I love lightning, but it’s very frustrating at the same time. It’s simply cheaper to use custodians.. and I believe that it isn’t necessary. The crucial part of sovereignty is ability to sign the message. Which doesn’t require any costs. Therefore I believe that there is some way how to make self-custody fast and cheap. And here is my current way of thinking. This approach is kind of naive but maybe there is some potential. Maybe it motivates you to improve it into something even better.

Last mile transactions

💡 Is it possible to use lightning network without the initial funding transaction?
So that on-chain transactions are only used in case of a dispute?

What are the requirements?

Dishonesty must be disadvantageous. Let's try to use the game theory for securing the transfers.

Simple example

Alice owns UTXO with 10 bitcoin
Alice decides to send 1 bitcoin to Bob

Transaction outputs	Alice	Bob	Punishment Fee
Status transaction	9	1	0

It's a normal transaction that Alice or Bob can broadcast. However, to save on fees, they will keep it with them and delay disclosure.

Problems

Alice can create another transaction at any time to send the UTXO to anyone else.
Alice can make similar promise to infinite recipients. But at most one will receive the funds.
Bob may not have time to respond if Alice sends the transaction directly to the miner (or is a miner herself).

1. How to prevent Alice from creating another transaction?

Bob won't be satisfied with a signed transaction with the new status. He'll also want a defense transaction. The defense transaction will use the identical input as the main transaction (10 BTC) and two outputs.

Transaction outputs	Alice	Bob	Punishment Fee
Defense transaction	8	0.5	1.5

If Alice creates a fraudulent transaction, Bob can share a defense transaction. While he will hurt himself a bit (he will only get 0.5 bitcoin instead of 1), he will also punish Alice, who will only get 8 bitcoin instead of 9. This defense transaction will burn most of the funds to pay the miners. This ensures that miners have an incentive to mine this transaction before any other transaction that Alice would have come up with. In theory, Alice could create a higher priority transaction, but she would have to damage herself even more.

Bob has no incentive to use a defense transaction unless he is in danger. Because he has fewer resources in it than in a status transaction.

2. How to prevent Alice from making promises to more people?

Alice will need to disclose information that a given UTXO is partially pledged to a particular bitcoin address. This information can be shared with nodes that would have the assigned counter addresses in addition to a list of valid UTXOs. Or, for example, Alice can share this information via nostr on generally know relay (or more of them).

Bob will only consider a transaction valid if he sees the information shared by Alice through a standardized channel, and at the same time he does not see a similar binding to any other bitcoin address.

If Bob discovers a connection to a another address at any later time, he should immediately post a defense transaction.
Using one UTXO for multiple addresses would require more complex coordination.

3. How to protect yourself against the collaboration of miners?

For miner is economical to mine a defense rather than attack a transaction. However, it is possible that they will not have access to the defense transaction. Miner can communicate proof that he has an attack transaction from Alice. So the Bob is motivated to broadcast the defense transaction.

Problem remains when Alice is able to mine by herself.

Other optional steps:

Alice can send Bob additional funds (up to one half the size of the original UTXO in total)
Bob can send the funds back to Alice
Maybe Bob could pay other people via LN if Bob has open channels

Summary

🟢 Regular bitcoin addresses can be used
🟢 Annyone could accept bitcoin and being connected to Lightning Network non-custodial way without necesity of opening channel fee
🟢 Immediate transactions
🟢 There can be multiple users in a single UTXO channel
⚪ Up to half the size of the UTXO can be used in one channel
⚪ Might be more useful for relatively smaller UTXOs
🟡 All participants must be online to update the transactions
🟡 Risk that the counterparty gets nervous and you both lose part of the funds
🔴 The risk that the counterparty is also a miner and can steal some funds (in case of receiver) or even all the funds (in case o UTXO owner/initial sender)

Managed version is available here

21 sats \ 2 replies \ @fiksn 1 Apr

This is like coming to a business negotiation with a hand granade. "If I suspect you cheat we're both gonna die". I mean it could work in practice but it requires careful tuning of the blast radius so to say.

Always when there is an asymmetry there could be some DoS. Like lots of "Bobs" blackmailing Alice since she has more to lose.

10 sats \ 0 replies \ @hynek OP 2 Apr

I don't know what would be the best use case.. I had in my mind option to offer cheap self-custody to newcomers.

0 sats \ 0 replies \ @Scoresby 1 Apr

This is my concern. Bob has too much power. If Bob is richer than Alice and it is worth it to him to put her out of business he can.

21 sats \ 0 replies \ @DarthCoin 1 Apr freebie

Interesting, I need to read it more and understand the mechanics of this method. Bookmarked. Thank you.

0 sats \ 0 replies \ @hynek OP 8 Apr

I've updated the proposal. See: https://github.com/hynek-jina/Hynek/blob/main/blog/Last%20mile%20transactions.md

0 sats \ 0 replies \ @UCantDoThatDotNet 2 Apr

In combination with a multisig requiring signing by a 3rd party they both agree on, would be almost as good as money orders :D

0 sats \ 0 replies \ @BitcoinIsTheFuture 2 Apr

Um be my own bank and trust no one!

0 sats \ 2 replies \ @fiksn 1 Apr

Simple attack, Bob says hey Alice additionally to the 1 BTC you owe me give me 0.9 BTC off-chain or I will punish you and you will lose another bitcoin. A rational actor would go for that deal but even if not it hurts Alice more. And what can she do: defense always overrides status by definition.

Therefore the network soon runs out of Alices.

0 sats \ 1 reply \ @fiksn 1 Apr

Trick is Bob needs to provably "defuse" defense or else the blackmail won't work.

Which means just a tx with a new input from Alice and new output for Bob beside the original ones. Bob can prepare everything and just give it to Alice to add their 0.9 input and sign. So either he sees the thing confirmed in an hour or so or he broadcasts defense and everything goes boom.

20 sats \ 0 replies \ @hynek OP 2 Apr

I didn't want to go into technical details yet.. but imagine that the defense transaction looks similar to commitment transaction in lightning.

In our example there will be two outputs:

8 BTC for Alice - spendable without restrictions
0.5 BTC for Bob
- Alice can spend immediately if she has some secret from Bob (this way can Bob invalidate this transaction)
- Bob can spend after CSV_delay

0 sats \ 1 reply \ @nout 1 Apr freebie

If I would be a miner I'd provide a service Submit here your defense transaction and we split the punishment fee, which is then a win for Bob and for the miner (but stolen funds from Alice).

In that case the defense transaction may as well go to https://opensats.org/ as that would be imo more trustworthy trusted party than miners :)

Or rather in the case of conflict you would go to some trusted arbiter (agreed on ahead of time) that would get the coins, get some fee and divide the coins back to you based your transaction logs...