1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
|
Return-Path: <jim.posen@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id F29DE728
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 2 May 2018 01:15:13 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-qt0-f182.google.com (mail-qt0-f182.google.com
[209.85.216.182])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 0ED7D675
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 2 May 2018 01:15:12 +0000 (UTC)
Received: by mail-qt0-f182.google.com with SMTP id q6-v6so16525938qtn.3
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 01 May 2018 18:15:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:in-reply-to:references:from:date:message-id:subject:to
:cc; bh=2BEv/fWJvYFeo3fwbwIagVaoXbtkdUHeq5ESuOoh0QY=;
b=evYcNasUH8RLuZqdyY8lI6q5crh3uj9US7DLZYNEs1Dw1jgMVMrrY3JpPD8wQuofCQ
Sx1/ds5pYSPOjoIIcPeyUhmD5bOSG5wpgrh6NBEMBZ/NhaojTxtlG8dsJM54tQp58DaB
8tyw1icIeuRXRZdbw8KWxvZIYgoDw+7h5ZVTmKwWug7IW2x6GRvvJRIrqGk39aJ0iKlk
fsN1dFvuFBJ/zb0J6zT5rQAtQozrsJB11ZUZ/Qs/TqQxyNC1WQ/rdKy6iifjg2j+E/TT
aRUHZ4sCBqJXavfi+I5l5c0NHMDcx2AJJN07jEyo7k80AnidtEIMyw3vAgZ+ICcYO5eo
chlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:in-reply-to:references:from:date
:message-id:subject:to:cc;
bh=2BEv/fWJvYFeo3fwbwIagVaoXbtkdUHeq5ESuOoh0QY=;
b=b+WvXEduKdSJsNrgTh5+TqFCmZN3FQnYJvBEJJ0g/omj2v2rhgloGe9KlRXsC/4IiF
LmmcX0SLQA3rddjry/DZUo7G9Xpd1sIJQ9eqIVXwiVfF56MIT5UoRrRxd3GXcRtxD/qU
rvormSGdg96vTzVL6Hb2fRhIJYGj2KvXanTh1m1TL0c50KOimKzWeI4JYUMJlOhaVy2M
HuIpl8XJ7nKJ+ik8srlUzmH4wJxqV7BMaeusmJOKBosvVXk8KZLuhOOmPxEDM8H5fPZg
zalqpqvRmDl4WGiWQjxniwL+2hsiwClVMtxEPiGzcQsQrrZdXz/YCZqo39rUOaz3heVp
mvSg==
X-Gm-Message-State: ALQs6tDIT0OfKMx5n9rkm1RK0yQdugWiLvuFlp34yJo69QvM5aEGoOL3
cn9Fl2L0YP8FmHDTI/5FnBPUJrDGd3+wXQH1AU8=
X-Google-Smtp-Source: AB8JxZqVdNIJ15F1WGFxzLx3o0eztd3MTu8wmT4/NjyJwGPuu49hhLdnaPeZMx2kUg2gq4nrGqDEXY9xZWbr290KwKo=
X-Received: by 2002:a0c:b691:: with SMTP id
u17-v6mr14934116qvd.92.1525223711938;
Tue, 01 May 2018 18:15:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.200.50.92 with HTTP; Tue, 1 May 2018 18:15:10 -0700 (PDT)
In-Reply-To: <87bmdzgu4v.fsf@gmail.com>
References: <874ljsitvx.fsf@gmail.com>
<CADZtCSgSJsU+j1teT4A9+nc+cuzBz+dhL+sC3dyGniQAsxPUxw@mail.gmail.com>
<87vac7hakf.fsf@gmail.com>
<CADZtCShihv1PR4yD_xATD2mv5CSMqH385HWVLdZQSG_9ZyJ7Jw@mail.gmail.com>
<87in87gx0q.fsf@gmail.com>
<CADZtCShvsaUpHKqRkkDm1XEmiSgj4Aa_VPdFFhaMQd9fcvxyZA@mail.gmail.com>
<87bmdzgu4v.fsf@gmail.com>
From: Jim Posen <jim.posen@gmail.com>
Date: Tue, 1 May 2018 18:15:10 -0700
Message-ID: <CADZtCSgHmyYbumDw6bwfYpoqc9b-0JmHM5-22=Y1FXNDiTghrA@mail.gmail.com>
To: Christian Decker <decker.christian@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000008d9e47056b2ed19d"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Wed, 02 May 2018 01:15:32 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] eltoo: A Simplified update Mechanism for
Lightning and Off-Chain Contracts
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2018 01:15:14 -0000
--0000000000008d9e47056b2ed19d
Content-Type: text/plain; charset="UTF-8"
OK, I see what you are saying. You are effectively suggesting pipelining
the broadcasts of the update transactions. I think this introduces a
problem that a node in the circuit that withholds the preimage for too long
can force all upstream channels to be closed, at only the expense of their
one upstream channel being closed. I believe such an attack could
significantly disrupt the network.
Let me elaborate on the way I'm thinking about this:
So say I'm a routing node with an upstream HTLC with CLTV = X. I need to
ensure that if I learn the preimage, that I have time to broadcast and
confirm an HTLC-success transaction before height X. We'll call this number
of blocks D_success. So if I know the preimage, let's say X - D_success is
the latest height that I can safely broadcast the HTLC-success transaction,
assuming the settlement transaction is already final (ie. the update
transaction is confirmed and the CSV delay has passed). So now I also need
to know when to close the channel with the update transaction. I'll assume
it will take at most D_update blocks from the time I broadcast the update
transaction for it to be mined. So unless the downstream HTLC is already
failed, I should always close the upstream channel at height X - D_success
- CSV_update - D_update.
Now we'll look at the downstream HTLC with CLTV = Y. In order to minimize
the safe delta between the upstream and downstream CLTVs, I will want to
broadcast and confirm an HTLC-timeout transaction as soon after height Y as
possible. So assuming that the downstream settlement transaction is final
at height Y and it takes at most D_timeout blocks for the HTLC timeout
transaction to confirm once it is final assuming no double spends, then Y +
D_timeout is very latest I might learn the payment preimage from the
downstream channel on-chain. So I should be safe as long as X - D_success >
Y + D_timeout. This assumes that the update transaction for the downstream
channel is already mined and the CSV has passed. However, we know from
above that I had to close the upstream channel at time X - D_success -
CSV_update - D_update, which may very well be before Y. So if the
downstream hop waits until just before Y to publish the preimage, they can
force me to close my upstream channel. This applies transitively for
further upstream hops, assuming a large enough CSV value.
Granted, upstream hops can watch the blockchain for preimage reveals in
other closings transaction and perhaps fulfill off-chain if there is
sufficient time. This would not be possible with payment decorrelation
through scriptless scripts or the like.
Does that logic sound right to you?
On Tue, May 1, 2018 at 10:31 AM, Christian Decker <
decker.christian@gmail.com> wrote:
> Jim Posen <jim.posen@gmail.com> writes:
> > I'm still not following why this doesn't accumulate.
> >
> > In the example route, let's look at it from the point of view of C. C
> sees
> > the following regardless of whether D or E or someone behind E is the
> last
> > hop in the route:
> >
> > B -> HTLC(expire = X + delta) -> C -> HTLC(expire = X) -> D
> >
> > So D is not required to reveal the preimage before time X, and in the
> case
> > of an on-chain settle, C needs to be able to redeem the HTLC output
> through
> > the timeout clause before time X + delta. C can't redeem the HTLC (with
> > sufficient confirmations) at least until the settlement transaction is
> > confirmed. So it seems to me that regardless of the overall route and the
> > maximum CSV on it, the delta for the C hop has to be greater than the CSV
> > delay on the update transaction. And that this must be true at every hop
> > for the same reason.
>
> That'd be a purely reactionary behavior, i.e., chosing the delta in such
> a way that I can both settle the channel and have enough time to react
> to turn around and reveal the preimage. So with the assumptions we had
> before (CSV = 144 and CLTV delta = 144) you'd have an effective delta of
> 288 on each hop, yes. That's basically the case in which each channel
> reacts serially.
>
> You can trivially parallelize these closures by looking ahead and
> noticing that each hop really just cares about its own closure deadline,
> i.e., each node just cares to close 288 blocks before the CLTV expires,
> not that its delta w.r.t. to the downstream channel is that far in the
> future. So all we care about is that once we are due to give the
> upstream hop the preimage we've already closed the downstream channel
> and can now read the HTLC preimage from that channel.
>
> The CSV timeout isn't part of the delta on each hop, but we need to
> implement the deadline computation as:
>
> ```
> CLTV - CLTV delta - CSV
> ```
>
> instead of LN-penaltiy's
>
> ```
> CLTV - CLTV delta
> ```
>
--0000000000008d9e47056b2ed19d
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">OK, I see what you are saying. You are effectively suggest=
ing pipelining the broadcasts of the update transactions. I think this intr=
oduces a problem that a node in the circuit that withholds the preimage for=
too long can force all upstream channels to be closed, at only the expense=
of their one upstream channel being closed. I believe such an attack could=
significantly disrupt the network.<div><br></div><div>Let me elaborate on =
the way I'm thinking about this:<br><div><br></div><div>So say I'm =
a routing node with an upstream HTLC with CLTV =3D X. I need to ensure that=
if I learn the preimage, that I have time to broadcast and confirm an HTLC=
-success transaction before height X. We'll call this number of blocks =
D_success. So if I know the preimage, let's say X - D_success is the la=
test height that I can safely broadcast the HTLC-success transaction, assum=
ing the settlement transaction is already final (ie. the update transaction=
is confirmed and the CSV delay has passed). So now I also need to know whe=
n to close the channel with the update transaction. I'll assume it will=
take at most D_update blocks from the time I broadcast the update transact=
ion for it to be mined. So unless the downstream HTLC is already failed, I =
should always close the upstream channel at height X - D_success - CSV_upda=
te - D_update.</div></div><div><br></div><div>Now we'll look at the dow=
nstream HTLC with CLTV =3D Y. In order to minimize the safe delta between t=
he upstream and downstream CLTVs, I will want to broadcast and confirm an H=
TLC-timeout transaction as soon after height Y as possible. So assuming tha=
t the downstream settlement transaction is final at height Y and it takes a=
t most D_timeout blocks for the HTLC timeout transaction to confirm once it=
is final assuming no double spends, then Y + D_timeout is very latest I mi=
ght learn the payment preimage from the downstream channel on-chain. So I s=
hould be safe as long as X - D_success > Y + D_timeout. This assumes tha=
t the update transaction for the downstream channel is already mined and th=
e CSV has passed. However, we know from above that I had to close the upstr=
eam channel at time X - D_success - CSV_update - D_update, which may very w=
ell be before Y. So if the downstream hop waits until just before Y to publ=
ish the preimage, they can force me to close my upstream channel. This appl=
ies transitively for further upstream hops, assuming a large enough CSV val=
ue.</div><div><br></div><div>Granted, upstream hops can watch the blockchai=
n for preimage reveals in other closings transaction and perhaps fulfill of=
f-chain if there is sufficient time. This would not be possible with paymen=
t decorrelation through scriptless scripts or the like.</div><div><br></div=
><div>Does that logic sound right to you?</div></div><div class=3D"gmail_ex=
tra"><br><div class=3D"gmail_quote">On Tue, May 1, 2018 at 10:31 AM, Christ=
ian Decker <span dir=3D"ltr"><<a href=3D"mailto:decker.christian@gmail.c=
om" target=3D"_blank">decker.christian@gmail.com</a>></span> wrote:<br><=
blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px=
#ccc solid;padding-left:1ex"><span class=3D"">Jim Posen <<a href=3D"mai=
lto:jim.posen@gmail.com">jim.posen@gmail.com</a>> writes:<br>
> I'm still not following why this doesn't accumulate.<br>
><br>
> In the example route, let's look at it from the point of view of C=
. C sees<br>
> the following regardless of whether D or E or someone behind E is the =
last<br>
> hop in the route:<br>
><br>
> B -> HTLC(expire =3D X + delta) -> C -> HTLC(expire =3D X) -&=
gt; D<br>
><br>
> So D is not required to reveal the preimage before time X, and in the =
case<br>
> of an on-chain settle, C needs to be able to redeem the HTLC output th=
rough<br>
> the timeout clause before time X + delta. C can't redeem the HTLC =
(with<br>
> sufficient confirmations) at least until the settlement transaction is=
<br>
> confirmed. So it seems to me that regardless of the overall route and =
the<br>
> maximum CSV on it, the delta for the C hop has to be greater than the =
CSV<br>
> delay on the update transaction. And that this must be true at every h=
op<br>
> for the same reason.<br>
<br>
</span>That'd be a purely reactionary behavior, i.e., chosing the delta=
in such<br>
a way that I can both settle the channel and have enough time to react<br>
to turn around and reveal the preimage. So with the assumptions we had<br>
before (CSV =3D 144 and CLTV delta =3D 144) you'd have an effective del=
ta of<br>
288 on each hop, yes. That's basically the case in which each channel<b=
r>
reacts serially.<br>
<br>
You can trivially parallelize these closures by looking ahead and<br>
noticing that each hop really just cares about its own closure deadline,<br=
>
i.e., each node just cares to close 288 blocks before the CLTV expires,<br>
not that its delta w.r.t. to the downstream channel is that far in the<br>
future. So all we care about is that once we are due to give the<br>
upstream hop the preimage we've already closed the downstream channel<b=
r>
and can now read the HTLC preimage from that channel.<br>
<br>
The CSV timeout isn't part of the delta on each hop, but we need to<br>
implement the deadline computation as:<br>
<br>
```<br>
CLTV - CLTV delta - CSV<br>
```<br>
<br>
instead of LN-penaltiy's<br>
<br>
```<br>
CLTV - CLTV delta<br>
```<br>
</blockquote></div><br></div>
--0000000000008d9e47056b2ed19d--
|