MIME-Version: 1.0
From: Antoine Riard <antoine.riard@gmail.com>
Date: Tue, 1 Nov 2022 22:21:59 -0400
Message-ID: <CALZpt+GZAd-vYMzUMicg0c9OyyWExtT5EH61Hms6NNOM19ddZA@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="00000000000004554305ec738234"
Subject: [bitcoin-dev] Solving Multi-Party Flows Pinning with Opt-in
	Full-RBF Spent-nVersion Signaling
Precedence: list

--00000000000004554305ec738234
Content-Type: text/plain; charset="UTF-8"

Hi list,

Reading Suhas's post on mempool policy consistency rules, and the grounded
suggestion that as protocol developers we should work on special policy
rules to support each reasonable use case on the network rather to arbiter
between class of use-cases in the design of an
unified set of rules, reminded me there is another solution to solve
multi-party funding pinning rather than wide deployment of fullrbf. This
was communicated to me a while back, and it was originally dismissed
because of the privacy trade-offs (and potential slight fees overhead
cost). However, if widely adopted, they might sound acceptable to
contracting protocol developers and operators.

## The Problem: Pinning Contracting Protocols Funding Flows with Opt-out
Double-Spend

As originally laid out [0], multi-party collaborative flows
(coinjoin/dual-funding/swaps/splicing/etc), where every participant
contributes at least one input, are suffering from a low-cost and
high-success DoS vector with asymmetric damages. E.g with lightning
interactive transaction construction protocols limits of 252 inputs, 1
single input can bleed the timevalue of the remaining 251 inputs, or engage
in a MEV attack where the fee-bumping entity is lured to inflate feerate
beyond the current blockspace demand. The attack can be hidden and a
posteriori assigning blame consistently stays an open question in the lack
of a consensus mechanism between participants on the network mempools
states.

The issue lies in the fact that participants joining inputs together don't
have control, or even view, of the replacement signaling of any potential
double-spend of the other participants inputs. Indeed the opt-in fullrbf
signaling is enforced based on the nSequence field, and this one is fully
malleable by the UTXO spender. There is no current mechanism to require
replacement signaling provable to a third-party only on the knowledge of
the UTXO spents.

# The Solution: Opt-in Full-Replace-by-Fee Spent-nVersion Signaling

A new policy is specified in a new way a transaction can signal that it is
replaceable.

1. A confirmed transaction is considered to have opted in to allowing
replacement of any of its spends (or their descendants), if the last bit of
the nVersion field is set.

Rational: The future replacement status of any UTXO spend can be determined
by inspecting the nVersion, therefore protecting the collaborative
participants of a multi-party flows that the target transaction should
propagate to the miners, if the fee/feerate offered are the best ones
without opt-out based pinning. It can be required the UTXOs to have few
confirmations in case of shallow reorgs to increase DoS protection.

## Solution trade-offs

On the validation-side, there is one engineering issue, as I think there is
no access to the spent nversion fields by the mempool logic. This would
presume we add some new cache of all the confirmed UTXOs, so ~50M * 4bytes,
300 MB of additional state for policy-enforcing full-nodes. I don't know if
there is another strong drawback, even the reorg logic the replaceable
spends shouldn't be evicted if the confirmed ancestor is back to the
mempool, as mempool validity shouldn't be reevaluated before a replacement
candidate shows up. A fee penalty could be requested for nVersion-signaling
transactions to compensate for the additional state stored by full-node
operators (even if obviously they're not the ones earning the fees).

For the contracting protocols wallets, as you don't know in advance which
coins are going to be used for a collaborative flow, you're better off to
mark all your coins nVersion fields opting fullrbf. Otherwise, you will
have to go through an on-chain fee cost to change the replacement status of
the spends of your coins. However, this policy bookmarking comes as a
protocol fingerprint leak for an observer of the transaction logs. If all
the second-layers used by default, this is constituting a single anonymity
set, though it might still be the privacy gains we're harvesting from
Taproot output usage in the optimistic case (e.g in Lightning no commitment
+ HTLC transactions broadcast).

For the zeroconf operators, assuming they have access to the UTXO set, they
can inspect the receiving transactions ancestors nVersion fields, and sort
those transactions in the wider set of the replaceable ones, as they're
currently doing for BIP125 opt-in ones.

Long-term, the annoying privacy issue and the assumption that any wallet
will be a Lightning one could lead to the majority of wallets signaling RBF
for their spends. Therefore making those wallets incompatible with zeroconf
services, slowly economically outlawing them. From my perspective, though
it might be a simplification, it sounds an alternative full rbf way
forward, where rather than having miners deciding on the policy
enforcement, we let the users decide with their coins. However, this new
policy enforcement efficiency is still dependent on the existence of relay
paths and support at the endpoints that matter, the miner mempools. So in
fine we might have to realize incentive alignment with hashrate is what
matters in terms of transaction-relay rules ?

Credit to Greg Maxwell for this idea.

Cheers,
Antoine

[0]
https://lists.linuxfoundation.org/pipermail/lightning-dev/2021-May/003033.html

--00000000000004554305ec738234
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi list,<br><br>Reading Suhas&#39;s post on mempool p=
olicy consistency rules, and the grounded suggestion that as protocol devel=
opers we should work on special policy rules to support each reasonable use=
 case on the network rather to arbiter between class of use-cases in the de=
sign of an<br>unified set of rules, reminded me there is another solution t=
o solve multi-party funding pinning rather than wide deployment of fullrbf.=
 This was communicated to me a while back, and it was originally dismissed =
because of the privacy trade-offs (and potential slight fees overhead cost)=
. However, if widely adopted, they might sound acceptable to contracting pr=
otocol developers and operators.<br><br>## The Problem: Pinning Contracting=
 Protocols Funding Flows with Opt-out Double-Spend<br><br>As originally lai=
d out [0], multi-party collaborative flows (coinjoin/dual-funding/swaps/spl=
icing/etc), where every participant contributes at least one input, are suf=
fering from a low-cost and high-success DoS vector with asymmetric damages.=
 E.g with lightning interactive transaction construction protocols limits o=
f 252 inputs, 1 single input can bleed the timevalue of the remaining 251 i=
nputs, or engage in a MEV attack where the fee-bumping entity is lured to i=
nflate feerate beyond the current blockspace demand. The attack can be hidd=
en and a posteriori assigning blame consistently stays an open question in =
the lack of a consensus mechanism between participants on the network mempo=
ols states.<br><br>The issue lies in the fact that participants joining inp=
uts together don&#39;t have control, or even view, of the replacement signa=
ling of any potential double-spend of the other participants inputs. Indeed=
 the opt-in fullrbf signaling is enforced based on the nSequence field, and=
 this one is fully malleable by the UTXO spender. There is no current mecha=
nism to require replacement signaling provable to a third-party only on the=
 knowledge of the UTXO spents.<br><br># The Solution: Opt-in Full-Replace-b=
y-Fee Spent-nVersion Signaling<br><br>A new policy is specified in a new wa=
y a transaction can signal that it is replaceable.<br><br>1. A confirmed tr=
ansaction is considered to have opted in to allowing replacement of any of =
its spends (or their descendants), if the last bit of the nVersion field is=
 set.<br><br>Rational: The future replacement status of any UTXO spend can =
be determined by inspecting the nVersion, therefore protecting the collabor=
ative participants of a multi-party flows that the target transaction shoul=
d propagate to the miners, if the fee/feerate offered are the best ones wit=
hout opt-out based pinning. It can be required the UTXOs to have few confir=
mations in case of shallow reorgs to increase DoS protection.<br></div><div=
><br>## Solution trade-offs<br><br>On the validation-side, there is one eng=
ineering issue, as I think there is no access to the spent nversion fields =
by the mempool logic. This would presume we add some new cache of all the c=
onfirmed UTXOs, so ~50M * 4bytes, 300 MB of additional state for policy-enf=
orcing full-nodes. I don&#39;t know if there is another strong drawback, ev=
en the reorg logic the replaceable spends shouldn&#39;t be evicted if the c=
onfirmed ancestor is back to the mempool, as mempool validity shouldn&#39;t=
 be reevaluated before a replacement candidate shows up. A fee penalty coul=
d be requested for nVersion-signaling transactions to compensate for the ad=
ditional state stored by full-node operators (even if obviously they&#39;re=
 not the ones earning the fees).<br><br>For the contracting protocols walle=
ts, as you don&#39;t know in advance which coins are going to be used for a=
 collaborative flow, you&#39;re better off to mark all your coins nVersion =
fields opting fullrbf. Otherwise, you will have to go through an on-chain f=
ee cost to change the replacement status of the spends of your coins. Howev=
er, this policy bookmarking comes as a protocol fingerprint leak for an obs=
erver of the transaction logs. If all the second-layers used by default, th=
is is constituting a single anonymity set, though it might still be the pri=
vacy gains we&#39;re harvesting from Taproot output usage in the optimistic=
 case (e.g in Lightning no commitment + HTLC transactions broadcast).<br><b=
r>For the zeroconf operators, assuming they have access to the UTXO set, th=
ey can inspect the receiving transactions ancestors nVersion fields, and so=
rt those transactions in the wider set of the replaceable ones, as they&#39=
;re currently doing for BIP125 opt-in ones.<br><br>Long-term, the annoying =
privacy issue and the assumption that any wallet will be a Lightning one co=
uld lead to the majority of wallets signaling RBF for their spends. Therefo=
re making those wallets incompatible with zeroconf services, slowly economi=
cally outlawing them. From my perspective, though it might be a simplificat=
ion, it sounds an alternative full rbf way forward, where rather than havin=
g miners deciding on the policy enforcement, we let the users decide with t=
heir coins. However, this new policy enforcement efficiency is still depend=
ent on the existence of relay paths and support at the endpoints that matte=
r, the miner mempools. So in fine we might have to realize incentive alignm=
ent with hashrate is what matters in terms of transaction-relay rules ?<br>=
<br>Credit to Greg Maxwell for this idea.<br><br>Cheers,<br>Antoine<br><br>=
[0] <a href=3D"https://lists.linuxfoundation.org/pipermail/lightning-dev/20=
21-May/003033.html">https://lists.linuxfoundation.org/pipermail/lightning-d=
ev/2021-May/003033.html</a><br></div></div>

--00000000000004554305ec738234--