[bitcoin-dev] [Lightning-dev] Reconciling the off-chain and on-chain models with eltoo

[ZmnSCPxj]

Good morning Richard,

> I believe using the eltoo update scheme as a way to consolidate blocks of off-chain transactions is an interesting idea worth exploring.  
>
> ZmnSCPxj brings up some limitations on arbitrary outputs scripts in eltoo. Although using CSV is more complicated and outputs must also use SIGHASH_NOINPUT [1], the ability to have multiple party channels and the most used types of scripts makes eltoo compelling compared to LN-Penalty for this kind of application.

I broadly agree.

I imagine a future where most people do not typically have single-signer ownership of coins onchain, but are instead share-owners of coins, with single-signer ownership occurring onchain only in the case of dispute or for long-term cold storage.

>
> The multiple party aspect in particular introduces an interesting way to unify concepts from different second layer protocols like federated sidechains and statechains (ht. aakselrod [2]).
>
> Though the Statechains proposal relies on eltoo [3], I think what Christian suggested does not try to solve the dynamic membership problem. That's why I think of this as more an evolution of the channel factory paper towards something like a federated sidechain.
>
> > I think this reconciliation between the off-chain model and the on-chain
> > model, with many concepts cleanly mapping from one context to another
> > (state outputs = UTXO, off-chain update = on-chain transactions,
> > cut-through = confirmation, operation batching = block creation) is
> > rather nice :-)
>
> One additional concept that could be new to this off-chain blockchain model would be something like batched multi-party loop-in/out. In a Schnorr/Taproot world you could add signers/inputs and remove signers/outputs with a single multi-signature negotiated off-chain. You'd still like to limit these onchain txs, even if they are small, but updating channels periodically seems like a straight forward way to address the dynamic membership problem.

Indeed.
Such a change-in-membership transaction would be a 1-input 1-output transaction, and with use of n-of-n MuSig would be as small (and as private, modulo the fact that you are coordinating this with a bunch of other participants) as a single-sig user making a 1-input 1-output transaction (which generally is not very private because such transactions are usually "send-to-self" and changing membership generally means ownership does not actually change much).
The cost of this transaction would be small (certainly smaller than the update+state transactions needed in Decker-Russell-Osuntokun)

For setting this up, it might be useful to have the below ritual.
This assumes only a change in the membership set is desired, without a simultaneous change in the UTXO set.

1.  Create a new update+state transaction for the current Decker-Russell-Osuntokun mechanism.
    The state transaction pays out to a single output paying to the new membership set rather than the current UTXO set of the mechanism.
    Do *not* sign this yet.
    Call this the "final" update+state transaction.
2.  Create a new Decker-Russell-Osuntokun mechanism initial update+state transaction.
    This pays out to the current UTXO set of the previous mechanism.
    This will spend from the new membership set.
    Completely sign these transactions.
    * The update transaction can spend the above "final" transaction, as it is `SIGHASH_NOINPUT`.
3.  Sign the final update+state transaction of the previous Decker-Russell-Osuntokun mechanism.
    Do *not* broadcast the update+state transaction yet.
4.  Create and sign the membership-change onchain transaction.
    This spends the current onchain funding transaction output and outputs to the same new membership set.
    Broadcast this onchain.

The above ritual ensures that, after step 3 completes, the mechanism can continue operating without waiting for onchain activity to complete.
It ensures that, even if the membership-change onchain transaction becomes invalid later (by somebody bribing a miner to publish a previous update transaction from the older membership set), we will still enter an update that will eventually put the new membership set onchain.
This reduces the critical path to only steps 1 to 3, and we can continue operating with the new membership set as soon as step 3 completes and we do not need to wait for the membership-change transaction to be deeply-confirmed in order to use the new membership set mechanism.

However, it has the drawback that, until the membership-change onchain transaction is deeply-confirmed onchain, the CSV parameter is temporarily doubled (as there is the possibility that the previous mechanism is closed).
Also, the mechanism cannot be mutually closed until the membership-change onchain transaction is deeply-confirmed, as there is no stable txid we can spend from (we would strongly prefer to use `SIGHASH_ALL` for cooperative closes to improve our privacy).

>
> I guess this all gets back to how to design an off-chain protocol for managing these negotiations. Ultimately I can imagine a sort of multi-party eltoo based 'signet' with the same RPC interface, but different transaction validation and block creation logic.  Perhaps there would be a new message where the channel parties would add their signature before forwarding a valid block, and the block wouldn't be built on until all parties had signed.

The "block" that would need to be signed by the participants would actually be a Decker-Russell-Osuntokun update+state transaction, and would commit to the UTXO set rather than the transaction set.
Unless I misunderstand your meaning here.

Regards,
ZmnSCPxj