Good morning Richard,
> I believe using the eltoo update scheme as a way to consolidate blocks of
> off-chain transactions is an interesting idea worth exploring.
>
> ZmnSCPxj brings up some limitations on arbitrary outputs scripts in eltoo.
> Although using CSV is more complicated and outputs must also use
> SIGHASH_NOINPUT [1], the ability to have multiple party channels and the most
> used types of scripts makes eltoo compelling compared to LN-Penalty for this
> kind of application.
I broadly agree.
I imagine a future where most people do not typically have single-signer
ownership of coins onchain, but are instead share-owners of coins, with
single-signer ownership occurring onchain only in the case of dispute or for
long-term cold storage.
>
> The multiple party aspect in particular introduces an interesting way to
> unify concepts from different second layer protocols like federated
> sidechains and statechains (ht. aakselrod [2]).
>
> Though the Statechains proposal relies on eltoo [3], I think what Christian
> suggested does not try to solve the dynamic membership problem. That's why I
> think of this as more an evolution of the channel factory paper towards
> something like a federated sidechain.
>
> > I think this reconciliation between the off-chain model and the on-chain
> > model, with many concepts cleanly mapping from one context to another
> > (state outputs = UTXO, off-chain update = on-chain transactions,
> > cut-through = confirmation, operation batching = block creation) is
> > rather nice :-)
>
> One additional concept that could be new to this off-chain blockchain model
> would be something like batched multi-party loop-in/out. In a Schnorr/Taproot
> world you could add signers/inputs and remove signers/outputs with a single
> multi-signature negotiated off-chain. You'd still like to limit these onchain
> txs, even if they are small, but updating channels periodically seems like a
> straight forward way to address the dynamic membership problem.
Indeed.
Such a change-in-membership transaction would be a 1-input 1-output
transaction, and with use of n-of-n MuSig would be as small (and as private,
modulo the fact that you are coordinating this with a bunch of other
participants) as a single-sig user making a 1-input 1-output transaction (which
generally is not very private because such transactions are usually
"send-to-self" and changing membership generally means ownership does not
actually change much).
The cost of this transaction would be small (certainly smaller than the
update+state transactions needed in Decker-Russell-Osuntokun)
For setting this up, it might be useful to have the below ritual.
This assumes only a change in the membership set is desired, without a
simultaneous change in the UTXO set.
1. Create a new update+state transaction for the current
Decker-Russell-Osuntokun mechanism.
The state transaction pays out to a single output paying to the new
membership set rather than the current UTXO set of the mechanism.
Do *not* sign this yet.
Call this the "final" update+state transaction.
2. Create a new Decker-Russell-Osuntokun mechanism initial update+state
transaction.
This pays out to the current UTXO set of the previous mechanism.
This will spend from the new membership set.
Completely sign these transactions.
* The update transaction can spend the above "final" transaction, as it is
`SIGHASH_NOINPUT`.
3. Sign the final update+state transaction of the previous
Decker-Russell-Osuntokun mechanism.
Do *not* broadcast the update+state transaction yet.
4. Create and sign the membership-change onchain transaction.
This spends the current onchain funding transaction output and outputs to
the same new membership set.
Broadcast this onchain.
The above ritual ensures that, after step 3 completes, the mechanism can
continue operating without waiting for onchain activity to complete.
It ensures that, even if the membership-change onchain transaction becomes
invalid later (by somebody bribing a miner to publish a previous update
transaction from the older membership set), we will still enter an update that
will eventually put the new membership set onchain.
This reduces the critical path to only steps 1 to 3, and we can continue
operating with the new membership set as soon as step 3 completes and we do not
need to wait for the membership-change transaction to be deeply-confirmed in
order to use the new membership set mechanism.
However, it has the drawback that, until the membership-change onchain
transaction is deeply-confirmed onchain, the CSV parameter is temporarily
doubled (as there is the possibility that the previous mechanism is closed).
Also, the mechanism cannot be mutually closed until the membership-change
onchain transaction is deeply-confirmed, as there is no stable txid we can
spend from (we would strongly prefer to use `SIGHASH_ALL` for cooperative
closes to improve our privacy).
>
> I guess this all gets back to how to design an off-chain protocol for
> managing these negotiations. Ultimately I can imagine a sort of multi-party
> eltoo based 'signet' with the same RPC interface, but different transaction
> validation and block creation logic. Perhaps there would be a new message
> where the channel parties would add their signature before forwarding a valid
> block, and the block wouldn't be built on until all parties had signed.
The "block" that would need to be signed by the participants would actually be
a Decker-Russell-Osuntokun update+state transaction, and would commit to the
UTXO set rather than the transaction set.
Unless I misunderstand your meaning here.
Regards,
ZmnSCPxj
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
