Return-Path: <antoine.riard@gmail.com> Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 43972C0032; Mon, 13 Nov 2023 02:18:30 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 175364016C; Mon, 13 Nov 2023 02:18:30 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 175364016C Authentication-Results: smtp2.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=kkPIcqpV X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hjvrjusWZpGp; Mon, 13 Nov 2023 02:18:28 +0000 (UTC) Received: from mail-il1-x12a.google.com (mail-il1-x12a.google.com [IPv6:2607:f8b0:4864:20::12a]) by smtp2.osuosl.org (Postfix) with ESMTPS id 1AC4840102; Mon, 13 Nov 2023 02:18:28 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 1AC4840102 Received: by mail-il1-x12a.google.com with SMTP id e9e14a558f8ab-3594cb642beso16396565ab.3; Sun, 12 Nov 2023 18:18:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699841907; x=1700446707; darn=lists.linuxfoundation.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vmCnxqrzD/uYw+qAwCeYqnPqkuGdKFX9IxEfTghPdyo=; b=kkPIcqpVCjyB8YiXnI6gCTPir8+4qG1rRonU8Fu2GdiUnYW7bJZHiYk1sGVpSxUsbR mjx9UgMHRpsIO/LqSWs266ooH6Tc9oYGyNY+na9MDBEA+EkJ3DDu5vW2yz03MtByvFik VTavWH0YKEJDtIGN10u3Zn7sAPSySEwGXznGO5UNnBc2JnrObtJx3qQ/QSSoNAUhvYns vaxneVxXBmM8mADYC8sp3sECox9tlrhjDNMN60H+pHpmHbj3Gy0xlrhLfngZM4VWF0aD QwxJZsq0VFklgXLNsQF2aR2+IdMoyvKuizAdaXWLdsqvOkjCZUzHgipol/dvzgVx/BrV 45dQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699841907; x=1700446707; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vmCnxqrzD/uYw+qAwCeYqnPqkuGdKFX9IxEfTghPdyo=; b=MPR9d6YuC+X1BaBO57aDq7NWcG6XiOtP72uFhEJl9km2VujDhfBsWqHaOou0GnrUA6 ZG+SAcnxrvrkT4WiGO4duvcpNBPJ4NHar3L8TZxoKdwM9K9E5Y58uh++Vga6FYstRv36 i0Eb3BQJvED8q6c2jCiLEQDCnIxBKXXz4OhAeTJitfUB6UZrH/QWZ+9hpq186wGx0SV+ BoFso58BuDUCssqWOXLhjOK95yJ689CYXjn2D4fTUtiZea/wZvz86qLU1V9MMKbAazgG dYsSWCZchpSvpo0PC0Y2WC0Ed7QgrgzLV94FU1sBZPBD1UORHUaZM95gueRR0EDKl6xr uecQ== X-Gm-Message-State: AOJu0YxAPBWvukZL/BfU2NqbjLBSqTJ5n/zuWInzZGcFmtut+yiXZtw9 trcLEvP4z4UqVNd+DeuV9LZtsyjVMjCQ7wjELp4= X-Google-Smtp-Source: AGHT+IEGL32SJoht3HB73yCdkxUNbnR6p7IY8A+Xc895w3ZNWf7XA9Sx8r9diLonYZ38jpb/hx1agYB4f4+3HejQVmk= X-Received: by 2002:a05:6e02:20c5:b0:359:47b9:7bef with SMTP id 5-20020a056e0220c500b0035947b97befmr7980892ilq.1.1699841907035; Sun, 12 Nov 2023 18:18:27 -0800 (PST) MIME-Version: 1.0 References: <CALZpt+EZqfj=G=E37hA+k9pKYfvE0jkc3UU+H8sJVm=H3CO-JA@mail.gmail.com> <CALZpt+GXGBbo0JjOyMr3B-3dVY2Q_DuzF6Sn3xE5W24x77PRYg@mail.gmail.com> <ZUrbk9a9jiL87pxd@petertodd.org> <ZUrtHyQBOEZTM3Bj@petertodd.org> In-Reply-To: <ZUrtHyQBOEZTM3Bj@petertodd.org> From: Antoine Riard <antoine.riard@gmail.com> Date: Mon, 13 Nov 2023 02:18:16 +0000 Message-ID: <CALZpt+FEwjwQQWY6TBFuWeZbqC6Ywa7eSTcpqYuQPZ6+6QBzaw@mail.gmail.com> To: Peter Todd <pete@petertodd.org> Content-Type: multipart/alternative; boundary="0000000000000b13670609ff49e6" X-Mailman-Approved-At: Mon, 13 Nov 2023 10:19:55 +0000 Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>, security@ariard.me, "lightning-dev\\\\@lists.linuxfoundation.org" <lightning-dev@lists.linuxfoundation.org> Subject: Re: [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org> List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe> List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/> List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org> List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help> List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe> X-List-Received-Date: Mon, 13 Nov 2023 02:18:30 -0000 --0000000000000b13670609ff49e6 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Your two latest mails. > The problem that OP_Expire aims to solve is the fact that Carol could prevent > Bob from learning about the preimage in time, while still getting a chance to > use the preimage herself. OP_Expire thoroughly solves that problem by ensuring > that the preimage is either broadcast in the blockchain in a timely fashion, or > becomes useless. I respectfully disagree - There is a more general underlying issue for outdated states in multi-party off-chain constructions, where any "revoked" or "updated" consensus-valid state can be used to jam the latest off-chain agreed-on, through techniques like replacement cycling or pinning. > My suggestion of pre-signing RBF replacements, without anchor outputs, and with > all outputs rendered unspendable with 1 CSV, is clearly superior: there are > zero degrees of freedom to the attacker, other than the possibility of > increasing the fee paid or broadcasting a revoked commitment. The latter of > course risks the other party punishing the fraud. Assuming the max RBF replacement is pre-signed at 200 sats / vb, with commitment transaction of ~268 vbytes and at least one second-stage HTLC transaction of ~175 vbytes including witness size, a channel counterparty must keep at worst a fee-bumping reserve of 35 268 sats, whatever payment value. As of today, any payment under $13 has to become trimmed HTLCs. Trimmed HTLCs are coming with their own wormhole of issues, notably making them a target to be stolen by low-hashrate capabilities attackers [0]. [0] https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-May/002714.h= tml > This does have the practical problem that a set of refund transactions will > also need to be signed for each fee variant. But, eg, signing 10x of each isn't > so burdensome. And in the future that problem could be avoided with > SIGHASH_NOINPUT, or replacing the pre-signed refund transaction mechanism with > a covenant. I think if you wish to be safe against fees griefing games between counterparties, both counterparties have to maintain their own fee-bumping reserves, which make channel usage less capital efficient, rather than being drawn from a common reserve. > Using RBF rather than CPFP with package relay also has the advantage of being > more efficient, as no blockspace needs to be consumed by the anchor outputs or > transactions spending them. Of course, there are special circumstances where > BIP125 rules can cause CPFP to be cheaper. But we can easily fix that, eg by > reducing the replacement relay fee, or by delta-encoding transaction updates. It is left as an exercise to the reader how to break the RBF approach for LN channels as proposed. > As SIGHASH_NOINPUT is desirable for LN-Symmetry, a softfork containing both it > and OP_Expire could make sense. I think there is one obvious issue of pre-signing RBF replacements combined with LN-symmetry, namely every state has to pre-commit to fee values attached and such states might spend each other in chain. So now you would need `max-rbf-replacement` * `max-theoretical-number-of-states` of fee-bumping reserves unless you can pipe fee value with some covenant magic, I think. > In existing anchor output transactions, this type of attack wouldn't work as > when broadcasting the transaction, Alice would be spending her anchor output, > which Bob can't double spend. However Bob can double-spend Alice's commitment transaction with his own commitment transaction and a CPFP, as long as it's a better ancestor feerate and absolute fee package, then double-spend his own CPFP. Which is exactly what my test is doing so I don't think your statement of saying this type of advanced replacement cycling attack wouldn't work isn't correct. Best, Antoine Le mer. 8 nov. 2023 =C3=A0 02:06, Peter Todd <pete@petertodd.org> a =C3=A9c= rit : > On Wed, Nov 08, 2023 at 12:51:31AM +0000, Peter Todd via bitcoin-dev wrot= e: > > > In a post-package relay world, I think this is possible. And that > > > replacement cycling attacks are breaking future dynamic fee-bumping o= f > > > pre-signed transactions concerns me a lot. > > > > Well the answer here is pretty clear: v3 package relay with anchors is > broken. > > BTW a subtlety of this that may not be obvious is that in v3 package rela= y, > with zero value outputs, the outputs must be spent in the same package. > Thus > _unlike_ existing anchor-using transactions, there would be only one anch= or > output on the commitment transaction. > > In existing anchor output transactions, this type of attack wouldn't work > as > when broadcasting the transaction, Alice would be spending her anchor > output, > which Bob can't double spend. But that doesn't work in v3, which intends = to > limit UTXO growth by requiring that anchors be spent in the same package. > Thus > unlike existing anchor outputs, an anchor would be truly a OP_1 output > without > a signature, and thus belong to either Alice nor Bob uniquely. > > -- > https://petertodd.org 'peter'[:-1]@petertodd.org > --0000000000000b13670609ff49e6 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr">Your two latest mails.<div><br></div><div>> The problem= that OP_Expire aims to solve is the fact that Carol could prevent<br>> = Bob from learning about the preimage in time, while still getting a chance = to<br>> use the preimage herself. OP_Expire thoroughly solves that probl= em by ensuring<br>> that the preimage is either broadcast in the blockch= ain in a timely fashion, or<br>> becomes useless.<br></div><div><br></di= v><div>I respectfully disagree - There is a more general underlying issue f= or outdated states in multi-party off-chain constructions, where any "= revoked" or "updated" consensus-valid state can be used to j= am the latest off-chain agreed-on, through techniques like replacement cycl= ing or pinning.</div><div><br></div><div>> My suggestion of pre-signing = RBF replacements, without anchor outputs, and with<br>> all outputs rend= ered unspendable with 1 CSV, is clearly superior: there are<br>> zero de= grees of freedom to the attacker, other than the possibility of<br>> inc= reasing the fee paid or broadcasting a revoked commitment. The latter of<br= >> course risks the other party punishing the fraud.<br></div><div><br><= /div><div>Assuming the max RBF replacement is pre-signed at 200 sats / vb, = with commitment transaction of ~268 vbytes and at least one second-stage HT= LC transaction of ~175 vbytes including witness size, a channel counterpart= y must keep at worst a fee-bumping reserve of 35 268 sats, whatever payment= value. As of today, any payment under $13 has to become trimmed HTLCs. Tri= mmed HTLCs are coming with their own wormhole of issues, notably making the= m a target to be stolen by low-hashrate capabilities attackers [0].</div><d= iv><br></div><div>[0] <a href=3D"https://lists.linuxfoundation.org/pipermai= l/lightning-dev/2020-May/002714.html">https://lists.linuxfoundation.org/pip= ermail/lightning-dev/2020-May/002714.html</a></div><div><br></div><div>>= This does have the practical problem that a set of refund transactions wil= l</div>> also need to be signed for each fee variant. But, eg, signing 1= 0x of each isn't<br>> so burdensome. And in the future that problem = could be avoided with<br>> SIGHASH_NOINPUT, or replacing the pre-signed = refund transaction mechanism with<br>> a covenant.<div><br></div><div>I = think if you wish to be safe against fees griefing games between counterpar= ties, both counterparties have to maintain their own fee-bumping reserves, = which make channel usage less capital efficient, rather than being drawn fr= om a common reserve.</div><div><br></div><div>> Using RBF rather than CP= FP with package relay also has the advantage of being<br>> more efficien= t, as no blockspace needs to be consumed by the anchor outputs or<br>> t= ransactions spending them. Of course, there are special circumstances where= <br>> BIP125 rules can cause CPFP to be cheaper. But we can easily fix t= hat, eg by<br>> reducing the replacement relay fee, or by delta-encoding= transaction updates.<br></div><div><br></div><div>It is left as an exercis= e to the reader how to break the RBF approach for LN channels as proposed.<= /div><div><br></div><div>> As SIGHASH_NOINPUT is desirable for LN-Symmet= ry, a softfork containing both it<br>> and OP_Expire could make sense.<b= r></div><div><br></div><div>I think there is one obvious issue of pre-signi= ng RBF replacements combined with LN-symmetry, namely every state has to pr= e-commit to fee values attached and such states might spend each other in c= hain. So now you would need `max-rbf-replacement` * =C2=A0`max-theoretical-= number-of-states` of fee-bumping reserves unless you can pipe fee value wit= h some covenant magic, I think.</div><div><br></div><div>> In existing a= nchor output transactions, this type of attack wouldn't work as<br>>= when broadcasting the transaction, Alice would be spending her anchor outp= ut,<br>> which Bob can't double spend.<br></div><div><br></div><div>= However Bob can double-spend Alice's commitment transaction with his ow= n commitment transaction and a CPFP, as long as it's a better ancestor = feerate and absolute fee package, then double-spend his own CPFP. Which is = exactly what my test is doing so I don't think your statement of saying= this type of advanced replacement cycling attack wouldn't work isn'= ;t correct.</div><div><br></div><div>Best,</div><div>Antoine</div></div><br= ><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">Le=C2=A0m= er. 8 nov. 2023 =C3=A0=C2=A002:06, Peter Todd <<a href=3D"mailto:pete@pe= tertodd.org">pete@petertodd.org</a>> a =C3=A9crit=C2=A0:<br></div><block= quote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left-w= idth:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding= -left:1ex">On Wed, Nov 08, 2023 at 12:51:31AM +0000, Peter Todd via bitcoin= -dev wrote:<br> > > In a post-package relay world, I think this is possible. And that= <br> > > replacement cycling attacks are breaking future dynamic fee-bumpi= ng of<br> > > pre-signed transactions concerns me a lot.<br> > <br> > Well the answer here is pretty clear: v3 package relay with anchors is= broken.<br> <br> BTW a subtlety of this that may not be obvious is that in v3 package relay,= <br> with zero value outputs, the outputs must be spent in the same package. Thu= s<br> _unlike_ existing anchor-using transactions, there would be only one anchor= <br> output on the commitment transaction.<br> <br> In existing anchor output transactions, this type of attack wouldn't wo= rk as<br> when broadcasting the transaction, Alice would be spending her anchor outpu= t,<br> which Bob can't double spend. But that doesn't work in v3, which in= tends to<br> limit UTXO growth by requiring that anchors be spent in the same package. T= hus<br> unlike existing anchor outputs, an anchor would be truly a OP_1 output with= out<br> a signature, and thus belong to either Alice nor Bob uniquely.<br> <br> -- <br> <a href=3D"https://petertodd.org" rel=3D"noreferrer" target=3D"_blank">http= s://petertodd.org</a> 'peter'[:-1]@<a href=3D"http://petertodd.org"= rel=3D"noreferrer" target=3D"_blank">petertodd.org</a><br> </blockquote></div> --0000000000000b13670609ff49e6--