mimblewimble team mailing list archive
Re: Scriptless scripting and deniable swaps
On Fri, Feb 03, 2017 at 10:42:14PM +0000, Andrew Poelstra wrote:
> Pieter Wuille in particular has stressed to me what a great feature of MW it is
> that everything looks the same, and that breaking this property should be taken
> very seriously.
In this line of thinking, I gave a presentation at MIT recently about the
various things you can do just with kernel signatures. The slides are here:
Kanzure has kindly written a transcript of the talk, though the audio was
a bit choppy:
> At the Stanford BPASE Conference I gave a talk where I briefly mentioned that
> it was possible to do atomic swaps with no preimages at all. I'll explain how to
> do this in a second, but first I want to revise my proposal from my last mail.
> * Each kernel (née excess value) K signs the challenge H(K || f || L), where
> K is the kernel itself, f is the fee it is attesting must exist in this
> transaction, and L is an optional locktime, measured in blockheight.
> * By default L is the empty string, there needs to be a special flag to indicate
> that it is nontrivial. Hopefully the actual presence of nontrivial locktimes
> will be rare since they are only used in the adversarial backout case of most
> protocols. Since a locktime L must stay in the blockchain forever we should
> discourage their use somehow.
> So I'm removing all script support, even for just hash preimages.
At the end of my talk I mentioned that I didn't know how to do locktimes in a
scriptless script way and therefore we need this explicit L. I'm happy to say
that this is no longer true. Ethan Heilman pointed out that it is possible to
make a "timelocked signature" that requires grinding through a sequential
proof-of-work to do. This is described here:
He also suggested the locktime should be cancellable and extendable by having
the would-be recipient reveal a key to the sender, but we didn't work out all
the details. If this works then we should be able to get the effect of a
relative lock-time, having indefinitely-open lightning channels, and so forth.
Therefore I revise my proposal again, to remove the explicit locktime, and
have only the fee.
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
"A goose alone, I suppose, can know the loneliness of geese
who can never find their peace,
whether north or south or west or east"
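The revised proposal above has each kernel K sign the challenge H(K || f || L), with L defaulting to the empty string and a flag marking a nontrivial locktime. The following is an added illustration of that binding, not code from the mail or from any Mimblewimble implementation: it builds a textbook Schnorr signature over secp256k1 with the kernel excess as the public key, and shows that a signature made for one fee (and for the empty-L default) fails to verify for a different fee or for a nontrivial locktime. The byte encoding (8-byte fee, a flag byte of 0x00 for "no L" or 0x01 followed by an 8-byte height) and the inclusion of the nonce commitment R in the hash are assumptions made for this example, not details fixed by the proposal.

```python
import hashlib
import secrets

# secp256k1 curve parameters (assumed curve; the mail does not fix one)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def encode_point(p):
    """33-byte compressed encoding of a point."""
    x, y = p
    return bytes([2 + (y & 1)]) + x.to_bytes(32, 'big')


def kernel_message(K, fee, locktime=None):
    """Serialize K || f || L. Encoding is an assumption for this example:
    fee as 8 bytes, then a flag byte 0x00 (L is the empty string) or
    0x01 followed by an 8-byte block height."""
    msg = encode_point(K) + fee.to_bytes(8, 'big')
    if locktime is None:
        return msg + b'\x00'
    return msg + b'\x01' + locktime.to_bytes(8, 'big')


def challenge(R, K, fee, locktime):
    """Schnorr challenge e = H(R || K || f || L) reduced mod N."""
    digest = hashlib.sha256(encode_point(R) + kernel_message(K, fee, locktime)).digest()
    return int.from_bytes(digest, 'big') % N


def sign_kernel(excess_secret, fee, locktime=None):
    """Sign with the kernel's secret excess; returns (K, (R, s))."""
    K = ec_mul(excess_secret, G)
    k = secrets.randbelow(N - 1) + 1          # fresh nonce per signature
    R = ec_mul(k, G)
    e = challenge(R, K, fee, locktime)
    s = (k + e * excess_secret) % N
    return K, (R, s)


def verify_kernel(K, sig, fee, locktime=None):
    """Check s*G == R + e*K for the (fee, locktime) the verifier expects."""
    R, s = sig
    e = challenge(R, K, fee, locktime)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, K))


def fee_and_locktime_binding(excess_secret, fee):
    """Returns (valid_as_signed, other_fee_rejected, nontrivial_L_rejected)."""
    K, sig = sign_kernel(excess_secret, fee)  # signed with the default empty L
    return (
        verify_kernel(K, sig, fee),
        verify_kernel(K, sig, fee + 1),
        verify_kernel(K, sig, fee, locktime=500_000),
    )


if __name__ == "__main__":
    # constructed sample excess; any nonzero scalar below N works
    print(fee_and_locktime_binding(0x1234_5678_9ABC_DEF0, fee=1000))
```

Because f and the flag/L bytes are inside the hashed message, a relayer cannot lower the fee or attach a locktime to a kernel after the fact without invalidating the signature; verification recomputes the message from what actually appears in the transaction.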