-
Notifications
You must be signed in to change notification settings - Fork 26
How to deterministically define output containing the tweaked key for P2C schemes #92
Comments
I am thinking about this combined solution:
This will give users an option to safe satoshis on the fee when 1sat will be big money :) RBF is a standard thing used by ~10% of all txs as of today, so it would not create a flaw to be tracked by chain analysis tools. If somebody still would like to reduce probability of assuming the tx as RGB tx they will use fee and will not create RBF transaction.
My own thought on this argument is the following: the usual transaction has two outputs, so nseq=0 and 1 will cover the most of cases, and both are used by usual RBF transactions It will be interesting to check statistics on nseq rbf values for existing onchain txs, but I didn’t find which explorer is capable of getting that kind of information @fedsten proposed to look for the statistics from his sources |
However, from my opinion it's not clear why we will have such an issue with |
In order to avoid to provide information to chain analysis tools (e.i. which is the change address assuming the tx is a RGB one) we could include some off chain data to compute the output index. |
If off-chain data is used to deterministically compute the output index, than we lose the double spending protection provided by the Bitcoin blockchain. I could for example create two versions of the same proof indicating a different index, making it possible to send the same assets to multiple parties, without them being able to detect the double-spending operation. |
I did not mean to use data of the current proof, sorry. |
I believe that double spending would still be possible with the scheme you propose. If I create two alternative versions of |
It is not possible to create 2 versions of |
From #95 it follows that nSeq will be required to spend one of the outputs of the LN commitment transaction, so at least we can't use nSeq from this case, which, basically, leaves us only with |
Alekos:
|
FYI: I had today a discussion with @giacomozucco and here is an excerpt from it relating the issue under the question: Basically, from the discussion we had it follows that we need something inside the actual tx (and not in the proof itself) that deterministically defines which tx output will be used for the proof commitment. There is not a lot of variable tx parts which may be modified w/o introducing new inputs/outputs and affecting the actual amount of funds being transacted. The list of the options is the following:
Analyzing all of the options, it seems that (5) is the only reasonable way forward. One of the arguments against using the fee amount for determining tx output for commitment is that one day in the future (hopefully soon) each satoshi would become quite a sufficient value, and increasing the size of the fee even for a single satoshi can be an expensive measure! However, So, our proposal is to stick with a simple commitment scheme defining the committing output as a |
Copying here from #93 as it is relevant in the context of this issue: Me and @giacomozucco had a phone discussion on these issues and we came to the following conclusion: at RGB/Spectrum v1 we need to count all outputs and do not exclude any non-P2(W)PKH outputs from the count(outputs) value – but for now (in v1) treat all proofs that commit to non-P2(W)PKH outputs as invalid, i.e these proofs will "burn" the assets inside them. In the future (v2?), when we consider how to work with all possible cases of P2(W)SH and other possible (future) types of outputs, including all these beautiful Schnorrs-scriptless-tapgrafroots, we may "soft-fork" the spec and introduce new rule(s) that will not treat non-P2(W)PKH outputs as invalid, but will provide some options to interpret them. This is the only possible way forward, b/c if we do the other way around (exlude non-P2(W)PKH outputs from counting in v1), we will face a kind of "hard-fork" problem in the future introducing a way to double-spend RGB assets by exploring the fact that un-updated RGB nodes will not count non-P2(W)PKH outputs, and commit to the other outputs than updated RGB nodes – giving an ability to present different proofs depending to the nodes running different software versions. |
The updated proposal taking into account the last discussion during the dev's call: The algorithm is designed in a way that helps to keep information of the output containing commitment private from any party which may assume that the transaction must contain such commitment. The function combines two parameters:
The committed output number The current version of the specification uses RIPMD160 hash of the serialized proof as a source of |
The original problem is put forward by @giacomozucco: in order to avoid double spending with pay to contract commitment schemes, all future owners of the assets must be able to know exactly WHERE the proof-commitment is, in each step. Without it, one could create two versions of the same proof that commit to different outputs, allowing therefore double spends.
To demonstrate the problem he had provided such case:
Some of his suggestions are:
@fedsten had the following argument regarding this:
@giacomozucco:
@fedsten:
@giacomozucco:
The text was updated successfully, but these errors were encountered: