mimblewimble team mailing list archive

Re: Scriptless scripting and deniable swaps

 

On Fri, Feb 03, 2017 at 10:42:14PM +0000, Andrew Poelstra wrote:
> 
> Pieter Wuille in particular has stressed to me what a great feature of MW it is
> that everything looks the same, and that breaking this property should be taken
> very seriously.
>

In this line of thinking, I gave a presentation at MIT recently about the
various things you can do just with kernel signatures. The slides are here:

https://download.wpsoftware.net/bitcoin/wizardry/mw-slides/2017-03-mit-bitcoin-expo/slides.pdf

Kanzure has kindly written a transcript of the talk, though the audio was
a bit choppy:

https://github.com/kanzure/diyhpluswiki/blob/master/transcripts/mit-bitcoin-expo-2017/mimblewimble-and-scriptless-scripts.mdwn
 
> At the Stanford BPASE Conference [2] I gave a talk where I briefly mentioned that
> it was possible to do atomic swaps with no preimages at all. I'll explain how to
> do this in a second, but first I want to revise my proposal from my last mail.
> 
>   * Each kernel (née excess value) K signs the challenge H(K || f || L), where
>     K is the kernel itself, f is the fee it is attesting must exist in this
>     transaction, and L is an optional locktime, measured in blockheight.
> 
>   * By default L is the empty string; there needs to be a special flag to indicate
>     that it is nontrivial. Hopefully the actual presence of nontrivial locktimes
>     will be rare since they are only used in the adversarial backout case of most
>     protocols. Since a locktime L must stay in the blockchain forever we should
>     discourage their use somehow.
> 
> So I'm removing all script support, even for just hash preimages.
> 

At the end of my talk I mentioned that I didn't know how to do locktimes in a
scriptless script way and therefore we need this explicit L. I'm happy to say
that this is no longer true. Ethan Heilman pointed out that it is possible to
make a "timelocked signature" that requires grinding through a sequential
proof-of-work to do. This is described here:

https://www.reddit.com/r/Mimblewimble/comments/5xo9ri/scriptless_scripts_in_mimblewimble_mit_bitcoin/dem9kpj/

He also suggested the locktime should be cancellable and extendable by having
the would-be recipient reveal a key to the sender, but we didn't work out all
the details. If this works then we should be able to get the effect of a
relative lock-time, having indefinitely-open lightning channels, and so forth.
Exciting times.

Therefore I revise my proposal again, to remove the explicit locktime, and
have only the fee.


Cheers
Andrew



-- 
Andrew Poelstra
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

"A goose alone, I suppose, can know the loneliness of geese
 who can never find their peace,
 whether north or south or west or east"
       --Joanna Newsom
