Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 0786DC002D for ; Wed, 19 Oct 2022 00:33:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id D29876002E for ; Wed, 19 Oct 2022 00:33:27 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org D29876002E Authentication-Results: smtp3.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=nH2L3L4K X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.088 X-Spam-Level: X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AfKWA7PXBvVg for ; Wed, 19 Oct 2022 00:33:26 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org DD50961136 Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) by smtp3.osuosl.org (Postfix) with ESMTPS id DD50961136 for ; Wed, 19 Oct 2022 00:33:25 +0000 (UTC) Received: by mail-il1-x12d.google.com with SMTP id q11so8361236ilj.10 for ; Tue, 18 Oct 2022 17:33:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=h+F78upnMZb3SwF/RBUy/f9D4Dz/zBB9rfSfb1CCkdQ=; b=nH2L3L4KIPIwVdkPnK8UpJDz5Od4OqiUsN/SuF6GPg2HUJujnfshJWkZRU464zH7cw jawr2UpP/X4Dm2Hp2nAae8dJKLNswEEoK1EaHH2X9wYJi7rrjMEWduIi0yzDmYJGFePH DpETk8nOZ2+6C70Z0j1M+v3mdk88BHBlhK5bt8kIY+s+k0DylDBj61SHcLoRPe1ac3IN 0wpL/LUAgM+Rjv71cLq3bSr1sJYAiHripvUm+5clmkQz/YZ/Pw1GyuyzLSTxHxDD/5gT O6wK21Y/en+ep867+cvDkzuVkuhFB+Fv0W+sjb98vnUQdS8e8ykQVttwA0Ks5l8e/AHm uJ+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=h+F78upnMZb3SwF/RBUy/f9D4Dz/zBB9rfSfb1CCkdQ=; b=eIgtP5wxs+NV/Sc18I88t3uFOUxUO4/BQutYjN/mZO65yj4cZzPOGrHOx6lsWSSiqf Mrnryw44BVMCJvWDQxLknQ0zUfcC7cMYJ08f8PSWosmWYe5TJj559Wiuq9x6NkdXCSJu uZRxDDn9eIh11yeNMyqVNlEcfTiFbePR1ytjeDlJ4ymwwGm6ICKz1qn8h9wb4lIRlrv0 RZzMz+QhXOQDDOEdkyGWFoIz20Phf7m6PjqhQmvtcdbhEXZ5nXPWgR93ROFce30qQ044 g2keIbn8Kvis83U8tGwzIPJPFbmMcrFjlw8/OSL4cno9WJPpWfIW6yhW/1D2TSxh/K7g jhNQ== X-Gm-Message-State: ACrzQf1d1NLWEiOphVjShHUo6Kzhm0DTwfAx4W63IYa+XsFXzOZ5DEAX DWqcse/QZu4ncswD6Dg6Mo8dKp5zNLEyoMcYOEM+uUAjy6XdCQ== X-Google-Smtp-Source: AMsMyM7sQfmTyk73rbz3j3HLiYUqSDEeyL8yKFgujbMCb2AcyD7dOv1dg/Ohvmo512VeyazYZVlUnKPA/BSsIC+nnGo= X-Received: by 2002:a92:c904:0:b0:2f8:ddd9:d49c with SMTP id t4-20020a92c904000000b002f8ddd9d49cmr3985682ilp.114.1666139604886; Tue, 18 Oct 2022 17:33:24 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Antoine Riard Date: Tue, 18 Oct 2022 20:33:13 -0400 Message-ID: To: Greg Sanders , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="0000000000004bab2905eb585bb1" X-Mailman-Approved-At: Wed, 19 Oct 2022 00:34:29 +0000 Subject: Re: [bitcoin-dev] Ephemeral Anchors: Fixing V3 Package RBF against package limit pinning X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Oct 2022 00:33:28 -0000 --0000000000004bab2905eb585bb1 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Greg, Thanks for proposing forward the "ephemeral anchors" policy change. > In Gloria's proposal for ln-penalty, this is worked > around by reducing the number of anchors per commitment transaction to 1, > and each version of the commitment transaction has a unique party's key o= n > it. The honest participant can spend their version with their anchor and > package RBF the other commitment transaction safely. IIRC, here I think we also need _package relay_ in strict addition of _package RBF_, otherwise if your Lightning transactions are still relayed and accepted one by one, your version of the commitment transaction won't succeed to replace the other counterparties's commitments sleeping in network mempools. The presence of a remote anchor output on the counterparty commitment still offers an ability to fee-bump, albeit in practice more a lucky shot as you might have partitioned network mempools between your local commitment and the remote commitment disputing the spend of the same funding UTXO. > 1) Expand a carveout for "sibling eviction", where if the new child is > paying "enough" to bump spends from the same parent, it knocks its siblin= g > out of the mempool and takes the one child slot. This would solve it, but > is a new eviction paradigm that would need to be carefully worked through= . Note, I wonder about the robustness of such a "sibling eviction" mechanism in the context of multi-party construction. E.g, a batching payout, where the participants are competing to each other in a blind way, as they do want their CPFPs paying back to them to confirm first, enforcing their individual liquidity preferences. I would think it might artificially lead the participants to overbid far beyond the top mempool block fees. > If we allow non-zero value in ephemeral outputs, does this open up a MEV > we are worried about? Wallets should toss all the value directly to fees= , > and add their own additional fees on top, otherwise miners have incentiv= e > to make the smallest utxo burn transaction to claim those funds. They just > confirmed your parent transaction anyways, so do we care? If we allow non-zero value in ephemeral outputs, I think we're slightly modifying the incentives games of the channels counterparties, in the sense if you have a link Alice-Bob, Bob could circular loop a bunch of dust offered HTLC deduced from Alice balance and committed as fees in the ephemeral output value, then break the channel on-chain to pocket in the trimmed value sum (in the limit of your Lightning implementation dust exposure). Note, this is already possible today if your counterparty is a miner however iiuc the proposal, here we're lowering the bar. > SIGHASH_GROUP like constructs would allow uncommitted ephemeral anchors > to be added at spend time, depending on spending requirements. > SIGHASH_SINGLE already allows this. Note, with SIGHASH_GROUP, you're still allowed to aggregate in a single bundle multiple ln-penalty commitments or eltoo settlement transactions, with only one fee-bumping output. It's a cool space performance trick, but a) I think this is still more a whiteboard idea than a sound proposal and b) sounds more a long-term, low-hanging fruit optimization of blockspace consumption. Best, Antoine Le mar. 18 oct. 2022 =C3=A0 09:53, Greg Sanders via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> a =C3=A9crit : > Hello Everyone, > > Following up on the "V3 Transaction" discussion here > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/02= 0937.html > , I would like to elaborate a bit further on some potential follow-on wor= k > that would make pinning severely constrained in many setups]. > > V3 transactions may solve bip125 rule#3 and rule#5 pinning attacks under > some constraints[0]. This means that when a replacement is to be made and > propagated, it costs the expected amount of fees to do so. This is a grea= t > start. What's left in this subset of pinning is *package limit* pinning. = In > other words, a fee-paying transaction cannot enter the mempool due to the > existing mempool package it is being added to already being too large in > count or vsize. > > Zooming into the V3 simplified scenario for sake of discussion, though > this problem exists in general today: > > V3 transactions restrict the package limit of a V3 package to one parent > and one child. If the parent transaction includes two outputs which can b= e > immediately spent by separate parties, this allows one party to disallow = a > spend from the other. In Gloria's proposal for ln-penalty, this is worked > around by reducing the number of anchors per commitment transaction to 1, > and each version of the commitment transaction has a unique party's key o= n > it. The honest participant can spend their version with their anchor and > package RBF the other commitment transaction safely. > > What if there's only one version of the commitment transaction, such as i= n > other protocols like duplex payment channels, eltoo? What about multi par= ty > payments? > > In the package RBF proposal, if the parent transaction is identical to an > existing transaction in the mempool, the parent will be detected and > removed from the package proposal. You are then left with a single V3 chi= ld > transaction, which is then proposed for entry into the mempool. In the ca= se > of another parent output already being spent, this is simply rejected, > regardless of feerate of the new child. > > I have two proposed solutions, of which I strongly prefer the latter: > > 1) Expand a carveout for "sibling eviction", where if the new child is > paying "enough" to bump spends from the same parent, it knocks its siblin= g > out of the mempool and takes the one child slot. This would solve it, but > is a new eviction paradigm that would need to be carefully worked through= . > > 2) Ephemeral Anchors (my real policy-only proposal) > > Ephemeral Anchors is a term which means an output is watermarked as an > output that MUST be spent in a V3 package. We mark this anchor by being t= he > bare script `OP_TRUE` and of course make these outputs standard to relay > and spend with empty witness data. > > Also as a simplifying assumption, we require the parent transaction with > such an output to be 0-fee. This makes mempool reasoning simpler in case > the child-spend is somehow evicted, guaranteeing the parent will be as we= ll. > > Implications: > > a) If the ephemeral anchor MUST be spent, we can allow *any* value, even > dust, even 0, without worrying about bloating the utxo set. We relax this > policy for maximum smart contract flexibility and specification simplicit= y.. > > b) Since this anchor MUST be spent, any spending of other outputs in the > same parent transaction MUST directly double-spend prior spends of the > ephemeral anchor. This causes the 1 block CSV timelock on outputs to be > removed in these situations. This greatly magnifies composability of smar= t > contracts, as now we can do things like safely splice directly into new > channels, into statechains, your custodial wallet account, your cold > wallet, wherever, without requiring other wallets to support arbitrary > scripts. Also it hurts that 1 CSV time locked scripts may not be miniscri= pt > compatible to begin with... > > c) *Anyone* can bump the transaction, without any transaction key > material. This is essentially achieving Jeremy's Transaction Sponsors ( > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-September/01= 8168.html) > proposal without consensus changes. As long as someone gets a fully signe= d > parent, they can execute a bump with minimal wallet tooling. If a > transaction author doesn=E2=80=99t want a =E2=80=9Csponsor=E2=80=9D, do n= ot include the output. > > d) Lightning Carve-out( > https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-October/00= 2240.html) > is superseded by this logic, as we are not restricted to two immediately > spendable output scenarios. In its place, robust multi-party fee bumping = is > possible. > > e) This also benefits more traditional wallet scenarios, as change output= s > can no longer be pinned, and RBF/CPFP becomes robust. Payees in simple > spends cannot pin you. Batched payouts become a lot less painful. This wa= s > one of the motivating use cases that created the term =E2=80=9Cpinning=E2= =80=9D in the > first place( > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015= 717.html), > even if LN/L2 discussion has largely overtaken it due to HTLC theft risks= . > > Open Question(s): > > > 1. > > If we allow non-zero value in ephemeral outputs, does this open up a > MEV we are worried about? Wallets should toss all the value directly t= o > fees, and add their own additional fees on top, otherwise miners have > incentive to make the smallest utxo burn transaction to claim those fu= nds. > They just confirmed your parent transaction anyways, so do we care? > 2. > > SIGHASH_GROUP like constructs would allow uncommitted ephemeral > anchors to be added at spend time, depending on spending requirements. > SIGHASH_SINGLE already allows this. > > > > > Hopefully this gives people something to consider as we move forward in > thinking about mempool design within the constraints we have today. > > > Greg > > 0: With V3 transactions where you have "veto power" over all the inputs i= n > that transaction. Therefore something like ANYONECANPAY is still broken. = We > need a more complex solution, which I=E2=80=99m punting for the sake of p= rogress. > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --0000000000004bab2905eb585bb1 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Greg,

Thanks for proposing forward the "eph= emeral anchors" policy change.

> In Gloria's proposal fo= r ln-penalty, this is worked
> around by reducing the number of ancho= rs per commitment transaction to 1,
> and each version of the commitm= ent transaction has a unique party's key on
> it. The honest part= icipant can spend their version with their anchor and
> package RBF t= he other commitment transaction safely.

IIRC, here I think we also n= eed _package relay_ in strict addition of _package RBF_, otherwise if your = Lightning transactions are still relayed and accepted one by one, your vers= ion of the commitment transaction won't succeed to replace the other co= unterparties's commitments sleeping in network mempools. The presence o= f a remote anchor output on the counterparty commitment still offers an abi= lity to fee-bump, albeit in practice more a lucky shot as you might have pa= rtitioned network mempools between your local commitment and the remote com= mitment disputing the spend of the same funding UTXO.

> 1) Expand= a carveout for "sibling eviction", where if the new child is
= > paying "enough" to bump spends from the same parent, it knoc= ks its sibling
> out of the mempool and takes the one child slot. Thi= s would solve it, but
> is a new eviction paradigm that would need to= be carefully worked through.

Note, I wonder about the robustness of= such a "sibling eviction" mechanism in the context of multi-part= y construction. E.g, a batching payout, where the participants are competin= g to each other in a blind way, as they do want their CPFPs paying back to = them to confirm first, enforcing their individual liquidity preferences. I = would think it might artificially lead the participants to overbid far beyo= nd the top mempool block fees.

> =C2=A0If we allow non-zero value= in ephemeral outputs, does this open up a MEV
> =C2=A0we are worried= about? Wallets should toss all the value directly to fees,
> =C2=A0a= nd add their own additional fees on top, otherwise miners have incentive> =C2=A0to make the smallest utxo burn transaction to claim those funds= . They just
> =C2=A0confirmed your parent transaction anyways, so do = we care?

If we allow non-zero value in ephemeral outputs, I think we= 're slightly modifying the incentives games of the channels counterpart= ies, in the sense if you have a link Alice-Bob, Bob could circular loop a b= unch of dust offered HTLC deduced from Alice balance and committed as fees = in the ephemeral output value, then break the channel on-chain to pocket in= the trimmed value sum (in the limit of your Lightning implementation dust = exposure). Note, this is already possible today if your counterparty is a m= iner however iiuc the proposal, here we're lowering the bar.

>= ; =C2=A0SIGHASH_GROUP like constructs would allow uncommitted ephemeral anc= hors
> =C2=A0to be added at spend time, depending on spending require= ments.
> =C2=A0SIGHASH_SINGLE already allows this.

Note, with = SIGHASH_GROUP, you're still allowed to aggregate in a single bundle mul= tiple ln-penalty commitments or eltoo settlement transactions, with only on= e fee-bumping output. It's a cool space performance trick, but a) I thi= nk this is still more a whiteboard idea than a sound proposal and b) sounds= more a long-term, low-hanging fruit optimization of blockspace consumption= .

Best,
Antoine

Le=C2=A0mar. 18 oct. 2022 =C3=A0=C2=A009:53, = Greg Sanders via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> a =C3=A9crit= =C2=A0:

Hello Everyone,


Following up on the "V3 Transaction" discussion here https://lists.linuxfoundation.org/piperm= ail/bitcoin-dev/2022-September/020937.html , I would like to elaborate = a bit further on some potential follow-on work that would make pinning seve= rely constrained in many setups].


V3 transactions may solve bip125 rule#3 and rule#5 pi= nning attacks under some constraints[0]. This means that when a replacement= is to be made and propagated, it costs the expected amount of fees to do s= o. This is a great start. What's left in this subset of pinning is *pac= kage limit* pinning. In other words, a fee-paying transaction cannot enter = the mempool due to the existing mempool package it is being added to alread= y being too large in count or vsize.


Zooming into the V3 simplified scenario for sake o= f discussion, though this problem exists in general today:


V3 transactions restrict the= package limit of a V3 package to one parent and one child. If the parent t= ransaction includes two outputs which can be immediately spent by separate = parties, this allows one party to disallow a spend from the other. In Glori= a's proposal for ln-penalty, this is worked around by reducing the numb= er of anchors per commitment transaction to 1, and each version of the comm= itment transaction has a unique party's key on it. The honest participa= nt can spend their version with their anchor and package RBF the other comm= itment transaction safely.


What if there's only one version of the commitment trans= action, such as in other protocols like duplex payment channels, eltoo? Wha= t about multi party payments?


In the package RBF proposal, if the parent transaction is= identical to an existing transaction in the mempool, the parent will be de= tected and removed from the package proposal. You are then left with a sing= le V3 child transaction, which is then proposed for entry into the mempool.= In the case of another parent output already being spent, this is simply r= ejected, regardless of feerate of the new child.


I have two proposed solutions, of whi= ch I strongly prefer the latter:


1) Expand a carveout for "sibling eviction",= where if the new child is paying "enough" to bump spends from th= e same parent, it knocks its sibling out of the mempool and takes the one c= hild slot. This would solve it, but is a new eviction paradigm that would n= eed to be carefully worked through.


2) Ephemeral Anchors (my real policy-only proposal)=


Ephemeral A= nchors is a term which means an output is watermarked as an output that MUS= T be spent in a V3 package. We mark this anchor by being the bare script `O= P_TRUE` and of course make these outputs standard to relay and spend with e= mpty witness data.


Also as a simplifying assumption, we require the parent transaction = with such an output to be 0-fee. This makes mempool reasoning simpler in ca= se the child-spend is somehow evicted, guaranteeing the parent will be as w= ell.


Implica= tions:


a) If= the ephemeral anchor MUST be spent, we can allow *any* value, even dust, e= ven 0, without worrying about bloating the utxo set. We relax this policy f= or maximum smart contract flexibility and specification simplicity..=


b) Since this anch= or MUST be spent, any spending of other outputs in the same parent transact= ion MUST directly double-spend prior spends of the ephemeral anchor. This c= auses the 1 block CSV timelock on outputs to be removed in these situations= . This greatly magnifies composability of smart contracts, as now we can do= things like safely splice directly into new channels, into statechains, yo= ur custodial wallet account, your cold wallet, wherever, without requiring = other wallets to support arbitrary scripts. Also it hurts that 1 CSV time l= ocked scripts may not be miniscript compatible to begin with...

<= br>

c) *Anyone* can bump th= e transaction, without any transaction key material. This is essentially ac= hieving Jeremy's Transaction Sponsors (https://lists.linuxfoundation.org/pipe= rmail/bitcoin-dev/2020-September/018168.html) proposal without consensus changes. As long = as someone gets a fully signed parent, they can execute a bump with minimal= wallet tooling. If a transaction author doesn=E2=80=99t want a =E2=80=9Csp= onsor=E2=80=9D, do not include the output.


d) Lightning Carve-out(https://lists.linuxfoundati= on.org/pipermail/lightning-dev/2019-October/002240.html)=C2=A0 is superseded by this logic= , as we are not restricted to two immediately spendable output scenarios. I= n its place, robust multi-party fee bumping is possible.


e) This also benefits more tra= ditional wallet scenarios, as change outputs can no longer be pinned, and R= BF/CPFP becomes robust. Payees in simple spends cannot pin you. Batched pay= outs become a lot less painful. This was one of the motivating use cases th= at created the term =E2=80=9Cpinning=E2=80=9D in the first place(https://lists.lin= uxfoundation.org/pipermail/bitcoin-dev/2018-February/015717.html= ), even if LN/L2 discussio= n has largely overtaken it due to HTLC theft risks.


Open Question(s):


  • <= span style=3D"font-size:11pt;background-color:transparent;font-variant-nume= ric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-spa= ce:pre-wrap">If we allow non-zero value in ephemeral outputs, does this ope= n up a MEV we are worried about? Wallets should toss all the value directly= to fees, and add their own additional fees on top, otherwise miners have i= ncentive to make the smallest utxo burn transaction to claim those funds. T= hey just confirmed your parent transaction anyways, so do we care?

  • SIGHASH_GROUP like const= ructs would allow uncommitted ephemeral anchors to be added at spend time, = depending on spending requirements. SIGHASH_SINGLE already allows this.




  • Hopefully this gives people something to consider as we move forward in = thinking about mempool design within the constraints we have today.<= /p>

    Greg

    =

    0: With V3 transaction= s where you have "veto power" over all the inputs in that transac= tion. Therefore something like ANYONECANPAY is still broken. We need a more= complex solution, which I=E2=80=99m punting for the sake of progress.


    _______________________________________________
    bitcoin-dev mailing list
    = bitcoin-dev@lists.linuxfoundation.org
    https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
    --0000000000004bab2905eb585bb1--