Return-Path: <pete@petertodd.org>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
 by lists.linuxfoundation.org (Postfix) with ESMTP id C26E5C0032
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sat, 21 Oct 2023 10:31:17 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp2.osuosl.org (Postfix) with ESMTP id 75ACD416B4
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sat, 21 Oct 2023 10:31:17 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 75ACD416B4
Authentication-Results: smtp2.osuosl.org; dkim=pass (2048-bit key,
 unprotected) header.d=messagingengine.com header.i=@messagingengine.com
 header.a=rsa-sha256 header.s=fm3 header.b=mqKMqUY8
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level: 
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Received: from smtp2.osuosl.org ([127.0.0.1])
 by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id C1HGZ9-oaJ6Y
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sat, 21 Oct 2023 10:31:12 +0000 (UTC)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com
 [66.111.4.27])
 by smtp2.osuosl.org (Postfix) with ESMTPS id 91CBE416A4
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sat, 21 Oct 2023 10:31:12 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 91CBE416A4
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46])
 by mailout.nyi.internal (Postfix) with ESMTP id 4C6BB5C0151;
 Sat, 21 Oct 2023 06:31:09 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute2.internal (MEProxy); Sat, 21 Oct 2023 06:31:09 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-type:content-type:date:date
 :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to
 :message-id:mime-version:references:reply-to:sender:subject
 :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
 :x-sasl-enc; s=fm3; t=1697884269; x=1697970669; bh=Z5lYHv42cT18x
 ELdx/yNDK2Ak7bkIe9PTZ1CgQ5MsOU=; b=mqKMqUY8JTNlfzF2t1q/aIYy+kPqM
 kNmVl5qA8smYeZFMF+9FFr3Ve2p5nz7azKMpugWZSrnuL96rH6kBXkQjsO0sbtJs
 YpBUdP2BEtljXBFkBNXVUrlFg61TCYah8R4FfTapwuNUIABrYxHedw1fXC7mfwbm
 ZcybB2PMt+/aHGb5fwCxpIyKkR7bJBspSHHZYVtfHo+syWV6lzBcMBZEth7+jTn1
 1V3KXvWpHvzyi85nFPvV1iJ0Vjqjqz0XwWjT0ddTGO9Gqy/vSJk3O87/MbQOb8vZ
 bfg7DZ/kRTPQ4935jg94Z3K+QSL0toCmmVwgdsk9Q14x2pbUwVBnbSB9A==
X-ME-Sender: <xms:bKgzZezUIPf2ioVE81nLc3ZyGS5dJjCnQ9gro-2GJwCUomEu_tE85w>
 <xme:bKgzZaTMzPH_KTNn1cxIWyJ6gqTaQz3eQ01yYxWSIC6RIxPYUTjhDUxb8Hm9dNPHW
 UFxdc8Py1LjL-Cv2Ug>
X-ME-Received: <xmr:bKgzZQXSnspRJPj3tLs3euE9icFyNVDP4E9lFrnqZ6PuivKuUFhAaAnQ7A>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrkedtgddviecutefuodetggdotefrodftvf
 curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
 uegrihhlohhuthemuceftddtnecunecujfgurhepfffhvfevuffkfhggtggujgesghdtro
 ertddtvdenucfhrhhomheprfgvthgvrhcuvfhougguuceophgvthgvsehpvghtvghrthho
 uggurdhorhhgqeenucggtffrrghtthgvrhhnpedutdffleekiedtfefgteefjefhffeiff
 evleegtdfhueeffeejveeljeekfefhieenucffohhmrghinhepphgvthgvrhhtohguugdr
 ohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe
 hpvghtvgesphgvthgvrhhtohguugdrohhrgh
X-ME-Proxy: <xmx:bKgzZUhWzy0rW4J0_YFN9YqH2v8S_EXJrqkUDAwWsWf__uysjTkchA>
 <xmx:bKgzZQAxcP-41BDqDdY0eaFvTV0HqPbQG8cQw1z7jCjAhLFblCUKlA>
 <xmx:bKgzZVJ5sTvpKVR17Wi2BrnzNa4bYMUBLaZLrB3jCNRVf1-GnXRBvw>
 <xmx:bagzZT-yJLSX52r4qKBG6P5MRVQ7It-Mg0m1wgdnT3v_JL9WO8DHuQ>
Feedback-ID: i525146e8:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat,
 21 Oct 2023 06:31:08 -0400 (EDT)
Received: by localhost (Postfix, from userid 1000)
 id 1BD7A5F86A; Sat, 21 Oct 2023 10:31:05 +0000 (UTC)
Date: Sat, 21 Oct 2023 10:31:05 +0000
From: Peter Todd <pete@petertodd.org>
To: "David A. Harding" <dave@dtrt.org>
Message-ID: <ZTOoadyBiuKnzsgJ@petertodd.org>
References: <CALZpt+GdyfDotdhrrVkjTALg5DbxJyiS8ruO2S7Ggmi9Ra5B9g@mail.gmail.com>
 <ZTMWrJ6DjxtslJBn@petertodd.org>
 <d8227003b4a6065414d32a31a7020a93@dtrt.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="Lqg97VChZWNaQLNt"
Content-Disposition: inline
In-Reply-To: <d8227003b4a6065414d32a31a7020a93@dtrt.org>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
 "lightning-dev@lists.linuxfoundation.org"
 <lightning-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making
 HTLCs Safer by Letting Transactions Expire Safely
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Oct 2023 10:31:17 -0000


--Lqg97VChZWNaQLNt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Oct 20, 2023 at 10:58:32PM -1000, David A. Harding wrote:
> On 2023-10-20 14:09, Peter Todd via bitcoin-dev wrote:
> > The basic problem here is after the HTLC-timeout path becomes spendable,
> > the
> > HTLC-preimage path remains spendable. That's bad, because in this case
> > we want
> > spending the HTLC-preimage - if possible - to have an urgency attached
> > to it to
> > ensure that it happens before the previous HTLC-timeout is mined.
> >=20
> > So, why can't we make the HTLC-preimage path expire?
>=20
> If the goal is to ensure the HTLC-preimage should be mined before an
> upstream HTLC-timeout becomes mineable, then I don't think a consensus
> change is required.  We can just make the HTLC-preimage claimable by anyo=
ne
> some time after the HTLC-timeout becomes mineable.
>=20
> For example, imagine that Alice offers Bob an HTLC with a timeout at block
> t+200.  Bob offers Carol an HTLC with a timeout at block t+100.  The
> Bob-Carol HTLC script looks like this:
>=20
> If
>   # Does someone have the preimage?
>   Hash <digest> EqualVerify
>   If
>     # Carol has the preimage at any time
>     <Carol key> CheckSig
>   Else
>     # Anyone else has the preimage after t+150
>     <t+150> CLTV
>   EndIf
> Else
>   # Bob is allowed a refund after t+100
>   <Bob key> CheckSigVerify
>   <t+100> CLTV
> EndIf
>=20
> In English:
>=20
> - At any time, Carol can spend the output by releasing the preimage
> - After t+100, Bob can spend the output
> - After t+150, anyone with the preimage can spend the output

This is a clever idea. But it doesn't prevent this attack.

Think about it this way: where previously there was one Carol who could per=
form
the replacement cycling attack, with the anyone-can-spend branch the situat=
ion
eventually transforms into a situation where there is an unlimited set of
Carols who can perform the attack and, if they are a miner, benefit from it.

Either way Bob is in a position where they might not learn about the preima=
ge
in time, and thus fail to redeem the received HTLC output.

=46rom Carol's point of view the situation didn't significantly change. Eit=
her
they manage to succesfully spend the offered HTLC output after the redeemed
HTLC output times out. Or they fail. Whether or not that failure happens
because Bob got their refund, or someone else spent the offered HTLC output=
 via
the anyone-can-spend path is not relevant to Carol.


Finally, this solution is inferior to OP_Expire in another important way: t=
he
anyone-can-spend branch represents a strict deadline for Bob too. With
OP_Expire, once HTLC preimage branch has expired, Bob can spend the offered
HTLC output at their leisure, as they are the only party with the ability t=
o do
that (assuming of course that we're talking about a valid commitment
transaction, not an illegitmate revoked once).

> [2] Although miners may want to consider running code that allows them to
> rewrite any malleable transactions to pay themselve

With full-RBF _anyone_ can run that code on behalf of miners, modulo edge c=
ases
where the replacement isn't possible due to the RBF anti-DoS rules. Indeed,
people are apparently already doing this to screw over signature-less ordin=
al
transactions.

--=20
https://petertodd.org 'peter'[:-1]@petertodd.org

--Lqg97VChZWNaQLNt
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0RcYcKRzsEwFZ3N5Lly11TVRLzcFAmUzqGMACgkQLly11TVR
LzdnNg//ZASXljy3w1Pl34linoqQS/fExNLvCWDCMr0zTCrfIeG5umt+YWqTSjJx
WaXf/w8JybyYkl6aHe4Mvd/9EKplBZCX2/d0UmL493GhHwFoWlt+HJxnvZUlTU1p
gAJr3m/cGPIV20C/Hdv78wAfu2ktrtD8StNa6UYYuU06qjAtS5OcTrPXjo7c593e
Nl35FpNmKtxIP9Z7ecOibhDAvDw9K7TkZiIaYH4+XZDG8E0X0KOyeVQjnMClK3Z+
oyEq2E/bwXSqtxdvFAqywICa7fjIDnc3KnO5xgomj4Rz1/HbgXUZeqS3qDxwCPtc
NZJeaurIRFnOc/Rrcvf3Bo1Rr575KwO4OAS8Wis6BJaweW5aVJ8hCBWQfORk1JH5
CEIPQExaX+DYpmUAQN0zJuQ+fdtPDwy3wtySQYTAe9UPD7vQyUEw0dpN67QZJPH4
D6YIYxN2tAUSRVvQQKU9pOCnyxyDlTgkgE3Ci+MotxQEZUePSufpmQIyHiiM8TtV
+eobV7JP0xYtLaMaaqW5peeHtUd4VxKTzh4mmqSYcDakMs2F6N3lTJCzMde3AJrB
urk0f0pkNeZgUX0hS/rtdPimjdh38tBYih2XfoEfEmBABvBuUpjYMMIFBlpe7BNF
nYp3yXUIvJNl6OqgkiW5TmJMXvzQM11oJkQ+Ae4qTV2PEmgM48A=
=+1cE
-----END PGP SIGNATURE-----

--Lqg97VChZWNaQLNt--