Re: [Lightning-dev] Interesting thing about Offered HTLCs

2022-03-07 Thread Antoine Riard
Hi Eugene,

> Since the remote party gives them a signature, after the timeout, the
offering party can
claim with the remote's signature + preimage, but can only spend with the
HTLC-timeout transaction because of SIGHASH_ALL.

I've not exercised the witness against our test framework though the
description sounds to me correct.

The offering counterparty spends the offered HTLC output with a
HTLC-timeout transaction where the witness is <
>. SIGHASH_ALL is not committing to the spent Script
branch intended to be used. As you raised, it doesn't alleviate the
offering counterparty to respect the CLTV delay and as such the offered
HTLC timespan cannot be shortened. The implication I can think of, in case
of competing HTLC race, once the absolute timelock is expired, the offering
counterparty is able to compete against the receiving one with a more
feerate-efficient witness. However, from a receiving counterparty safety
viewpoint, if you're already suffering a contest, it means your HTLC-claim
on your own local commitment transaction inbound HTLC output has been
inefficient, and your fee-bumping strategy is to blame.

If we think the issue is relevant, I believe splitting the Script branches
in two tapleaves and having bip342 signature digest committing to the
tapleaf_hash solves it.

Antoine

Le lun. 7 mars 2022 à 15:27, Eugene Siegel  a écrit :

> I'm not sure if this is known, but I'm pretty sure it's benign and so I
> thought I'd share since I found it interesting and maybe someone else will
> too. I'm not sure if this is already known either.
>
>
> https://github.com/lightning/bolts/blob/master/03-transactions.md#offered-htlc-outputs
> Offered HTLCs have three claim paths: the revocation case, the offerer
> claiming through the HTLC-timeout transaction, and the receiver claiming
> via their sig + preimage. The offering party can claim via the HTLC-timeout
> case on their commitment transaction with their signature and the remote's
> signature (SIGHASH_ALL) after the cltv_expiry timeout. Since the remote
> party gives them a signature, after the timeout, the offering party can
> claim with the remote's signature + preimage, but can only spend with the
> HTLC-timeout transaction because of SIGHASH_ALL. This assumes that the
> remote party doesn't claim it first. I can't think of any cases where the
> offering party would know the preimage AND want to force close, so that's
> why I think it's benign. It does make the witness smaller. The same trick
> isn't possible with the Received HTLC's due to OP_CHECKLOCKTIMEVERIFY.
>
> Eugene (Crypt-iQ on github)
> ___
> Lightning-dev mailing list
> Lightning-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>
___
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev


[Lightning-dev] Interesting thing about Offered HTLCs

2022-03-07 Thread Eugene Siegel
I'm not sure if this is known, but I'm pretty sure it's benign and so I
thought I'd share since I found it interesting and maybe someone else will
too. I'm not sure if this is already known either.

https://github.com/lightning/bolts/blob/master/03-transactions.md#offered-htlc-outputs
Offered HTLCs have three claim paths: the revocation case, the offerer
claiming through the HTLC-timeout transaction, and the receiver claiming
via their sig + preimage. The offering party can claim via the HTLC-timeout
case on their commitment transaction with their signature and the remote's
signature (SIGHASH_ALL) after the cltv_expiry timeout. Since the remote
party gives them a signature, after the timeout, the offering party can
claim with the remote's signature + preimage, but can only spend with the
HTLC-timeout transaction because of SIGHASH_ALL. This assumes that the
remote party doesn't claim it first. I can't think of any cases where the
offering party would know the preimage AND want to force close, so that's
why I think it's benign. It does make the witness smaller. The same trick
isn't possible with the Received HTLC's due to OP_CHECKLOCKTIMEVERIFY.

Eugene (Crypt-iQ on github)
___
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev