NUT-XX: Offline Spilman (unidirectional) channel #296
Conversation
|
.. based on various ideas from multiple people in this Nostr thread: https://iris.to/note1es2eewq59msy3espdxn24s6y04vlz6987t6yrwr3jxvwr33aahyqvjm2qn |
XX.md
Outdated
| Alice shall prepare one proof for every other power of 2: 2-millisats, 4-millisats, 8-millisats, ..., up to some pre-agreed maximum. | ||
| The total value of all those proofs is the channel capacity and is the maximum amount that Alice can send to Bob through this channel | ||
|
|
||
| Bob can verify all of these proofs with the mint, before going offline. |
There was a problem hiding this comment.
Perhaps Bob doesn't need to check with the mint before going offline if Bob maintains a redeemed stack, because bob can verify that the proofs are locked to his pub key, that they were signed by the mint and that Bob hasn't redeemed them yet.
There was a problem hiding this comment.
because bob can verify that the proofs are locked to his pub key, that they were signed by the min
I think I agree. Do you mean this offline check that Bob can do via Nut-12?
https://github.com/cashubtc/nuts/blob/main/12.md
I don't understand that fully yet myself
There was a problem hiding this comment.
Indeed, based on the following LLM summary of NUT-12, it seems to be the right tool for the job. I didn't realize this is so involved. I just assumed anyone would be able to verify that proofs are signed by the mint.. Happy to try to understand it together next time we cowork :)
Previously, only the mint itself could verify its own signatures. NUT-12 introduces DLEQ proofs, which allow users like Alice (who interacts with the mint) and Carol (who receives ecash from Alice) to verify that the mint (Bob) used the correct private key for signing.
The core idea is to prove that the private key used to create the mint's public key (A) is the same private key used to sign a blinded message (B').
|
I haven't had chance to read through properly yet, but in general Cashu terms, "Bob" is usually the mint. "Alice" and "Carol" would be peers. You might consider changing to keep the mental model clean and prevent misunderstandings? EDIT: This concept is very cool, BTW! |
|
Good point, I'll change that when I have time to go over this again in more details. So Alice and Carol have a channel, and Bob is the mint I've had success implementing it, and found lots of interesting implementations challenges. Some mints don't support everything correctly. Some mints only have partial support for P2PK; they don't support SIG_ALL and they don't seem to support locktime correctly either. So I'll likely include details on the support needed if and when I get a chance to overhaul this proposal based on what I learned coding it up I made a tool to check which mints support various P2PK features that we need: Youtube and Github
|
Nice tool! The The mint auditor is quite useful to cross reference the flavor / version software the mint is using: I also saw your video processing thousands of sats per second. Love it!! |
SatsAndSports
changed the title
|
Big rewrite, primarily for the new deterministic-output-to-1-of-1-P2PK scheme. Also, trying to bring more clarity and (hopefully) proving how little work Bob needs to do when Alice opens a channel and makes a payment to him without any input from him I see there are other comments here that I haven't responded to yet! I'll try to check them now |
Yes indeed. In fact, the precise details of the sig_all message is changing (https://github.com/cashubtc/nuts/pull/302/files). So hopefully, we can get
Ah yes! Even before thinking about this channel idea, I was thinking that the auditor should check many different usage patterns. A mint operator could set up their system to behave flawlessly with the auditor's usages, but rug everybody when the user deviates from what is covered by the auditor 😀
Thanks! I'm kinda thinking of integrating it with some basic realistic use-case, like a streaming video where cashu must be paid to keep the stream going. But that's for slightly later |
For now, I'm sticking with Alice and Bob, as I find it convenient to be able to use 'his' and 'hers' without ambiguity. |
Charlie works great - the only well established names are Alice (consumer) and Bob (Mint). Having a "Charlie" so you can refer to his and hers is a great idea, |
SatsAndSports
force-pushed
the
offline-spillman-channel
branch
from
25ba950 to
546e728
Compare
|
Fees (I link to here from the Description) I think there are four different policies that we could have to deal with fees. But really only two of them are, I think, of interest Imagine:
Q: What is the 'capacity' of this channel? Which of those four numbers SatsAndSports: I currently think the capacity is 100, primarily because that's the easiest to code up. But maybe that's not the right motivation! An alternative is to say that it's 98, as that's the maximum value that Bob can extract. (Well actually, he could extract 99, if his wallet is intelligent enough to store his deterministic P2PK proofs as-is) |
3 participants
Update: 2025-11-17: big rewrite. Less discussion, more details, deterministic outputs
With this NUT, Alice and Bob can - using any mint supporting P2PK (NUT-11) - set up a channel where, once this 'cashu channel' is opened, Alice can decrease her own balance and increase Bob's balance. After each update, Bob can verify the new balance without needing to contact the mint for every update of the balance.
This allows a very large number (billions) of balance updates, where each update may be very small (millisat), but with only using a small number (dozens) of proofs prepared in advance.