1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
|
Return-Path: <antoine.riard@gmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id C3210C000B;
Sat, 19 Jun 2021 01:34:44 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp1.osuosl.org (Postfix) with ESMTP id 9CDC9842BD;
Sat, 19 Jun 2021 01:34:44 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: smtp1.osuosl.org (amavisd-new);
dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp1.osuosl.org ([127.0.0.1])
by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id fOuLmKfErDGi; Sat, 19 Jun 2021 01:34:42 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com
[IPv6:2a00:1450:4864:20::42c])
by smtp1.osuosl.org (Postfix) with ESMTPS id 5256882C75;
Sat, 19 Jun 2021 01:34:42 +0000 (UTC)
Received: by mail-wr1-x42c.google.com with SMTP id o3so12675230wri.8;
Fri, 18 Jun 2021 18:34:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
bh=3WBqKoVHy52fhE16nmli/gfE/bzgngPEBC/G6dzVSO4=;
b=TUxHx48tJq67PMKvQBl/z7Cn4ugwyrWGW6tlvlRwiuzZTqL3JfyHt1hLB9mvqt5nZQ
Qak7hXazG+s534iMDgOu7RM/DlHJ0vqOa6zGBY6QU2tQb3/M7AT8KpXQ8h4jn7SfYdWB
2uVF+x9y23TXSGbnkZBwqeoVBmvX2wNqUZKiqYmaIN/I0KWA3Hc8oB/kLCK/l1HfAxbW
1J+pTg0bDm8xqlpCuSvTAiN5oU2QFt9DbbRr4k3INU/uWesSot8U+LHP4UNpCbzplJKj
ACa2nCbNEcZK+lEf1CRl92OCWxBRRS+LRXU8VuYAHRrs4fj8SeKiN+7wMAjYgtTSB3AD
HuQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to;
bh=3WBqKoVHy52fhE16nmli/gfE/bzgngPEBC/G6dzVSO4=;
b=j5v25bsq2OdkuOcF7s3lR7scAPG+agXpT6VszegnvNqEVqc7eHk+fE63Za+NE2jIYU
aMyWQ273bMVs2Kvug7ZyEeuhD0PYfwANROIauNo+s+KVvjVevtwPKSF92eHVORwF3Ts3
o50uB+3VtyGzUNUDZ6sKfKWYWcmDbgxj+EUKAmL3vIqvyOeiJfFLYvIvpbPgeAo5ijFO
2qMoqRclteN/x0UZaMYzilOqIfkOvJNQMGMY0aixhYH1SmouEpmR/5ZQ9DgTXF6cpuOu
VNi7sHjEZv6Q4KlhueeGBJnNm4esDxn3ZQ0cnflGnTaC1XSWRpM08sAfHTl8FqdlqqDy
5gpg==
X-Gm-Message-State: AOAM5308cShuf/kBh/+hnQN2etl21TjSqU6SeQY1DFlMPoSSdvseO92U
UKZ0zKHsFgraHbe8CDVol4A9yVDRLEKlGTSntWYWtVzb2NU=
X-Google-Smtp-Source: ABdhPJwsXzgPXrucsFL6AsCILbopKaCXMHg55tffwzryjZq9T2Comr0aGrfJlLMFVhqJYPN/hmwkrfYDP95NgXFH52M=
X-Received: by 2002:a5d:40c7:: with SMTP id b7mr5836184wrq.224.1624066480178;
Fri, 18 Jun 2021 18:34:40 -0700 (PDT)
MIME-Version: 1.0
References: <CALZpt+FF_TT_K3wjWhhaDE6Ue=RAsM2JWO7-mYjm5LtHqJvNmg@mail.gmail.com>
In-Reply-To: <CALZpt+FF_TT_K3wjWhhaDE6Ue=RAsM2JWO7-mYjm5LtHqJvNmg@mail.gmail.com>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Fri, 18 Jun 2021 21:34:28 -0400
Message-ID: <CALZpt+FZWm=cV-RJTWgCQg4F+Jnbt=zSOsDpe8L4UCLe9SB-dA@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
"lightning-dev\\\\@lists.linuxfoundation.org"
<lightning-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000a48a0005c5147135"
X-Mailman-Approved-At: Sat, 19 Jun 2021 02:23:32 +0000
Subject: Re: [bitcoin-dev] Waiting SIGHASH_ANYPREVOUT and Packing Packages
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Jun 2021 01:34:44 -0000
--000000000000a48a0005c5147135
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
> That's a question I hope we'll gather feedback during next Thursday's
transaction relay workshops.
As someone kindly pointed out to me, workshop is happening Tuesday, June
22th. Not Thursday, mistake of mine :/
Le ven. 18 juin 2021 =C3=A0 18:11, Antoine Riard <antoine.riard@gmail.com> =
a
=C3=A9crit :
> Hi,
>
> It's a big chunk, so if you don't have time browse parts 1 and 2 and shar=
e
> your 2 sats on the deployment timeline :p
>
> This post recalls some unsolved safety holes about Lightning, how
> package-relay or SIGHASH_ANYPREVOUT can solve the first one, how a mempoo=
l
> hardening can solve the second one, few considerations on package-relay
> design trade-offs and propose a rough deployment timeline.
>
> 1) Lightning Safety Holes : Pre-Signed Feerate and Tx-Pinning (to skip if
> you're a LN dev)
>
> As of today, Lightning is suffering from 2 safety holes w.r.t to
> base-layer interactions, widely discussed among ln devs.
>
> The first one, the pre-signed feerate issue with future broadcasted
> time-sensitive transactions is laid out clearly in Matt Corallo's "CPFP
> Carve-Out Fee-Prediction Issues in Contracting Applications (eg Lightning=
)"
> [0]. This issue might provoke loss of funds, even in non-adversarial
> settings, i.e a Lightning routing hub not being able to settle backward
> onchain a successful HTLC during occurrences of sudden mempool congestion=
.
>
> As blockspace demand increases with an always growing number of
> onchain/offchain bitcoin users, coupling effects are more likely to happe=
n
> and this pre-signed feerate issue is going to become more urgent to solve
> [1]. For e.g, few percentiles of increases in feerate being overpriced by
> Lightning routing hubs to close "fractional-reserve" backed anchor
> channels, driving mempools congestions, provoking anchor channels
> fee-bumping reserves becoming even more under-provisioned and thus close
> down, etc.
>
> The second issue, malicious transaction pinnings, is documented in Bastie=
n
> Teinturier's "Pinning Attacks" [2]. AFAIK, there is a rough consensus amo=
ng
> devs on the conceptual feasibility of such a class of attacks against a L=
N
> node, though so far we have not seen them executed in the wild and I'm no=
t
> aware of anyone having realized them in real-world conditions. Note, ther=
e
> is a variety of attack scenarios to consider which is function of a wide
> matrix (channel types, LN implementation's `update_fee` policy, LN
> implementation's `cltv_delta` policy, mempool congestion feerate groups,
> routing hubs or end nodes) Demoing against deployed LN implementations wi=
th
> default settings has been on my todo for a while, though a priori One
> Scenario To Exploit Them All doesn't fit well.
>
> Side-note, as a LN operator, if you're worried about those security risks=
,
> you can bump your `cltv_delta`/`cltv_expiry_delta` to significantly coars=
e
> the attacks.
>
> I think there is an important point to underscore. Considering the state
> of knowledge we have today, I believe there is no strong interdependency
> between solving pre-signed feerate and tx-pinning with the same mechanism
> from a safety/usability standpoint. Or last such mechanism can be deploye=
d
> by stages.
>
> 2) Solving the Pre-Signed Feerate problem : Package-Relay or
> SIGHASH_ANYPREVOUT
>
> For Lightning, either package-relay or SIGHASH_ANYPREVOUT should be able
> to solve the pre-signed feerate issue [3]
>
> One of the interesting points recalled during the first transaction relay
> workshops was that L2s making unbounded security assumptions on
> non-normative tx-relay/mempool acceptance rules sounds a wrong direction
> for the Bitcoin ecosystem long-term, and more prone to subtle bugs/safety
> risks across the ecosystem.
>
> I did express the contrary, public opinion a while back [4]. That said, I
> start to agree it's wiser ecosystem-wise to keep those non-normatives rul=
es
> as only a groundwork for weaker assumptions than consensus ones. Though i=
t
> would be nice for long-term L2s stability to consider them with more care
> than today in our base-layer protocol development process [4]
>
> On this rational, I now share the opinion it's better long-term to solve
> the pre-signed feerate problem with a consensus change such as
> SIGHASH_ANYPREVOUT rather than having too much off-chain coins relying on
> the weaker assumptions offered by bitcoin core's tx-relay/mempool
> acceptance rules, and far harder to replicate and disseminate across the
> ecosystem.
>
> However, if SIGHASH_ANYPREVOUT is Things Done Right(tm), should we discar=
d
> package-relay ?
>
> Sadly, in the worst-case scenario we might never reach consensus again
> across the ecosystem and Taproot is the last softfork. Ever :/ *sad violo=
ns
> and tissues jingle*
>
> With this dilemma in mind, it might be wise for the LN/L2 ecosystems to
> have a fall-back plan to solve their safety/usability issues and
> package-relay sounds a reasonable, temporary "patch".
>
> Even if package-relay requires serious engineering effort in Bitcoin Core
> to avoid introducing new DoSes, swallowing well the complexity increase i=
n
> critical code paths such as the mempool/p2p stack and a gentle API design
> for our friends the L2 devs, I believe it's worthy the engineering
> resources cost. From-my-completely-biased-LN-dev viewpoint :p
>
> In the best-case scenario, we'll activate SIGHASH_ANYPREVOUT and better
> fee-bumping primitives softforks [5] slowly strip off the "L2 fee-bumping
> primitive" semantic from "package-relay", friendly nudge the L2 ecosystem
> to seat their fee-bumping on safer, consensus assumptions and maybe keep
> the p2p packages to improve on the malicious mempool-partitions-side or a=
s
> a replacement of our orphan logic.
>
> 3) Solving Tx-Pinnings : Hardening the Mempool against Tx-Relay Jammings
> attacks
>
> Current Mempool anti-DoS rules have been mostly designed at a time where
> the shared-utxo model with competing time-sensitive transactions was stil=
l
> an idea on the whiteboard. The last few years have revealed those anti-Do=
S
> rules as a source of security vulnerabilities for Lightning and a researc=
h
> concern for L2s still in the early-phase of deployment [6].
>
> Beyond real-world pinning exercises against production software as a
> complement of the current pinning attacks research, it would be better to
> agree on a common L2 attacker model before to modify widely-relied subset
> of the mempool, such as the replace-by-fee logic or the in-mempool packag=
e
> limits [7]. One risk of uncareful changes in this area would be to solve =
a
> pinning vector for a L2-alice but introduce a new vuln for a L2-bob.
>
> I believe the first part of such a revamp could hopefully land somehow
> next year. Though, IMHO, in the years to come, we'll have to do more hard
> reasoning to ensure the mempool supports advanced Bitcoin protocols (e.g
> OP_CTV congestion tree, CoinPool, interactive cut-through, ...)
>
> Note the opinion I raised above on quality of assumptions on mempool
> behavior, even if we harden it on the base-layer side, L2s should be
> well-aware the product is shipped with a guarantee limitation :p
>
> 4) Considerations on Package-Relay Design
>
> Package relay relies on at least two cleanly separate components (awesome=
,
> if we schedule to deprecate the higher half in the future!)
> * "the higher half" : extension of the mempool logic, with a new
> package-level policy, not strictly intersecting with the tx-level policy
> * "the lower half" : at least three different designs, receiver initiated=
,
> sender-initiated and relay-initiated
>
> One open design question for the "higher half" is the package-size of the
> acceptance logic, which is ultimately a function of the L2 ecosystem stat=
e.
> Do we have deployed or in deployment phase L2 protocols with a need for
> more than 2-stage and if yes what API bounds do they expect ? That's a
> question I hope we'll gather feedback during next Thursday's transaction
> relay workshops. IMO, such package API should come out with a specificati=
on
> on which L2-community can be gathered and public consensus established. F=
or
> the same communications reasons towards downstream projects, we have a
> BIP125 standard. And especially in this case the bitcoin core protocol
> development process should carefully listen to the needs of actual L2
> users. Also, a lot of those L2 devs, they don't speak C++ :)
>
> One could imagine those mempool standards as "perishable" contracts
> between a base-layer implementation and the upper layers, with ultimately
> the full-node implementation reserving itself the right to deprecate them=
,
> maybe with a lengthy-warning period ?
>
> Beyond that, I believe there is another remaining interdependency between
> "the lower half" design and L2s behaviors, namely bandwidth waste in case
> of a high-frequency of package redundancy. Let's say if a package is
> composed of {A, B}, and the package broadcaster fee-bump, triggering the
> transformation to {A, B'}, A bandwidth at first propagation is going to b=
e
> wasted. Note, if we assume a dynamic fee-market, this package rebroadcast
> behavior should be common across the ecosystem. Though ultimately, the
> seriousness of this issue is going to be a function of the number of
> Lightning nodes relying on base-layer tx-relay and the number of fee-bump=
ed
> onchain operations per Lightning node.
>
> I believe it would be great to come up with simulations on this front,
> just to avoid silently nullifying all the tedious, small improvements whi=
ch
> have been done in the last years to minimize bitcoin core node's bandwidt=
h.
>
> Another alternative would be to come with a cost-effective
> package-replacement policy, so likely more complexity. But might it not
> make sense to not economically outlaw Lightning nodes with a small fee
> budget ?
>
> Lastly, there is a consideration to have around anti-DoS measures we'll
> have to deploy for package-relay. Too easy, and that's a security concern
> for the base-layer, too hard, and that's introducing yet-another tx-relay
> jamming vector against L2, this time at the p2p layer (though won't be th=
e
> first time [8]
>
> In any-case we should carefully consider the upgradeability of
> package-relay v.0, like if we upgrade some components of it such as packa=
ge
> format or package-announcement scheme.
>
> So yeah why not early 0.24 ? Maybe a bit too short with all those p2p
> questions to clear up among core devs. Ideally, we would land in the
> beginning/middle of the cycle to have time for beta-testing on the L2-sid=
e
> and share feedback.
>
> Though ultimately, this question of p2p design belongs to the bitcoin cor=
e
> dev process.
>
> # Deployment timeline
>
> So what I believe as a rough deployment timeline.
>
> * "package-relay" in bitcoin core, early 0.24 or 0.25: a Core's release
> cycle offered to the LN/L2 ecosystem to integrate/exercise/provide feedba=
ck
> on package API
>
> * "mempool hardening" in bitcoin core, early 0.26 or 0.27, a Core's
> release cycle offered to the whole Bitcoin ecosystem to adapt their Bitco=
in
> clients, maybe with a boolean setting to smooth the new policy deployment
>
> * SIGHASH_ANYPREVOUT softfork in the coming year(s), opt-in of any LN/L2
> implementation to migrate its fee-bumping backend on top of it
>
> * "optimized/multi-party fee-bumping primitive" softfork (one of tx
> mutation/sigash_iomap/sponsorship proposals) softfork in the coming decad=
e,
> friendly uplift of the L2 ecosystem
>
> Glad to answer any unclarity or uncorrectness of mine :)
>
> Cheers,
> Antoine,
>
> [0] see
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-November/016=
518.html
>
> [1] "The Coupling Principle states that as things get larger, they often
> exhibit increased interdependence between components".
>
> [2] see
> https://github.com/t-bast/lightning-docs/blob/master/pinning-attacks.md
>
> [2] see "Advances in Bitcoin Contracting : Uniform Policy and Package
> Relay"
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-July/018063.=
html
>
> [3] I don't think there is a clear discussion on how SIGHASH_ANYPREVOUT
> solves pinnings beyond those LN meetings logs:
> https://gnusha.org/lightning-dev/2020-06-08.log
>
> [4] And I believe such great example has been done with this recent chang=
e
> proposed for bitcoin core addr-relay policy:
> https://github.com/bitcoin/bitcoin/pull/21528#issuecomment-809906430,
> where the PR author did bear the burden of reaching out potentially
> affected downstream projects.
>
> [5] Like one of tx_mutation/sighash_iomap/sponsorship proposal proposed i=
n
> the thread "A Stroll through Fee-Bumping Techniques: Input-based vs
> Child-Pay-for-Parent" :
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-May/019031.h=
tml
>
> [6] For a discussion about fee-bumping issues for L2s extended beyond LN
> see the analysis of the Revault protocol :
> https://arxiv.org/pdf/2102.09392.pdf
>
> [7] As a WIP towards establishing an attacker model, see "Secure
> Fee-Bumping for L2s"
> https://bitcoin-problems.github.io/problems/fee-bumping.html
>
> [8] Tx-relay rules as a concern for second-layers has been raised early
> on, at least during p2p segwit review
> https://github.com/bitcoin/bitcoin/issues/8279
>
--000000000000a48a0005c5147135
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div><div>> That's a question I hope we'll gath=
er feedback during next Thursday's transaction relay workshops.<br><br>=
</div>As someone kindly pointed out to me, workshop is happening Tuesday, J=
une 22th. Not Thursday, mistake of mine :/<br><br></div><br></div><br><div =
class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">Le=C2=A0ven. 18=
juin 2021 =C3=A0=C2=A018:11, Antoine Riard <<a href=3D"mailto:antoine.r=
iard@gmail.com">antoine.riard@gmail.com</a>> a =C3=A9crit=C2=A0:<br></di=
v><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;borde=
r-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div><=
div>Hi,<br><br>It's a big chunk, so if you don't have time browse p=
arts 1 and 2 and share your 2 sats on the deployment timeline :p<br><br>Thi=
s post recalls some unsolved safety holes about Lightning, how package-rela=
y or SIGHASH_ANYPREVOUT can solve the first one, how a mempool hardening ca=
n solve the second one, few considerations on package-relay design trade-of=
fs and propose a rough deployment timeline.<br><br>1) Lightning Safety Hole=
s : Pre-Signed Feerate and Tx-Pinning (to skip if you're a LN dev)<br><=
br>As of today, Lightning is suffering from 2 safety holes w.r.t to base-la=
yer interactions, widely discussed among ln devs.<br><br>The first one, the=
pre-signed feerate issue with future broadcasted time-sensitive transactio=
ns is laid out clearly in Matt Corallo's "CPFP Carve-Out Fee-Predi=
ction Issues in Contracting Applications (eg Lightning)" [0]. This iss=
ue might provoke loss of funds, even in non-adversarial settings, i.e a Lig=
htning routing hub not being able to settle backward onchain a successful H=
TLC during occurrences of sudden mempool congestion.<br><br>As blockspace d=
emand increases with an always growing number of onchain/offchain bitcoin u=
sers, coupling effects are more likely to happen and this pre-signed feerat=
e issue is going to become more urgent to solve [1]. For e.g, few percentil=
es of increases in feerate being overpriced by Lightning routing hubs to cl=
ose "fractional-reserve" backed anchor channels, driving mempools=
congestions, provoking anchor channels fee-bumping reserves becoming even =
more under-provisioned and thus close down, etc.<br><br>The second issue, m=
alicious transaction pinnings, is documented in Bastien Teinturier's &q=
uot;Pinning Attacks" [2]. AFAIK, there is a rough consensus among devs=
on the conceptual feasibility of such a class of attacks against a LN node=
, though so far we have not seen them executed in the wild and I'm not =
aware of anyone having realized them in real-world conditions. Note, there =
is a variety of attack scenarios to consider which is function of a wide ma=
trix (channel types, LN implementation's `update_fee` policy, LN implem=
entation's `cltv_delta` policy, mempool congestion feerate groups, rout=
ing hubs or end nodes) Demoing against deployed LN implementations with def=
ault settings has been on my todo for a while, though a priori One Scenario=
To Exploit Them All doesn't fit well.<br><br>Side-note, as a LN operat=
or, if you're worried about those security risks, you can bump your `cl=
tv_delta`/`cltv_expiry_delta` to significantly coarse the attacks.<br><br>I=
think there is an important point to underscore. Considering the state of =
knowledge we have today, I believe there is no strong interdependency betwe=
en solving pre-signed feerate and tx-pinning with the same mechanism from a=
safety/usability standpoint. Or last such mechanism can be deployed by sta=
ges.<br><br>2) Solving the Pre-Signed Feerate problem : Package-Relay or SI=
GHASH_ANYPREVOUT<br><br>For Lightning, either package-relay or SIGHASH_ANYP=
REVOUT should be able to solve the pre-signed feerate issue [3]<br><br>One =
of the interesting points recalled during the first transaction relay works=
hops was that L2s making unbounded security assumptions on non-normative tx=
-relay/mempool acceptance rules sounds a wrong direction for the Bitcoin ec=
osystem long-term, and more prone to subtle bugs/safety risks across the ec=
osystem.<br><br>I did express the contrary, public opinion a while back [4]=
. That said, I start to agree it's wiser ecosystem-wise to keep those n=
on-normatives rules as only a groundwork for weaker assumptions than consen=
sus ones. Though it would be nice for long-term L2s stability to consider t=
hem with more care than today in our base-layer protocol development proces=
s [4]<br><br>On this rational, I now share the opinion it's better long=
-term to solve the pre-signed feerate problem with a consensus change such =
as SIGHASH_ANYPREVOUT rather than having too much off-chain coins relying o=
n the weaker assumptions offered by bitcoin core's tx-relay/mempool acc=
eptance rules, and far harder to replicate and disseminate across the ecosy=
stem.<br><br>However, if SIGHASH_ANYPREVOUT is Things Done Right(tm), shoul=
d we discard package-relay ?<br><br>Sadly, in the worst-case scenario we mi=
ght never reach consensus again across the ecosystem and Taproot is the las=
t softfork. Ever :/ *sad violons and tissues jingle*<br><br>With this dilem=
ma in mind, it might be wise for the LN/L2 ecosystems to have a fall-back p=
lan to solve their safety/usability issues and package-relay sounds a reaso=
nable, temporary "patch".<br><br>Even if package-relay requires s=
erious engineering effort in Bitcoin Core to avoid introducing new DoSes, s=
wallowing well the complexity increase in critical code paths such as the m=
empool/p2p stack and a gentle API design for our friends the L2 devs, I bel=
ieve it's worthy the engineering resources cost. From-my-completely-bia=
sed-LN-dev viewpoint :p<br><br>In the best-case scenario, we'll activat=
e SIGHASH_ANYPREVOUT and better fee-bumping primitives softforks [5] slowly=
strip off the "L2 fee-bumping primitive" semantic from "pac=
kage-relay", friendly nudge the L2 ecosystem to seat their fee-bumping=
on safer, consensus assumptions and maybe keep the p2p packages to improve=
on the malicious mempool-partitions-side or as a replacement of our orphan=
logic.<br><br>3) Solving Tx-Pinnings : Hardening the Mempool against Tx-Re=
lay Jammings attacks<br><br>Current Mempool anti-DoS rules have been mostly=
designed at a time where the shared-utxo model with competing time-sensiti=
ve transactions was still an idea on the whiteboard. The last few years hav=
e revealed those anti-DoS rules as a source of security vulnerabilities for=
Lightning and a research concern for L2s still in the early-phase of deplo=
yment [6].<br><br>Beyond real-world pinning exercises against production so=
ftware as a complement of the current pinning attacks research, it would be=
better to agree on a common L2 attacker model before to modify widely-reli=
ed subset of the mempool, such as the replace-by-fee logic or the in-mempoo=
l package limits [7]. One risk of uncareful changes in this area would be t=
o solve a pinning vector for a L2-alice but introduce a new vuln for a L2-b=
ob.<br><br>I believe the first part of such a revamp could hopefully land s=
omehow next year. Though, IMHO, in the years to come, we'll have to do =
more hard reasoning to ensure the mempool supports advanced Bitcoin protoco=
ls (e.g OP_CTV congestion tree,=C2=A0 CoinPool, interactive cut-through, ..=
.)<br><br>Note the opinion I raised above on quality of assumptions on memp=
ool behavior, even if we harden it on the base-layer side,=C2=A0 L2s should=
be well-aware the product is shipped with a guarantee limitation :p<br><br=
>4) Considerations on Package-Relay Design<br><br>Package relay relies on a=
t least two cleanly separate components (awesome, if we schedule to depreca=
te the higher half in the future!)<br>* "the higher half" : exten=
sion of the mempool logic, with a new package-level policy, not strictly in=
tersecting with the tx-level policy<br>* "the lower half" : at le=
ast three different designs, receiver initiated, sender-initiated and relay=
-initiated<br><br></div>One open design question for the "higher half&=
quot; is the package-size of the acceptance logic, which is ultimately a fu=
nction of the L2 ecosystem state. Do we have deployed or in deployment phas=
e L2 protocols with a need for more than 2-stage and if yes what API bounds=
do they expect ? That's a question I hope we'll gather feedback du=
ring next Thursday's transaction relay workshops. IMO, such package API=
should come out with a specification on which L2-community can be gathered=
and public consensus established. For the same communications reasons towa=
rds downstream projects, we have a BIP125 standard. And especially in this =
case the bitcoin core protocol development process should carefully listen =
to the needs of actual L2 users. Also, a lot of those L2 devs, they don'=
;t speak C++ :)<br></div><div><br>One could imagine those mempool standards=
as "perishable" contracts between a base-layer implementation an=
d the upper layers, with ultimately the full-node implementation reserving =
itself the right to deprecate them, maybe with a lengthy-warning period ?<b=
r><br>Beyond that, I believe there is another remaining interdependency bet=
ween "the lower half" design and L2s behaviors, namely bandwidth =
waste in case of a high-frequency of package redundancy. Let's say if a=
package is composed of {A, B}, and the package broadcaster fee-bump, trigg=
ering the transformation to {A, B'}, A bandwidth at first propagation i=
s going to be wasted. Note, if we assume a dynamic fee-market, this package=
rebroadcast behavior should be common across the ecosystem. Though ultimat=
ely, the seriousness of this issue is going to be a function of the number =
of Lightning nodes relying on base-layer tx-relay and the number of fee-bum=
ped onchain operations per Lightning node.<br><br>I believe it would be gre=
at to come up with simulations on this front, just to avoid silently nullif=
ying all the tedious, small improvements which have been done in the last y=
ears to minimize bitcoin core node's bandwidth.<br><br>Another alternat=
ive would be to come with a cost-effective package-replacement policy, so l=
ikely more complexity. But might it not make sense to not economically outl=
aw Lightning nodes with a small fee budget ?<br><br>Lastly, there is a cons=
ideration to have around anti-DoS measures we'll have to deploy for pac=
kage-relay. Too easy, and that's a security concern for the base-layer,=
too hard, and that's introducing yet-another tx-relay jamming vector a=
gainst L2, this time at the p2p layer (though won't be the first time [=
8]<br><br>In any-case we should carefully consider the upgradeability of pa=
ckage-relay v.0, like if we upgrade some components of it such as package f=
ormat or package-announcement scheme.<br><br>So yeah why not early 0.24 ? M=
aybe a bit too short with all those p2p questions to clear up among core de=
vs. Ideally, we would land in the beginning/middle of the cycle to have tim=
e for beta-testing on the L2-side and share feedback.<br><br>Though ultimat=
ely, this question of p2p design belongs to the bitcoin core dev process.<b=
r><br># Deployment timeline<br><br>So what I believe as a rough deployment =
timeline.<br><br>* "package-relay" in bitcoin core, early 0.24 or=
0.25: a Core's release cycle offered to the LN/L2 ecosystem to integra=
te/exercise/provide feedback on package API<br><br>* "mempool hardenin=
g" in bitcoin core, early 0.26 or 0.27, a Core's release cycle off=
ered to the whole Bitcoin ecosystem to adapt their Bitcoin clients, maybe w=
ith a boolean setting to smooth the new policy deployment<br><br>* SIGHASH_=
ANYPREVOUT softfork in the coming year(s), opt-in of any LN/L2 implementati=
on to migrate its fee-bumping backend on top of it<br><br>* "optimized=
/multi-party fee-bumping primitive" softfork (one of tx mutation/sigas=
h_iomap/sponsorship proposals) softfork in the coming decade, friendly upli=
ft of the L2 ecosystem<br><br>Glad to answer any unclarity or uncorrectness=
of mine :)<br><br>Cheers,<br>Antoine,<br><br>[0] see <a href=3D"https://li=
sts.linuxfoundation.org/pipermail/bitcoin-dev/2018-November/016518.html" ta=
rget=3D"_blank">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/201=
8-November/016518.html</a><br><br>[1] "The Coupling Principle states t=
hat as things get larger, they often exhibit increased interdependence betw=
een components".<br><br>[2] see <a href=3D"https://github.com/t-bast/l=
ightning-docs/blob/master/pinning-attacks.md" target=3D"_blank">https://git=
hub.com/t-bast/lightning-docs/blob/master/pinning-attacks.md</a><br><br>[2]=
see "Advances in Bitcoin Contracting : Uniform Policy and Package Rel=
ay" <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev=
/2020-July/018063.html" target=3D"_blank">https://lists.linuxfoundation.org=
/pipermail/bitcoin-dev/2020-July/018063.html</a><br><br>[3] I don't thi=
nk there is a clear discussion on how SIGHASH_ANYPREVOUT solves pinnings be=
yond those LN meetings logs: <a href=3D"https://gnusha.org/lightning-dev/20=
20-06-08.log" target=3D"_blank">https://gnusha.org/lightning-dev/2020-06-08=
.log</a><br><br></div><div>[4] And I believe such great example has been do=
ne with this recent change proposed for bitcoin core addr-relay policy: <a =
href=3D"https://github.com/bitcoin/bitcoin/pull/21528#issuecomment-80990643=
0" target=3D"_blank">https://github.com/bitcoin/bitcoin/pull/21528#issuecom=
ment-809906430</a>, where the PR author did bear the burden of reaching out=
potentially affected downstream projects.<br></div><div><br>[5] Like one o=
f tx_mutation/sighash_iomap/sponsorship proposal proposed in the thread &qu=
ot;A Stroll through Fee-Bumping Techniques: Input-based vs Child-Pay-for-Pa=
rent" : <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin=
-dev/2021-May/019031.html" target=3D"_blank">https://lists.linuxfoundation.=
org/pipermail/bitcoin-dev/2021-May/019031.html</a><br><br>[6] For a discuss=
ion about fee-bumping issues for L2s extended beyond LN see the analysis of=
the Revault protocol : <a href=3D"https://arxiv.org/pdf/2102.09392.pdf" ta=
rget=3D"_blank">https://arxiv.org/pdf/2102.09392.pdf</a><br><br>[7] As a WI=
P towards establishing an attacker model, see "Secure Fee-Bumping for =
L2s" <a href=3D"https://bitcoin-problems.github.io/problems/fee-bumpin=
g.html" target=3D"_blank">https://bitcoin-problems.github.io/problems/fee-b=
umping.html</a><br><br>[8] Tx-relay rules as a concern for second-layers ha=
s been raised early on, at least during p2p segwit review <a href=3D"https:=
//github.com/bitcoin/bitcoin/issues/8279" target=3D"_blank">https://github.=
com/bitcoin/bitcoin/issues/8279</a><br></div></div>
</blockquote></div>
--000000000000a48a0005c5147135--
|