Feedback-ID: i525146e8:Fastmail
Date: Sat, 21 Oct 2023 02:43:31 +0000
From: Peter Todd <pete@petertodd.org>
To: Matt Corallo <lf-lists@mattcorallo.com>
Message-ID: <ZTM607UFnxgXPSNp@petertodd.org>
References: <eW4O0HQJ2cbrzZhXSlgeDRWuhgRHXcAxIQCHJiqPh1zUxr270xPvl_tb7C4DUauZy56HaCq6BqGN9p4k-bkqQmLb4EHzPgIxZIZGVPlqyF0=@protonmail.com>
 <64VpLnXQLbeoc895Z9aR7C1CfH6IFxPFDrk0om-md1eqvdMczLSnhwH29T6EWCXgiGQiRqQnAYsezbvNvoPCdcfvCvp__Y8BA1ow5UwY2yQ=@protonmail.com>
 <ZTJW59wQ/4WLZt2h@petertodd.org> <ZTJej/ipIl5hZIUn@petertodd.org>
 <CAGyamEVGe+z96Rc52V0j=a+He3frzhHEk_NPunXA-g1MwXXdGw@mail.gmail.com>
 <1a84a36c-ec23-43b5-9a61-1aafdc188892@mattcorallo.com>
 <ZTMYGcRvHh0Iwe2y@petertodd.org>
 <24a18bdd-eef6-4f96-b8a5-05f64130a5c5@mattcorallo.com>
 <ZTModpNyIQ3qFFI3@petertodd.org>
 <c7ca9861-0734-4065-851a-8af9cabd7e87@mattcorallo.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="CedIk7JjJKWOfgrM"
Content-Disposition: inline
In-Reply-To: <c7ca9861-0734-4065-851a-8af9cabd7e87@mattcorallo.com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
 security@ariard.me,
 "lightning-dev\\\\\\\\\\\\\\\\@lists.linuxfoundation.org"
 <lightning-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] [Lightning-dev] Full Disclosure: CVE-2023-40231 /
 CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are
 belong to us"
Precedence: list


--CedIk7JjJKWOfgrM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Oct 20, 2023 at 09:55:12PM -0400, Matt Corallo wrote:
> > Quite the contrary. Schnorr signatures are 64 bytes, so in situations l=
ike
> > lightning where the transaction form is deterministically derived, sign=
ing 100
> > extra transactions requires just 6400 extra bytes. Even a very slow 100=
KB/s
> > connection can transfer that in 64ms; latency will still dominate.
>=20
> Lightning today isn't all that much data, but multiply it by 100 and we
> start racking up data enough that people may start to have to store a rea=
lly
> material amount of data for larger nodes and dealing with that starts to =
be
> a much bigger pain then when we're talking about a GiB or twenty.

We are talking about storing ephemeral data here, HTLC transactions and
possibly commitment transactions. Since lightning uses disclosed secrets to
invalidate old state, you do not need to keep every signature from your
counterparty indefinitely.

Per channel, with the above numbers, you'd need <10KB worth of extra signat=
ures
to fee bump the current commitment (with pre-signed txs), and if HTLCs happ=
en
to be in flight, say <10KB of extra signatures per HTLC.

Amazon AWS charges $0.125/GB/month for their most expensive SSD volumes. Le=
t's
round that up to $1/GB/month to account for RAID and backups. Let's say each
channel constantly has 483 HTLC's in flight, and each HTLC is associated wi=
th
~10KB of extra data for pre-signed transactions.

That's ~5MB/channel of data you constantly need to store, or $0.005/month.

In what world is that too expensive or too much of a pain to deal with? If
you're node is actually that busy, you're probably making that cost back per
channel every minute, or better.

> > RBF has a minimum incremental relay fee of 1sat/vByte by default. So if=
 you use
> > those 100 pre-signed transaction variants to do nothing more than sign =
every
> > possible minimum incremental relay, you've covered a range of 1sat/vByt=
e to
> > 100sat/vByte. I believe that is sufficient to get mined for any block in
> > Bitcoin's entire modern history.
> >=20
> > CPFP meanwhile requires two transactions, and thus extra bytes. Other t=
han edge
> > cases with very large transactions in low-fee environments, there's no
> > circumstance where CPFP beats RBF.
>=20
> What I was referring to is that if we have the SIGHASH_SINGLE|ANYONECANPAY
> we can combine many HTLC claims into one transaction, vs pre-signing means
> we're stuck with a ton of individual transactions.

Since SIGHASH_SINGLE requires one output per input, the savings you get by
combining multiple SIGHASH_SINGLE transactions together aren't very
significant. Just 18 bytes for nVersion, nLockTime, and the txin and txout =
size
fields. The HTLC-timeout transaction is 166.5 vBytes, so that's a savings of
just 11%

Of course, if you _do_ need to fee bump and add an additional input, that i=
nput
takes up space, and you'll probably need a change output. At which point you
again would probably have been better off with a pre-signed transaction.

You are also assuming there's lots of HTLC's in flight that need to be spen=
t.
That's very often not the case.

--=20
https://petertodd.org 'peter'[:-1]@petertodd.org

--CedIk7JjJKWOfgrM
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0RcYcKRzsEwFZ3N5Lly11TVRLzcFAmUzOtEACgkQLly11TVR
LzeyLw/8DjdYmEWuCDfdXUX3j8NY0wH5RdOQvp5sojBjD8eoj9SZathHnQNk91Fs
GBhXNNw+Ib8EpH8EtzZN67lYlhPVe0xyGZfjN1yulgkPjsugLmpagHbNQ6em6ACq
eU/R12sjc7LFZ1ncbTIuj9HUY/TSbcbUrnH9R7BetR1YQnlZBtAAj+O3Pt8cQLxX
PMEnWhDXfYELFzWr/jMQPw61wioK40TAL8iD4CfYqg617VhfgTp3oMIQD3LwP+eT
fpANHyaMyvL3jcJvIWSSBwLz5peMMUujo+gRfcKLTF2UNF5q+Zyc69xfFqtgqp59
vAQ7c2J2oJWHe42c7GzEBurfulMAy8Rk3t1ry4zooCFbotQRVFLC/9p0KOEBE4BE
goPE1FBI2EsS0nQZxa3VG1AmRX9Bv+9h9OXWcX2N9zW/IpfcgEUmMvv2VdyCZ4vj
bx94px6IzzHgZIXKUjgBku8r6Lc4k7QqqPzcimNmLFjWj4gUytvE1hXiu1o534Xw
IGnLoG/51yRavbbmj9rVAV4mowMRL2kVexJwSbetIDAjpCQ0K5teoshkQkAmxIdp
W7wWpWiTPMdXduTFXis26a0dZePaJHOzwFaFwTqA7kNZPdKjPjD4TbO+BH5lhjjX
pDqSRnMGfHttQrIAfmJXe9Ne4SJbTiUehD2KJEmzhS9oIkD2/ZE=
=axbj
-----END PGP SIGNATURE-----

--CedIk7JjJKWOfgrM--