1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
|
Return-Path: <antoine.riard@gmail.com>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
by lists.linuxfoundation.org (Postfix) with ESMTP id 43972C0032;
Mon, 13 Nov 2023 02:18:30 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp2.osuosl.org (Postfix) with ESMTP id 175364016C;
Mon, 13 Nov 2023 02:18:30 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 175364016C
Authentication-Results: smtp2.osuosl.org;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
header.a=rsa-sha256 header.s=20230601 header.b=kkPIcqpV
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from smtp2.osuosl.org ([127.0.0.1])
by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id hjvrjusWZpGp; Mon, 13 Nov 2023 02:18:28 +0000 (UTC)
Received: from mail-il1-x12a.google.com (mail-il1-x12a.google.com
[IPv6:2607:f8b0:4864:20::12a])
by smtp2.osuosl.org (Postfix) with ESMTPS id 1AC4840102;
Mon, 13 Nov 2023 02:18:28 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 1AC4840102
Received: by mail-il1-x12a.google.com with SMTP id
e9e14a558f8ab-3594cb642beso16396565ab.3;
Sun, 12 Nov 2023 18:18:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1699841907; x=1700446707;
darn=lists.linuxfoundation.org;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:from:to:cc:subject:date:message-id:reply-to;
bh=vmCnxqrzD/uYw+qAwCeYqnPqkuGdKFX9IxEfTghPdyo=;
b=kkPIcqpVCjyB8YiXnI6gCTPir8+4qG1rRonU8Fu2GdiUnYW7bJZHiYk1sGVpSxUsbR
mjx9UgMHRpsIO/LqSWs266ooH6Tc9oYGyNY+na9MDBEA+EkJ3DDu5vW2yz03MtByvFik
VTavWH0YKEJDtIGN10u3Zn7sAPSySEwGXznGO5UNnBc2JnrObtJx3qQ/QSSoNAUhvYns
vaxneVxXBmM8mADYC8sp3sECox9tlrhjDNMN60H+pHpmHbj3Gy0xlrhLfngZM4VWF0aD
QwxJZsq0VFklgXLNsQF2aR2+IdMoyvKuizAdaXWLdsqvOkjCZUzHgipol/dvzgVx/BrV
45dQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1699841907; x=1700446707;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=vmCnxqrzD/uYw+qAwCeYqnPqkuGdKFX9IxEfTghPdyo=;
b=MPR9d6YuC+X1BaBO57aDq7NWcG6XiOtP72uFhEJl9km2VujDhfBsWqHaOou0GnrUA6
ZG+SAcnxrvrkT4WiGO4duvcpNBPJ4NHar3L8TZxoKdwM9K9E5Y58uh++Vga6FYstRv36
i0Eb3BQJvED8q6c2jCiLEQDCnIxBKXXz4OhAeTJitfUB6UZrH/QWZ+9hpq186wGx0SV+
BoFso58BuDUCssqWOXLhjOK95yJ689CYXjn2D4fTUtiZea/wZvz86qLU1V9MMKbAazgG
dYsSWCZchpSvpo0PC0Y2WC0Ed7QgrgzLV94FU1sBZPBD1UORHUaZM95gueRR0EDKl6xr
uecQ==
X-Gm-Message-State: AOJu0YxAPBWvukZL/BfU2NqbjLBSqTJ5n/zuWInzZGcFmtut+yiXZtw9
trcLEvP4z4UqVNd+DeuV9LZtsyjVMjCQ7wjELp4=
X-Google-Smtp-Source: AGHT+IEGL32SJoht3HB73yCdkxUNbnR6p7IY8A+Xc895w3ZNWf7XA9Sx8r9diLonYZ38jpb/hx1agYB4f4+3HejQVmk=
X-Received: by 2002:a05:6e02:20c5:b0:359:47b9:7bef with SMTP id
5-20020a056e0220c500b0035947b97befmr7980892ilq.1.1699841907035; Sun, 12 Nov
2023 18:18:27 -0800 (PST)
MIME-Version: 1.0
References: <CALZpt+EZqfj=G=E37hA+k9pKYfvE0jkc3UU+H8sJVm=H3CO-JA@mail.gmail.com>
<CALZpt+GXGBbo0JjOyMr3B-3dVY2Q_DuzF6Sn3xE5W24x77PRYg@mail.gmail.com>
<ZUrbk9a9jiL87pxd@petertodd.org> <ZUrtHyQBOEZTM3Bj@petertodd.org>
In-Reply-To: <ZUrtHyQBOEZTM3Bj@petertodd.org>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Mon, 13 Nov 2023 02:18:16 +0000
Message-ID: <CALZpt+FEwjwQQWY6TBFuWeZbqC6Ywa7eSTcpqYuQPZ6+6QBzaw@mail.gmail.com>
To: Peter Todd <pete@petertodd.org>
Content-Type: multipart/alternative; boundary="0000000000000b13670609ff49e6"
X-Mailman-Approved-At: Mon, 13 Nov 2023 10:19:55 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
security@ariard.me, "lightning-dev\\\\@lists.linuxfoundation.org"
<lightning-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making
HTLCs Safer by Letting Transactions Expire Safely
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Nov 2023 02:18:30 -0000
--0000000000000b13670609ff49e6
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Your two latest mails.
> The problem that OP_Expire aims to solve is the fact that Carol could
prevent
> Bob from learning about the preimage in time, while still getting a
chance to
> use the preimage herself. OP_Expire thoroughly solves that problem by
ensuring
> that the preimage is either broadcast in the blockchain in a timely
fashion, or
> becomes useless.
I respectfully disagree - There is a more general underlying issue for
outdated states in multi-party off-chain constructions, where any "revoked"
or "updated" consensus-valid state can be used to jam the latest off-chain
agreed-on, through techniques like replacement cycling or pinning.
> My suggestion of pre-signing RBF replacements, without anchor outputs,
and with
> all outputs rendered unspendable with 1 CSV, is clearly superior: there
are
> zero degrees of freedom to the attacker, other than the possibility of
> increasing the fee paid or broadcasting a revoked commitment. The latter
of
> course risks the other party punishing the fraud.
Assuming the max RBF replacement is pre-signed at 200 sats / vb, with
commitment transaction of ~268 vbytes and at least one second-stage HTLC
transaction of ~175 vbytes including witness size, a channel counterparty
must keep at worst a fee-bumping reserve of 35 268 sats, whatever payment
value. As of today, any payment under $13 has to become trimmed HTLCs.
Trimmed HTLCs are coming with their own wormhole of issues, notably making
them a target to be stolen by low-hashrate capabilities attackers [0].
[0]
https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-May/002714.h=
tml
> This does have the practical problem that a set of refund transactions
will
> also need to be signed for each fee variant. But, eg, signing 10x of each
isn't
> so burdensome. And in the future that problem could be avoided with
> SIGHASH_NOINPUT, or replacing the pre-signed refund transaction mechanism
with
> a covenant.
I think if you wish to be safe against fees griefing games between
counterparties, both counterparties have to maintain their own fee-bumping
reserves, which make channel usage less capital efficient, rather than
being drawn from a common reserve.
> Using RBF rather than CPFP with package relay also has the advantage of
being
> more efficient, as no blockspace needs to be consumed by the anchor
outputs or
> transactions spending them. Of course, there are special circumstances
where
> BIP125 rules can cause CPFP to be cheaper. But we can easily fix that, eg
by
> reducing the replacement relay fee, or by delta-encoding transaction
updates.
It is left as an exercise to the reader how to break the RBF approach for
LN channels as proposed.
> As SIGHASH_NOINPUT is desirable for LN-Symmetry, a softfork containing
both it
> and OP_Expire could make sense.
I think there is one obvious issue of pre-signing RBF replacements combined
with LN-symmetry, namely every state has to pre-commit to fee values
attached and such states might spend each other in chain. So now you would
need `max-rbf-replacement` * `max-theoretical-number-of-states` of
fee-bumping reserves unless you can pipe fee value with some covenant
magic, I think.
> In existing anchor output transactions, this type of attack wouldn't work
as
> when broadcasting the transaction, Alice would be spending her anchor
output,
> which Bob can't double spend.
However Bob can double-spend Alice's commitment transaction with his own
commitment transaction and a CPFP, as long as it's a better ancestor
feerate and absolute fee package, then double-spend his own CPFP. Which is
exactly what my test is doing so I don't think your statement of saying
this type of advanced replacement cycling attack wouldn't work isn't
correct.
Best,
Antoine
Le mer. 8 nov. 2023 =C3=A0 02:06, Peter Todd <pete@petertodd.org> a =C3=A9c=
rit :
> On Wed, Nov 08, 2023 at 12:51:31AM +0000, Peter Todd via bitcoin-dev wrot=
e:
> > > In a post-package relay world, I think this is possible. And that
> > > replacement cycling attacks are breaking future dynamic fee-bumping o=
f
> > > pre-signed transactions concerns me a lot.
> >
> > Well the answer here is pretty clear: v3 package relay with anchors is
> broken.
>
> BTW a subtlety of this that may not be obvious is that in v3 package rela=
y,
> with zero value outputs, the outputs must be spent in the same package.
> Thus
> _unlike_ existing anchor-using transactions, there would be only one anch=
or
> output on the commitment transaction.
>
> In existing anchor output transactions, this type of attack wouldn't work
> as
> when broadcasting the transaction, Alice would be spending her anchor
> output,
> which Bob can't double spend. But that doesn't work in v3, which intends =
to
> limit UTXO growth by requiring that anchors be spent in the same package.
> Thus
> unlike existing anchor outputs, an anchor would be truly a OP_1 output
> without
> a signature, and thus belong to either Alice nor Bob uniquely.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
--0000000000000b13670609ff49e6
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Your two latest mails.<div><br></div><div>> The problem=
that OP_Expire aims to solve is the fact that Carol could prevent<br>> =
Bob from learning about the preimage in time, while still getting a chance =
to<br>> use the preimage herself. OP_Expire thoroughly solves that probl=
em by ensuring<br>> that the preimage is either broadcast in the blockch=
ain in a timely fashion, or<br>> becomes useless.<br></div><div><br></di=
v><div>I respectfully disagree - There is a more general underlying issue f=
or outdated states in multi-party off-chain constructions, where any "=
revoked" or "updated" consensus-valid state can be used to j=
am the latest off-chain agreed-on, through techniques like replacement cycl=
ing or pinning.</div><div><br></div><div>> My suggestion of pre-signing =
RBF replacements, without anchor outputs, and with<br>> all outputs rend=
ered unspendable with 1 CSV, is clearly superior: there are<br>> zero de=
grees of freedom to the attacker, other than the possibility of<br>> inc=
reasing the fee paid or broadcasting a revoked commitment. The latter of<br=
>> course risks the other party punishing the fraud.<br></div><div><br><=
/div><div>Assuming the max RBF replacement is pre-signed at 200 sats / vb, =
with commitment transaction of ~268 vbytes and at least one second-stage HT=
LC transaction of ~175 vbytes including witness size, a channel counterpart=
y must keep at worst a fee-bumping reserve of 35 268 sats, whatever payment=
value. As of today, any payment under $13 has to become trimmed HTLCs. Tri=
mmed HTLCs are coming with their own wormhole of issues, notably making the=
m a target to be stolen by low-hashrate capabilities attackers [0].</div><d=
iv><br></div><div>[0] <a href=3D"https://lists.linuxfoundation.org/pipermai=
l/lightning-dev/2020-May/002714.html">https://lists.linuxfoundation.org/pip=
ermail/lightning-dev/2020-May/002714.html</a></div><div><br></div><div>>=
This does have the practical problem that a set of refund transactions wil=
l</div>> also need to be signed for each fee variant. But, eg, signing 1=
0x of each isn't<br>> so burdensome. And in the future that problem =
could be avoided with<br>> SIGHASH_NOINPUT, or replacing the pre-signed =
refund transaction mechanism with<br>> a covenant.<div><br></div><div>I =
think if you wish to be safe against fees griefing games between counterpar=
ties, both counterparties have to maintain their own fee-bumping reserves, =
which make channel usage less capital efficient, rather than being drawn fr=
om a common reserve.</div><div><br></div><div>> Using RBF rather than CP=
FP with package relay also has the advantage of being<br>> more efficien=
t, as no blockspace needs to be consumed by the anchor outputs or<br>> t=
ransactions spending them. Of course, there are special circumstances where=
<br>> BIP125 rules can cause CPFP to be cheaper. But we can easily fix t=
hat, eg by<br>> reducing the replacement relay fee, or by delta-encoding=
transaction updates.<br></div><div><br></div><div>It is left as an exercis=
e to the reader how to break the RBF approach for LN channels as proposed.<=
/div><div><br></div><div>> As SIGHASH_NOINPUT is desirable for LN-Symmet=
ry, a softfork containing both it<br>> and OP_Expire could make sense.<b=
r></div><div><br></div><div>I think there is one obvious issue of pre-signi=
ng RBF replacements combined with LN-symmetry, namely every state has to pr=
e-commit to fee values attached and such states might spend each other in c=
hain. So now you would need `max-rbf-replacement` * =C2=A0`max-theoretical-=
number-of-states` of fee-bumping reserves unless you can pipe fee value wit=
h some covenant magic, I think.</div><div><br></div><div>> In existing a=
nchor output transactions, this type of attack wouldn't work as<br>>=
when broadcasting the transaction, Alice would be spending her anchor outp=
ut,<br>> which Bob can't double spend.<br></div><div><br></div><div>=
However Bob can double-spend Alice's commitment transaction with his ow=
n commitment transaction and a CPFP, as long as it's a better ancestor =
feerate and absolute fee package, then double-spend his own CPFP. Which is =
exactly what my test is doing so I don't think your statement of saying=
this type of advanced replacement cycling attack wouldn't work isn'=
;t correct.</div><div><br></div><div>Best,</div><div>Antoine</div></div><br=
><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">Le=C2=A0m=
er. 8 nov. 2023 =C3=A0=C2=A002:06, Peter Todd <<a href=3D"mailto:pete@pe=
tertodd.org">pete@petertodd.org</a>> a =C3=A9crit=C2=A0:<br></div><block=
quote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left-w=
idth:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding=
-left:1ex">On Wed, Nov 08, 2023 at 12:51:31AM +0000, Peter Todd via bitcoin=
-dev wrote:<br>
> > In a post-package relay world, I think this is possible. And that=
<br>
> > replacement cycling attacks are breaking future dynamic fee-bumpi=
ng of<br>
> > pre-signed transactions concerns me a lot.<br>
> <br>
> Well the answer here is pretty clear: v3 package relay with anchors is=
broken.<br>
<br>
BTW a subtlety of this that may not be obvious is that in v3 package relay,=
<br>
with zero value outputs, the outputs must be spent in the same package. Thu=
s<br>
_unlike_ existing anchor-using transactions, there would be only one anchor=
<br>
output on the commitment transaction.<br>
<br>
In existing anchor output transactions, this type of attack wouldn't wo=
rk as<br>
when broadcasting the transaction, Alice would be spending her anchor outpu=
t,<br>
which Bob can't double spend. But that doesn't work in v3, which in=
tends to<br>
limit UTXO growth by requiring that anchors be spent in the same package. T=
hus<br>
unlike existing anchor outputs, an anchor would be truly a OP_1 output with=
out<br>
a signature, and thus belong to either Alice nor Bob uniquely.<br>
<br>
-- <br>
<a href=3D"https://petertodd.org" rel=3D"noreferrer" target=3D"_blank">http=
s://petertodd.org</a> 'peter'[:-1]@<a href=3D"http://petertodd.org"=
rel=3D"noreferrer" target=3D"_blank">petertodd.org</a><br>
</blockquote></div>
--0000000000000b13670609ff49e6--
|
