Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 43972C0032; Mon, 13 Nov 2023 02:18:30 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 175364016C; Mon, 13 Nov 2023 02:18:30 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 175364016C Authentication-Results: smtp2.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=kkPIcqpV X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hjvrjusWZpGp; Mon, 13 Nov 2023 02:18:28 +0000 (UTC) Received: from mail-il1-x12a.google.com (mail-il1-x12a.google.com [IPv6:2607:f8b0:4864:20::12a]) by smtp2.osuosl.org (Postfix) with ESMTPS id 1AC4840102; Mon, 13 Nov 2023 02:18:28 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 1AC4840102 Received: by mail-il1-x12a.google.com with SMTP id e9e14a558f8ab-3594cb642beso16396565ab.3; Sun, 12 Nov 2023 18:18:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699841907; x=1700446707; darn=lists.linuxfoundation.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vmCnxqrzD/uYw+qAwCeYqnPqkuGdKFX9IxEfTghPdyo=; b=kkPIcqpVCjyB8YiXnI6gCTPir8+4qG1rRonU8Fu2GdiUnYW7bJZHiYk1sGVpSxUsbR mjx9UgMHRpsIO/LqSWs266ooH6Tc9oYGyNY+na9MDBEA+EkJ3DDu5vW2yz03MtByvFik VTavWH0YKEJDtIGN10u3Zn7sAPSySEwGXznGO5UNnBc2JnrObtJx3qQ/QSSoNAUhvYns vaxneVxXBmM8mADYC8sp3sECox9tlrhjDNMN60H+pHpmHbj3Gy0xlrhLfngZM4VWF0aD QwxJZsq0VFklgXLNsQF2aR2+IdMoyvKuizAdaXWLdsqvOkjCZUzHgipol/dvzgVx/BrV 45dQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699841907; x=1700446707; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vmCnxqrzD/uYw+qAwCeYqnPqkuGdKFX9IxEfTghPdyo=; b=MPR9d6YuC+X1BaBO57aDq7NWcG6XiOtP72uFhEJl9km2VujDhfBsWqHaOou0GnrUA6 ZG+SAcnxrvrkT4WiGO4duvcpNBPJ4NHar3L8TZxoKdwM9K9E5Y58uh++Vga6FYstRv36 i0Eb3BQJvED8q6c2jCiLEQDCnIxBKXXz4OhAeTJitfUB6UZrH/QWZ+9hpq186wGx0SV+ BoFso58BuDUCssqWOXLhjOK95yJ689CYXjn2D4fTUtiZea/wZvz86qLU1V9MMKbAazgG dYsSWCZchpSvpo0PC0Y2WC0Ed7QgrgzLV94FU1sBZPBD1UORHUaZM95gueRR0EDKl6xr uecQ== X-Gm-Message-State: AOJu0YxAPBWvukZL/BfU2NqbjLBSqTJ5n/zuWInzZGcFmtut+yiXZtw9 trcLEvP4z4UqVNd+DeuV9LZtsyjVMjCQ7wjELp4= X-Google-Smtp-Source: AGHT+IEGL32SJoht3HB73yCdkxUNbnR6p7IY8A+Xc895w3ZNWf7XA9Sx8r9diLonYZ38jpb/hx1agYB4f4+3HejQVmk= X-Received: by 2002:a05:6e02:20c5:b0:359:47b9:7bef with SMTP id 5-20020a056e0220c500b0035947b97befmr7980892ilq.1.1699841907035; Sun, 12 Nov 2023 18:18:27 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Antoine Riard Date: Mon, 13 Nov 2023 02:18:16 +0000 Message-ID: To: Peter Todd Content-Type: multipart/alternative; boundary="0000000000000b13670609ff49e6" X-Mailman-Approved-At: Mon, 13 Nov 2023 10:19:55 +0000 Cc: Bitcoin Protocol Discussion , security@ariard.me, "lightning-dev\\\\@lists.linuxfoundation.org" Subject: Re: [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Nov 2023 02:18:30 -0000 --0000000000000b13670609ff49e6 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Your two latest mails. > The problem that OP_Expire aims to solve is the fact that Carol could prevent > Bob from learning about the preimage in time, while still getting a chance to > use the preimage herself. OP_Expire thoroughly solves that problem by ensuring > that the preimage is either broadcast in the blockchain in a timely fashion, or > becomes useless. I respectfully disagree - There is a more general underlying issue for outdated states in multi-party off-chain constructions, where any "revoked" or "updated" consensus-valid state can be used to jam the latest off-chain agreed-on, through techniques like replacement cycling or pinning. > My suggestion of pre-signing RBF replacements, without anchor outputs, and with > all outputs rendered unspendable with 1 CSV, is clearly superior: there are > zero degrees of freedom to the attacker, other than the possibility of > increasing the fee paid or broadcasting a revoked commitment. The latter of > course risks the other party punishing the fraud. Assuming the max RBF replacement is pre-signed at 200 sats / vb, with commitment transaction of ~268 vbytes and at least one second-stage HTLC transaction of ~175 vbytes including witness size, a channel counterparty must keep at worst a fee-bumping reserve of 35 268 sats, whatever payment value. As of today, any payment under $13 has to become trimmed HTLCs. Trimmed HTLCs are coming with their own wormhole of issues, notably making them a target to be stolen by low-hashrate capabilities attackers [0]. [0] https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-May/002714.h= tml > This does have the practical problem that a set of refund transactions will > also need to be signed for each fee variant. But, eg, signing 10x of each isn't > so burdensome. And in the future that problem could be avoided with > SIGHASH_NOINPUT, or replacing the pre-signed refund transaction mechanism with > a covenant. I think if you wish to be safe against fees griefing games between counterparties, both counterparties have to maintain their own fee-bumping reserves, which make channel usage less capital efficient, rather than being drawn from a common reserve. > Using RBF rather than CPFP with package relay also has the advantage of being > more efficient, as no blockspace needs to be consumed by the anchor outputs or > transactions spending them. Of course, there are special circumstances where > BIP125 rules can cause CPFP to be cheaper. But we can easily fix that, eg by > reducing the replacement relay fee, or by delta-encoding transaction updates. It is left as an exercise to the reader how to break the RBF approach for LN channels as proposed. > As SIGHASH_NOINPUT is desirable for LN-Symmetry, a softfork containing both it > and OP_Expire could make sense. I think there is one obvious issue of pre-signing RBF replacements combined with LN-symmetry, namely every state has to pre-commit to fee values attached and such states might spend each other in chain. So now you would need `max-rbf-replacement` * `max-theoretical-number-of-states` of fee-bumping reserves unless you can pipe fee value with some covenant magic, I think. > In existing anchor output transactions, this type of attack wouldn't work as > when broadcasting the transaction, Alice would be spending her anchor output, > which Bob can't double spend. However Bob can double-spend Alice's commitment transaction with his own commitment transaction and a CPFP, as long as it's a better ancestor feerate and absolute fee package, then double-spend his own CPFP. Which is exactly what my test is doing so I don't think your statement of saying this type of advanced replacement cycling attack wouldn't work isn't correct. Best, Antoine Le mer. 8 nov. 2023 =C3=A0 02:06, Peter Todd a =C3=A9c= rit : > On Wed, Nov 08, 2023 at 12:51:31AM +0000, Peter Todd via bitcoin-dev wrot= e: > > > In a post-package relay world, I think this is possible. And that > > > replacement cycling attacks are breaking future dynamic fee-bumping o= f > > > pre-signed transactions concerns me a lot. > > > > Well the answer here is pretty clear: v3 package relay with anchors is > broken. > > BTW a subtlety of this that may not be obvious is that in v3 package rela= y, > with zero value outputs, the outputs must be spent in the same package. > Thus > _unlike_ existing anchor-using transactions, there would be only one anch= or > output on the commitment transaction. > > In existing anchor output transactions, this type of attack wouldn't work > as > when broadcasting the transaction, Alice would be spending her anchor > output, > which Bob can't double spend. But that doesn't work in v3, which intends = to > limit UTXO growth by requiring that anchors be spent in the same package. > Thus > unlike existing anchor outputs, an anchor would be truly a OP_1 output > without > a signature, and thus belong to either Alice nor Bob uniquely. > > -- > https://petertodd.org 'peter'[:-1]@petertodd.org > --0000000000000b13670609ff49e6 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Your two latest mails.

> The problem= that OP_Expire aims to solve is the fact that Carol could prevent
> = Bob from learning about the preimage in time, while still getting a chance = to
> use the preimage herself. OP_Expire thoroughly solves that probl= em by ensuring
> that the preimage is either broadcast in the blockch= ain in a timely fashion, or
> becomes useless.

I respectfully disagree - There is a more general underlying issue f= or outdated states in multi-party off-chain constructions, where any "= revoked" or "updated" consensus-valid state can be used to j= am the latest off-chain agreed-on, through techniques like replacement cycl= ing or pinning.

> My suggestion of pre-signing = RBF replacements, without anchor outputs, and with
> all outputs rend= ered unspendable with 1 CSV, is clearly superior: there are
> zero de= grees of freedom to the attacker, other than the possibility of
> inc= reasing the fee paid or broadcasting a revoked commitment. The latter of> course risks the other party punishing the fraud.

<= /div>
Assuming the max RBF replacement is pre-signed at 200 sats / vb, = with commitment transaction of ~268 vbytes and at least one second-stage HT= LC transaction of ~175 vbytes including witness size, a channel counterpart= y must keep at worst a fee-bumping reserve of 35 268 sats, whatever payment= value. As of today, any payment under $13 has to become trimmed HTLCs. Tri= mmed HTLCs are coming with their own wormhole of issues, notably making the= m a target to be stolen by low-hashrate capabilities attackers [0].


>= This does have the practical problem that a set of refund transactions wil= l
> also need to be signed for each fee variant. But, eg, signing 1= 0x of each isn't
> so burdensome. And in the future that problem = could be avoided with
> SIGHASH_NOINPUT, or replacing the pre-signed = refund transaction mechanism with
> a covenant.

I = think if you wish to be safe against fees griefing games between counterpar= ties, both counterparties have to maintain their own fee-bumping reserves, = which make channel usage less capital efficient, rather than being drawn fr= om a common reserve.

> Using RBF rather than CP= FP with package relay also has the advantage of being
> more efficien= t, as no blockspace needs to be consumed by the anchor outputs or
> t= ransactions spending them. Of course, there are special circumstances where=
> BIP125 rules can cause CPFP to be cheaper. But we can easily fix t= hat, eg by
> reducing the replacement relay fee, or by delta-encoding= transaction updates.

It is left as an exercis= e to the reader how to break the RBF approach for LN channels as proposed.<= /div>

> As SIGHASH_NOINPUT is desirable for LN-Symmet= ry, a softfork containing both it
> and OP_Expire could make sense.

I think there is one obvious issue of pre-signi= ng RBF replacements combined with LN-symmetry, namely every state has to pr= e-commit to fee values attached and such states might spend each other in c= hain. So now you would need `max-rbf-replacement` * =C2=A0`max-theoretical-= number-of-states` of fee-bumping reserves unless you can pipe fee value wit= h some covenant magic, I think.

> In existing a= nchor output transactions, this type of attack wouldn't work as
>= when broadcasting the transaction, Alice would be spending her anchor outp= ut,
> which Bob can't double spend.

= However Bob can double-spend Alice's commitment transaction with his ow= n commitment transaction and a CPFP, as long as it's a better ancestor = feerate and absolute fee package, then double-spend his own CPFP. Which is = exactly what my test is doing so I don't think your statement of saying= this type of advanced replacement cycling attack wouldn't work isn'= ;t correct.

Best,
Antoine
Le=C2=A0m= er. 8 nov. 2023 =C3=A0=C2=A002:06, Peter Todd <pete@petertodd.org> a =C3=A9crit=C2=A0:
On Wed, Nov 08, 2023 at 12:51:31AM +0000, Peter Todd via bitcoin= -dev wrote:
> > In a post-package relay world, I think this is possible. And that=
> > replacement cycling attacks are breaking future dynamic fee-bumpi= ng of
> > pre-signed transactions concerns me a lot.
>
> Well the answer here is pretty clear: v3 package relay with anchors is= broken.

BTW a subtlety of this that may not be obvious is that in v3 package relay,=
with zero value outputs, the outputs must be spent in the same package. Thu= s
_unlike_ existing anchor-using transactions, there would be only one anchor=
output on the commitment transaction.

In existing anchor output transactions, this type of attack wouldn't wo= rk as
when broadcasting the transaction, Alice would be spending her anchor outpu= t,
which Bob can't double spend. But that doesn't work in v3, which in= tends to
limit UTXO growth by requiring that anchors be spent in the same package. T= hus
unlike existing anchor outputs, an anchor would be truly a OP_1 output with= out
a signature, and thus belong to either Alice nor Bob uniquely.

--
http= s://petertodd.org 'peter'[:-1]@petertodd.org
--0000000000000b13670609ff49e6--