MIME-Version: 1.0
In-Reply-To: <87bmdzgu4v.fsf@gmail.com>
References: <874ljsitvx.fsf@gmail.com>
	<CADZtCSgSJsU+j1teT4A9+nc+cuzBz+dhL+sC3dyGniQAsxPUxw@mail.gmail.com>
	<87vac7hakf.fsf@gmail.com>
	<CADZtCShihv1PR4yD_xATD2mv5CSMqH385HWVLdZQSG_9ZyJ7Jw@mail.gmail.com>
	<87in87gx0q.fsf@gmail.com>
	<CADZtCShvsaUpHKqRkkDm1XEmiSgj4Aa_VPdFFhaMQd9fcvxyZA@mail.gmail.com>
	<87bmdzgu4v.fsf@gmail.com>
From: Jim Posen <jim.posen@gmail.com>
Date: Tue, 1 May 2018 18:15:10 -0700
Message-ID: <CADZtCSgHmyYbumDw6bwfYpoqc9b-0JmHM5-22=Y1FXNDiTghrA@mail.gmail.com>
To: Christian Decker <decker.christian@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000008d9e47056b2ed19d"
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] eltoo: A Simplified update Mechanism for
 Lightning and Off-Chain Contracts
Precedence: list

--0000000000008d9e47056b2ed19d
Content-Type: text/plain; charset="UTF-8"

OK, I see what you are saying. You are effectively suggesting pipelining
the broadcasts of the update transactions. I think this introduces a
problem that a node in the circuit that withholds the preimage for too long
can force all upstream channels to be closed, at only the expense of their
one upstream channel being closed. I believe such an attack could
significantly disrupt the network.

Let me elaborate on the way I'm thinking about this:

So say I'm a routing node with an upstream HTLC with CLTV = X. I need to
ensure that if I learn the preimage, that I have time to broadcast and
confirm an HTLC-success transaction before height X. We'll call this number
of blocks D_success. So if I know the preimage, let's say X - D_success is
the latest height that I can safely broadcast the HTLC-success transaction,
assuming the settlement transaction is already final (ie. the update
transaction is confirmed and the CSV delay has passed). So now I also need
to know when to close the channel with the update transaction. I'll assume
it will take at most D_update blocks from the time I broadcast the update
transaction for it to be mined. So unless the downstream HTLC is already
failed, I should always close the upstream channel at height X - D_success
- CSV_update - D_update.

Now we'll look at the downstream HTLC with CLTV = Y. In order to minimize
the safe delta between the upstream and downstream CLTVs, I will want to
broadcast and confirm an HTLC-timeout transaction as soon after height Y as
possible. So assuming that the downstream settlement transaction is final
at height Y and it takes at most D_timeout blocks for the HTLC timeout
transaction to confirm once it is final assuming no double spends, then Y +
D_timeout is very latest I might learn the payment preimage from the
downstream channel on-chain. So I should be safe as long as X - D_success >
Y + D_timeout. This assumes that the update transaction for the downstream
channel is already mined and the CSV has passed. However, we know from
above that I had to close the upstream channel at time X - D_success -
CSV_update - D_update, which may very well be before Y. So if the
downstream hop waits until just before Y to publish the preimage, they can
force me to close my upstream channel. This applies transitively for
further upstream hops, assuming a large enough CSV value.

Granted, upstream hops can watch the blockchain for preimage reveals in
other closings transaction and perhaps fulfill off-chain if there is
sufficient time. This would not be possible with payment decorrelation
through scriptless scripts or the like.

Does that logic sound right to you?

On Tue, May 1, 2018 at 10:31 AM, Christian Decker <
decker.christian@gmail.com> wrote:

> Jim Posen <jim.posen@gmail.com> writes:
> > I'm still not following why this doesn't accumulate.
> >
> > In the example route, let's look at it from the point of view of C. C
> sees
> > the following regardless of whether D or E or someone behind E is the
> last
> > hop in the route:
> >
> > B -> HTLC(expire = X + delta) -> C -> HTLC(expire = X) -> D
> >
> > So D is not required to reveal the preimage before time X, and in the
> case
> > of an on-chain settle, C needs to be able to redeem the HTLC output
> through
> > the timeout clause before time X + delta. C can't redeem the HTLC (with
> > sufficient confirmations) at least until the settlement transaction is
> > confirmed. So it seems to me that regardless of the overall route and the
> > maximum CSV on it, the delta for the C hop has to be greater than the CSV
> > delay on the update transaction. And that this must be true at every hop
> > for the same reason.
>
> That'd be a purely reactionary behavior, i.e., chosing the delta in such
> a way that I can both settle the channel and have enough time to react
> to turn around and reveal the preimage. So with the assumptions we had
> before (CSV = 144 and CLTV delta = 144) you'd have an effective delta of
> 288 on each hop, yes. That's basically the case in which each channel
> reacts serially.
>
> You can trivially parallelize these closures by looking ahead and
> noticing that each hop really just cares about its own closure deadline,
> i.e., each node just cares to close 288 blocks before the CLTV expires,
> not that its delta w.r.t. to the downstream channel is that far in the
> future. So all we care about is that once we are due to give the
> upstream hop the preimage we've already closed the downstream channel
> and can now read the HTLC preimage from that channel.
>
> The CSV timeout isn't part of the delta on each hop, but we need to
> implement the deadline computation as:
>
> ```
> CLTV - CLTV delta - CSV
> ```
>
> instead of LN-penaltiy's
>
> ```
> CLTV - CLTV delta
> ```
>

--0000000000008d9e47056b2ed19d
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">OK, I see what you are saying. You are effectively suggest=
ing pipelining the broadcasts of the update transactions. I think this intr=
oduces a problem that a node in the circuit that withholds the preimage for=
 too long can force all upstream channels to be closed, at only the expense=
 of their one upstream channel being closed. I believe such an attack could=
 significantly disrupt the network.<div><br></div><div>Let me elaborate on =
the way I&#39;m thinking about this:<br><div><br></div><div>So say I&#39;m =
a routing node with an upstream HTLC with CLTV =3D X. I need to ensure that=
 if I learn the preimage, that I have time to broadcast and confirm an HTLC=
-success transaction before height X. We&#39;ll call this number of blocks =
D_success. So if I know the preimage, let&#39;s say X - D_success is the la=
test height that I can safely broadcast the HTLC-success transaction, assum=
ing the settlement transaction is already final (ie. the update transaction=
 is confirmed and the CSV delay has passed). So now I also need to know whe=
n to close the channel with the update transaction. I&#39;ll assume it will=
 take at most D_update blocks from the time I broadcast the update transact=
ion for it to be mined. So unless the downstream HTLC is already failed, I =
should always close the upstream channel at height X - D_success - CSV_upda=
te - D_update.</div></div><div><br></div><div>Now we&#39;ll look at the dow=
nstream HTLC with CLTV =3D Y. In order to minimize the safe delta between t=
he upstream and downstream CLTVs, I will want to broadcast and confirm an H=
TLC-timeout transaction as soon after height Y as possible. So assuming tha=
t the downstream settlement transaction is final at height Y and it takes a=
t most D_timeout blocks for the HTLC timeout transaction to confirm once it=
 is final assuming no double spends, then Y + D_timeout is very latest I mi=
ght learn the payment preimage from the downstream channel on-chain. So I s=
hould be safe as long as X - D_success &gt; Y + D_timeout. This assumes tha=
t the update transaction for the downstream channel is already mined and th=
e CSV has passed. However, we know from above that I had to close the upstr=
eam channel at time X - D_success - CSV_update - D_update, which may very w=
ell be before Y. So if the downstream hop waits until just before Y to publ=
ish the preimage, they can force me to close my upstream channel. This appl=
ies transitively for further upstream hops, assuming a large enough CSV val=
ue.</div><div><br></div><div>Granted, upstream hops can watch the blockchai=
n for preimage reveals in other closings transaction and perhaps fulfill of=
f-chain if there is sufficient time. This would not be possible with paymen=
t decorrelation through scriptless scripts or the like.</div><div><br></div=
><div>Does that logic sound right to you?</div></div><div class=3D"gmail_ex=
tra"><br><div class=3D"gmail_quote">On Tue, May 1, 2018 at 10:31 AM, Christ=
ian Decker <span dir=3D"ltr">&lt;<a href=3D"mailto:decker.christian@gmail.c=
om" target=3D"_blank">decker.christian@gmail.com</a>&gt;</span> wrote:<br><=
blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px=
 #ccc solid;padding-left:1ex"><span class=3D"">Jim Posen &lt;<a href=3D"mai=
lto:jim.posen@gmail.com">jim.posen@gmail.com</a>&gt; writes:<br>
&gt; I&#39;m still not following why this doesn&#39;t accumulate.<br>
&gt;<br>
&gt; In the example route, let&#39;s look at it from the point of view of C=
. C sees<br>
&gt; the following regardless of whether D or E or someone behind E is the =
last<br>
&gt; hop in the route:<br>
&gt;<br>
&gt; B -&gt; HTLC(expire =3D X + delta) -&gt; C -&gt; HTLC(expire =3D X) -&=
gt; D<br>
&gt;<br>
&gt; So D is not required to reveal the preimage before time X, and in the =
case<br>
&gt; of an on-chain settle, C needs to be able to redeem the HTLC output th=
rough<br>
&gt; the timeout clause before time X + delta. C can&#39;t redeem the HTLC =
(with<br>
&gt; sufficient confirmations) at least until the settlement transaction is=
<br>
&gt; confirmed. So it seems to me that regardless of the overall route and =
the<br>
&gt; maximum CSV on it, the delta for the C hop has to be greater than the =
CSV<br>
&gt; delay on the update transaction. And that this must be true at every h=
op<br>
&gt; for the same reason.<br>
<br>
</span>That&#39;d be a purely reactionary behavior, i.e., chosing the delta=
 in such<br>
a way that I can both settle the channel and have enough time to react<br>
to turn around and reveal the preimage. So with the assumptions we had<br>
before (CSV =3D 144 and CLTV delta =3D 144) you&#39;d have an effective del=
ta of<br>
288 on each hop, yes. That&#39;s basically the case in which each channel<b=
r>
reacts serially.<br>
<br>
You can trivially parallelize these closures by looking ahead and<br>
noticing that each hop really just cares about its own closure deadline,<br=
>
i.e., each node just cares to close 288 blocks before the CLTV expires,<br>
not that its delta w.r.t. to the downstream channel is that far in the<br>
future. So all we care about is that once we are due to give the<br>
upstream hop the preimage we&#39;ve already closed the downstream channel<b=
r>
and can now read the HTLC preimage from that channel.<br>
<br>
The CSV timeout isn&#39;t part of the delta on each hop, but we need to<br>
implement the deadline computation as:<br>
<br>
```<br>
CLTV - CLTV delta - CSV<br>
```<br>
<br>
instead of LN-penaltiy&#39;s<br>
<br>
```<br>
CLTV - CLTV delta<br>
```<br>
</blockquote></div><br></div>

--0000000000008d9e47056b2ed19d--