The Bitcoin Optech newsletter provides readers with a top-level summary of the most important technical news happening in Bitcoin, along with resources that help them learn more. To help our readers stay up-to-date with Bitcoin, we’re republishing the latest issue of this newsletter below. Remember to subscribe to receive this content straight to your inbox.

This week’s newsletter summarizes a discussion about the dust limit and includes our regular sections with descriptions of changes to services and client software, how you can prepare for taproot, new releases and release candidates, and notable changes to popular Bitcoin infrastructure software.

News

• Dust limit discussion: Bitcoin Core and other node software refuses by default to relay or mine any transaction with an output value below a certain amount, the dust limit (the exact amount varies by output type). This makes it more difficult for users to create uneconomical outputs—UTXOs that would cost more in fees to spend that they hold in value.This week, Jeremy Rubin posted to the Bitcoin-Dev mailing list a five-point argument for removing the dust limit and stated a belief that the reason for the limit is to prevent “spam” and “dust fingerprint attacks”. Others replied with counterarguments and noted that the limit exists not to prevent spam but to prevent users from permanently wasting the resources of full node operators by creating UTXOs that the users will have no financial incentive to ever spend. Parts of the discussion also described the impact of both the dust limit and uneconomical outputs on parts of LN.As of this writing, it did not appear any agreement was likely to be reached. At least for the short term, we expect the dust limit to remain.

Changes to services and client software

In this monthly feature, we highlight interesting updates to Bitcoin wallets and services.

• Spark Lightning Wallet adds BOLT12 support: The v0.3.0rc release of Spark adds partial support for BOLT12’s offers.

• Blockstream announces non-custodial LN cloud service, Greenlight: In a recent blog post, Blockstream details their hosted C-Lightning-nodes-in-the-cloud service that separates node operation (Blockstream) from the control of the funds held by the node (user). Sphinx and Lastbitboth currently use the Greenlight service.

• BitGo announces native segwit change outputs: Noting segwit’s adoption crossing the 75% milestone, BitGo’s blog post announces an update in their default change outputs shifting from P2SH-wrapped to native segwit outputs.

• Blockstream Green desktop 0.1.10 released: The 0.1.10 version adds segwit-by-default single-sig wallets and manual coin selection features.

Preparing for taproot #9: signature adaptors

A weekly series about how developers and service providers can prepare for the upcoming activation of taproot at block height 709,632.

Imagine someone offers to donate 1,000 BTC to a particular charity if anyone can guess that person’s favorite very large number. An easy way for the donor to do this is to create an unsigned transaction paying the 1,000 BTC and then publish an encrypted copy of their signature for the transaction, with the favorite number being the decryption key.

In theory, anyone who guesses the number can decrypt the signature and then broadcast the transaction, paying the charity. But if the donor uses a standard encryption scheme like AES, there’s no easy way for third parties to know before decryption that the signature is actually valid for that transaction. Anyone who wants to put effort into number guessing has to trust that the donor is sincere and not a troll.

Let’s extend this problem a bit further. Third parties Alice and Bob want to bet on whether or not the signature is revealed. They could perhaps ask the signer for the hash of the signature and use that as the hash in an HTLC function, but that again requires trusting the donor to act honestly. Even if the signature was eventually revealed, the donor could sabotage Alice and Bob’s contract by giving them an incorrect hash.

Adaptor magic

Signature adaptors, also commonly called adaptor signatures and one-time verifiably encrypted signatures, are a solution to these problems—and to many other problems actually faced today in production systems built on Bitcoin. Although usable with Bitcoin’s existing ECDSA signature scheme, it’s much easier to use adaptors privately and costlessly in combination with the BIP340implementation of schnorr signatures for taproot. Let’s see how our example above changes if we use adaptors.

As before, the donor prepares a 1,000 BTC transaction. They sign in almost the normal way, with the one difference being that they essentially generate their nonce in two parts: a true random nonce that they will forever keep secret, and their favorite number—which they’ll initially keep secret but which is safe for other people to discover. The donor generates a fully valid signature using both of these values, adding them together as if they were a single nonce.

BIP340 signature commitments use the nonce in two forms: a numeric representation (called a scalar), which normally only the signer knows, and as a point on the Elliptic Curve (EC), which is published to enable verification.

The donor takes the commitment part of their valid signature and subtracts out the hidden scalar. This makes the signature incomplete (and thus invalid) but allows the donor to share the (invalid) signature commitment, the (valid) point for the complete nonce, and the (valid) point for the hidden number. Together these three pieces of information are a signature adaptor.

Using a slight variant on the BIP340 signature verification algorithm, anyone can verify that the signature adaptor would provide a valid signature if the hidden scalar was simply added back in to the (currently invalid) signature commitment. This is possible to verify even without knowing what that hidden number is. In short, it is now possible for users to trustlessly begin making guesses about the value of hidden scalar, secure in the knowledge that a correct guess will allow them to get the signature and send the transaction.

Like everyone else who received the donor’s signature adaptor, Alice and Bob now have a copy of the EC point for the hidden number. Also like everyone else, they don’t know the actual scalar. But, if you recall, all the donor did to turn their valid signature into an invalid signature is subtract out the hidden number from their signature commitment while continuing to have the signature commit to the point of the hidden number. Alice can just as easily create an invalid signature by not committing to the scalar she doesn’t know but still committing to the EC point she does know. She does this by creating her own nonce pair, using the private form when creating her (invalid) signature but commiting to the aggregation of the public form of her nonce and the EC point from the donor’s signature adaptor. This produces a signature adaptor for a transaction that pays Bob. If Bob learns the scalar, he can convert that adaptor into a valid signature and send the transaction, winning the bet.

But how does Bob learn the winning number? Does he have to wait for someone else who guesses it to publish a press release? Nope. Recall one more time that the signature adaptor the donor published was their actual signature minus the scalar. When the hidden number is discovered and somebody sends the 1,000 BTC transaction, they must publish the original (valid) signature commitment. Bob can take that (valid) signature commitment and subtract from it the (invalid) signature commitment in the original signature adaptor to get the scalar. He then uses that scalar to convert Alice’s adaptor into a valid signature.

Multisignature adaptors

The previous section shows individual users modifying how they create their signatures to produce signature adaptors. It’s also possible for the parties to a multisignature to use the same trick. That’s extraordinarily useful, as many cases where signature adaptors will be used require the cooperation of two users.

For example, when Alice and Bob make the bet above, they might start by depositing funds into a script only spendable by a multisignature between them. Then Alice can produce her partial signature in the form of a signature adaptor; if Bob learns the hidden number, he can transform Alice’s adaptor into her valid partial signature and then provide his partial signature to produce a full signature spending the money.

This gives signature adaptors all the same advantages of multisignatures in general: they look like and use the same amount of space as a single signature, minimizing fees and maximizing privacy and fungibility.

In next week’s preparing for taproot column, we’ll explore one of the main ways we expect to see signature adaptors used: Point Time Locked Contracts (PTLCs), an upgrade for the venerable Hash Time Lock Contracts (HTLCs) used extensively in LN, coinswaps, and a number of other protocols.

Releases and release candidates

New releases and release candidates for popular Bitcoin infrastructure projects. Please consider upgrading to new releases or helping to test release candidates.

• Bitcoin Core 22.0rc2 is a release candidate for the next major version of this full node implementation and its associated wallet and other software. Major changes in this new version include support for I2P connections, removal of support for version 2 Tor connections, and enhanced support for hardware wallets.

• Bitcoin Core 0.21.2rc1 is a release candidate for a maintenace version of Bitcoin Core. It contains several bug fixes and small improvements.

Notable code and documentation changes

Notable changes this week in Bitcoin Core, C-Lightning, Eclair, LND, Rust-Lightning, libsecp256k1, Hardware Wallet Interface (HWI), Rust Bitcoin, BTCPay Server, Bitcoin Improvement Proposals (BIPs), and Lightning BOLTs.

• Bitcoin Core #22642 updates Bitcoin Core’s release process for upcoming version 22.0 to concatenate the GPG signatures of everyone who reproducibly built the binaries into a single file which can be batch verified (example). Signatures from deterministic builders have been available for years, but this should make them more accessible and also reduce the existing dependency on the project’s lead maintainer signing the release binaries.

• Bitcoin Core #21800 implements ancestor and descendant limits for mempool package acceptance. Bitcoin Core limits the number of related transactions in its mempool as a protection against DoS attacks and so that block construction is tractable for miners. By default, those limitsensure that no transaction in the mempool, combined with its mempool ancestors, can exceed 25 transactions or 101KvB in weight. The same rules apply to the transaction combined with its mempool descendants.Those ancestor and descendant limits are enforced when a transaction is considered for addition to the mempool. If adding the transaction would cause one of the limits to be exceeded, then the transaction is rejected. Although package semantics have not been finalized, #21800 implements ancestor and descendant limit checks for validating arbitrary packages (i.e. when multiple transactions are considered for addition to the mempool at the same time). Mempool package acceptance was implemented for testing only in #20833, and will eventually be exposed over the p2p network as part of package relay.

• Bitcoin Core #21500 updates the listdescriptors RPC with a private parameter that, when set, will return the private form of each descriptor. The private form contains any known private keys or extended private keys (xprvs), allowing this updated command to be used to backup the wallet.

• Rust-Lightning #1009 adds a max_dust_htlc_exposure_msat channel configuration option which limits the total balance of pending “dusty HTLCs” whose amounts are below the dust limit.This change is in preparation for a proposed option_dusty_htlcs_uncounted feature bit, which advertises that the node does not wish to count “dusty HTLCs” against max_accepted_htlcs. Node operators would likely want to adopt this feature bit sincemax_accepted_htlcs is mainly used to limit the potential size of the onchain transaction if a force-close were to happen and “dusty HTLCs” are unclaimable onchain and would never affect the final transaction size.The newly added max_dust_htlc_exposure_msat channel configuration option ensures that even when option_dusty_htlcs_uncounted is turned on, users can still limit the total balance of “dusty HTLCs” as this balance would be lost as fees to miners in a force-close.

Find the original post here.

Please subscribe to the Bitcoin Optech newsletter directly to receive this content straight to your inbox every month.

The Bitcoin Optech newsletter provides readers with a top-level summary of the most important technical news happening in Bitcoin, along with resources that help them learn more. To help our readers stay up-to-date with Bitcoin, we’re republishing the latest issue of this newsletter below. Remember to subscribe to receive this content straight to your inbox.

This week’s newsletter describes a proposal to change Bitcoin Core’s transaction selection algorithm for miner block templates to slightly increase miner profitability and give fee bumping users more collective leverage. Also included are our regular sections describing software releases and release candidates, plus notable changes to popular Bitcoin infrastructure software.

News

• Candidate Set Based (CSB) block template construction: Mark Erhardt posted to the Bitcoin-Dev mailing list about an analysis he and Clara Shikhelman performed on an alternative transaction selection algorithm for miners. Bitcoin’s consensus rules enforce that no transaction can be included in a block unless all of its unconfirmed ancestors are also included earlier in that same block. Bitcoin Core addresses this constraint by treating each transaction with unconfirmed ancestors as if it contained both the fees and the size of those ancestors. For example, if transaction B depends on unconfirmed transaction A, then Bitcoin Core adds together the fees paid by both transactions and divides them by the combined size of both transactions. This allows Bitcoin Core to fairly compare all transactions in the mempool based on their effective feerate whether or not those transactions have any ancestors.However, Erhardt and Shikhelman note that a more sophisticated algorithm that may require a bit more CPU can find sets of related transactions that are even more profitable to mine than Bitcoin Core’s existing simple algorithm. The authors tested their algorithm on historic mempool data and found that it would’ve collected slightly more fees than Bitcoin Core’s existing algorithm in almost all recent blocks.If implemented and used by miners, the improved algorithm could allow multiple users who each received an output from a large coinjoin or batched payment to each pay a small part of the total fee necessary to CPFP fee bump that coinjoin or payment. That would be an improvement over the current case where each user’s CPFP fee bump is considered independently and multiple related fee bumps may not have an aggregate effect on whether an ancestor transaction is mined.

Release And Release Candidates

New releases and release candidates for popular Bitcoin infrastructure projects. Please consider upgrading to new releases or helping to test release candidates.

• HWI 2.0.2 is a minor release that adds support for message signing with the BitBox02, always uses h instead of ' to indicated BIP32 paths with hardened derivation, and includes several bug fixes.

• LND 0.13.0-beta.rc3 is a release candidate that adds support for using a pruned Bitcoin full node, allows receiving and sending payments using Atomic MultiPath (AMP), and increases its PSBT capabilities, among other improvements and bug fixes.

Notable Code And Documentation Changes

Notable changes this week in Bitcoin Core, C-Lightning, Eclair, LND, Rust-Lightning, libsecp256k1, Hardware Wallet Interface (HWI), Rust Bitcoin, BTCPay Server, Bitcoin Improvement Proposals (BIPs), and Lightning BOLTs.

• Bitcoin Core #20833 is the first PR in an effort to implement mempool package acceptance in Bitcoin Core. This change allows the testmempoolaccept RPC to accept multiple transactions where later transactions may be descended from earlier transactions. Future PRs may enable testing L2 transaction chains, submitting transaction packages directly to the mempool through RPCs and communicating packages over the P2P network.

• Bitcoin Core #22017 updates the code signing certificate used for Windows releases after the previous certificate was revoked by its issuer without them providing an explicit reason. Several recent releases of Bitcoin Core might be re-released with slightly different version numbers so that their Windows binaries can use this certificate.

• Bitcoin Core #18418 increases the maximum number of UTXOs received to the same address that will be spent simultaneously if the avoid_reuse wallet flag is set. The more outputs that are spent together, the higher the fee might be relative to a wallet with default flags but, also, the less likely it becomes that third parties will be able to identify the user’s later transactions.

• C-Lightning #4501 adds JSON schemas for the output of roughly half of C-Lightning’s current commands (with schemas for the other half planned to be added in the future). Output produced during a run of C-Lightning’s test suite is validated against the schemas to ensure consistency. The schemas are also used to automatically generate C-Lightning’s documentation about what output each command produces.

• LND #5025 adds basic support for using signet. Of the other LN implementations tracked by Optech, C-Lightning also has support for signet (see Newsletter #117).

• LND #5155 adds a configuration option to randomly select which wallet UTXOs to spend in a transaction; this reduces UTXO fragmentation in the wallet over time. By contrast, the default coin selection algorithm in LND spends higher value UTXOs before lower value UTXOs; this minimizes fees in the short term but may result in needing to pay higher fees in the future when all inputs near the size of a transaction, or larger, have already been spent.

• BOLTs #672 updates BOLT2 to allow nodes to negotiate a option_shutdown_anysegwit option which, if set, allows LN closing transactions to be able to pay any segwit script version, including script types that don’t yet have consensus meaning on the network, such as addresses for taproot.

• BOLTs #872 updates BOLT3’s use of BIP69 to specify in more detail the sort order to use for commitment transaction inputs and outputs. One commentator points out that the use of BIP69 has so far caused three separate problems that may have led to accidental channel closures and small amounts of funds lost to unnecessary onchain fees. The commentator suggests that this is another reason to migrate away from explicit use of BIP69 (for other reasons, see Newsletter #19).

Find the original post here.

Please subscribe to the Bitcoin Optech newsletter directly to receive this content straight to your inbox every month.