
  • catherinekeller
    Participant
    Post count: 0

    Before bitcoin sold off in December last year, Rogoff told last October that estimates of the digital currency would “collapse” amid attempts by governments to regulate the space. In the past, energy consumption estimates typically included an assumption on what machines were still active and how they were distributed, in order to arrive at a certain number of Watts consumed per Gigahash/sec (GH/s). By now you probably know that some of the people that claim to have made millions after investing in Bitcoin managed to make that money because they invested when the price of Bitcoin was still low. So this would really simplify the proposal, but is it really worth it, because it still makes the commitment transactions weakness bigger than if we just spend the MuSig2 output. And there was an idea that instead of using the MuSig2 output, the commitment transaction, actually, the funding output would have both a keypath spend that would be MuSig2, but also a scriptpath spend that would use a plain, normal 2-of-2 multisig, so that all the commitment transactions would use the scriptpath spend.
    Bastien Teinturier: Yeah, I think also one of the reasons we don’t see pinning is that really, it’s harder to pin right now and make it worth your while, because right now, commitment transactions do pay some fees. The main question that we had during the Summit is that there’s work when the current proposal spends the MuSig2 output for both commitment transactions and splices and mutual closes, which means that we have to manage nonce-state, MuSig2 nonce-state in many places, and it’s potentially dangerous because managing those nonces correctly is really important for security. This is the main issue here, in my opinion, where you’re basically holding on extra key material. The four main features of the bitcoin network are a public transaction ledger (in fact a transaction log because it exhibits cryptographically enforced append only properties), a p2p network for p2p transactions and distributed management of the security of the transaction log, a novel inflation controlled whole network mining difficulty allowing the creation of virtual scarce bitcoins, and finally smart contracts. Kassa first heard about Bitcoin in 2013, when his roommate was mining it at Chapman University.
    And we’ve always gone back and forth between those, because we don’t know if we should do a simpler version first and wait for later to do a much more complex version, or if we should just jump to the more complex version right now. And even with that one, I think we’ve ironed out almost all the details, and I think both LND and LDK have a first version, a first prototype that is working almost end-to-end. Bastien Teinturier: Okay, so for now, the first thing we are doing with taproot is just moving the funding transactions, the channel output to use the MuSig2 taproot output. Mike Schmidt: Murch, you good to wrap up this first bullet? Mike Schmidt: The taproot and MuSig2 channel discussion somewhat leads into the updated channel announcement discussion and how gossip protocol would need to be upgraded in order to support moving to P2TR outputs. This way, it’s indistinguishable from any other taproot output, whereas right now, funding outputs are witness script hash of 2-of-2 multisig, which is really easy to distinguish onchain. Because we’ve always been discussing the fact that announcing, having the channel announcement point to a specific onchain output, was quite bad for privacy and that we could probably d<br>t<br>.
    And I’m curious how Lightning engineers are thinking about taproot and MuSig2 related channels and how the audience should think about their nearer term uses in Lightning, in contrast to something that I think a lot of Bitcoin hopefuls are thinking about, https://www.youtube.com which is Point Time Locked Contracts (PTLCs) involving schnorr signatures and adaptor signatures. Anyway, my entire point is that the (fabricated) complexity increased exponentially without much of an increase in practicality and usability. The rest seems okay to me, actually, as far as complexity is concerned. I’d say, to me, I have some experience working. So I think that’s, to me, the biggest red flag. I didn’t think it was too bad, but the one key difference here is that for the payment channels with penalties as currently designed, it’s necessitating that you store these secret nonces forever until channel close. Bastien Teinturier: Sure. So right now, when we announced the channel on the network, we explicitly announced node IDs and the Bitcoin keys that are inside the multisig 2-of-2, and people verified that the output that we are referencing is actually locked with the script hash of multisig 2-of-2 of those two keys, so you can only use it with scripts that really follow the format of Lightning channels without taproot.