Hi AJ,<br /><br />&gt; I don't believe being able to pay for censorship on-chain is any more<br />&gt; threatening than being able to pay for censorship off-chain.<br />&gt; <br />&gt; The bitmex blog post there relies on having a trusted oracle to release<br />&gt; DLC payments if the target tx wasn't mined. If you have that level of<br />&gt; trust anyway, then just putting funds in escrow, having miners register<br />&gt; bolt12 invoices with the oracle, and having the oracle make the payments<br />&gt; when it's satisfied blocks are sufficiently confirmed has a pretty<br />&gt; similar risk profile.<br /><br />I think your reasoning point out exactly what is the "unknown" part of such<br />tx-withholding risk in bitcoin, and what Gleb never formalized further in the<br />bitmex blog or his email on costless bribes to miner, as far as I know. Namely<br />"If you have that level of trust anyway", which I'm understanding that we're<br />putting here in the shoes of the attacker to evaluate a tx-withhold attacks _cost_.<br /><br />Generally, when we evaluate a threat model (e.g for internet DDoS) we'll have<br />few notions like a goal (e.g DoS a Minecraft server), knowledge (e.g know-how<br />on do to the most efficient DDoS) and capabilities (e.g number of botnet available<br />to reach a DoS threshold), all 3 elements combined in an attack scenario.<br /><br />Here, if we reason by analogy to mount a tx-withholding attack as an attacker,<br />we'll have a goal, i.e censor a LN commitment-tx, a knowledge, i.e txid of the<br />commitment transaction to be withheld and inner know-how of the LN protocol and<br />about capabilities i.e DLC oracles available and what can be paid as bribing<br />on-chain fees (to simplify, let's say on-chain fees == off-chain fees).<br /><br />Now, in this tx-withholding attack, we can consider that the attacker capabilities<br />are constituted, among others, of the number of trusted oracles available to release<br />DLC payment signing the equivalent of a "proof-of-target-UTXO-mining" for a<br />tx-withholding "bribing" contract.<br /><br />And that's where your remark on "If you have that level of trust anyway" is<br />pertinent, I think as this underscores the _accumulation cost_ for an attacker<br />to build _trust_ in the given DLC oracles that will be used for a tx-withhold<br />attack. Accumulation or acquisition cost of a Sybil node is a metric considered<br />in the litterature about Sybil attacks.<br /><br />Now, and this where is the crux of my interrogation, by extending the expressivity<br />of bitcoin script and removing the necessity to use an off-chain twist, are we<br />slashing the _accumulation_ cost for a tx-withholding attack ? An attacker could<br />from now on just rely on the "blockchain-as-a-judge" paradigm, which is the one<br />explained in the LN paper iirc and attacks become far more practical.<br /><br />If you have another methodology to evaluate such tx-censorship risk, I'm of<br />course curious...The bitmex blog post have also a recension of the literature<br />in Ethereum analyzing HTLC-attacks, among fews.<br /><br />&gt; It's &lt;signature&gt; &lt;message&gt; &lt;pubkey&gt; with pubkey at the top of the stack.<br />https://github.com/bitcoin/bips/blob/master/bip-0348.md<br /><br />&gt; The same is also true of both Elements' CSFS and Bitcoin-Cash's CHECKDATASIG.<br /><br />Okay, so this is the latest CSFS draft. I still had in mind the O'Connor's FS'17<br />paper where it was &lt;signature&gt; &lt;message&gt; &lt;pubkey&gt; with sig-first as a stack order,<br />as example. Fwiw, what matters is that you can freely sign a &lt;message&gt;, which is<br />not iself the implicit signature digest, though exact code matters to analyze <br />opcode composability, of course.<br /><br />Best,<br />Antoine<br />OTS hash: 2e731833f7408e21832605e904e5db0cb21d29a453fbb1cd232eb6c766441f2a<br /><br /><div class="gmail_quote"><div dir="auto" class="gmail_attr">Le vendredi 7 mars 2025 à 21:27:01 UTC, Anthony Towns a écrit :<br/></div><blockquote class="gmail_quote" style="margin: 0 0 0 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">On Wed, Mar 05, 2025 at 02:46:08PM -0800, Antoine Riard wrote:
<br>&gt; &gt; I don&#39;t believe the existence of a construction like this poses any 
<br>&gt; &gt; problems in practice, however if there is going to be a push to activate 
<br>&gt; &gt; BIP 119 in parallel with features that directly undermine its claimed 
<br>&gt; &gt; motivation, then it would presumably be sensible to at least update 
<br>&gt; &gt; the BIP text to describe a motivation that would actually be achieved by 
<br>&gt; &gt; deployment. 
<br>&gt; I do...
<br>&gt; <a href="https://gnusha.org/pi/bitcoindev/f594c2f8-d712-48e4-a010-778dd4d0cadb@Spark/" target="_blank" rel="nofollow" data-saferedirecturl="https://www.google.com/url?hl=fr&amp;q=https://gnusha.org/pi/bitcoindev/f594c2f8-d712-48e4-a010-778dd4d0cadb@Spark/&amp;source=gmail&amp;ust=1741732469476000&amp;usg=AOvVaw0CFkhlQcIiEIB-Eg38bNJj">https://gnusha.org/pi/bitcoindev/f594c2f8-d712-48e4-a010-778dd4d0cadb@Spark/</a>
<br>&gt; <a href="https://blog.bitmex.com/txwithhold-smart-contracts/" target="_blank" rel="nofollow" data-saferedirecturl="https://www.google.com/url?hl=fr&amp;q=https://blog.bitmex.com/txwithhold-smart-contracts/&amp;source=gmail&amp;ust=1741732469476000&amp;usg=AOvVaw3Ek3yDMLKC_Fd_VDrE6WDt">https://blog.bitmex.com/txwithhold-smart-contracts/</a>
<br>
<br>I don&#39;t believe being able to pay for censorship on-chain is any more
<br>threatening than being able to pay for censorship off-chain.
<br>
<br>The bitmex blog post there relies on having a trusted oracle to release
<br>DLC payments if the target tx wasn&#39;t mined. If you have that level of
<br>trust anyway, then just putting funds in escrow, having miners register
<br>bolt12 invoices with the oracle, and having the oracle make the payments
<br>when it&#39;s satisfied blocks are sufficiently confirmed has a pretty
<br>similar risk profile.
<br>
<br>&gt; With OP_CHECKSIGFROMSTACK, which is iirc &lt;signature&gt; &lt;pubkey&gt; &lt;message&gt;
<br>
<br>It&#39;s &lt;signature&gt; &lt;message&gt; &lt;pubkey&gt; with pubkey at the top of the stack.
<br><a href="https://github.com/bitcoin/bips/blob/master/bip-0348.md" target="_blank" rel="nofollow" data-saferedirecturl="https://www.google.com/url?hl=fr&amp;q=https://github.com/bitcoin/bips/blob/master/bip-0348.md&amp;source=gmail&amp;ust=1741732469476000&amp;usg=AOvVaw2-6DFCgDW5XiE1jaPwsN7_">https://github.com/bitcoin/bips/blob/master/bip-0348.md</a>
<br>
<br>The same is also true of both Elements&#39; CSFS and Bitcoin-Cash&#39;s CHECKDATASIG.
<br>
<br>Cheers,
<br>aj
<br></blockquote></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoindev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href="https://groups.google.com/d/msgid/bitcoindev/b9a11745-4e5e-45f7-8036-f27b8d401ff5n%40googlegroups.com?utm_medium=email&utm_source=footer">https://groups.google.com/d/msgid/bitcoindev/b9a11745-4e5e-45f7-8036-f27b8d401ff5n%40googlegroups.com</a>.<br />