[Bitcoin-development] Anti DoS for tx replacement

Mike Hearn mike at plan99.net
Wed Apr 17 09:19:43 UTC 2013

> Or are you talking about some sort of new decentralized high frequency
> trading system that is self-matching and self-clearing? (I'd be very
> interested in hearing more if this is the case).

I'm using the term "high frequency trading" because Satoshi did. Like the
way he used the word "contract" it is perhaps a bit misleading, but we lack
anything better to describe this new concept.

Today HFT typically means companies that submit tons of micro-trades to
centralised asset exchanges to try and exploit statistically expected
correlations. HFT using tx replacement has nothing to do with this - it is
instead a way that N parties can negotiate amongst themselves as fast as
they can compute and verify signatures.

Here is how Satoshi explained it to me, in his words:

An unrecorded open transaction can keep being replaced until nLockTime.  It
may contain payments by multiple parties.  Each input owner signs their
input.  For a new version to be written, each must sign a higher sequence
number (see IsNewerThan).  By signing, an input owner says "I agree to put
my money in, if everyone puts their money in and the outputs are this."
There are other options in SignatureHash such as SIGHASH_SINGLE which
means "I agree, as long as this one output (i.e. mine) is what I want, I
don't care what you do with the other outputs.".  If that's written with a
high nSequenceNumber, the party can bow out of the negotiation except for
that one stipulation, or sign SIGHASH_NONE and bow out completely.

The parties could create a pre-agreed default option by creating a higher
nSequenceNumber tx using OP_CHECKMULTISIG that requires a subset of parties
to sign to complete the signature.  The parties hold this tx in reserve and
if need be, pass it around until it has enough signatures.

One use of nLockTime is high frequency trades between a set of parties.
They can keep updating a tx by unanimous agreement.  The party giving
money would be the first to sign the next version.  If one party stops
agreeing to changes, then the last state will be recorded at nLockTime.  If
desired, a default transaction can be prepared after each version so n-1
parties can push an unresponsive party out.  Intermediate transactions do
not need to be broadcast.  Only the final outcome gets recorded by the
network.  Just before nLockTime, the parties and a few witness nodes
broadcast the highest sequence tx they saw.
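
An added example, not part of the original message and not Bitcoin's own code: a simplified C++ model of a witness node that keeps the highest-sequence version of an open transaction until nLockTime. The comparison rule in `replaces`, the fixed lock time, the abstract clock, and the names `Input`, `Tx`, `Witness` and `offer` are assumptions made for illustration; it does not reproduce `IsNewerThan`.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Constructed model: an input is the outpoint it spends plus the sequence its owner signed.
struct Input { uint64_t prevout; uint32_t sequence; };
struct Tx { std::vector<Input> vin; uint32_t lockTime; };

const uint32_t SEQ_FINAL = std::numeric_limits<uint32_t>::max();

// Assumed rule: same outpoints and lock time, no sequence lowered, at least one raised.
bool replaces(const Tx& next, const Tx& cur) {
    if (next.lockTime != cur.lockTime || next.vin.size() != cur.vin.size()) return false;
    bool raised = false;
    for (std::size_t i = 0; i < cur.vin.size(); ++i) {
        if (next.vin[i].prevout != cur.vin[i].prevout) return false;
        if (next.vin[i].sequence < cur.vin[i].sequence) return false;
        if (next.vin[i].sequence > cur.vin[i].sequence) raised = true;
    }
    return raised;
}

// Open means the lock time is still ahead and at least one input is not finalised.
bool isOpen(const Tx& tx, uint32_t now) {
    if (now >= tx.lockTime) return false;
    for (const Input& in : tx.vin)
        if (in.sequence != SEQ_FINAL) return true;
    return false;
}

// Witness node: keeps the newest version seen, rejecting stale, unrelated or late offers.
struct Witness {
    Tx best;
    bool offer(const Tx& candidate, uint32_t now) {
        if (!isOpen(best, now) || !replaces(candidate, best)) return false;
        best = candidate;
        return true;
    }
};

int main() {
    Witness w{Tx{{{1, 0}, {2, 0}}, 100}};                 // constructed: two parties, lock time 100
    bool newer = w.offer(Tx{{{1, 1}, {2, 1}}, 100}, 10);  // both re-signed higher
    bool stale = w.offer(Tx{{{1, 0}, {2, 1}}, 100}, 11);  // replayed older signature
    bool late  = w.offer(Tx{{{1, 2}, {2, 2}}, 100}, 100); // lock time reached
    std::printf("newer=%d stale=%d late=%d\n", newer, stale, late);
}
```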