Published on: 2015-11-27T21:46:34+00:00
Nicolas Dorier and AJ discuss a protocol for creating a Bitcoin channel between two parties, A and B. The process involves A sending an unsigned commitment to B, who verifies that it is in the correct format and hashes to the hash that he signed. However, there is a concern that if A passes the unsigned commitment to B before the anchor is confirmed in the blockchain, B can malleate the anchor. To address this, it is suggested that the step of passing the commitment to B should happen after the anchor is confirmed and A has informed B about the anchor.The issue of pubkeys and redeem hashes being reused between different channels is also discussed. It is noted that if A reuses a key, B can guess the redeem hash and identify the transaction to malleate at broadcast time, before A's announcement. However, B will be providing a signature for a transaction that has the anchor as input and a single refund output payable to (A && OP_CSV) | (B && OP_HASH OP_EQUALVERIFY). B will not be able to guess the hash, so won't be able to correlate with potential anchor transactions.There are concerns raised about random vandalism, but opening the channel as described is considered a good enough workaround until segregated witness is implemented. It is also mentioned that B won't be able to guess the hash, so won't be able to correlate with potential anchor transactions.Nicolas Dorier proposes a method to open a payment channel without being vulnerable to malleability attacks. This idea is adapted from gmaxwell. The process involves A asking B for their public key, creating the first commitment transaction, extracting the hash that B needs to sign, asking B to sign the hash, and then broadcasting the anchor only after confirmation. It is emphasized that neither A nor B should reuse public keys between channels, which is considered good practice. It is also mentioned that child-pays-for-parent does not work yet, and segregated witness is expected to be implemented sooner.The email thread discusses a way to open a channel without suffering from malleability attacks. The process involves A asking B for their public key, creating the first commitment transaction, extracting the hash that B needs to sign, asking B to sign the hash without disclosing the commitment, broadcasting the anchor after confirmation, and then announcing the anchor to B. Some concerns are raised regarding the process, including the fact that "without timeout" is only possible with OP_CSV and the need for B to be sure that A cannot get her money back in the future. It is also mentioned that the current setup protects against targeted attacks but leaves a chance for someone to lose money.Nicolas Dorier suggests a method to open channels without being vulnerable to malleability attacks by adapting an idea from gmaxwell. The process involves A asking B for their public key, creating the first commitment transaction, extracting the hash that B needs to sign, asking B to sign the hash without disclosing the commitment, broadcasting the anchor, and after confirmation, announcing the anchor to B. However, there is a potential risk for someone other than B to malleate the anchor between broadcast and confirmation. It is noted that B cannot identify A's anchor before announcement because they do not know the P2SH of the multisig. Additionally, B cannot reuse pubkeys between different channels with this protocol. Child-pays-for-parent (CPFP) is considered as a potential solution, but it does not work yet. Segregated witness is seen as a more likely solution.In summary, a new method of opening a channel without suffering from a malleability attack has been adapted from an idea by gmaxwell. The process involves A asking B for their pubkey, creating the first commitment transaction, extracting the hash that B needs to sign, asking B to sign the hash without disclosing the commitment, broadcasting the anchor, and after confirmation, announcing the anchor to B. There are concerns about potential malleability attacks and the reuse of pubkeys between different channels. It is mentioned that child-pays-for-parent does not work yet and segregated witness is expected to be implemented sooner.
Updated on: 2023-07-31T18:42:07.956676+00:00