[bitcoin-dev] BIP 118 and SIGHASH_ANYPREVOUT

Richard Myers rich at gotenna.com
Mon Aug 3 19:27:13 UTC 2020


Thanks AJ for the updated BIP - very exciting!

I'm also interested in this in the context of a Taproot version of
Decker-Russell-Osuntokun (eltoo). Thanks ZmnSCPxj for summarizing your
thoughts on how this would work. I have had some difficulty understanding
when someone might want to use ANYPREVOUT vs. ANYPREVOUTANYSCRIPT and this
is a clever demonstration of how the differences can be exploited.

I sketched out the protocol you described to help my understand it (below)
and some questions came to mind:

1) If you do a collaborative close, would you need to use script-path
spending, or could you use key-path spending instead to improve privacy?

2) You mention 1.5 round trips for the (two party) MuSig signing session.
Must there be separate 1.5 round trips for each of the two signatures
produced (update, settlement) for each state update?

3) A related question: can the 1.5 round trips for signing be combined with
the 1.5 round trips required to update the channel (ie. A signs settlement
tx, B signs settlement & update txs, A signs update tx)?

Perhaps something like this:
 -> A provides partial signature for settlement tx
 <- B provides complete signature for settlement tx and partial signature
for update tx
 -> A provides complete signature for update tx

4) I'm not sure why AJ's formulation included an addition sig(X), but
otherwise is it similar to what you're suggesting?

https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-May/001996.html

All the best,

  -- Richard

------- my interpretation of your scheme ----


  [Fund Channel]
    |
    |
    |
    v
   P=Musig(A,B)+scripts (Taproot internal key, aka script path key?)
   Q=Musig(A,B) (Taproot output key, aka root key?)

   OR ----------- [Cooperative Close]
   |||            Sig(Q) -----+
   |||                        |----> Sig(A)...
   |||                        |
   |||                        |----> Sig(B)...
   |||
   |||
   ||+-->[Update(n)]
   ||    nlocktime/state > n
   ||    Sig(P)+ANYPREVOUTANYSCRIPT
   ||
   ||     OR ---------->[Settle(n)]           [Uncooperative Close @
state n]
   ||      |            Sig(P)+ANYPREVOUT
   ||      |            csv [delay] --------+---> Sig(A)...    [HTLCs
& Settled
   ||      |                                |
Outputs ]
   ||      |                                |---> Sig(B)...
   ||      v
   |+---->[Update(n+1)]
   |      nlocktime/state > n+1
   |      Sig(P)+ANYPREVOUTANYSCRIPT
   |
   |      OR ----------->[Settle(n+1)]        [Uncooperative Close @
state n+1]
   |       |             Sig(P)+ANYPREVOUT
   |       |             csv [delay] -------+---> Sig(A)...    [HTLCs
& Settled
   |       |                                |
Outputs ]
   v       v                                |---> Sig(B)...





On Fri, Jul 10, 2020 at 5:30 AM ZmnSCPxj via bitcoin-dev
<bitcoin-dev at lists.linuxfoundation.org> wrote:

...

> Slightly off-topic, but I suppose a Decker-Russell-Osuntokun construction
> could, in theory, have only a single internal taproot pubkey, `P = MuSig(A,
> B)` for a channel between A and B.
>
> So the funding outpoint would be spent with a taprooted P + a single
> tapscript `<1> OP_CHECKSIG`.
>
> Update transactions would be signed with the internal taproot pubkey using
> `SIGHASH_ANYPREVOUTANYSCRIPT`.
> The update transaction output would be spendable with a taprooted P + a
> single tapscript `<index + 1> OP_CHECKLOCKTIMEVERIFY OP_DROP <1>
> OP_CHECKSIG`.
> Each update transaction would have a monotonically-increasing `nLockTime`,
> i.e. the above `index`.
>
> Then a state transaction would be signed with the internal taproot pubkey
> using `SIGHASH_ANYPREVOUT`, which commits to the exact script including
> `<index + 1>`, which is unique for each update transaction.
> Thus a state transaction can only spend the specific update transaction,
> but the update transaction can spend the funding outpoint or any update
> transaction outpoint.
> State transaction input would have an `nSequence` requiring a relative
> locktime of the agreed-upon unilateral close delay.
>
> The above assumes MuSig signing, which requires 1.5 round trips for a
> channel, or three broadcast rounds for a multiparticipant (n >= 3)
> construction.
>
>
> Regards,
> ZmnSCPxj
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20200803/fadaa364/attachment.html>


More information about the bitcoin-dev mailing list