
npub1vadcfln4ugt2h9ruwsuwu5vu5am4xaka7pw6m7axy79aqyhp6u5q9knuu7
hex
a1351381b0e27bc34a517ef0ac5e86a342e0ea221df05ccd76bc6bc723bdb746
nevent
nevent1qqs2zdgnsxcwy77rffghau9vt6r2xshqag3pmuzue4mtc678yw7mw3sprpmhxue69uhhyetvv9ujuem4d36kwatvw5hx6mm9qgsxwkuyle67y94tj378gw8w2xw2wa6nwmwlqhddlwnz0z7sztsaw2qn6qnaq
Kind-1 (TextNote)
Citrea, which has been live on mainnet since January, uses basically the entire BitVM stack to create ~ trustless proof of a valid withdrawal.
https://eprint.iacr.org/2025/776
But then it also lets N of N signers just sign off an exit unconditionally? Section 8 of their Clementine bridge protocol paper:
"Optimistic Payout. The protocol we described above guarantees that any peg out is completed even if all Signers are offline and all but one are malicious. However, if all Signers are honest and online, they have some time (in Clementine, it is ≃ 1 hour) to sign an issue a user’s peg out by posting an OptimisticPayout transaction. This transaction resembles the Payout transaction, with only two differences: (i) it spends the output of the MoveToVault transaction, so that the funds given to the user do not come from the Operator, and (ii) there is no OP RETURN output. If no OptimisticPayout transaction appears on-chain within some time, the peg out request is picked up by the Operator and the Clementine continue as described in Section 5. To enable the optimistic payout, Signers must not erase their keys, making the protocol secure against a non-adaptive adversary."
I've spent the last half hour trying to find any discussion of this. It looks like a very bizarre decision as it seems to throw away most advantages over multisig federation control. Notice how the signing keys have to remain essentially hot.
Raw JSON
{
"kind": 1,
"id": "a1351381b0e27bc34a517ef0ac5e86a342e0ea221df05ccd76bc6bc723bdb746",
"pubkey": "675b84fe75e216ab947c7438ee519ca7775376ddf05dadfba6278bd012e1d728",
"created_at": 1777386111,
"tags": [
[
"alt",
"A short note: Citrea, which has been live on mainnet since Janua..."
],
[
"r",
"https://eprint.iacr.org/2025/776"
]
],
"content": "Citrea, which has been live on mainnet since January, uses basically the entire BitVM stack to create ~ trustless proof of a valid withdrawal.\n\nhttps://eprint.iacr.org/2025/776\n\nBut then it also lets N of N signers just sign off an exit unconditionally?. Section 8 of their Clementine bridge protocol paper:\n\n\"Optimistic Payout. The protocol we described above guarantees that any peg out is completed\neven if all Signers are offline and all but one are malicious. However, if all Signers are honest and\nonline, they have some time (in Clementine, it is ≃ 1 hour) to sign an issue a user’s peg out by\nposting an OptimisticPayout transaction. This transaction resembles the Payout transaction, with\nonly two differences: (i) it spends the output of the MoveToVault transaction, so that the funds\ngiven to the user do not come from the Operator, and (ii) there is no OP RETURN output. If no\nOptimisticPayout transaction appears on-chain within some time, the peg out request is picked\nup by the Operator and the Clementine continue as described in Section 5. To enable the optimistic\npayout, Signers must not erase their keys, making the protocol secure against a non-adaptive adversary.\"\n\nI've spent the last half hour trying to find any discussion of this. It looks like a very bizarre decision as it seems to throw away most advantages over multisig federation control. Notice how the signing keys have to remain essentially hot.",
"sig": "9d9d0c0d782180ae4648ea1313c1533196c1c7ec9e737ed4806a46dfc8ace2ccc4f3d9e047d9af702f9857a8dd75c37b44937508066434bde539d37d0c9d180f"
}