Re: [Lightning-dev] [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely

2023-11-15 Thread Antoine Riard
> No, that's not a general underlying issue. You've found two separate
issues.

> Furthermore, revoked states are clearly different than HTLCs: they're
> fraudulent, and thus in punishment-using protocols they are always
associated
> with high risks of loss if they do in fact get detected or mined. There's
> probably tweaks we can do to improve this security. But the general
principle
> there is certainly true.

I see your point in saying we have two separate issues, one the on-chain
inclusion of "expired" off-chain output spend (e.g the HTLC-preimage), the
other one the usage of revoked or updated or asymmetric states to jam the
confirmation of a valid off-chain state. I do think the second one would
bring a solution to the first one, as you will be always sure that your
counterparty cannot "replay" an "expired" off-chain output at its advantage.

Even for solving the first issue, I'm not sure op_expire is enough, you
need to expire the worthiness of an off-chain revealed witness secret too
(here the preimage). E.g using short-lived proofs, i.e after a specified
period of time, the proof is no longer convincing.

I still think op_exire is interesting on its own, beyond solving any
security issue. E.g for Discreet Log Contract, one can build a time-bounded
sequential claim of the same output fund among a set of counterparties.

> For a lightning channel to be economical at all in a general routing
> environment, the highest likely fee has to be small enough for it to
represent
> a small percentage of the total value tied up in the Lightning channel.
Tying
> up a small percentage of the overall capacity for future fee usage is not
a
> significant expense.

Sure, I still think this introduces the corollary for lightning nodes that
any payment under the highest likely fee now has a probabilistic security,
where the lightning node should make guesses on the worst-level of mempools
feerate that can happen between the timelock duration of said payment.

> That attack doesn't make sense. HTLCs go to fees at a certain feerate. In
a
> normal environment where there is a constant supply of fee paying
transactions,
> the profit for the miner is not the total HTLC value, but the increase in
> feerate compared to the transactions they had to give up to mine the
commitment
> transaction.

The attack makes sense in an environment where the level of HTLC trimmed as
fees on the commitment transaction renders the feerates of this transaction
more interesting than the marginal known transaction in a miner block
template. If there is an environment where you're always guaranteed there
is a constant supply of fee paying transactions paying a better feerate
than the highest-fee rate that trimmed HTLCs can be a commitment
transaction, of course the attack wouldn't be plausible.

In a world where you have a dynamic blockspace demand market and
asymmetries of information, Lightning routing nodes will be always exposed
to such attacks.

> Second, it's obvious that the total trimmed HTLCs should be limited to
what
> would be a reasonable transaction fee. A situation where you have 80% of
the
> channel value going to fees due to a bunch of small HTLCs is obviously
> ridiculous, and to the extent that existing implementations have this
issue,
> should be fixed.

This is the hard thing, the existence of asymmetries of information in what
is a reasonable transaction fee and what is the level of mempools fee rates
at time of broadcast. One could imagine a consensus change where trimmed
HTLCs not worthy at the last X blocks of feerates are automatically
aggregated or trimmed (think median-time-past though for median fee rates
over X blocks).

> Yes, obviously. But as I said above, it just doesn't make sense for
channels to
> be in a situation where closing them costs a significant % of the channel
value
> in fees, so we're not changing the status quo much.

Evaluation of the significant % of the channel value burned in fees in the
worst-case at time of off-chain state commitment is the hard thing.

> Do you have a concrete attack?

I don't have a concrete attack with sufficient testing to say with a
satisfying level of certainty that I have a concrete attack.

> No, you are missing the point. RBF replacements can use SIGHASH_NOINPUT
to sign
> HTLC refund transactions, removing the need for a set of different HTLC
refund
> transactions for each different feerate of the commitment transaction.

See above, I think this solution with RBF replacement is robust on the
assumption you cannot use the commitment transaction to jam the
HTLC-preimage until your HTLC-refund transaction is valid (under
nLocktime). Though my point here was only about the LN-symmetry states, not
second-stage transactions on top of them.

> I'm making no comment on how to do RBF replacements with LN-Symmetry,
which I
> consider to be a broken idea in non-trusted situations anyway
> Removing justice from Lightning is always going to be hopelessly insecure
when you can't at

Re: [Lightning-dev] [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely

2023-11-15 Thread Peter Todd
On Mon, Nov 13, 2023 at 02:18:16AM +, Antoine Riard wrote:
> Your two latest mails.
> 
> > The problem that OP_Expire aims to solve is the fact that Carol could
> prevent
> > Bob from learning about the preimage in time, while still getting a
> chance to
> > use the preimage herself. OP_Expire thoroughly solves that problem by
> ensuring
> > that the preimage is either broadcast in the blockchain in a timely
> fashion, or
> > becomes useless.
> 
> I respectfully disagree - There is a more general underlying issue for
> outdated states in multi-party off-chain constructions, where any "revoked"
> or "updated" consensus-valid state can be used to jam the latest off-chain
> agreed-on, through techniques like replacement cycling or pinning.

No, that's not a general underlying issue. You've found two separate issues.

Furthermore, revoked states are clearly different than HTLCs: they're
fraudulent, and thus in punishment-using protocols they are always associated
with high risks of loss if they do in fact get detected or mined. There's
probably tweaks we can do to improve this security. But the general principle
there is certainly true.

> > My suggestion of pre-signing RBF replacements, without anchor outputs,
> and with
> > all outputs rendered unspendable with 1 CSV, is clearly superior: there
> are
> > zero degrees of freedom to the attacker, other than the possibility of
> > increasing the fee paid or broadcasting a revoked commitment. The latter
> of
> > course risks the other party punishing the fraud.
> 
> Assuming the max RBF replacement is pre-signed at 200 sats / vb, with
> commitment transaction of ~268 vbytes and at least one second-stage HTLC
> transaction of ~175 vbytes including witness size, a channel counterparty
> must keep at worst a fee-bumping reserve of 35 268 sats, whatever payment
> value.

For a lightning channel to be economical at all in a general routing
environment, the highest likely fee has to be small enough for it to represent
a small percentage of the total value tied up in the Lightning channel. Tying
up a small percentage of the overall capacity for future fee usage is not a
significant expense.

> As of today, any payment under $13 has to become trimmed HTLCs.
> Trimmed HTLCs are coming with their own wormhole of issues, notably making
> them a target to be stolen by low-hashrate capabilities attackers [0].
> 
> [0]
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-May/002714.html

That attack doesn't make sense. HTLCs go to fees at a certain feerate. In a
normal environment where there is a constant supply of fee paying transactions,
the profit for the miner is not the total HTLC value, but the increase in
feerate compared to the transactions they had to give up to mine the commitment
transaction.

Second, it's obvious that the total trimmed HTLCs should be limited to what
would be a reasonable transaction fee. A situation where you have 80% of the
channel value going to fees due to a bunch of small HTLCs is obviously
ridiculous, and to the extent that existing implementations have this issue,
should be fixed.

For RBF fee bumping, obviously you can take the increased channel fees from the
party choosing to broadcast the commitment transaction.

> > This does have the practical problem that a set of refund transactions
> will
> > also need to be signed for each fee variant. But, eg, signing 10x of each
> isn't
> > so burdensome. And in the future that problem could be avoided with
> > SIGHASH_NOINPUT, or replacing the pre-signed refund transaction mechanism
> with
> > a covenant.
> 
> I think if you wish to be safe against fees griefing games between
> counterparties, both counterparties have to maintain their own fee-bumping
> reserves, which make channel usage less capital efficient, rather than
> being drawn from a common reserve.

Yes, obviously. But as I said above, it just doesn't make sense for channels to
be in a situation where closing them costs a significant % of the channel value
in fees, so we're not changing the status quo much.

> > Using RBF rather than CPFP with package relay also has the advantage of
> being
> > more efficient, as no blockspace needs to be consumed by the anchor
> outputs or
> > transactions spending them. Of course, there are special circumstances
> where
> > BIP125 rules can cause CPFP to be cheaper. But we can easily fix that, eg
> by
> > reducing the replacement relay fee, or by delta-encoding transaction
> updates.
> 
> It is left as an exercise to the reader how to break the RBF approach for
> LN channels as proposed.

Do you have a concrete attack?

> > As SIGHASH_NOINPUT is desirable for LN-Symmetry, a softfork containing
> both it
> > and OP_Expire could make sense.
> 
> I think there is one obvious issue of pre-signing RBF replacements combined
> with LN-symmetry, namely every state has to pre-commit to fee values
> attached and such states might spend each other in chain. So now you would
> need `max-rbf-rep

Re: [Lightning-dev] [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely

2023-11-13 Thread Antoine Riard
Your two latest mails.

> The problem that OP_Expire aims to solve is the fact that Carol could
prevent
> Bob from learning about the preimage in time, while still getting a
chance to
> use the preimage herself. OP_Expire thoroughly solves that problem by
ensuring
> that the preimage is either broadcast in the blockchain in a timely
fashion, or
> becomes useless.

I respectfully disagree - There is a more general underlying issue for
outdated states in multi-party off-chain constructions, where any "revoked"
or "updated" consensus-valid state can be used to jam the latest off-chain
agreed-on, through techniques like replacement cycling or pinning.

> My suggestion of pre-signing RBF replacements, without anchor outputs,
and with
> all outputs rendered unspendable with 1 CSV, is clearly superior: there
are
> zero degrees of freedom to the attacker, other than the possibility of
> increasing the fee paid or broadcasting a revoked commitment. The latter
of
> course risks the other party punishing the fraud.

Assuming the max RBF replacement is pre-signed at 200 sats / vb, with
commitment transaction of ~268 vbytes and at least one second-stage HTLC
transaction of ~175 vbytes including witness size, a channel counterparty
must keep at worst a fee-bumping reserve of 35 268 sats, whatever payment
value. As of today, any payment under $13 has to become trimmed HTLCs.
Trimmed HTLCs are coming with their own wormhole of issues, notably making
them a target to be stolen by low-hashrate capabilities attackers [0].

[0]
https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-May/002714.html

> This does have the practical problem that a set of refund transactions
will
> also need to be signed for each fee variant. But, eg, signing 10x of each
isn't
> so burdensome. And in the future that problem could be avoided with
> SIGHASH_NOINPUT, or replacing the pre-signed refund transaction mechanism
with
> a covenant.

I think if you wish to be safe against fees griefing games between
counterparties, both counterparties have to maintain their own fee-bumping
reserves, which make channel usage less capital efficient, rather than
being drawn from a common reserve.

> Using RBF rather than CPFP with package relay also has the advantage of
being
> more efficient, as no blockspace needs to be consumed by the anchor
outputs or
> transactions spending them. Of course, there are special circumstances
where
> BIP125 rules can cause CPFP to be cheaper. But we can easily fix that, eg
by
> reducing the replacement relay fee, or by delta-encoding transaction
updates.

It is left as an exercise to the reader how to break the RBF approach for
LN channels as proposed.

> As SIGHASH_NOINPUT is desirable for LN-Symmetry, a softfork containing
both it
> and OP_Expire could make sense.

I think there is one obvious issue of pre-signing RBF replacements combined
with LN-symmetry, namely every state has to pre-commit to fee values
attached and such states might spend each other in chain. So now you would
need `max-rbf-replacement` *  `max-theoretical-number-of-states` of
fee-bumping reserves unless you can pipe fee value with some covenant
magic, I think.

> In existing anchor output transactions, this type of attack wouldn't work
as
> when broadcasting the transaction, Alice would be spending her anchor
output,
> which Bob can't double spend.

However Bob can double-spend Alice's commitment transaction with his own
commitment transaction and a CPFP, as long as it's a better ancestor
feerate and absolute fee package, then double-spend his own CPFP. Which is
exactly what my test is doing so I don't think your statement of saying
this type of advanced replacement cycling attack wouldn't work isn't
correct.

Best,
Antoine

Le mer. 8 nov. 2023 à 02:06, Peter Todd  a écrit :

> On Wed, Nov 08, 2023 at 12:51:31AM +, Peter Todd via bitcoin-dev wrote:
> > > In a post-package relay world, I think this is possible. And that
> > > replacement cycling attacks are breaking future dynamic fee-bumping of
> > > pre-signed transactions concerns me a lot.
> >
> > Well the answer here is pretty clear: v3 package relay with anchors is
> broken.
>
> BTW a subtlety of this that may not be obvious is that in v3 package relay,
> with zero value outputs, the outputs must be spent in the same package.
> Thus
> _unlike_ existing anchor-using transactions, there would be only one anchor
> output on the commitment transaction.
>
> In existing anchor output transactions, this type of attack wouldn't work
> as
> when broadcasting the transaction, Alice would be spending her anchor
> output,
> which Bob can't double spend. But that doesn't work in v3, which intends to
> limit UTXO growth by requiring that anchors be spent in the same package.
> Thus
> unlike existing anchor outputs, an anchor would be truly a OP_1 output
> without
> a signature, and thus belong to either Alice nor Bob uniquely.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
__

Re: [Lightning-dev] [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely

2023-11-08 Thread Peter Todd
On Wed, Nov 08, 2023 at 12:51:31AM +, Peter Todd via bitcoin-dev wrote:
> > In a post-package relay world, I think this is possible. And that
> > replacement cycling attacks are breaking future dynamic fee-bumping of
> > pre-signed transactions concerns me a lot.
> 
> Well the answer here is pretty clear: v3 package relay with anchors is broken.

BTW a subtlety of this that may not be obvious is that in v3 package relay,
with zero value outputs, the outputs must be spent in the same package. Thus
_unlike_ existing anchor-using transactions, there would be only one anchor
output on the commitment transaction.

In existing anchor output transactions, this type of attack wouldn't work as
when broadcasting the transaction, Alice would be spending her anchor output,
which Bob can't double spend. But that doesn't work in v3, which intends to
limit UTXO growth by requiring that anchors be spent in the same package. Thus
unlike existing anchor outputs, an anchor would be truly a OP_1 output without
a signature, and thus belong to either Alice nor Bob uniquely.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org


signature.asc
Description: PGP signature
___
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev


Re: [Lightning-dev] [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely

2023-11-03 Thread Antoine Riard
> The idea with package relay is that commitment transaction fees will
> be zero and that fees will always be paid via CPFP on the anchor
> output.

Yes, even if multiple commitment transactions are pre-signed with a RBF
range of more than zero, an attacker can always select the lowest fees
pre-signed states and adjust in consequence the CPFP paid, and then evict
out the bumping CPFP.

Le jeu. 2 nov. 2023 à 17:07, Matt Morehouse  a
écrit :

> On Thu, Nov 2, 2023 at 6:27 AM Peter Todd via bitcoin-dev
>  wrote:
> >
> > On Thu, Nov 02, 2023 at 05:24:36AM +, Antoine Riard wrote:
> > > Hi Peter,
> > >
> > > > So, why can't we make the HTLC-preimage path expire? Traditionally,
> we've
> > > tried
> > > > to ensure that transactions - once valid - remain valid forever. We
> do
> > > this
> > > > because we don't want transactions to become impossible to mine in
> the
> > > event of
> > > > a large reorganization.
> > >
> > > I don't know if reverse time-lock where a lightning spending path
> becomes
> > > invalid after a block height or epoch point solves the more advanced
> > > replacement cycling attacks, where a malicious commitment transaction
> > > itself replaces out a honest commitment transaction, and the
> > > child-pay-for-parent of this malicious transaction is itself replaced
> out
> > > by the attacker, leading to the automatic trimming of the malicious
> > > commitment transaction.
> >
> > To be clear, are you talking about anchor channels or non-anchor
> channels?
> > Because in anchor channels, all outputs other than the anchor outputs
> provided
> > for fee bumping can't be spent until the commitment transaction is
> mined, which
> > means RBF/CPFP isn't relevant.
>
> IIUC, Antoine is talking about a cycling attack of the commitment
> transaction itself, not the HTLC transactions.  It seems possible for
> future (ephemeral) anchor channels in a world with package relay.
>
> The idea with package relay is that commitment transaction fees will
> be zero and that fees will always be paid via CPFP on the anchor
> output.
>
> Consider this scenario:  Mallory1 -> Alice -> Mallory2.
> Mallory2 claims an HTLC from Alice off chain via the preimage.  Alice
> attempts to claim the corresponding HTLC from Mallory1, but Mallory1
> refuses to cooperate.  So Alice publishes her commitment transaction
> along with a CPFP on the anchor output.  Mallory1 publishes her
> competing commitment transaction with a higher CPFP fee on the anchor
> output, thereby replacing Alice's package in the mempool.  Mallory1
> then replacement-cycles the anchor output child transaction, causing
> her commitment transaction to lose its CPFP and the package feerate to
> go to zero, which is below the minimum relay fee.  Thus, Mallory1's
> commitment transaction is also evicted from the mempool.  Mallory1
> repeats this process every time Alice broadcasts her commitment, until
> the HTLC timeout expires.  At that point the preimage path becomes
> unspendable, and Mallory1 can claim the HTLC via timeout at her
> leisure.
>
> >
> >
> > --
> > https://petertodd.org 'peter'[:-1]@petertodd.org
> > ___
> > bitcoin-dev mailing list
> > bitcoin-...@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
___
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev


Re: [Lightning-dev] [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely

2023-11-03 Thread Matt Morehouse
On Thu, Nov 2, 2023 at 6:27 AM Peter Todd via bitcoin-dev
 wrote:
>
> On Thu, Nov 02, 2023 at 05:24:36AM +, Antoine Riard wrote:
> > Hi Peter,
> >
> > > So, why can't we make the HTLC-preimage path expire? Traditionally, we've
> > tried
> > > to ensure that transactions - once valid - remain valid forever. We do
> > this
> > > because we don't want transactions to become impossible to mine in the
> > event of
> > > a large reorganization.
> >
> > I don't know if reverse time-lock where a lightning spending path becomes
> > invalid after a block height or epoch point solves the more advanced
> > replacement cycling attacks, where a malicious commitment transaction
> > itself replaces out a honest commitment transaction, and the
> > child-pay-for-parent of this malicious transaction is itself replaced out
> > by the attacker, leading to the automatic trimming of the malicious
> > commitment transaction.
>
> To be clear, are you talking about anchor channels or non-anchor channels?
> Because in anchor channels, all outputs other than the anchor outputs provided
> for fee bumping can't be spent until the commitment transaction is mined, 
> which
> means RBF/CPFP isn't relevant.

IIUC, Antoine is talking about a cycling attack of the commitment
transaction itself, not the HTLC transactions.  It seems possible for
future (ephemeral) anchor channels in a world with package relay.

The idea with package relay is that commitment transaction fees will
be zero and that fees will always be paid via CPFP on the anchor
output.

Consider this scenario:  Mallory1 -> Alice -> Mallory2.
Mallory2 claims an HTLC from Alice off chain via the preimage.  Alice
attempts to claim the corresponding HTLC from Mallory1, but Mallory1
refuses to cooperate.  So Alice publishes her commitment transaction
along with a CPFP on the anchor output.  Mallory1 publishes her
competing commitment transaction with a higher CPFP fee on the anchor
output, thereby replacing Alice's package in the mempool.  Mallory1
then replacement-cycles the anchor output child transaction, causing
her commitment transaction to lose its CPFP and the package feerate to
go to zero, which is below the minimum relay fee.  Thus, Mallory1's
commitment transaction is also evicted from the mempool.  Mallory1
repeats this process every time Alice broadcasts her commitment, until
the HTLC timeout expires.  At that point the preimage path becomes
unspendable, and Mallory1 can claim the HTLC via timeout at her
leisure.

>
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
> ___
> bitcoin-dev mailing list
> bitcoin-...@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
___
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev


Re: [Lightning-dev] [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely

2023-10-22 Thread Peter Todd
On Fri, Oct 20, 2023 at 10:58:32PM -1000, David A. Harding wrote:
> On 2023-10-20 14:09, Peter Todd via bitcoin-dev wrote:
> > The basic problem here is after the HTLC-timeout path becomes spendable,
> > the
> > HTLC-preimage path remains spendable. That's bad, because in this case
> > we want
> > spending the HTLC-preimage - if possible - to have an urgency attached
> > to it to
> > ensure that it happens before the previous HTLC-timeout is mined.
> > 
> > So, why can't we make the HTLC-preimage path expire?
> 
> If the goal is to ensure the HTLC-preimage should be mined before an
> upstream HTLC-timeout becomes mineable, then I don't think a consensus
> change is required.  We can just make the HTLC-preimage claimable by anyone
> some time after the HTLC-timeout becomes mineable.
> 
> For example, imagine that Alice offers Bob an HTLC with a timeout at block
> t+200.  Bob offers Carol an HTLC with a timeout at block t+100.  The
> Bob-Carol HTLC script looks like this:
> 
> If
>   # Does someone have the preimage?
>   Hash  EqualVerify
>   If
> # Carol has the preimage at any time
>  CheckSig
>   Else
> # Anyone else has the preimage after t+150
>  CLTV
>   EndIf
> Else
>   # Bob is allowed a refund after t+100
>CheckSigVerify
>CLTV
> EndIf
> 
> In English:
> 
> - At any time, Carol can spend the output by releasing the preimage
> - After t+100, Bob can spend the output
> - After t+150, anyone with the preimage can spend the output

This is a clever idea. But it doesn't prevent this attack.

Think about it this way: where previously there was one Carol who could perform
the replacement cycling attack, with the anyone-can-spend branch the situation
eventually transforms into a situation where there is an unlimited set of
Carols who can perform the attack and, if they are a miner, benefit from it.

Either way Bob is in a position where they might not learn about the preimage
in time, and thus fail to redeem the received HTLC output.

From Carol's point of view the situation didn't significantly change. Either
they manage to succesfully spend the offered HTLC output after the redeemed
HTLC output times out. Or they fail. Whether or not that failure happens
because Bob got their refund, or someone else spent the offered HTLC output via
the anyone-can-spend path is not relevant to Carol.


Finally, this solution is inferior to OP_Expire in another important way: the
anyone-can-spend branch represents a strict deadline for Bob too. With
OP_Expire, once HTLC preimage branch has expired, Bob can spend the offered
HTLC output at their leisure, as they are the only party with the ability to do
that (assuming of course that we're talking about a valid commitment
transaction, not an illegitmate revoked once).

> [2] Although miners may want to consider running code that allows them to
> rewrite any malleable transactions to pay themselve

With full-RBF _anyone_ can run that code on behalf of miners, modulo edge cases
where the replacement isn't possible due to the RBF anti-DoS rules. Indeed,
people are apparently already doing this to screw over signature-less ordinal
transactions.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org


signature.asc
Description: PGP signature
___
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev


Re: [Lightning-dev] [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely

2023-10-22 Thread vjudeu
> By redefining a bit of the nVersion field, eg the most significant bit, we 
> can apply coinbase-like txout handling to arbitrary transactions.
 
We already have that in OP_CHECKSEQUENCEVERIFY. You can have a system with no 
coinbase transactions at all, and use only OP_CHECKSEQUENCEVERIFY on the first 
transaction, and set sequence numbers to put a relative locktime of 100 blocks. 
Also, if you think some soft-fork is needed anyway, then I recommend building 
it around already existing OP_CHECKSEQUENCEVERIFY, than reinvent the wheel.
 
> Redefining an existing OP_Nop opcode, OP_Expire would terminate script 
> evaluation with an error
 
This one is also already there. We have reserved opcodes, like OP_RESERVED. You 
can do something like " OP_IF OP_RESERVED OP_ENDIF", and then, if 
"" is triggered in the Script, the whole transaction is marked as 
invalid. But if that condition is false, then everything is fine, and you can 
continue executing next opcodes. Again, the situation is the same as in 
previous case: build it around OP_RESERVED, that is just "OP_EXPIRE" with a 
different name than you want, and then the only thing you need, is soft-forking 
a proper condition on the stack.
 
On 2023-10-21 02:09:55 user Peter Todd via bitcoin-dev 
 wrote:
On Mon, Oct 16, 2023 at 05:57:36PM +0100, Antoine Riard via bitcoin-dev wrote: 
> Here enter a replacement cycling attack. A malicious channel counterparty > 
can broadcast its HTLC-preimage transaction with a higher absolute fee and > 
higher feerate than the honest HTLC-timeout of the victim lightning node > and 
triggers a replacement. Both for legacy and anchor output channels, a > 
HTLC-preimage on a counterparty commitment transaction is malleable, i.e > 
additional inputs or outputs can be added. The HTLC-preimage spends an > 
unconfirmed and unrelated to the channel parent transaction M and conflicts > 
its child. The basic problem here is after the HTLC-timeout path becomes 
spendable, the HTLC-preimage path remains spendable. That's bad, because in 
this case we want spending the HTLC-preimage - if possible - to have an urgency 
attached to it to ensure that it happens before the previous HTLC-timeout is 
mined. So, why can't we make the HTLC-preimage path expire? Traditionally, 
we've tried to ensure that transactions - once valid - remain valid forever. We 
do this because we don't want transactions to become impossible to mine in the 
event of a large reorganization. A notable example of this design philosophy is 
seen in Bitcoin's rules around coinbase outputs: they only become spendable 
after 100 more blocks have been found; a 100 block reorg is quite unlikely. 
Enter the OP_Expire and the Coinbase Bit soft-fork upgrade. # Coinbase Bit By 
redefining a bit of the nVersion field, eg the most significant bit, we can 
apply coinbase-like txout handling to arbitrary transactions. Such a 
transaction's outputs would be treated similarly to a coinbase transaction, and 
would be spendable only after 100 more blocks had been mined. Due to this 
requirement, these transactions will pose no greater risk to reorg safety than 
the existing hazard of coinbase transactions themselves becoming invalid. Note 
how such a transaction is non-standard right now, ensuring compatibility with 
existing nodes in a soft-fork upgrade. # OP_Expire Redefining an existing 
OP_Nop opcode, OP_Expire would terminate script evaluation with an error if: 1) 
the Coinbase Bit was not set; or 2) the stack is empty; or 3) the top item on 
the stack was >= the block height of the containing block This is conceptually 
an AntiCheckLockTimeVerify: where CLTV _allows_ a txout to become spendable in 
a particular way in the future, Expire _prevents_ a txout from being spent in a 
particular way. Since OP_Expire requires the Coinbase Bit to be set, the reorg 
security of OP_Expire-using transactions is no worse than transactions spending 
miner coinbases. # How HTLC's Would Use OP_Expire Whenever revealing the 
preimage on-chain is necessary to the secure functioning of the HTLC-using 
protocol, we simply add an appropriate OP_Expire to the pre-image branch of the 
script along the lines of: If Expire Drop Hash EqualVerify CheckSig ElseIf # 
HTLC Expiration conditions ... EndIf Now the party receiving the pre-image has 
a deadline. Either they get a transaction spending the preimage mined, 
notifying the other party via the blockchain itself, or they fail to get the 
preimage mined in time, reverting control to the other party who can spend the 
HTLC output at their leisure, without strict time constraints. Since the 
HTLC-expired branch does *not* execute OP_Expire, the transaction spending the 
HTLC-expired branch does *not* need to set the Coinbase Bit. Thus it can be 
spent in a perfectly normal transaction, without restrictions. # Delta Encoding 
Expiration Rather than having a specific Coinbase Bit, it may also be feasible 
to encode the expiration height as a delta against a bloc

Re: [Lightning-dev] [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely

2023-10-22 Thread David A. Harding

On 2023-10-20 14:09, Peter Todd via bitcoin-dev wrote:
The basic problem here is after the HTLC-timeout path becomes 
spendable, the
HTLC-preimage path remains spendable. That's bad, because in this case 
we want
spending the HTLC-preimage - if possible - to have an urgency attached 
to it to

ensure that it happens before the previous HTLC-timeout is mined.

So, why can't we make the HTLC-preimage path expire?


If the goal is to ensure the HTLC-preimage should be mined before an 
upstream HTLC-timeout becomes mineable, then I don't think a consensus 
change is required.  We can just make the HTLC-preimage claimable by 
anyone some time after the HTLC-timeout becomes mineable.


For example, imagine that Alice offers Bob an HTLC with a timeout at 
block t+200.  Bob offers Carol an HTLC with a timeout at block t+100.  
The Bob-Carol HTLC script looks like this:


If
  # Does someone have the preimage?
  Hash  EqualVerify
  If
# Carol has the preimage at any time
 CheckSig
  Else
# Anyone else has the preimage after t+150
 CLTV
  EndIf
Else
  # Bob is allowed a refund after t+100
   CheckSigVerify
   CLTV
EndIf

In English:

- At any time, Carol can spend the output by releasing the preimage
- After t+100, Bob can spend the output
- After t+150, anyone with the preimage can spend the output



Let's consider this in the wider context of the forwarded payment 
Alice->Bob->Carol:


- If Carol attempts to spend the output by releasing the preimage but 
pays too low of a feerate to get it confirmed by block t+100, Bob can 
spend the output in block t+101.  He then has 99 blocks to settle 
(revoke) the Alice-Bob HTLC offchain.


- If Carol releases the preimage to the network in general but prevents 
Bob from using it (e.g. using a replacement cycling attack), anyone who 
saw the preimage can take Carol's output at t+150 and, by doing so, will 
put the preimage in the block chain where Bob will learn about it.  
He'll then have 49 blocks to settle (revoke) the Alice-Bob HTLC 
offchain.


- (All the normal cases when the HTLC is settled offchain, or where 
onchain operations occur in a timely manner)




I think that adequately satisfies the concern about the effect on LN 
from replacement cycling.  Looking at potential complications:


- If all miners acted together[1], they are incentivized to not mine 
Carol's preimage transaction before t+150 because its fees are less than 
the HTLC value they can receive at t+150.  I think this level of miner 
centralization would result in a general failure for LN given that 
miners could be any LN user's counterparty (or bribed by a user's 
counterparty).  E.g., stuff like this: 
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-June/017997.html


- To allow anyone with the preimage to spend the output after t+150, 
they need to know the script.  For taproot, that means the t+150 tapleaf 
script needs to follow a standard (e.g. a BOLT) and that any internal 
merkle nodes needed to connect it to the taproot commitment need to be 
shown in Carol's preimage transaction (or inferable from it or other 
data).


- Classic RBF pinning of the t+150 transaction to prevent it from 
confirming by block t+200 might be an issue.  E.g., including it in a 
400,000 weight low-feerate transaction.


- Full RBF might be required to ensure the t+150 transaction isn't sent 
with a low feerate and no opt-in signal.




Deployment considerations:

- No changes are required to full nodes (no consensus change required)

- No changes are required to mining Bitcoin nodes[2]

- At least one well-connected Bitcoin relay node will need to be updated 
to store preimages and related data, and to send the preimage claim 
transactions.  Data only needs to be kept for a rolling window of a few 
thousand blocks for the LN case, bounding storage requirements.  No 
changes are required to other relaying Bitcoin nodes


- LN nodes will need to update to new HTLC scripts, but this should be 
doable without closing/re-opening channels.  Both anchor and non-anchor 
channels can continue to be used




Compared to OP_EXPIRE:

- OP_EXPIRE requires consensus and policy changes; this does not

- OP_EXPIRE does not depend on special software; this depends on at 
least one person running special software




Although this proposal is an alternative to Peter's proposal and is 
primarily inspired by his idea, it's also a variation on a previous 
suggestion of mine: 
https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-April/002664.html


-Dave

[1] Perhaps under block censorship threat from a mining majority or a 
sub-majority performing selfish mining.


[2] Although miners may want to consider running code that allows them 
to rewrite any malleable transactions to pay themselve

___
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev