Anthony Towns [ARCHIVE] on Nostr:
📅 Original date posted:2015-11-27
📝 Original message:
On Fri, Nov 27, 2015 at 04:37:04PM +0900, Nicolas Dorier wrote:
> By adapting an idea from gmaxwell (
> https://bitcointalk.org/index.php?topic=303088.0) it is possible to open a
> channel without suffering from a malleability attack.
> The process for A to open a channel with B is the following:
> * A asks B for a pubkey
> * A creates the first commitment transaction
> * A extracts the hash that B needs to sign to be able to broadcast the
> commitment
> * A asks B to sign the hash, but does not disclose the commitment
> * A broadcasts the anchor
> * After confirmation, A announces the anchor to B.
A also passes the original unsigned commitment to B, who verifies that
it's in the right format (ie, can be revoked), and hashes to the hash
that he signed.
> B can't identify A's anchor before announcement because he does not know
> the P2SH of the multisig.
> Am I missing something?
Someone other than B (ie a third party) could malleate the anchor between
broadcast and confirmation just for their own amusement.
B can't reuse pubkeys between different channels with this protocol
either, but that's good practice anyway.
From the same forum post, using child-pays-for-parent seems plausible.
Doing:
  txA: spend 6 BTC to
       5 BTC to A&B
       1 BTC to A
  txB: spend 1 BTC from txA:1 to
       0.999 BTC to A
should be pretty safe: either someone malleates txA and mines it for
0 fee; or they mine both txA+txB for 0.001 BTC fee, and txA can't be
malleated. But CPFP doesn't work yet, and segregated witness seems like
it'll happen sooner anyway?
Cheers,
aj
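As an added illustration of the exchange discussed above (constructed for this page; it is not code from the thread or from any Lightning implementation), the following toy model walks through the blind-hash channel open and the check aj adds: after the anchor is announced, B confirms that the revealed unsigned commitment spends the announced anchor, is in revocable form, and hashes to the digest B signed. It also shows the third-party case: if the anchor's unsigned bytes are altered before confirmation, the confirmed txid differs from the one the commitment spends, so B's signature stays valid for a commitment that can never be broadcast. Transactions are dicts, txids are double-SHA256 of a JSON serialisation, "signatures" are HMACs standing in for ECDSA, and every name, key and txid is made up.

```python
import copy
import hashlib
import hmac
import json

# Toy model of the blind-signed commitment exchange from the thread. Constructed for
# illustration only: transactions are dicts, txids are double-SHA256 of a JSON
# serialisation, and "signatures" are HMACs standing in for ECDSA. All names are made up.

A_PUB, B_PUB = "pubA", "pubB"
B_SECRET = b"constructed-secret-for-B"
FUNDING_TXID = "11" * 32   # constructed txid of the coins A funds the anchor with


def sha256d(data: bytes) -> str:
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def serialize(tx: dict, with_scriptsigs: bool) -> bytes:
    ins = [{"txid": i["txid"], "vout": i["vout"],
            "scriptsig": i["scriptsig"] if with_scriptsigs else ""} for i in tx["inputs"]]
    return json.dumps({"inputs": ins, "outputs": tx["outputs"]}, sort_keys=True).encode()


def txid(tx: dict) -> str:
    # The txid covers the scriptsigs, so altering an unsigned scriptsig byte changes it.
    return sha256d(serialize(tx, with_scriptsigs=True))


def sighash(tx: dict) -> str:
    # Like SIGHASH_ALL: scriptsigs are excluded, but the txids being spent are committed to.
    return sha256d(serialize(tx, with_scriptsigs=False))


def sign(secret: bytes, digest_hex: str) -> str:
    # HMAC stands in for an ECDSA signature over the digest (constructed stand-in).
    return hmac.new(secret, bytes.fromhex(digest_hex), hashlib.sha256).hexdigest()


def p2sh(script: str) -> str:
    return "p2sh:" + sha256d(script.encode())[:16]


def build_anchor(pub_a: str, pub_b: str, amount: float) -> dict:
    multisig = f"2 {pub_a} {pub_b} 2 OP_CHECKMULTISIG"
    return {"inputs": [{"txid": FUNDING_TXID, "vout": 0, "scriptsig": "sigA-v1"}],
            "outputs": [{"value": amount, "script": p2sh(multisig)}]}


def build_commitment(anchor_txid: str, amount: float, revocation_hash: str) -> dict:
    # Output tagged as revocable so B can check the format without trusting A.
    return {"inputs": [{"txid": anchor_txid, "vout": 0, "scriptsig": ""}],
            "outputs": [{"value": amount,
                         "script": f"revocable:{A_PUB}:{B_PUB}:{revocation_hash}"}]}


def is_revocable(tx: dict) -> bool:
    return all(o["script"].startswith("revocable:") for o in tx["outputs"])


def b_accepts_reveal(signed_hash: str, announced_anchor_txid: str, commitment: dict) -> bool:
    """B's checks once A announces the anchor and hands over the unsigned commitment:
    it spends the announced anchor, it is in revocable form, and it hashes to what B signed."""
    spends_anchor = all(i["txid"] == announced_anchor_txid for i in commitment["inputs"])
    return spends_anchor and is_revocable(commitment) and sighash(commitment) == signed_hash


def run_open(malleated: bool) -> dict:
    """Walk the channel-open steps; `malleated` models a third party altering the
    anchor's unsigned scriptsig bytes between broadcast and confirmation."""
    anchor = build_anchor(A_PUB, B_PUB, 5)
    expected_txid = txid(anchor)
    commitment = build_commitment(expected_txid, 5, "constructed-revocation-hash")
    h = sighash(commitment)            # A sends only this digest to B
    sig_b = sign(B_SECRET, h)          # B signs blind: has seen neither anchor nor commitment
    broadcast = copy.deepcopy(anchor)
    if malleated:
        broadcast["inputs"][0]["scriptsig"] = "sigA-v2"   # same spend, different bytes
    confirmed_txid = txid(broadcast)   # what the chain actually records
    return {
        "expected_txid": expected_txid,
        "confirmed_txid": confirmed_txid,
        # B's signature still matches the commitment's sighash either way...
        "sig_still_valid_for_commitment":
            hmac.compare_digest(sign(B_SECRET, sighash(commitment)), sig_b),
        # ...but B only accepts if the commitment spends the anchor that really confirmed.
        "accepted_by_b": b_accepts_reveal(h, confirmed_txid, commitment),
    }


if __name__ == "__main__":
    for m in (False, True):
        r = run_open(m)
        print("malleated" if m else "clean", "accepted:", r["accepted_by_b"],
              "txid unchanged:", r["expected_txid"] == r["confirmed_txid"])
```

In the clean run B accepts and the expected and confirmed txids agree; in the malleated run the confirmed txid differs, B's blind signature is still a valid signature over the commitment, but that commitment spends an output that never confirmed, which is exactly the stuck-funds outcome the reply warns about and the reason the CPFP or segregated-witness alternatives are raised.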