Return-Path: Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id EF6E3C000B for ; Mon, 14 Feb 2022 20:29:05 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id D65598186B for ; Mon, 14 Feb 2022 20:29:05 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp1.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ydqTZMIquW_d for ; Mon, 14 Feb 2022 20:29:05 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36]) by smtp1.osuosl.org (Postfix) with ESMTPS id CE7F881836 for ; Mon, 14 Feb 2022 20:29:04 +0000 (UTC) Received: by mail-yb1-xb36.google.com with SMTP id p5so49521444ybd.13 for ; Mon, 14 Feb 2022 12:29:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ogoxxD94MWQ3YIOCf8fTXkvysDjcxhXYfhAql/yneeA=; b=Q6kmPrrU4ohGqsT7lH+Dwou6RdrC037pKEuz/2SY5ZYlLAJ9zx/jzW9MC+0MeqceSj jAzLbWcqRQJZ8gT8dBloIxwMyMVD/4Tgey68Kq3VGrHptu7o0/gPViUFp8Io/nBrj04O x4GYJz9ADneYsRYg2C8jp97yu46IhkemPF6oDtlUxMwTdA9Ftb5UX3JevCn08LMFD7Pw bNnfFbVULwEn/4d1ocn+fwr5lCENSwkadGZRckl/0lV8bBGbikVD1mdnyH3u11ca5dlf AGIIVz79hCanK7dIvk+Gp8sc52u105QOuF6tXNDhjKG7jUHSrjqRbcye8vPtOBsRX2OY NwfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ogoxxD94MWQ3YIOCf8fTXkvysDjcxhXYfhAql/yneeA=; b=74f+kR9mpVsZvOlPp7vuZm7mcNp0wy6DuMzi9g3l4aEHd9CWIsXkVG0LJnZ/Kckx5t hh8HjMZBhAaIniNfZQfwHwzztR7AN5N4vcYLkpI7vFuCxH/6V0vnVYlyHoFLKHHLburE yrDZkC0hE+LzbmfcTeJ2M1TVcUYqP/wiWbInGwUK1/ht1L99O42qIUej6NWLC0kIuCB1 Y1d4k9YDsXrXID5epFMNUT4Iv8rRplm6EkXfCfEBf5fz0x1pyjQiL7jY5hG3TdrJs0gN KcVuRg5C5bh8tP4wTIKxPY6svCGfrFE+sjwmjTyalA+wcHZrpVzIQsk12MgVR0cvRkKf oPfw== X-Gm-Message-State: AOAM5321XoMIpNdfU9fLj0WycNOEXWkXtiXX/wi5szKj4vLhogCiizW1 /nXJKbxetq2kMYFjL+7HDn3jPIoEIl/bdxS9dPjQKu44JKbJmA== X-Google-Smtp-Source: ABdhPJzTCaAp2/TJDSUxhRZmw/iibEErHdSwVCbzhgmvsnPO81abc3xrC1If5s8wGDnBcX9TQ01+uoKetjeX7UQBZ/k= X-Received: by 2002:a05:6902:18c:: with SMTP id t12mr807221ybh.429.1644870543728; Mon, 14 Feb 2022 12:29:03 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: "James O'Beirne" Date: Mon, 14 Feb 2022 15:28:51 -0500 Message-ID: To: Antoine Riard Content-Type: multipart/alternative; boundary="00000000000075e2bf05d80044ca" Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Thoughts on fee bumping X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Feb 2022 20:29:06 -0000 --00000000000075e2bf05d80044ca Content-Type: text/plain; charset="UTF-8" Thanks for your thoughtful reply Antoine. > In a distributed system such as the Bitcoin p2p network, you might > have transaction A and transaction B broadcast at the same time and > your peer topology might fluctuate between original send and > broadcast of the diff, you don't know who's seen what... You might > inefficiently announce diff A on top of B and diff B on top A. We > might leverage set reconciliation there a la Erlay, though likely > with increased round-trips. In the context of fee bumping, I don't see how this is a criticism unique to transaction sponsors, since it also applies to CPFP: if you tried to bump fees for transaction A with child txn B, if some mempool hasn't seen parent A, it will reject B. > Have you heard about SIGHASH_GROUP [0] ? I haven't - I'll spend some time reviewing this. Thanks. > > [me complaining CPFP requires lock-in to keys] > > It's true it requires to pre-specify the fee-bumping key. Though note > the fee-bumping key can be fully separated from the > "vaults"/"channels" set of main keys and hosted on replicated > infrastructure such as watchtowers. This still doesn't address the issue I'm talking about, which is if you pre-commit to some "fee-bumping" key in your CPFP outputs and that key ends up being compromised. This isn't a matter of data availability or redundancy. Note that this failure may be unique to vault use cases, when you're pre-generating potentially large numbers of transactions or covenants that cannot be altered after the fact. If you generate vault txns that assume the use of some key for CPFP-based fee bumping and that key winds up being compromised, that puts you in a an uncomfortable situation: you can no longer bump fees on unvaulting transactions, rendering the vaults possibly unretrievable depending on the fee market. > As a L2 transaction issuer you can't be sure the transaction you wish > to point to is already in the mempool, or have not been replaced by > your counterparty spending the same shared-utxo, either competitively > or maliciously. So as a measure of caution, you should broadcast > sponsor + target transactions in the same package, thus cancelling > the bandwidth saving (I think). As I mentioned in the reply to Matt's message, I'm not quite understanding this idea of wanting to bump the fee for something without knowing what it is; that doesn't make much sense to me. The "bump fee" operation seems contingent on knowing what you want to bump. And if you're, say, trying to broadcast a lightning channel close and you know you need to bump the fee right away, before even broadcasting it, either you're going to - reformulate the txn to bring up the fee rate (e.g. add inputs with some yet-undeployed sighash) as you would have done with RBF, or - you'd have the same "package relay" problem with CPFP that you would with transaction sponsors. So I don't understand the objection here. Also, I didn't mean to discourage existing work on package relay or fixing RBF, which seem clearly important. Maybe I should have noted that explicitly in the original message > I don't think a sponsor is a silver-bullet to solve all the > L2-related mempool issues. It won't solve the most concerning pinning > attacks, as I think the bottleneck is replace-by-fee. Neither solve > the issues encumbered by the L2s by the dust limit. I'm not familiar with the L2 dust-limit issues, and I do think that "fixing" RBF behavior is *probably* worthwhile. Those issues aside, I think the transaction sponsors idea may be closer to a silver bullet than you're giving it credit for, because designing specifically for the fee-management use case has some big benefits. For one, it makes migration easier. That is to say: there is none, whereas there is existing RBF policy that needs consideration. But maybe more importantly, transaction sponsors' limited use case also allows for specifying much more targeted "replacement" policy since sponsors are special-purpose transactions that only exist to dynamically bump feerate. E.g. my SIGHASH_{NONE,SINGLE}|ANYONECANPAY proposal might make complete sense for the sponsors/fee-management use case, and clarify the replacement problem, but obviously wouldn't work for more general transaction replacement. In other words, RBF's general nature might make it a much harder problem to solve well. --00000000000075e2bf05d80044ca Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Thanks for your thoughtful reply Antoine.

> In a= distributed system such as the Bitcoin p2p network, you might
> have= transaction A and transaction B =C2=A0broadcast at the same time and
&g= t; your peer topology might fluctuate between original send and
> bro= adcast of the diff, you don't know who's seen what... You might
= > inefficiently announce diff A on top of B and diff B on top A. We
&= gt; might leverage set reconciliation there a la Erlay, though likely
&g= t; with increased round-trips.

In the context of fee bumping, I don&= #39;t see how this is a criticism
unique to transaction sponsors, since = it also applies to CPFP: if you
tried to bump fees for transaction A wit= h child txn B, if some mempool
hasn't seen parent A, it will reject = B.

> Have you heard about SIGHASH_GROUP [0] ?

I haven= 9;t - I'll spend some time reviewing this. Thanks.

> > [me complaining CPFP requires lock-in to keys]
><= br>
> It's true it requires to pre-specify the fee-bumping key.= Though note
> the fee-bumping key can be fully separated from the> "vaults"/"channels" set of main keys and hosted o= n replicated
> infrastructure such as watchtowers.

This still = doesn't address the issue I'm talking about, which is if you
pre= -commit to some "fee-bumping" key in your CPFP outputs and that k= ey
ends up being compromised. This isn't a matter of data availabili= ty or
redundancy.

Note that this failure may be unique to vault = use cases, when you're
pre-generating potentially large numbers of t= ransactions or covenants
that cannot be altered after the fact. If you g= enerate vault txns that
assume the use of some key for CPFP-based fee bu= mping and that key
winds up being compromised, that puts you in a an unc= omfortable
situation: you can no longer bump fees on unvaulting transact= ions,
rendering the vaults possibly unretrievable depending on the fee m= arket.

> As a L2 transaction issuer you can't be sure the tra= nsaction you wish
> to point to is already in the mempool, or have no= t been replaced by
> your counterparty spending the same shared-utxo,= either competitively
> or maliciously. So as a measure of caution, y= ou should broadcast
> sponsor + target transactions in the same packa= ge, thus cancelling
> the bandwidth saving (I think).

As I men= tioned in the reply to Matt's message, I'm not quite
understandi= ng this idea of wanting to bump the fee for something
without knowi= ng what it is; that doesn't make much sense to me.
The &= quot;bump fee" operation seems contingent on knowing
wha= t you want to bump.

And if you're, say, trying to broadcas= t a lightning channel close and
you know you need to bump the fee right = away, before even broadcasting
it, either you're going to

- r= eformulate the txn to bring up the fee rate (e.g. add inputs
=C2=A0 with= some yet-undeployed sighash) as you would have done with RBF, or

- = you'd have the same "package relay" problem with CPFP that yo= u
=C2=A0 would with transaction sponsors.

So I don't understa= nd the objection here.

Also, I didn't mean to discourage existin= g work on package relay or
fixing RBF, which seem clearly important. May= be I should have noted
that explicitly in the original message

&g= t; I don't think a sponsor is a silver-bullet to solve all the
> = L2-related mempool issues. It won't solve the most concerning pinning> attacks, as I think the bottleneck is replace-by-fee. Neither solve<= br>> the issues encumbered by the L2s by the dust limit.

I'm = not familiar with the L2 dust-limit issues, and I do think that
"fi= xing" RBF behavior is *probably* worthwhile. Those issues aside, I
=
think the transaction sponsors idea may be closer to a silver bullet <= br>
than you're giving it credit for, because designing speci= fically for the
fee-management use case has some big benefits.
=
For one, it makes migration easier. That is to say: there is none,
w= hereas there is existing RBF policy that needs consideration.

But m= aybe more importantly, transaction sponsors' limited use case also
a= llows for specifying much more targeted "replacement" policy sinc= e
sponsors are special-purpose transactions that only exist to
dynami= cally bump feerate. E.g. my SIGHASH_{NONE,SINGLE}|ANYONECANPAY
proposal = might make complete sense for the sponsors/fee-management use
case, and = clarify the replacement problem, but obviously wouldn't work
for mor= e general transaction replacement. In other words, RBF's
general nat= ure might make it a much harder problem to solve well.
--00000000000075e2bf05d80044ca--