:33 ` [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF against package " Antoine Riard
2022-10-19 13:22 ` Greg Sanders
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox