Bastien Teinturier: Sure. So right now, when we announce a channel on the network, we explicitly announce the node IDs and the Bitcoin keys that are inside the 2-of-2 multisig, and people verify that the output we are referencing is actually locked with the script hash of the 2-of-2 multisig of those two keys, so you can only use it with scripts that really follow the format of Lightning channels without taproot. There's no serialization format, and there are strong recommendations against not doing this, right?

There's another one that's much simpler that just lets you add another secret and add an additional round trip between the recipient and the sender, and this is the same thing as a stepless payment.

And they're going to be tweaked at every hop, which means that even if you have multiple nodes that are on the path of the same payment, it's not going to be the payment hash; you're going to see a different point, a different secret, in both nodes.

So, if you want to learn more about that topic, it's not too long, something like an hour or so, walking through all the details of that proposal. We had a great podcast out in the Chaincode podcast, where we talked to Elle Mouton and Oliver Gugger about simple taproot channels, which basically is this proposal. Maybe, t-bast, you can give an overview of why the current gossip protocol is incompatible with taproot and MuSig2 channels, and what the different options were that were discussed during the meeting about how to upgrade it.

Mike Schmidt: The taproot and MuSig2 channel discussion somewhat leads into the updated channel announcement discussion and how the gossip protocol would need to be upgraded in order to support moving to P2TR outputs.

Mike Schmidt: Murch or t-bast, any other comments on taproot and MuSig2 channels?

But I don't think we'll allow you to have any kind of multiplier, because one of the other ideas was that you could also just announce some UTXOs that you own, with the proof that you own them, with a total value of, for example, 2 bitcoin, and then that would grant you the ability to announce up to X times that in channels without having to point to any specific onchain output.

So right now, the way channels are announced, it has to be a specific 2-of-2 multisig that looks exactly like LN-penalty channels. And we've always gone back and forth between those, because we don't know if we should do a simpler version first and wait for later to do a much more complex version, or if we should just jump to the more complex version right now. So a first version of PTLC will not have redundant overpayment, in my opinion, because there are different ways that could be achieved, and they have different trade-offs that need to be explored a bit more. So, those have just not been thoroughly explored, and I don't think there's a real solution for that yet.

So once you split it, there's a risk. You have more risk that one of those shards will not get to the recipient because there's a buggy node somewhere in the middle.

For LN-Symmetry, I didn't have to pull this around because there's no penalties, so I just, in memory, hold these nonces and then complete signatures just in time.

So, unless there are obvious timing, amount, and expiry values that let you know that this is actually the same payment, at least the cryptography of the secrets that are shared will not let you correlate those two payments.

Those are the two I know of.

What are PTLCs, what are redundant overpayments, and why are these two being discussed together?

Mike Schmidt: The next section from the Summit discussed PTLCs and redundant overpayments.

Bastien Teinturier: Okay, so PTLCs are a change that is allowed by taproot and adaptor signatures.

So, we need to change that, because we need to allow taproot, which means allowing also input, especially if we use MuSig2; we don't want to reveal the internal keys. So, you can point at any output that has sufficient funds to have basically funded that channel; I assume that means enough or more.