summaryrefslogtreecommitdiff
path: root/4a/ed0fecd8868ca9f3011df3f944cd937f27b3f2
blob: 95913195660cf0402a1946b3737cefe31826eda7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
Return-Path: <gloriajzhao@gmail.com>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 1C35EC002D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 17 May 2022 16:01:21 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp4.osuosl.org (Postfix) with ESMTP id 00FA041A3F
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 17 May 2022 16:01:21 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: smtp4.osuosl.org (amavisd-new);
 dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp4.osuosl.org ([127.0.0.1])
 by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 2IB12HWNTfcM
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 17 May 2022 16:01:17 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com
 [IPv6:2607:f8b0:4864:20::112a])
 by smtp4.osuosl.org (Postfix) with ESMTPS id 93C8641A3A
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 17 May 2022 16:01:17 +0000 (UTC)
Received: by mail-yw1-x112a.google.com with SMTP id
 00721157ae682-2f16645872fso192112827b3.4
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 17 May 2022 09:01:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=mime-version:from:date:message-id:subject:to;
 bh=TY+9zgJI5Pod05IFCcKGjqQQ0wq3xXORiymrFSz9AUg=;
 b=AgHHLZmVewiOyzMoBURqTNqyDNWjmUiNveo+Q7TtrBGNqJguZoLdzloxzJUCj3yBN+
 RoSIX/ozCgRBH9JDjkOSWvW0IB2mzLhAT93PvSINak5CI1waZzzVLlEJY48/D+yTRr+u
 iFrRs1GICYZ261hUy6rTBnrkdoNqZ6qbyZd3L108vN9UxS3FYPXYaVCbNz8EOy/bLW2I
 NllWiOtJ152Uxp+eNAafxGOvgbY4BSnjQLe6eUg81mQdKt3/lPKnrEgE3L25SU59A1XJ
 l/GgKOnei/fHq+vK7+GpKXfj6VPlPu6U9os6kYqVEctrc4UgGqSKmKk/CBi2eZ45y/cP
 Iejg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
 bh=TY+9zgJI5Pod05IFCcKGjqQQ0wq3xXORiymrFSz9AUg=;
 b=ZYR2W46jupPoTtsWjv6eXVbcaWd7WmlzKqhjvlECoswr9plka/XL2iMXsV2U9Kvnk8
 JxDYhHQ5wGBCGJN927G4BZn88Hj8BtuBCKN3antqKpoy/H6TqWacGf7F6KHRUcAs7GdF
 RkFUp7YTzlC57qyeDqhrxemZNI5H8EoSOBSp+x0s3om9Mb4SJPHJoGVndRCmXMCx519C
 e5W2HLz5wltnjQoMHt/mkVuzaoksNXBMRWp8vtcafOkFPGoyfBNqTtpwvnHClg0QoQfw
 DIOBsZh0S+6tt4a9m3nhouuhfE4dRWc9Vnxde7EUd43K14TX0z3yvhJNuDiDn/v9GUwY
 F8JA==
X-Gm-Message-State: AOAM530TayVHlGxo8ad6yV0ZpaIOVu0kvvgMoAcKwspMpGS11FY/DW7C
 ApKqBGynprbQv3MnXGa+91XWKDvad1uUDY/ZsPc4TAB6IZU=
X-Google-Smtp-Source: ABdhPJzJdsEonBBdjB944QI/4Byja3uD74BIMY0UyWm03ejReE/tVEL7VWqnaaFfv6QQW1k813XeC/m5lbd/0g9U9FU=
X-Received: by 2002:a0d:cfc5:0:b0:2dc:48db:dda1 with SMTP id
 r188-20020a0dcfc5000000b002dc48dbdda1mr26423275ywd.83.1652803274770; Tue, 17
 May 2022 09:01:14 -0700 (PDT)
MIME-Version: 1.0
From: Gloria Zhao <gloriajzhao@gmail.com>
Date: Tue, 17 May 2022 12:01:04 -0400
Message-ID: <CAFXO6=JROe_9ih2h+_CCH-UbxehsM5RQ6YyNnPesEpveBEtdow@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000138de305df37406e"
X-Mailman-Approved-At: Tue, 17 May 2022 16:09:20 +0000
Subject: [bitcoin-dev] Package Relay Proposal
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 17 May 2022 16:01:21 -0000

--000000000000138de305df37406e
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi everybody,

I=E2=80=99m writing to propose a set of p2p protocol changes to enable pack=
age
relay, soliciting feedback on the design and approach. Here is a link
to the most up-to-date proposal:

https://github.com/bitcoin/bips/pull/1324

If you have concept or approach feedback, *please respond on the
mailing list* to allow everybody to view and participate in the
discussion. If you find a typo or inaccurate wording, please feel free
to leave suggestions on the PR.

I=E2=80=99m also working on an implementation for Bitcoin Core.


The rest of this post will include the same contents as the proposal,
with a bit of reordering and additional context. If you are not 100%
up-to-date on package relay and find the proposal hard to follow, I
hope you find this format more informative and persuasive.


=3D=3DBackground and Motivation=3D=3D

Users may create and broadcast transactions that depend upon, i.e.
spend outputs of, unconfirmed transactions. A =E2=80=9Cpackage=E2=80=9D is =
the
widely-used term for a group of transactions representable by a
connected Directed Acyclic Graph (where a directed edge exists between
a transaction that spends the output of another transaction).

Incentive-compatible mempool and miner policies help create a fair,
fee-based market for block space. While miners maximize transaction
fees in order to earn higher block rewards, non-mining users
participating in transaction relay reap many benefits from employing
policies that result in a mempool with the same contents, including
faster compact block relay and more accurate fee estimation.
Additionally, users may take advantage of mempool and miner policy to
bump the priority of their transactions by attaching high-fee
descendants (Child Pays for Parent or CPFP).  Only considering
transactions one at a time for submission to the mempool creates a
limitation in the node's ability to determine which transactions have
the highest feerates, since it cannot take into account descendants
until all the transactions are in the mempool. Similarly, it cannot
use a transaction's descendants when considering which of two
conflicting transactions to keep (Replace by Fee or RBF).

When a user's transaction does not meet a mempool's minimum feerate
and they cannot create a replacement transaction directly, their
transaction will simply be rejected by this mempool. They also cannot
attach a descendant to pay for replacing a conflicting transaction.
This limitation harms users' ability to fee-bump their transactions.
Further, it presents a security issue in contracting protocols which
rely on **presigned**, time-sensitive transactions to prevent cheating
(HTLC-Timeout in LN Penalty [1] [2] [3], Unvault Cancel in Revault
[4], Refund Transaction in Discreet Log Contracts [5], Updates in
eltoo [6]). In other words, a key security assumption of many
contracting protocols is that all parties can propagate and confirm
transactions in a timely manner.

In the past few years, increasing attention [0][1][2][3][6] has been
brought to **pinning attacks**, a type of censorship in which the
attacker uses mempool policy restrictions to prevent a transaction
from being relayed or getting mined.  TLDR: revocation transactions
must meet a certain confirmation target to be effective, but their
feerates are negotiated well ahead of broadcast time. If the
forecasted feerate was too low and no fee-bumping options are
available, attackers can steal money from their counterparties. I walk
through a concrete example for stealing Lightning HTLC outputs at
~23:58 in this talk [7][8].  Note that most attacks are only possible
when the market for blockspace at broadcast time  demands much higher
feerates than originally anticipated at signing time. Always
overestimating fees may sidestep this issue temporarily (while mempool
traffic is low and predictable), but this solution is not foolproof
and wastes users' money. The feerate market can change due to sudden
spikes in traffic (e.g. huge 12sat/vB dump a few days ago [9]) or
sustained, high volume of Bitcoin payments (e.g.  April 2021 and
December 2017).

The best solution is to enable nodes to consider packages of
transactions as a unit, e.g. one or more low-fee parent transactions
with a high-fee child, instead of separately. A package-aware mempool
policy can help determine if it would actually be economically
rational to accept a transaction to the mempool if it doesn't meet fee
requirements individually. Network-wide adoption of these policies
would create a more purely-feerate-based market for block space and
allow contracting protocols to adjust fees (and therefore mining
priority) at broadcast time.  Some support for packages has existed in
Bitcoin Core for years. Since v0.13, Bitcoin Core has used ancestor
packages instead of individual transactions to evaluate the incentive
compatibility of transactions in the mempool [10] and select them for
inclusion in blocks [11].

Package Relay, the concept of {announcing, requesting, downloading}
packages between nodes on the p2p network, has also been discussed for
many years. The earliest public mention I can find is from 2015 [12].
The two most common use cases for package relay are fee-bumping
otherwise-too-low-fee transactions and reducing the amount of orphans.
It seems uncontroversial to say that everybody desires package relay
conceptually, with varying degrees of urgency. Lots of work has been
done by others over the past few years, from which I've taken
inspiration from [13][14][15][16].

My approach has been to split the project into two components: (1) Package
Mempool Accept, which includes validation logic and mempool policy.
(3) Package Relay, which includes the p2p protocol changes.

Progress so far:
After discussions with various developers of contracting protocols
(with heavier emphasis towards LN), it was determined that a
package containing a child with all of its unconfirmed parents
(child-with-unconfirmed-parents or 1-child-multi-parent package) would
be sufficient for their use case, i.e. fee-bumping presigned
transactions. A child-with-unconfirmed-parents package has several
properties that make many things easier to reason about.

A few months ago, I proposed a set of policies for safe package
validation and fee assessment for packages of this restricted
topology [17]. A series of PRs implementing this proposal have
been merged into Bitcoin Core [18].

Theoretically, developing a safe and incentive-compatible package
mempool acceptance policy is sufficient to solve this issue. Nodes
could opportunistically accept packages (e.g. by trying combinations
of transactions rejected from their mempools), but this practice would
likely be inefficient at best and open new Denial of Service attacks
at worst. Additional p2p messages may enable nodes to request and
share package validation-related information with one another in a
more communication-efficient way.

Given that only package RBF remains for package mempool accept, and we
can make progress on p2p and mempool in parallel, I think it=E2=80=99s
appropriate to put forward a package relay proposal.

=3D=3DProposal=3D=3D

This proposal contains 2 components: a =E2=80=9Cgeneric=E2=80=9D package re=
lay
protocol and an extension of it, child-with-unconfirmed-parents
packages, as version 1 package relay. Another version of packages,
=E2=80=9Ctx-with-unconfirmed-ancestors=E2=80=9D can be created to extend pa=
ckage relay
for eliminating orphans.

=3D=3D=3DGeneric Package Relay=3D=3D=3D

Two main ideas are introduced:

Download and validate packages of transactions together.

Provide information to help peers decide whether to request and/or how
to validate transactions which are part of a package.

=3D=3D=3D=3DIntended Protocol Flow=3D=3D=3D=3D

Due to the asynchronous nature of a distributed transaction relay
network, nodes may not receive all of the information needed to
validate a transaction at once. For example, after a node completes
Initial Block Download (IBD) and first starts participating in
transaction relay with an empty mempool, it is common to receive
orphans. In such scenarios where a node is aware that it is missing
information, a ''receiver-initiated'' dialogue is appropriate:

1. Receiver requests package information.

2. The sender provides package information, including the wtxids of
   the transactions in the package and anything else that might be
relevant (e.g. total fees and size).

3. The reciever uses the package information to decide how to request
   and validate the transactions.

Sometimes, no matter what order transactions are received by a node,
validating them individually is insufficient. When the sender is aware
of additional information that the receiver needs to accept a package,
a proactive ''sender-initiated'' dialogue should be enabled:

1. Sender announces they have package information pertaining to a
   transaction that might otherwise be undesired on its own.

2. The receiver requests package information.

3. The sender provides package information, including the wtxids of
   the transactions in the package and anything else that might be
relevant (e.g. total fees and size).

4. The reciever uses the package information to decide how to request
   and validate the transactions.

Package relay is negotiated between two peers during the version
handshake. Package relay requires both peers to support wtxid-based
relay because package transactions are referenced by their wtxid.

=3D=3D=3D=3DNew Messages=3D=3D=3D=3D

Three new protocol messages are added for use in any version of
package relay. Additionally, each version of package relay must define
its own inv type and "pckginfo" message version, referred to in this
document as "MSG_PCKG" and "pckginfo" respectively. See
BIP-v1-packages for a concrete example.

=3D=3D=3D=3D=3Dsendpackages=3D=3D=3D=3D=3D

{|
|  Field Name  ||  Type  ||  Size  ||  Purpose
|-
|version || uint32_t || 4 || Denotes a package version supported by the
node.
|-
|max_count || uint32_t || 4 ||Specifies the maximum number of transactions
per package this node is
willing to accept.
|-
|max_weight || uint32_t || 4 ||Specifies the maximum total weight per
package this node is willing
to accept.
|-
|}

1. The "sendpackages" message has the structure defined above, with
   pchCommand =3D=3D "sendpackages".

2. During version handshake, nodes should send a "sendpackages"
   message indicate they support package relay and may request
packages.

3. The message should contain a version supported by the node. Nodes
   should send a "sendpackages" message for each version they support.

4. The "sendpackages" message MUST be sent before sending a "verack"
   message. If a "sendpackages" message is received afer "verack", the
sender should be disconnected.

5. If 'fRelay=3D=3Dfalse' in a peer's version message, the node must not
   send "sendpackages" to them. If a "sendpackages" message is
received by a peer after sending `fRelay=3D=3Dfalse` in their version
message, the sender should be disconnected.

6.. Upon receipt of a "sendpackages" message with a version that is
not supported, a node must treat the peer as if it never received the
message.

7. If both peers send "wtxidrelay" and "sendpackages" with the same
   version, the peers should announce, request, and send package
information to each other.

=3D=3D=3D=3D=3Dgetpckgtxns=3D=3D=3D=3D=3D

{|
|  Field Name  ||  Type  ||  Size  ||   Purpose
|-
|txns_length||CompactSize||1 or 3 bytes|| The number of transactions
requested.
|-
|txns||List of wtxids||txns_length * 32|| The wtxids of each transaction in
the package.
|}

1. The "getpckgtxns" message has the structure defined above, with
   pchCommand =3D=3D "getpckgtxns".

2. A "getpckgtxns" message should be used to request all or some of
   the transactions previously announced in a "pckginfo" message,
specified by witness transactiosome id.

3. Upon receipt of a "getpckgtxns" message, a node must respond with
   either a "pckgtxns" containing the requested transactions or a
"notfound" message indicating one or more of the transactions is
unavailable. This allows the receiver to avoid downloading and storing
transactions that cannot be validated immediately.

4. A "getpckgtxns" message should only be sent if both peers agreed to
   send packages in the version handshake. If a "getpckgtxns" message
is received from a peer with which package relay was not negotiated,
the sender should be disconnected.

=3D=3D=3D=3D=3Dpckgtxns=3D=3D=3D=3D=3D

{|
|  Field Name  ||  Type  ||  Size  ||   Purpose
|-
|txns_length||CompactSize||1 or 3 bytes|| The number of transactions
provided.
|-
|txns||List of transactions||variable|| The transactions in the package.
|}

1. The "pckgtxns" message has the structure defined above, with
   pchCommand =3D=3D "pckgtxns".

2. A "pckgtxns" message should contain the transaction data requested
   using "getpckgtxns".

3. A "pckgtxns" message should only be sent to a peer that requested
   the package using "getpckgtxns". If a node receives an unsolicited
package, the sender should be disconnected.

4. A "pckgtxns" message should only be sent if both peers agreed to
   send packages in the version handshake. If a "pckgtxns" message is
received from a peer with which package relay was not negotiated, the
sender should be disconnected.

=3D=3D=3DVersion 1 Packages: child-with-unconfirmed-parents=3D=3D=3D

This extends package relay for packages consisting of one transaction
and all of its unconfirmed parents,by defining version 1 packages, a
pckginfo1 message, and a MSG_PCKG1 inv type. It enables the use case
in which a child pays for its otherwise-too-low-fee parents and their
mempool conflict(s).

=3D=3D=3D=3DIntended Protocol Flow=3D=3D=3D=3D

When relaying a package of low-fee parent(s) and high-fee child, the
sender and receiver do the following:

1. Sender announces they have a child-with-unconfirmed-parents package
   for a child that pays for otherwise-too-low-fee parent(s) using
"inv(MSG_PCKG1)".

2. The receiver requests package information using
   "getdata(MSG_PCKG1)".

3. The sender provides package information using "pckginfo1",
   including the blockhash of the sender's best block, the wtxids of
the transactions in the package, their total fees and total weight.

4. The reciever uses the package information to decide how to request
   the transactions. For example, if the receiver already has some of
the transactions in their mempool, they only request the missing ones.
They could also decide not to request the package at all based on the
fee information provided.

5. Upon receiving a "pckgtxns", the receiver submits the transactions
   together as a package.

=3D=3D=3D=3DNew Messages=3D=3D=3D=3D

A new inv type, "MSG_PCKG1", and new protocol message, "PCKGINFO1",
are added.

=3D=3D=3D=3D=3Dpckginfo1=3D=3D=3D=3D=3D

{|
|  Field Name  ||  Type  ||  Size  ||   Purpose
|-
|blockhash || uint256 || 32 || The chain tip at which this package is
defined.
|-
|pckg_fee||CAmount||4|| The sum total fees paid by all transactions in the
package.
|-
|pckg_weight||int64_t||8|| The sum total weight of all transactions in the
package.
|-
|txns_length||CompactSize||1 or 3 bytes|| The number of transactions
provided.
|-
|txns||List of wtxids||txns_length * 32|| The wtxids of each transaction in
the package.
|}


1. The "pckginfo1" message has the structure defined above, with
   pchCommand =3D=3D "pckginfo1".

2. A "pckginfo1" message contains information about a version 1
   package (defined below), referenced by the wtxid of the transaction
it pertains to and the current blockhash.

3. Upon receipt of a "pckginfo1" message, the node should decide if it
   wants to validate the package, request transaction data if
necessary, etc.

4. Upon receipt of a malformed "pckginfo1" message or package that
   does not abide by the max_count, max_weight, or other rules
specified by the version agreed upon in the initial negotiation, the
sender should be disconnected.  If a node receives a "pckginfo1"
message for which the "pckg_fee" or "pckg_weight" do not reflect the
true total fees and weight, respectively, or the transactions in the
package, the message is malformed.

5. A node MUST NOT send a "pckginfo1" message that has not been
   requested by the recipient. Upon receipt of an unsolicited
"pckginfo1", a node should disconnect the sender.

6. A "pckginfo1" message should only be sent if both peers agreed to
   send version 1 packages in the version handshake. If a "pckginfo1"
message is received from a peer with which package relay was not
negotiated, the sender should be disconnected.

=3D=3D=3D=3D=3DMSG_PCKG1=3D=3D=3D=3D=3D

1. A new inv type (MSG_PCKG1 =3D=3D 0x6) is added, for use in inv messages
   and getdata requests pertaining to version 1 packages.

2. As an inv type, it indicates that both transaction data and version
   1 package information are available for the transaction. The
transaction is referenced by its wtxid. As a getdata request type, it
indicates that the sender wants package information for the
transaction.

3. Upon receipt of a "getdata" request for "MSG_PCKG1", the node
   should respond with the version 1 package corresponding to the
requested transaction and its current chain tip, or with NOTFOUND.
The node should not assume that the sender is requesting the
transaction data as well.

=3D=3D=3D=3DChild With Parent Packages Rules=3D=3D=3D=3D

A child-with-unconfirmed-parents package sent between nodes must abide
by the rules below, otherwise the package is malformed and the sender
should be disconnected.

A version 1 or ''child-with-unconfirmed-parents'' package can be
defined for any transaction that spends unconfirmed inputs. The child
can be thought of as the "representative" of the package. This package
can be uniquely identified by the transaction's wtxid and the current
chain tip block hash.

A ''child-with-unconfirmed-parents'' package MUST be:

1. ''Sorted topologically.'' For every transaction t in the package,
   if any of t's parents are present in the package, the parent must
appear somewhere in the list before t. In other words, the
transactions must be sorted in ascending order of the number of
ancestors present in the package.

2. ''Only 1 child with unconfirmed parents.'' The package must consist
   of one transaction and its unconfirmed parents. There must not be
any other transactions in the package. Other dependency relationships
may exist within the package (e.g. one parent may spend the output of
another parent) provided that topological order is respected.

3. ''All unconfirmed parents.'' All of the child's unconfirmed parents
   must be present.

4. ''No conflicts.'' None of the transactions in the package may
   conflict with each other (i.e.  spend the same prevout).

5. ''Total fees and weight.'' The 'total_fee' and 'total_weight'
   fields must accurately represent the sum total of all transactions'
fees and weights as defined in BIP141, respectively.

Not all of the child's parents must be present; the child transaction
may also spend confirmed inputs. However, if the child has confirmed
parents, they must not be in the package.

While a child-with-unconfirmed-parents package is perhaps most
relevant when the child has a higher feerate than its parents, this
property is not required to construct a valid package.

=3D=3D=3D=3DClarifications=3D=3D=3D=3D

''Q: Under what circumstances should a sender announce a
child-with-unconfirmed-parents package?''

A child-with-unconfirmed-parents package for a transaction should be
announced when it meets the peer's fee filter but one or more of its
parents don't; a "inv(MSG_PCKG1)" instead of "inv(WTX)" should be sent
for the child. Each of the parents which meet the peer's fee filter
should still be announced normally.

''Q: What if a new block arrives in between messages?''

A child-with-unconfirmed-parents package is defined for a transaction
based on the current chain state. As such, a new block extending the
tip may decrease the number of transactions in the package (i.e. if
any of the transaction's parents were included in the block). In a
reorg, the number of transactions in the package may decrease or
increase (i.e. if any of the transaction's parents were included in a
block in the previous chain but not the new one).

If the new block arrives before the "getdata" or "pckginfo1", nothing
needs to change.

If the new block arrives before "getpckgtxns" or before "pckgtxns",
the receiver may need to re-request package information if the block
contained a transaction in the package. If the block doesn't contain
any transactions in the package, whether it extends the previous tip
or causes a reorg, nothing needs to change.

''Q: Can "getpckgtxns" and "pckgtxns" messages contain only one
transaction?''

Yes.

=3D=3D=3DFurther Protocol Extensions=3D=3D=3D

When introducing a new type of package, assign it a version number "n"
and use an additional "sendpackages" message during version handshake
to negotiate support for it. An additional package information message
"pckginfon" and inv type "MSG_PCKGn" should be defined for the type of
package.  However, "getpckgtxns" and "pckgtxns" do not need to be
changed.

Example proposal for tx-with-unconfirmed-ancestors package relay: [19]

=3D=3D=3DCompatibility=3D=3D=3D

Older clients remain fully compatible and interoperable after this
change. Clients implementing this protocol will only attempt to send
and request packages if agreed upon during the version handshake.

=3D=3D=3DPackage Erlay=3D=3D=3D

Clients using BIP330 reconciliation-based transaction relay (Erlay)
are able to use package relay without interference. In fact, a package
of transactions may be announced using both Erlay and package relay.
After reconciliation, if the initiator would have announced a
transaction by wtxid but also has package information for it, they may
send "inv(MSG_PCKG)" instead of "inv(WTX)".

=3D=3D=3DRationale=3D=3D=3D

=3D=3D=3D=3DP2P Message Design=3D=3D=3D=3D

These p2p messages are added for communication efficiency and, as
such, one should measure alternative solutions based on the resources
used to communicate (not necessarily trustworthy) information: We
would like to minimize network bandwidth, avoid downloading a
transaction more than once, avoid downloading transactions that are
eventually rejected, and minimize storage allocated for
not-yet-validated transactions.

Consider these (plausible) scenarios in transaction relay:

Alice (the "sender") is relaying transactions to Bob (the "receiver").
Alice's mempool has a minimum feerate of 1sat/vB and Bob's has a
minimum feerate of 3sat/vB. For simplicity, all transactions are
1600Wu in virtual size and 500 bytes in serialized size. Apart from
the spending relationships specified, all other inputs are from
confirmed UTXOs.

1. Package {A, B} where A pays 0 satoshis and B pays 8000 satoshis in
   fees.

2. Package {C, D} where C pays 0 satoshis and D pays 1200 satoshis in
   fees.

3. Package {E, F, G, H, J} that pays 4000, 8000, 0, 2000, and 4000
   satoshis in fees, respectively.

=3D=3D=3D=3DAlternative Designs Considered=3D=3D=3D=3D

''Package Information Only:'' Just having "pckginfo" gives enough
information for the receiver to accept the package. Omit the
"getpckgtxns" and "pckgtxns" messages. While this option is a good
fallback if batched transaction download fails for some reason, it
shouldn't be used as the default because it 'always' requires storage
of unvalidated transactions.

''No Package Information Round:'' Instead of having a package
information round, just use the child's wtxid to refer to the package
and always send the entire package together. This would cause nodes to
redownload duplicate transactions.

I have also created a slidedeck exploring various alternative designs
and some examples in which they fall flat [20]. Please feel free to
suggest other alternatives.

=3D=3D=3D=3DVersioning System=3D=3D=3D=3D

This protocol should be extensible to support multiple types of
packages based on future desired use cases. Two "flavors" of
versioning were considered:

1. When package mempool acceptance is upgraded to support more types
   of packages, increment the version number (similar to Erlay).
During version handshake, peers negotiate which version of package
relay they will use by each sending one "sendpackages" message.

2. When introducing another type of package, assign a version number
   to it and announce it as an additional supported version (similar
to Compact Block Relay). During version handshake, peers send one
"sendpackages" message for each version supported.

The second option was favored because it allows different parameters
for different versions.  For example, it should be possible to support
both "arbitrary topology but maximum 3-transaction" package as well as
"child-with-unconfirmed-parents with default mempool ancestor limits"
packages simultaneously.

=3D=3DAcknowledgements=3D=3D

I hope to have made it abundantly clear that this proposal isn=E2=80=99t
inventing the concept of package relay, and in fact builds upon years
of work by many others, including Suhas Daftuar and Antoine Riard.

Thank you to John Newbery and Martin Zumsande for input on the design.

Thank you to Matt Corallo, Christian Decker, David Harding, Antoine
Poinsot, Antoine Riard, Gregory Sanders, Chris Stewart, Bastien
Teinturier, and others for input on the desired interface for
contracting protocols.

Looking forward to hearing your thoughts!

Best,
Gloria

[0]:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019817=
.html
[1]:
https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-April/002639=
.html
[2]:
https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-June/002758.=
html
[3]: https://github.com/t-bast/lightning-docs/blob/master/pinning-attacks.m=
d
[4]:
https://github.com/revault/practical-revault/blob/master/transactions.md#ca=
ncel_tx
[5]:
https://github.com/discreetlogcontracts/dlcspecs/blob/master/Transactions.m=
d#refund-transaction
[6]: https://gist.github.com/instagibbs/60264606e181451e977e439a49f69fe1
[7]:
https://btctranscripts.com/adopting-bitcoin/2021/2021-11-16-gloria-zhao-tra=
nsaction-relay-policy/#lightning-attacks
[8]: https://youtu.be/fbWSQvJjKFs?t=3D1438
[9]:
https://www.reddit.com/r/Bitcoin/comments/unew4e/looks_like_70_mvb_of_trans=
actions_just_got_dumped/
[10]: https://github.com/bitcoin/bitcoin/pull/7594
[11]: https://github.com/bitcoin/bitcoin/pull/7600
[12]: https://github.com/bitcoin/bitcoin/pull/6455#issuecomment-122716820
[13]: https://gist.github.com/sdaftuar/8756699bfcad4d3806ba9f3396d4e66a
[14]: https://github.com/bitcoin/bitcoin/issues/14895
[15]: https://github.com/bitcoin/bitcoin/pull/16401
[16]: https://github.com/bitcoin/bitcoin/pull/19621
[17]:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-September/0194=
64.html
[18]: https://github.com/users/glozow/projects/5/views/4?layout=3Dboard
[19]: https://gist.github.com/glozow/9b321cd3ef6505135c763112033ff2a7
[20]:
https://docs.google.com/presentation/d/1B__KlZO1VzxJGx-0DYChlWawaEmGJ9EGApE=
zrHqZpQc/edit?usp=3Dsharing

--000000000000138de305df37406e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi everybody,<br><br>I=E2=80=99m writing to propose a set =
of p2p protocol changes to enable package<br>relay, soliciting feedback on =
the design and approach. Here is a link<br>to the most up-to-date proposal:=
<br><br><a href=3D"https://github.com/bitcoin/bips/pull/1324">https://githu=
b.com/bitcoin/bips/pull/1324</a><br><br>If you have concept or approach fee=
dback, *please respond on the<br>mailing list* to allow everybody to view a=
nd participate in the<br>discussion. If you find a typo or inaccurate wordi=
ng, please feel free<br>to leave suggestions on the PR.<br><br>I=E2=80=99m =
also working on an implementation for Bitcoin Core.<br><div><br></div><div>=
<br></div>The rest of this post will include the same contents as the propo=
sal,<br>with a bit of reordering and additional context. If you are not 100=
%<br>up-to-date on package relay and find the proposal hard to follow, I<br=
><div>hope you find this format more informative and persuasive.</div><div>=
<br></div><br>=3D=3DBackground and Motivation=3D=3D<br><br>Users may create=
 and broadcast transactions that depend upon, i.e.<br>spend outputs of, unc=
onfirmed transactions. A =E2=80=9Cpackage=E2=80=9D is the<br>widely-used te=
rm for a group of transactions representable by a<br>connected Directed Acy=
clic Graph (where a directed edge exists between<br>a transaction that spen=
ds the output of another transaction).<br><br>Incentive-compatible mempool =
and miner policies help create a fair,<br>fee-based market for block space.=
 While miners maximize transaction<br>fees in order to earn higher block re=
wards, non-mining users<br>participating in transaction relay reap many ben=
efits from employing<br>policies that result in a mempool with the same con=
tents, including<br>faster compact block relay and more accurate fee estima=
tion.<br>Additionally, users may take advantage of mempool and miner policy=
 to<br>bump the priority of their transactions by attaching high-fee<br>des=
cendants (Child Pays for Parent or CPFP).=C2=A0 Only considering<br>transac=
tions one at a time for submission to the mempool creates a<br>limitation i=
n the node&#39;s ability to determine which transactions have<br>the highes=
t feerates, since it cannot take into account descendants<br>until all the =
transactions are in the mempool. Similarly, it cannot<br>use a transaction&=
#39;s descendants when considering which of two<br>conflicting transactions=
 to keep (Replace by Fee or RBF).<br><br>When a user&#39;s transaction does=
 not meet a mempool&#39;s minimum feerate<br>and they cannot create a repla=
cement transaction directly, their<br>transaction will simply be rejected b=
y this mempool. They also cannot<br>attach a descendant to pay for replacin=
g a conflicting transaction.<br>This limitation harms users&#39; ability to=
 fee-bump their transactions.<br>Further, it presents a security issue in c=
ontracting protocols which<br>rely on **presigned**, time-sensitive transac=
tions to prevent cheating<br>(HTLC-Timeout in LN Penalty [1] [2] [3], Unvau=
lt Cancel in Revault<br>[4], Refund Transaction in Discreet Log Contracts [=
5], Updates in<br>eltoo [6]). In other words, a key security assumption of =
many<br>contracting protocols is that all parties can propagate and confirm=
<br>transactions in a timely manner.<br><br>In the past few years, increasi=
ng attention [0][1][2][3][6] has been<br>brought to **pinning attacks**, a =
type of censorship in which the<br>attacker uses mempool policy restriction=
s to prevent a transaction<br>from being relayed or getting mined.=C2=A0 TL=
DR: revocation transactions<br>must meet a certain confirmation target to b=
e effective, but their<br>feerates are negotiated well ahead of broadcast t=
ime. If the<br>forecasted feerate was too low and no fee-bumping options ar=
e<br>available, attackers can steal money from their counterparties. I walk=
<br>through a concrete example for stealing Lightning HTLC outputs at<br>~2=
3:58 in this talk [7][8].=C2=A0 Note that most attacks are only possible<br=
>when the market for blockspace at broadcast time =C2=A0demands much higher=
<br>feerates than originally anticipated at signing time. Always<br>overest=
imating fees may sidestep this issue temporarily (while mempool<br>traffic =
is low and predictable), but this solution is not foolproof<br>and wastes u=
sers&#39; money. The feerate market can change due to sudden<br>spikes in t=
raffic (e.g. huge 12sat/vB dump a few days ago [9]) or<br>sustained, high v=
olume of Bitcoin payments (e.g.=C2=A0 April 2021 and<br>December 2017).<br>=
<br>The best solution is to enable nodes to consider packages of<br>transac=
tions as a unit, e.g. one or more low-fee parent transactions<br>with a hig=
h-fee child, instead of separately. A package-aware mempool<br>policy can h=
elp determine if it would actually be economically<br>rational to accept a =
transaction to the mempool if it doesn&#39;t meet fee<br>requirements indiv=
idually. Network-wide adoption of these policies<br>would create a more pur=
ely-feerate-based market for block space and<br>allow contracting protocols=
 to adjust fees (and therefore mining<br>priority) at broadcast time.=C2=A0=
 Some support for packages has existed in<br>Bitcoin Core for years. Since =
v0.13, Bitcoin Core has used ancestor<br>packages instead of individual tra=
nsactions to evaluate the incentive<br>compatibility of transactions in the=
 mempool [10] and select them for<br>inclusion in blocks [11].<br><br>Packa=
ge Relay, the concept of {announcing, requesting, downloading}<br>packages =
between nodes on the p2p network, has also been discussed for<br>many years=
. The earliest public mention I can find is from 2015 [12].<br>The two most=
 common use cases for package relay are fee-bumping<br>otherwise-too-low-fe=
e transactions and reducing the amount of orphans.<br>It seems uncontrovers=
ial to say that everybody desires package relay<br>conceptually, with varyi=
ng degrees of urgency. Lots of work has been<br>done by others over the pas=
t few years, from which I&#39;ve taken<br>inspiration from [13][14][15][16]=
.<br><br>My approach has been to split the project into two components: (1)=
 Package<br>Mempool Accept, which includes validation logic and mempool pol=
icy.<br>(3) Package Relay, which includes the p2p protocol changes.<br><br>=
Progress so far:<br>After discussions with various developers of contractin=
g protocols<br>(with heavier emphasis towards LN), it was determined that a=
<br>package containing a child with all of its unconfirmed parents<br>(chil=
d-with-unconfirmed-parents or 1-child-multi-parent package) would<br>be suf=
ficient for their use case, i.e. fee-bumping presigned<br>transactions. A c=
hild-with-unconfirmed-parents package has several<br>properties that make m=
any things easier to reason about.<br><br>A few months ago, I proposed a se=
t of policies for safe package<br>validation and fee assessment for package=
s of this restricted<br><div>topology [17]. A series of PRs implementing th=
is proposal have</div><div>been merged into Bitcoin Core [18].<br></div><br=
>Theoretically, developing a safe and incentive-compatible package<br>mempo=
ol acceptance policy is sufficient to solve this issue. Nodes<br>could oppo=
rtunistically accept packages (e.g. by trying combinations<br>of transactio=
ns rejected from their mempools), but this practice would<br>likely be inef=
ficient at best and open new Denial of Service attacks<br>at worst. Additio=
nal p2p messages may enable nodes to request and<br>share package validatio=
n-related information with one another in a<br>more communication-efficient=
 way.<br><br>Given that only package RBF remains for package mempool accept=
, and we<br>can make progress on p2p and mempool in parallel, I think it=E2=
=80=99s<br>appropriate to put forward a package relay proposal.<br><br>=3D=
=3DProposal=3D=3D<br><br>This proposal contains 2 components: a =E2=80=9Cge=
neric=E2=80=9D package relay<br>protocol and an extension of it, child-with=
-unconfirmed-parents<br>packages, as version 1 package relay. Another versi=
on of packages,<br>=E2=80=9Ctx-with-unconfirmed-ancestors=E2=80=9D can be c=
reated to extend package relay<br>for eliminating orphans.<br><br>=3D=3D=3D=
Generic Package Relay=3D=3D=3D<br><br>Two main ideas are introduced:<br><br=
>Download and validate packages of transactions together.<br><br>Provide in=
formation to help peers decide whether to request and/or how<br>to validate=
 transactions which are part of a package.<br><br>=3D=3D=3D=3DIntended Prot=
ocol Flow=3D=3D=3D=3D<br><br>Due to the asynchronous nature of a distribute=
d transaction relay<br>network, nodes may not receive all of the informatio=
n needed to<br>validate a transaction at once. For example, after a node co=
mpletes<br>Initial Block Download (IBD) and first starts participating in<b=
r>transaction relay with an empty mempool, it is common to receive<br>orpha=
ns. In such scenarios where a node is aware that it is missing<br>informati=
on, a &#39;&#39;receiver-initiated&#39;&#39; dialogue is appropriate:<br><b=
r>1. Receiver requests package information.<br><br>2. The sender provides p=
ackage information, including the wtxids of<br>=C2=A0 =C2=A0the transaction=
s in the package and anything else that might be<br>relevant (e.g. total fe=
es and size).<br><br>3. The reciever uses the package information to decide=
 how to request<br>=C2=A0 =C2=A0and validate the transactions.<br><br>Somet=
imes, no matter what order transactions are received by a node,<br>validati=
ng them individually is insufficient. When the sender is aware<br>of additi=
onal information that the receiver needs to accept a package,<br>a proactiv=
e &#39;&#39;sender-initiated&#39;&#39; dialogue should be enabled:<br><br>1=
. Sender announces they have package information pertaining to a<br>=C2=A0 =
=C2=A0transaction that might otherwise be undesired on its own.<br><br>2. T=
he receiver requests package information.<br><br>3. The sender provides pac=
kage information, including the wtxids of<br>=C2=A0 =C2=A0the transactions =
in the package and anything else that might be<br>relevant (e.g. total fees=
 and size).<br><br>4. The reciever uses the package information to decide h=
ow to request<br>=C2=A0 =C2=A0and validate the transactions.<br><br>Package=
 relay is negotiated between two peers during the version<br>handshake. Pac=
kage relay requires both peers to support wtxid-based<br>relay because pack=
age transactions are referenced by their wtxid.<br><br>=3D=3D=3D=3DNew Mess=
ages=3D=3D=3D=3D<br><br>Three new protocol messages are added for use in an=
y version of<br>package relay. Additionally, each version of package relay =
must define<br>its own inv type and &quot;pckginfo&quot; message version, r=
eferred to in this<br>document as &quot;MSG_PCKG&quot; and &quot;pckginfo&q=
uot; respectively. See<br>BIP-v1-packages for a concrete example.<br><br>=
=3D=3D=3D=3D=3Dsendpackages=3D=3D=3D=3D=3D<br><br>{|<br>| =C2=A0Field Name =
=C2=A0|| =C2=A0Type =C2=A0|| =C2=A0Size =C2=A0|| =C2=A0Purpose<br>|-<br>|ve=
rsion || uint32_t || 4 || Denotes a package version supported by the node.<=
br>|-<br>|max_count || uint32_t || 4 ||Specifies the maximum number of tran=
sactions per package this node is<br>willing to accept.<br>|-<br>|max_weigh=
t || uint32_t || 4 ||Specifies the maximum total weight per package this no=
de is willing<br>to accept.<br>|-<br>|}<br><br>1. The &quot;sendpackages&qu=
ot; message has the structure defined above, with<br>=C2=A0 =C2=A0pchComman=
d =3D=3D &quot;sendpackages&quot;.<br><br>2. During version handshake, node=
s should send a &quot;sendpackages&quot;<br>=C2=A0 =C2=A0message indicate t=
hey support package relay and may request<br>packages.<br><br>3. The messag=
e should contain a version supported by the node. Nodes<br>=C2=A0 =C2=A0sho=
uld send a &quot;sendpackages&quot; message for each version they support.<=
br><br>4. The &quot;sendpackages&quot; message MUST be sent before sending =
a &quot;verack&quot;<br>=C2=A0 =C2=A0message. If a &quot;sendpackages&quot;=
 message is received afer &quot;verack&quot;, the<br>sender should be disco=
nnected.<br><br>5. If &#39;fRelay=3D=3Dfalse&#39; in a peer&#39;s version m=
essage, the node must not<br>=C2=A0 =C2=A0send &quot;sendpackages&quot; to =
them. If a &quot;sendpackages&quot; message is<br>received by a peer after =
sending `fRelay=3D=3Dfalse` in their version<br>message, the sender should =
be disconnected.<br><br>6.. Upon receipt of a &quot;sendpackages&quot; mess=
age with a version that is<br>not supported, a node must treat the peer as =
if it never received the<br>message.<br><br>7. If both peers send &quot;wtx=
idrelay&quot; and &quot;sendpackages&quot; with the same<br>=C2=A0 =C2=A0ve=
rsion, the peers should announce, request, and send package<br>information =
to each other.<br><br>=3D=3D=3D=3D=3Dgetpckgtxns=3D=3D=3D=3D=3D<br><br>{|<b=
r>| =C2=A0Field Name =C2=A0|| =C2=A0Type =C2=A0|| =C2=A0Size =C2=A0|| =C2=
=A0 Purpose<br>|-<br>|txns_length||CompactSize||1 or 3 bytes|| The number o=
f transactions requested.<br>|-<br>|txns||List of wtxids||txns_length * 32|=
| The wtxids of each transaction in the package.<br>|}<br><br>1. The &quot;=
getpckgtxns&quot; message has the structure defined above, with<br>=C2=A0 =
=C2=A0pchCommand =3D=3D &quot;getpckgtxns&quot;.<br><br>2. A &quot;getpckgt=
xns&quot; message should be used to request all or some of<br>=C2=A0 =C2=A0=
the transactions previously announced in a &quot;pckginfo&quot; message,<br=
>specified by witness transactiosome id.<br><br>3. Upon receipt of a &quot;=
getpckgtxns&quot; message, a node must respond with<br>=C2=A0 =C2=A0either =
a &quot;pckgtxns&quot; containing the requested transactions or a<br>&quot;=
notfound&quot; message indicating one or more of the transactions is<br>una=
vailable. This allows the receiver to avoid downloading and storing<br>tran=
sactions that cannot be validated immediately.<br><br>4. A &quot;getpckgtxn=
s&quot; message should only be sent if both peers agreed to<br>=C2=A0 =C2=
=A0send packages in the version handshake. If a &quot;getpckgtxns&quot; mes=
sage<br>is received from a peer with which package relay was not negotiated=
,<br>the sender should be disconnected.<br><br>=3D=3D=3D=3D=3Dpckgtxns=3D=
=3D=3D=3D=3D<br><br>{|<br>| =C2=A0Field Name =C2=A0|| =C2=A0Type =C2=A0|| =
=C2=A0Size =C2=A0|| =C2=A0 Purpose<br>|-<br>|txns_length||CompactSize||1 or=
 3 bytes|| The number of transactions provided.<br>|-<br>|txns||List of tra=
nsactions||variable|| The transactions in the package.<br>|}<br><br>1. The =
&quot;pckgtxns&quot; message has the structure defined above, with<br>=C2=
=A0 =C2=A0pchCommand =3D=3D &quot;pckgtxns&quot;.<br><br>2. A &quot;pckgtxn=
s&quot; message should contain the transaction data requested<br>=C2=A0 =C2=
=A0using &quot;getpckgtxns&quot;.<br><br>3. A &quot;pckgtxns&quot; message =
should only be sent to a peer that requested<br>=C2=A0 =C2=A0the package us=
ing &quot;getpckgtxns&quot;. If a node receives an unsolicited<br>package, =
the sender should be disconnected.<br><br>4. A &quot;pckgtxns&quot; message=
 should only be sent if both peers agreed to<br>=C2=A0 =C2=A0send packages =
in the version handshake. If a &quot;pckgtxns&quot; message is<br>received =
from a peer with which package relay was not negotiated, the<br>sender shou=
ld be disconnected.<br><br>=3D=3D=3DVersion 1 Packages: child-with-unconfir=
med-parents=3D=3D=3D =C2=A0<br><br>This extends package relay for packages =
consisting of one transaction<br>and all of its unconfirmed parents,by defi=
ning version 1 packages, a<br>pckginfo1 message, and a MSG_PCKG1 inv type. =
It enables the use case<br>in which a child pays for its otherwise-too-low-=
fee parents and their<br>mempool conflict(s).<br><br>=3D=3D=3D=3DIntended P=
rotocol Flow=3D=3D=3D=3D<br><br>When relaying a package of low-fee parent(s=
) and high-fee child, the<br>sender and receiver do the following:<br><br>1=
. Sender announces they have a child-with-unconfirmed-parents package<br>=
=C2=A0 =C2=A0for a child that pays for otherwise-too-low-fee parent(s) usin=
g<br>&quot;inv(MSG_PCKG1)&quot;.<br><br>2. The receiver requests package in=
formation using<br>=C2=A0 =C2=A0&quot;getdata(MSG_PCKG1)&quot;.<br><br>3. T=
he sender provides package information using &quot;pckginfo1&quot;,<br>=C2=
=A0 =C2=A0including the blockhash of the sender&#39;s best block, the wtxid=
s of<br>the transactions in the package, their total fees and total weight.=
<br><br>4. The reciever uses the package information to decide how to reque=
st<br>=C2=A0 =C2=A0the transactions. For example, if the receiver already h=
as some of<br>the transactions in their mempool, they only request the miss=
ing ones.<br>They could also decide not to request the package at all based=
 on the<br>fee information provided.<br><br>5. Upon receiving a &quot;pckgt=
xns&quot;, the receiver submits the transactions<br>=C2=A0 =C2=A0together a=
s a package.<br><br>=3D=3D=3D=3DNew Messages=3D=3D=3D=3D<br><br>A new inv t=
ype, &quot;MSG_PCKG1&quot;, and new protocol message, &quot;PCKGINFO1&quot;=
,<br>are added.<br><br>=3D=3D=3D=3D=3Dpckginfo1=3D=3D=3D=3D=3D<br><br>{|<br=
>| =C2=A0Field Name =C2=A0|| =C2=A0Type =C2=A0|| =C2=A0Size =C2=A0|| =C2=A0=
 Purpose<br>|-<br>|blockhash || uint256 || 32 || The chain tip at which thi=
s package is defined.<br>|-<br>|pckg_fee||CAmount||4|| The sum total fees p=
aid by all transactions in the package.<br>|-<br>|pckg_weight||int64_t||8||=
 The sum total weight of all transactions in the package.<br>|-<br>|txns_le=
ngth||CompactSize||1 or 3 bytes|| The number of transactions provided.<br>|=
-<br>|txns||List of wtxids||txns_length * 32|| The wtxids of each transacti=
on in the package.<br>|}<br><br><br>1. The &quot;pckginfo1&quot; message ha=
s the structure defined above, with<br>=C2=A0 =C2=A0pchCommand =3D=3D &quot=
;pckginfo1&quot;.<br><br>2. A &quot;pckginfo1&quot; message contains inform=
ation about a version 1<br>=C2=A0 =C2=A0package (defined below), referenced=
 by the wtxid of the transaction<br>it pertains to and the current blockhas=
h.<br><br>3. Upon receipt of a &quot;pckginfo1&quot; message, the node shou=
ld decide if it<br>=C2=A0 =C2=A0wants to validate the package, request tran=
saction data if<br>necessary, etc.<br><br>4. Upon receipt of a malformed &q=
uot;pckginfo1&quot; message or package that<br>=C2=A0 =C2=A0does not abide =
by the max_count, max_weight, or other rules<br>specified by the version ag=
reed upon in the initial negotiation, the<br>sender should be disconnected.=
=C2=A0 If a node receives a &quot;pckginfo1&quot;<br>message for which the =
&quot;pckg_fee&quot; or &quot;pckg_weight&quot; do not reflect the<br>true =
total fees and weight, respectively, or the transactions in the<br>package,=
 the message is malformed.<br><br>5. A node MUST NOT send a &quot;pckginfo1=
&quot; message that has not been<br>=C2=A0 =C2=A0requested by the recipient=
. Upon receipt of an unsolicited<br>&quot;pckginfo1&quot;, a node should di=
sconnect the sender.<br><br>6. A &quot;pckginfo1&quot; message should only =
be sent if both peers agreed to<br>=C2=A0 =C2=A0send version 1 packages in =
the version handshake. If a &quot;pckginfo1&quot;<br>message is received fr=
om a peer with which package relay was not<br>negotiated, the sender should=
 be disconnected.<br><br>=3D=3D=3D=3D=3DMSG_PCKG1=3D=3D=3D=3D=3D<br><br>1. =
A new inv type (MSG_PCKG1 =3D=3D 0x6) is added, for use in inv messages<br>=
=C2=A0 =C2=A0and getdata requests pertaining to version 1 packages.<br><br>=
2. As an inv type, it indicates that both transaction data and version<br>=
=C2=A0 =C2=A01 package information are available for the transaction. The<b=
r>transaction is referenced by its wtxid. As a getdata request type, it<br>=
indicates that the sender wants package information for the<br>transaction.=
<br><br>3. Upon receipt of a &quot;getdata&quot; request for &quot;MSG_PCKG=
1&quot;, the node<br>=C2=A0 =C2=A0should respond with the version 1 package=
 corresponding to the<br>requested transaction and its current chain tip, o=
r with NOTFOUND.<br>The node should not assume that the sender is requestin=
g the<br>transaction data as well.<br><br>=3D=3D=3D=3DChild With Parent Pac=
kages Rules=3D=3D=3D=3D<br><br>A child-with-unconfirmed-parents package sen=
t between nodes must abide<br>by the rules below, otherwise the package is =
malformed and the sender<br>should be disconnected.<br><br>A version 1 or &=
#39;&#39;child-with-unconfirmed-parents&#39;&#39; package can be<br>defined=
 for any transaction that spends unconfirmed inputs. The child<br>can be th=
ought of as the &quot;representative&quot; of the package. This package<br>=
can be uniquely identified by the transaction&#39;s wtxid and the current<b=
r>chain tip block hash.<br><br>A &#39;&#39;child-with-unconfirmed-parents&#=
39;&#39; package MUST be:<br><br>1. &#39;&#39;Sorted topologically.&#39;&#3=
9; For every transaction t in the package,<br>=C2=A0 =C2=A0if any of t&#39;=
s parents are present in the package, the parent must<br>appear somewhere i=
n the list before t. In other words, the<br>transactions must be sorted in =
ascending order of the number of<br>ancestors present in the package.<br><b=
r>2. &#39;&#39;Only 1 child with unconfirmed parents.&#39;&#39; The package=
 must consist<br>=C2=A0 =C2=A0of one transaction and its unconfirmed parent=
s. There must not be<br>any other transactions in the package. Other depend=
ency relationships<br>may exist within the package (e.g. one parent may spe=
nd the output of<br>another parent) provided that topological order is resp=
ected.<br><br>3. &#39;&#39;All unconfirmed parents.&#39;&#39; All of the ch=
ild&#39;s unconfirmed parents<br>=C2=A0 =C2=A0must be present.<br><br>4. &#=
39;&#39;No conflicts.&#39;&#39; None of the transactions in the package may=
<br>=C2=A0 =C2=A0conflict with each other (i.e. =C2=A0spend the same prevou=
t).<br><br>5. &#39;&#39;Total fees and weight.&#39;&#39; The &#39;total_fee=
&#39; and &#39;total_weight&#39;<br>=C2=A0 =C2=A0fields must accurately rep=
resent the sum total of all transactions&#39;<br>fees and weights as define=
d in BIP141, respectively.<br><br>Not all of the child&#39;s parents must b=
e present; the child transaction<br>may also spend confirmed inputs. Howeve=
r, if the child has confirmed<br>parents, they must not be in the package.<=
br><br>While a child-with-unconfirmed-parents package is perhaps most<br>re=
levant when the child has a higher feerate than its parents, this<br>proper=
ty is not required to construct a valid package.<br><br>=3D=3D=3D=3DClarifi=
cations=3D=3D=3D=3D<br><br>&#39;&#39;Q: Under what circumstances should a s=
ender announce a<br>child-with-unconfirmed-parents package?&#39;&#39;<br><b=
r>A child-with-unconfirmed-parents package for a transaction should be<br>a=
nnounced when it meets the peer&#39;s fee filter but one or more of its<br>=
parents don&#39;t; a &quot;inv(MSG_PCKG1)&quot; instead of &quot;inv(WTX)&q=
uot; should be sent<br>for the child. Each of the parents which meet the pe=
er&#39;s fee filter<br>should still be announced normally.<br><br>&#39;&#39=
;Q: What if a new block arrives in between messages?&#39;&#39;<br><br>A chi=
ld-with-unconfirmed-parents package is defined for a transaction<br>based o=
n the current chain state. As such, a new block extending the<br>tip may de=
crease the number of transactions in the package (i.e. if<br>any of the tra=
nsaction&#39;s parents were included in the block). In a<br>reorg, the numb=
er of transactions in the package may decrease or<br>increase (i.e. if any =
of the transaction&#39;s parents were included in a<br>block in the previou=
s chain but not the new one).<br><br>If the new block arrives before the &q=
uot;getdata&quot; or &quot;pckginfo1&quot;, nothing<br>needs to change.<br>=
<br>If the new block arrives before &quot;getpckgtxns&quot; or before &quot=
;pckgtxns&quot;,<br>the receiver may need to re-request package information=
 if the block<br>contained a transaction in the package. If the block doesn=
&#39;t contain<br>any transactions in the package, whether it extends the p=
revious tip<br>or causes a reorg, nothing needs to change.<br><br>&#39;&#39=
;Q: Can &quot;getpckgtxns&quot; and &quot;pckgtxns&quot; messages contain o=
nly one<br>transaction?&#39;&#39;<br><br>Yes.<br><br>=3D=3D=3DFurther Proto=
col Extensions=3D=3D=3D<br><br>When introducing a new type of package, assi=
gn it a version number &quot;n&quot;<br>and use an additional &quot;sendpac=
kages&quot; message during version handshake<br>to negotiate support for it=
. An additional package information message<br>&quot;pckginfon&quot; and in=
v type &quot;MSG_PCKGn&quot; should be defined for the type of<br>package.=
=C2=A0 However, &quot;getpckgtxns&quot; and &quot;pckgtxns&quot; do not nee=
d to be<br>changed.<br><br>Example proposal for tx-with-unconfirmed-ancesto=
rs package relay: [19] <br><br>=3D=3D=3DCompatibility=3D=3D=3D<br><br>Older=
 clients remain fully compatible and interoperable after this<br>change. Cl=
ients implementing this protocol will only attempt to send<br>and request p=
ackages if agreed upon during the version handshake.<br><br>=3D=3D=3DPackag=
e Erlay=3D=3D=3D<br><br>Clients using BIP330 reconciliation-based transacti=
on relay (Erlay)<br>are able to use package relay without interference. In =
fact, a package<br>of transactions may be announced using both Erlay and pa=
ckage relay.<br>After reconciliation, if the initiator would have announced=
 a<br>transaction by wtxid but also has package information for it, they ma=
y<br>send &quot;inv(MSG_PCKG)&quot; instead of &quot;inv(WTX)&quot;.<br><br=
>=3D=3D=3DRationale=3D=3D=3D<br><br>=3D=3D=3D=3DP2P Message Design=3D=3D=3D=
=3D<br><br>These p2p messages are added for communication efficiency and, a=
s<br>such, one should measure alternative solutions based on the resources<=
br>used to communicate (not necessarily trustworthy) information: We<br>wou=
ld like to minimize network bandwidth, avoid downloading a<br>transaction m=
ore than once, avoid downloading transactions that are<br>eventually reject=
ed, and minimize storage allocated for<br>not-yet-validated transactions.<b=
r><br>Consider these (plausible) scenarios in transaction relay:<br><br>Ali=
ce (the &quot;sender&quot;) is relaying transactions to Bob (the &quot;rece=
iver&quot;).<br>Alice&#39;s mempool has a minimum feerate of 1sat/vB and Bo=
b&#39;s has a<br>minimum feerate of 3sat/vB. For simplicity, all transactio=
ns are<br>1600Wu in virtual size and 500 bytes in serialized size. Apart fr=
om<br>the spending relationships specified, all other inputs are from<br>co=
nfirmed UTXOs.<br><br>1. Package {A, B} where A pays 0 satoshis and B pays =
8000 satoshis in<br>=C2=A0 =C2=A0fees.<br><br>2. Package {C, D} where C pay=
s 0 satoshis and D pays 1200 satoshis in<br>=C2=A0 =C2=A0fees.<br><br>3. Pa=
ckage {E, F, G, H, J} that pays 4000, 8000, 0, 2000, and 4000<br>=C2=A0 =C2=
=A0satoshis in fees, respectively.<br><br>=3D=3D=3D=3DAlternative Designs C=
onsidered=3D=3D=3D=3D<br><br>&#39;&#39;Package Information Only:&#39;&#39; =
Just having &quot;pckginfo&quot; gives enough<br>information for the receiv=
er to accept the package. Omit the<br>&quot;getpckgtxns&quot; and &quot;pck=
gtxns&quot; messages. While this option is a good<br>fallback if batched tr=
ansaction download fails for some reason, it<br>shouldn&#39;t be used as th=
e default because it &#39;always&#39; requires storage<br>of unvalidated tr=
ansactions.<br><br>&#39;&#39;No Package Information Round:&#39;&#39; Instea=
d of having a package<br>information round, just use the child&#39;s wtxid =
to refer to the package<br>and always send the entire package together. Thi=
s would cause nodes to<br>redownload duplicate transactions.<br><br>I have =
also created a slidedeck exploring various alternative designs<br>and some =
examples in which they fall flat [20]. Please feel free to<br>suggest other=
 alternatives.<br><br>=3D=3D=3D=3DVersioning System=3D=3D=3D=3D<br><br>This=
 protocol should be extensible to support multiple types of<br>packages bas=
ed on future desired use cases. Two &quot;flavors&quot; of<br>versioning we=
re considered:<br><br>1. When package mempool acceptance is upgraded to sup=
port more types<br>=C2=A0 =C2=A0of packages, increment the version number (=
similar to Erlay).<br>During version handshake, peers negotiate which versi=
on of package<br>relay they will use by each sending one &quot;sendpackages=
&quot; message.<br><br>2. When introducing another type of package, assign =
a version number<br>=C2=A0 =C2=A0to it and announce it as an additional sup=
ported version (similar<br>to Compact Block Relay). During version handshak=
e, peers send one<br>&quot;sendpackages&quot; message for each version supp=
orted.<br><br>The second option was favored because it allows different par=
ameters<br>for different versions.=C2=A0 For example, it should be possible=
 to support<br>both &quot;arbitrary topology but maximum 3-transaction&quot=
; package as well as<br>&quot;child-with-unconfirmed-parents with default m=
empool ancestor limits&quot;<br>packages simultaneously.<br><br>=3D=3DAckno=
wledgements=3D=3D<br><br>I hope to have made it abundantly clear that this =
proposal isn=E2=80=99t<br>inventing the concept of package relay, and in fa=
ct builds upon years<br>of work by many others, including Suhas Daftuar and=
 Antoine Riard.<br><br>Thank you to John Newbery and Martin Zumsande for in=
put on the design.<br><br>Thank you to Matt Corallo, Christian Decker, Davi=
d Harding, Antoine<br>Poinsot, Antoine Riard, Gregory Sanders, Chris Stewar=
t, Bastien<br>Teinturier, and others for input on the desired interface for=
<br>contracting protocols.<br><br><div>Looking forward to hearing your thou=
ghts!</div><div><br></div><div>Best,</div><div>Gloria<br></div><div><br></d=
iv>[0]: <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/=
2022-January/019817.html">https://lists.linuxfoundation.org/pipermail/bitco=
in-dev/2022-January/019817.html</a><br>[1]: <a href=3D"https://lists.linuxf=
oundation.org/pipermail/lightning-dev/2020-April/002639.html">https://lists=
.linuxfoundation.org/pipermail/lightning-dev/2020-April/002639.html</a><br>=
[2]: <a href=3D"https://lists.linuxfoundation.org/pipermail/lightning-dev/2=
020-June/002758.html">https://lists.linuxfoundation.org/pipermail/lightning=
-dev/2020-June/002758.html</a><br>[3]: <a href=3D"https://github.com/t-bast=
/lightning-docs/blob/master/pinning-attacks.md">https://github.com/t-bast/l=
ightning-docs/blob/master/pinning-attacks.md</a><br>[4]: <a href=3D"https:/=
/github.com/revault/practical-revault/blob/master/transactions.md#cancel_tx=
">https://github.com/revault/practical-revault/blob/master/transactions.md#=
cancel_tx</a><br>[5]: <a href=3D"https://github.com/discreetlogcontracts/dl=
cspecs/blob/master/Transactions.md#refund-transaction">https://github.com/d=
iscreetlogcontracts/dlcspecs/blob/master/Transactions.md#refund-transaction=
</a><br>[6]: <a href=3D"https://gist.github.com/instagibbs/60264606e181451e=
977e439a49f69fe1">https://gist.github.com/instagibbs/60264606e181451e977e43=
9a49f69fe1</a><br>[7]: <a href=3D"https://btctranscripts.com/adopting-bitco=
in/2021/2021-11-16-gloria-zhao-transaction-relay-policy/#lightning-attacks"=
>https://btctranscripts.com/adopting-bitcoin/2021/2021-11-16-gloria-zhao-tr=
ansaction-relay-policy/#lightning-attacks</a><br>[8]: <a href=3D"https://yo=
utu.be/fbWSQvJjKFs?t=3D1438">https://youtu.be/fbWSQvJjKFs?t=3D1438</a><br>[=
9]: <a href=3D"https://www.reddit.com/r/Bitcoin/comments/unew4e/looks_like_=
70_mvb_of_transactions_just_got_dumped/">https://www.reddit.com/r/Bitcoin/c=
omments/unew4e/looks_like_70_mvb_of_transactions_just_got_dumped/</a><br>[1=
0]: <a href=3D"https://github.com/bitcoin/bitcoin/pull/7594">https://github=
.com/bitcoin/bitcoin/pull/7594</a><br>[11]: <a href=3D"https://github.com/b=
itcoin/bitcoin/pull/7600">https://github.com/bitcoin/bitcoin/pull/7600</a><=
br>[12]: <a href=3D"https://github.com/bitcoin/bitcoin/pull/6455#issuecomme=
nt-122716820">https://github.com/bitcoin/bitcoin/pull/6455#issuecomment-122=
716820</a><br>[13]: <a href=3D"https://gist.github.com/sdaftuar/8756699bfca=
d4d3806ba9f3396d4e66a">https://gist.github.com/sdaftuar/8756699bfcad4d3806b=
a9f3396d4e66a</a><br>[14]: <a href=3D"https://github.com/bitcoin/bitcoin/is=
sues/14895">https://github.com/bitcoin/bitcoin/issues/14895</a><br>[15]: <a=
 href=3D"https://github.com/bitcoin/bitcoin/pull/16401">https://github.com/=
bitcoin/bitcoin/pull/16401</a><br>[16]: <a href=3D"https://github.com/bitco=
in/bitcoin/pull/19621">https://github.com/bitcoin/bitcoin/pull/19621</a><br=
>[17]: <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2=
021-September/019464.html">https://lists.linuxfoundation.org/pipermail/bitc=
oin-dev/2021-September/019464.html</a><br>[18]: <a href=3D"https://github.c=
om/users/glozow/projects/5/views/4?layout=3Dboard">https://github.com/users=
/glozow/projects/5/views/4?layout=3Dboard</a><br>[19]: <a href=3D"https://g=
ist.github.com/glozow/9b321cd3ef6505135c763112033ff2a7">https://gist.github=
.com/glozow/9b321cd3ef6505135c763112033ff2a7</a><br>[20]: <a href=3D"https:=
//docs.google.com/presentation/d/1B__KlZO1VzxJGx-0DYChlWawaEmGJ9EGApEzrHqZp=
Qc/edit?usp=3Dsharing">https://docs.google.com/presentation/d/1B__KlZO1VzxJ=
Gx-0DYChlWawaEmGJ9EGApEzrHqZpQc/edit?usp=3Dsharing</a></div>

--000000000000138de305df37406e--