Hi Eric,

> In paying fees externally one must find another way to associate a fee with 
> its transaction. This of course increases the possibility of taint, as you 
> describe in part here:

I'm not sure I follow, do you see a problem beyond the facts that miners
would need to authenticate somehow? This can be done in a privacy
preserving way per block. I don't think transactions would need to
change in any way. The bounty-transaction link is upheld by a third
party service which the miners have to trust that it will pay out if the
transaction is included (not perfect, but a business decision they can
make).

> It is also the case that the "bounty" must be associated with the 
> transaction. Even with miner and payer mutual anonymity, the fee inputs and 
> outputs will be associated with the transaction inputs and outputs by the 
> miner, rendering the proposal counterproductive.
> Total transaction sizing is not reduced by paying fees externally, in fact it 
> would be increased. The only possible reduction would come from aggregation 
> of fees. Yet it is not clear how that aggregation would occur privately in 
> less overall block space. At least with integral fees, it's *possible* to 
> spend and pay a fee with a single input and output. That is not the case with 
> externalized fees.

I should have made this more clear, I don't imagine anyone to pay these
fees with L1 transactions, but rather some L2 system like Lightning or a
BTC backed chaumian token issued for that purpose by the bounty service
provider. Even Lightning would be far more private for the use cases I
described that don't allow fee deduction from inputs. But if one accepts
more counter party risk with e.g. some centrally pegged chaumian token
it can be anonymous.

I see that this might not be very useful today, but I imagine a future
in which Bitcoin is mostly a settlement and reserve layer. This would
make it feasible to keep most UTXOs in common sizes. Only large, round
transactions happen on-chain, the rest can happen on L2. This would
allow tumbling these already evenly-sized UTXOs on spend without toxic
waste if we can somehow tackle the fee payment problem. I know of the
following solutions:

 * everyone has to add a second UTXO per input
 * Someone is chosen fairly at random to pay the total fee
 * pay a service on L2 to add an input/output for fee payment
 * out-of-band L2 fee payments

Only L2 fee payments can hide who is involved in such a tumbling
operation as additional fee inputs that get reused would indicate the
same entity was present in two tumbling operations. The out-of-band
approach saves one input and one output and appears more general (e.g.
could be used like rbf).

This is also not a general solution for fee payments. In many cases it
will still be preferable to pay on-chain fees. But having the option to
avoid that in a standardized way could help some protocols imo.

Best,
Sebastian


> -----Original Message-----
> From: bitcoin-dev <[email protected]> On Behalf 
> Of Sebastian Geisler via bitcoin-dev
> Sent: Monday, November 30, 2020 3:03 PM
> To: [email protected]
> Subject: [bitcoin-dev] Out-of-band transaction fees
> 
> Hi all,
> 
> the possibility of out of band transaction fee payments is a well known fact. 
> Yet it has been mostly discussed as an annoying inevitability that can be 
> problematic if on-chain fees are to be used as a consensus parameter. The 
> potential use cases have seen little interest though (please correct me if 
> I'm wrong).
> 
> One such use case is sending UTXOs "intact". Let's assume we get to a point 
> where Bitcoin is primarily a settlement layer for L2 systems.
> These L2 systems might want to protect their privacy and keep UTXOs of a 
> common sizes (e.g. 1 BTC, 10 BTC, …). For certain settlement applications 
> these can be transferred as a whole, but currently fee requirements force the 
> system to add another input for fees which will introduce taint (because it's 
> used repeatedly). If instead a fee could be paid out of band in a privacy 
> preserving way the TXO chain would leak little about the intermediate holders.
> 
> Taking this concept even further CoinJoin-like protocols could also be used 
> to introduce further ambiguity without leaking that a certain entity took 
> part in the CJ (which fee inputs/reused "toxic waste"
> inevitably do afaik). Such a mechanism would probably also make CJ 
> transactions much smaller as _no_ fee inputs had to be provided (assuming the 
> inputs already have the right size).
> 
> Out-of-band transaction "accelerators" already exist and taking fee payment 
> out-of-band can not be effectively prevented. So even though any such 
> proposal will probably have slight centralizing effects I believe that having 
> a standard for it is preferable to having every pool implement their own API 
> making it harder for small pools to get into the market.
> 
> Imo the central questions are:
>  * how to build such a out-of-band "transaction bounty" system
>  * how to standardized it
>  * how can the centralizing effects from it be mitigated
> 
> Imo fees are small enough to not really care about counter party risk that 
> much. It's more important that it is easy to run so that there is some choice 
> for users and miners. In that sense I consider single-operator services 
> providing both standardized user and miner APIs as well as an optional UI 
> suitable. I would still take into account that this could change and might 
> consider the needs of federated services in the protocol.
> 
> Each such service would need to announce which means of payment it supports 
> and allow users and miners to choose when paying/redeeming fees. Users should 
> be able to submit transactions and either be presented with a single payment 
> method dependent "invoice" or one per input (for the CoinJoin use case). As 
> soon as all invoices are paid the bounty goes live and is visible to miners 
> through an API.
> 
> Miners that included a transaction need a way to authenticate when claiming 
> the bounty. One possibility would be to optionally include a unique public 
> key e.g. in the coinbase scriptsig after the height push (is this feasible?). 
> This could be used to claim any bounties after 100, 120, or even a 
> user-defined confirmation threshold is met. If the key is unique for every 
> block there won't be a problem with pool accountability which might become a 
> risk down the road (so this should also be enforced at least in the bounty 
> protocol to avoid lazy implementations leading to dangerous precedents).
> 
> Any feedback is welcome :)
> 
> tl;dr Out-of-band fee payment services are inevitable and useful, so we 
> should at least standardize them and mitigate negative effects as much as 
> possible.
> 
> Best,
> Sebastian
> 
> _______________________________________________
> bitcoin-dev mailing list
> [email protected]
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> 

_______________________________________________
bitcoin-dev mailing list
[email protected]
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Reply via email to