{"type":"rich","version":"1.0","title":"ZmnSCPxj [ARCHIVE] wrote","author_name":"ZmnSCPxj [ARCHIVE] (npub1g5…3ms3l)","author_url":"https://yabu.me/npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3l","provider_name":"njump","provider_url":"https://yabu.me","html":"📅 Original date posted: 2020-01-30\n📝 Original message:\nGood morning darosior,\n\n\u003e Hi Lisa and all,\n\u003e\n\u003e Given the discussion about UTXO snooping, I wondered if there were any obvious drawbacks of using a transaction chain construction?\n\u003e\n\u003e Since the obvious target of the probing is the accepter, it seems that the opener needs to at least have something at stake in order to be revealed some of the accepter's utxos.\n\u003e Thus, the opener giving the accepter a signed transaction committed to the channel opening is one way of preventing the opener from probing gratuitously. I was thinking of something like:\n\u003e\n\u003e A is opener, B is accepter.\n\u003e A could sign the first input (and accordingly the 2of2 output) with SIGHASH_SINGLE|SIGHASH_ANYONECANPAY. Unfortunately this doesn't handle A's change, but it can be solved using a chain of transactions.\n\u003e A creates a first transaction txA1:\n\u003e\n\u003e     txA1 (SIGHASH_ALL)\n\u003e      _________________ __________________________\n\u003e     | A's input 1    | A's channel participation |\n\u003e     |----------------|---------------------------\n\u003e     | A's input 2    | A's change                |\n\u003e     |----------------|---------------------------\n\u003e     | A's input n    |\n\u003e     |________________|\n\u003e\n\u003e\n\u003e And then creates/signs the funding transaction out of the first output of txA1:\n\u003e\n\u003e     txA2 (SIGHASH_SINGLE|SIGHASH_ANYONECANPAY)\n\u003e      _________________ _______________\n\u003e     | txA1 vout 0    | 2of2 with B    |\n\u003e     |________________|________________\n\u003e\n\u003e Since txA2 is signed with SINGLE|ANYONECANPAY, B can add inputs to fulfill the value requirement of the 2of2, and add outputs for its own change.\n\u003e\n\u003e This comes at the cost of more setup fees opener-side, but avoids the accepter being gratuitously probed, so this is arguably a far lesser evil.\n\u003e Is there any other downside I'm missing here?\n\nThis is an excellent idea.\nA drawback is that anything that is not `SIGHASH_ALL` sticks out in chain analysis.\nThis is not an issue currently with Lightning since every 2-of-2 is (almost) definitely a Lightning Channel, but future improvements (Schnorr, Taproot) let us get better hiding, so the `SIGHASH_SINGLE | SIGHASH_ANYONECANPAY` is a massive flag.\nAs the point of protecting against this kind of probing is privacy, this is not a perfect privacy solution.\n\n\nWe could also consider PoDLE as used in JoinMarket, which solves a similar problem.\nhttps://gist.github.com/AdamISZ/9cbba5e9408d23813ca8#defence-2-committing-to-a-utxo-in-publicplaintext-at-the-start-of-the-handshake\nBasically, a PoDLE commits to a UTXO, without being trivially grindable from the UTXO set and also including a proof that the creator of the PoDLE knows the secret key behind it.\nIt can later be opened to reveal which UTXO the opener allocated.\nIf the opener aborts (i.e. does not provide its signatures to the funding transaction) then the acceptor can gossip the UTXO and the revealed PoDLE as well to the rest of Lightning, so that the opener at least cannot reuse the same UTXO to probe other potential acceptors.\n(though, to my understanding, there is no clear way to determine *when* we can safely delete old PoDLEs: maybe each node can keep it around for a month, which might be good enough to limit the practical ability of a snoop to probe other nodes)\nI believe JoinMarket also has solved the issue of allowing a UTXO to be used at most N times (for example due to \"honest\" failures, such as connectivity interruptions which might cause an abort of the protocol); I think it involves appending a single byte to something that is hashed, and ensuring its value is less than N, so that it can only be used from 0 to N - 1 (and thus allow a UTXO to be used at most N times).\n\nGetting into contact with waxwing / Adam Gibson for this might be useful to fill out how PoDLE works and so on; basically, I believe this issue is a practically solved problem already for JoinMarket, though waxwing may be able to provide a more nuanced opinion.\n\nRegards,\nZmnSCPxj"}
