* [bitcoin-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning)
@ 2018-11-29 19:37 Matt Corallo
2018-11-30 17:38 ` Russell O'Connor
` (2 more replies)
0 siblings, 3 replies; 19+ messages in thread
From: Matt Corallo @ 2018-11-29 19:37 UTC (permalink / raw)
To: bitcoin-dev; +Cc: lightning-dev
(cross-posted to both lists to make lightning-dev folks aware, please
take lightning-dev off CC when responding).
As I'm sure everyone is aware, Lightning (and other similar systems)
work by exchanging pre-signed transactions for future broadcast. Of
course in many cases this requires either (a) predicting what the
feerate required for timely confirmation will be at some (or, really,
any) point in the future, or (b) utilizing CPFP and dependent
transaction relay to allow parties to broadcast low-feerate transactions
with children created at broadcast-time to increase the effective
feerate. Ideally transactions could be constructed to allow for
after-the-fact addition of inputs to increase fee without CPFP but it is
not always possible to do so.
Option (a) is rather obviously intractible, and implementation
complexity has led to channel failures in lightning in practice (as both
sides must agree on a reasonable-in-the-future feerate). Option (b) is a
much more natural choice (assuming some form of as-yet-unimplemented
package relay on the P2P network) but is made difficult due to
complexity around RBF/CPFP anti-DoS rules.
For example, if we take a simplified lightning design with pre-signed
commitment transaction A with one 0-value anyone-can-spend output
available for use as a CPFP output, a counterparty can prevent
confirmation of/significantly increase the fee cost of confirming A by
chaining a large-but-only-moderate-feerate transaction off of this
anyone-can-spend output. This transaction, B, will have a large absolute
fee while making the package (A, B) have a low-ish feerate, placing it
solidly at the bottom of the mempool but without significant risk of it
getting evicted during memory limiting. This large absolute fee forces a
counterparty which wishes to have the commitment transaction confirm to
increase on this absolute fee in order to meet RBF rules.
For this reason (and many other similar attacks utilizing the package
size limits), in discussing the security model around CPFP, we've
generally considered it too-difficulty-to-prevent third parties which
are able to spend an output of a transaction from delaying its
confirmation, at least until/unless the prevailing feerates decline and
some of the mempool backlog gets confirmed.
You'll note, however, that this attack doesn't have to be permanent to
work - Lightning's (and other contracting/payment channel systems')
security model assumes the ability to get such commitment transactions
confirmed in a timely manner, as otherwise HTLCs may time out and
counterparties can claim the timeout-refund before we can claim the HTLC
using the hash-preimage.
To partially-address the CPFP security model considerations, a next step
might involve tweaking Lightning's commitment transaction to have two
small-value outputs which are immediately spendable, one by each channel
participant, allowing them to chain children off without allowng
unrelated third-parties to chain children. Obviously this does not
address the specific attack so we need a small tweak to the anti-DoS
CPFP rules in Bitcoin Core/BIP 125:
The last transaction which is added to a package of dependent
transactions in the mempool must:
* Have no more than one unconfirmed parent,
* Be of size no greater than 1K in virtual size.
(for implementation sanity, this would effectively reduce all mempool
package size limits by 1 1K-virtual-size transaction, and the last would
be "allowed to violate the limits" as long as it meets the above criteria).
For contracting applications like lightning, this means that as long as
the transaction we wish to confirm (in this case the commitment transaction)
* Has only two immediately-spendable (ie non-CSV) outputs,
* where each immediately-spendable output is only spendable by one
counterparty,
* and is no larger than MAX_PACKAGE_VIRTUAL_SIZE - 1001 Vsize,
each counterparty will always be able to independantly CPFP the
transaction in question. ie because if the "malicious" (ie
transaction-delaying) party bradcasts A with a child, it can never meet
the "last transaction" carve-out as its transaction cannot both meet the
package limit and have only one unconfirmed ancestor. Thus, the
non-delaying counterparty can always independently add its own CPFP
transaction, increasing the (A, Tx2) package feerate and confirming A
without having to concern themselves with the (A, Tx1) package.
As an alternative proposal, at various points there have been
discussions around solving the "RBF-pinning" problem by allowing
transactors to mark their transactions as "likely-to-be-RBF'ed", which
could enable a relay policy where children of such transactions would be
rejected unless the resulting package would be "near the top of the
mempool". This would theoretically imply such attacks are not possible
to pull off consistently, as any "transaction-delaying" channel
participant will have to place the package containing A at an effective
feerate which makes confirmation to occur soon with some likelihood. It
is, however, possible to pull off this attack with low probability in
case of feerate spikes right after broadcast.
Note that this clearly relies on some form of package relay, which comes
with its own challenges, but I'll start a separate thread on that.
See-also: lightning-dev thread about the changes to lightning spec
required to incorporate this:
https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-November/001643.html
Matt
^ permalink raw reply [flat|nested] 19+ messages in thread* Re: [bitcoin-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2018-11-29 19:37 [bitcoin-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) Matt Corallo @ 2018-11-30 17:38 ` Russell O'Connor 2018-11-30 19:33 ` Matt Corallo 2018-12-02 15:08 ` Bob McElrath 2018-12-04 3:33 ` Rusty Russell 2 siblings, 1 reply; 19+ messages in thread From: Russell O'Connor @ 2018-11-30 17:38 UTC (permalink / raw) To: Matt Corallo, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 2050 bytes --] On Fri, Nov 30, 2018 at 9:50 AM Matt Corallo via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > To partially-address the CPFP security model considerations, a next step > might involve tweaking Lightning's commitment transaction to have two > small-value outputs which are immediately spendable, one by each channel > participant, allowing them to chain children off without allowng > unrelated third-parties to chain children. Obviously this does not > address the specific attack so we need a small tweak to the anti-DoS > CPFP rules in Bitcoin Core/BIP 125: > It seems to me that this two-output scheme does address the specific attack without tweaking the RBF rules of BIP 125, since you are not doing an RBF at all. Suppose we have a 1k-vbyte unconfirmed transaction, TX0, with outputs Z, A, and B, where A and B are small outputs controlled by the participants Alice and Bob respectively, with a 1ksat fee, yielding a fee rate of 1sat/vbyte. Someone, maybe Alice, attempts to pin the transaction, maliciously or not, by attaching a 10k-vbyte transaction, TX1, to either output Z or output A, with a fee of 21ksats. This brings the fee rate for the TX0-TX1 package to 2sat/vbyte, being 11k-vbyte total size with 22ksats in total fees. Now Bob wants to CPFP to increase the effective fee rate of TX0 to 3sats/vbyte using output B. He attaches a 1k-vbyte transaction, TX2, to output B with a fee of 5ksats. This ought to create a new TX0-TX2 package with a 3sat/vbyte fee rate, being 2k-vbyte total size with 6ksats in total fees. TX1 has now been excluded from the package containing TX0. But TX1 hasn't been replaced, so the RBF rules from BIP125 don't apply. TX1 is still a valid unconfirmed transaction operating at a fee rate of 2.1sats/vbyte. That said, I'm not an expert on how packages and package fee rates are calculated in Bitcoin Core, so I am speculating a bit. And, because I'm talking with Matt, it's more likely that I'm mistaken. AFAIK, any rules about CPFP's behaviour in Bitcoin Core is undocumented. [-- Attachment #2: Type: text/html, Size: 2510 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2018-11-30 17:38 ` Russell O'Connor @ 2018-11-30 19:33 ` Matt Corallo 0 siblings, 0 replies; 19+ messages in thread From: Matt Corallo @ 2018-11-30 19:33 UTC (permalink / raw) To: Russell O'Connor, Bitcoin Protocol Discussion Hmm, you may be correct that this doesn't (striclty speaking) imply a change to the BIP 125 itself, though the high-level protocol here is likely of interest to the list, as well as likely to generate feedback. Note that in your example, output Z must be CSV-delayed (ie you cannot construct a packeg using that output as it must be spent in a different block than TX0 is confirmed in) in order for the proposal to be secure as otherwise Alice could use output A to pin the transaction, and then "use up" the proposed "last-transaction" rule by spending output Z, leaving Bob unable to spend output B without meeting the (expensive) RBF criteria. It was further pointed out to me that while the original mail states that this relies on package relay, this isn't really entirely true. The status quo today may leave a commitment transaction unable to be broadcast if feerates spike much higher than the feerate negotiated at the time of construction. Under this proposal this is not changed, it is only the implementation proposal which implies the commitment transaction feerate negotiation will simply be replaced with a 1sat/vbyte constant which relies on some form of package relay. Matt On 11/30/18 5:38 PM, Russell O'Connor wrote: > On Fri, Nov 30, 2018 at 9:50 AM Matt Corallo via bitcoin-dev > <bitcoin-dev@lists•linuxfoundation.org > <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote: > > To partially-address the CPFP security model considerations, a next > step > might involve tweaking Lightning's commitment transaction to have two > small-value outputs which are immediately spendable, one by each > channel > participant, allowing them to chain children off without allowng > unrelated third-parties to chain children. Obviously this does not > address the specific attack so we need a small tweak to the anti-DoS > CPFP rules in Bitcoin Core/BIP 125: > > > It seems to me that this two-output scheme does address the specific > attack without tweaking the RBF rules of BIP 125, since you are not > doing an RBF at all. > > Suppose we have a 1k-vbyte unconfirmed transaction, TX0, with outputs Z, > A, and B, where A and B are small outputs controlled by the participants > Alice and Bob respectively, with a 1ksat fee, yielding a fee rate of > 1sat/vbyte. > Someone, maybe Alice, attempts to pin the transaction, maliciously or > not, by attaching a 10k-vbyte transaction, TX1, to either output Z or > output A, with a fee of 21ksats. This brings the fee rate for the > TX0-TX1 package to 2sat/vbyte, being 11k-vbyte total size with 22ksats > in total fees. > > Now Bob wants to CPFP to increase the effective fee rate of TX0 to > 3sats/vbyte using output B. He attaches a 1k-vbyte transaction, TX2, to > output B with a fee of 5ksats. This ought to create a new TX0-TX2 > package with a 3sat/vbyte fee rate, being 2k-vbyte total size with > 6ksats in total fees. TX1 has now been excluded from the package > containing TX0. But TX1 hasn't been replaced, so the RBF rules from > BIP125 don't apply. TX1 is still a valid unconfirmed transaction > operating at a fee rate of 2.1sats/vbyte. > > That said, I'm not an expert on how packages and package fee rates are > calculated in Bitcoin Core, so I am speculating a bit. And, because I'm > talking with Matt, it's more likely that I'm mistaken. AFAIK, any rules > about CPFP's behaviour in Bitcoin Core is undocumented. > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2018-11-29 19:37 [bitcoin-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) Matt Corallo 2018-11-30 17:38 ` Russell O'Connor @ 2018-12-02 15:08 ` Bob McElrath 2018-12-03 4:16 ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj 2018-12-04 3:33 ` Rusty Russell 2 siblings, 1 reply; 19+ messages in thread From: Bob McElrath @ 2018-12-02 15:08 UTC (permalink / raw) To: Matt Corallo, Bitcoin Protocol Discussion; +Cc: lightning-dev I've long thought about using SIGHASH_SINGLE, then either party can add inputs to cover whatever fee they want on channel close and it doesn't have to be pre-planned at setup. For Lightning I think you'd want to cross-sign, e.g. Alice signs her input and Bob's output, while Bob signs his input and Alice's output. This would demotivate the two parties from picking apart the transaction and broadcasting one of the two SIGHASH_SINGLE's in a Lightning transaction. Matt Corallo via bitcoin-dev [bitcoin-dev@lists•linuxfoundation.org] wrote: > (cross-posted to both lists to make lightning-dev folks aware, please take > lightning-dev off CC when responding). > > As I'm sure everyone is aware, Lightning (and other similar systems) work by > exchanging pre-signed transactions for future broadcast. Of course in many > cases this requires either (a) predicting what the feerate required for > timely confirmation will be at some (or, really, any) point in the future, > or (b) utilizing CPFP and dependent transaction relay to allow parties to > broadcast low-feerate transactions with children created at broadcast-time > to increase the effective feerate. Ideally transactions could be constructed > to allow for after-the-fact addition of inputs to increase fee without CPFP > but it is not always possible to do so. > > Option (a) is rather obviously intractible, and implementation complexity > has led to channel failures in lightning in practice (as both sides must > agree on a reasonable-in-the-future feerate). Option (b) is a much more > natural choice (assuming some form of as-yet-unimplemented package relay on > the P2P network) but is made difficult due to complexity around RBF/CPFP > anti-DoS rules. > > For example, if we take a simplified lightning design with pre-signed > commitment transaction A with one 0-value anyone-can-spend output available > for use as a CPFP output, a counterparty can prevent confirmation > of/significantly increase the fee cost of confirming A by chaining a > large-but-only-moderate-feerate transaction off of this anyone-can-spend > output. This transaction, B, will have a large absolute fee while making the > package (A, B) have a low-ish feerate, placing it solidly at the bottom of > the mempool but without significant risk of it getting evicted during memory > limiting. This large absolute fee forces a counterparty which wishes to have > the commitment transaction confirm to increase on this absolute fee in order > to meet RBF rules. > > For this reason (and many other similar attacks utilizing the package size > limits), in discussing the security model around CPFP, we've generally > considered it too-difficulty-to-prevent third parties which are able to > spend an output of a transaction from delaying its confirmation, at least > until/unless the prevailing feerates decline and some of the mempool backlog > gets confirmed. > > You'll note, however, that this attack doesn't have to be permanent to work > - Lightning's (and other contracting/payment channel systems') security > model assumes the ability to get such commitment transactions confirmed in a > timely manner, as otherwise HTLCs may time out and counterparties can claim > the timeout-refund before we can claim the HTLC using the hash-preimage. > > To partially-address the CPFP security model considerations, a next step > might involve tweaking Lightning's commitment transaction to have two > small-value outputs which are immediately spendable, one by each channel > participant, allowing them to chain children off without allowng unrelated > third-parties to chain children. Obviously this does not address the > specific attack so we need a small tweak to the anti-DoS CPFP rules in > Bitcoin Core/BIP 125: > > The last transaction which is added to a package of dependent transactions > in the mempool must: > * Have no more than one unconfirmed parent, > * Be of size no greater than 1K in virtual size. > (for implementation sanity, this would effectively reduce all mempool > package size limits by 1 1K-virtual-size transaction, and the last would be > "allowed to violate the limits" as long as it meets the above criteria). > > For contracting applications like lightning, this means that as long as the > transaction we wish to confirm (in this case the commitment transaction) > * Has only two immediately-spendable (ie non-CSV) outputs, > * where each immediately-spendable output is only spendable by one > counterparty, > * and is no larger than MAX_PACKAGE_VIRTUAL_SIZE - 1001 Vsize, > each counterparty will always be able to independantly CPFP the transaction > in question. ie because if the "malicious" (ie transaction-delaying) party > bradcasts A with a child, it can never meet the "last transaction" carve-out > as its transaction cannot both meet the package limit and have only one > unconfirmed ancestor. Thus, the non-delaying counterparty can always > independently add its own CPFP transaction, increasing the (A, Tx2) package > feerate and confirming A without having to concern themselves with the (A, > Tx1) package. > > As an alternative proposal, at various points there have been discussions > around solving the "RBF-pinning" problem by allowing transactors to mark > their transactions as "likely-to-be-RBF'ed", which could enable a relay > policy where children of such transactions would be rejected unless the > resulting package would be "near the top of the mempool". This would > theoretically imply such attacks are not possible to pull off consistently, > as any "transaction-delaying" channel participant will have to place the > package containing A at an effective feerate which makes confirmation to > occur soon with some likelihood. It is, however, possible to pull off this > attack with low probability in case of feerate spikes right after broadcast. > > Note that this clearly relies on some form of package relay, which comes > with its own challenges, but I'll start a separate thread on that. > > See-also: lightning-dev thread about the changes to lightning spec required > to incorporate this: https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-November/001643.html > > Matt > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > > !DSPAM:5c014daf168271726154759! -- Cheers, Bob McElrath "For every complex problem, there is a solution that is simple, neat, and wrong." -- H. L. Mencken ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2018-12-02 15:08 ` Bob McElrath @ 2018-12-03 4:16 ` ZmnSCPxj 0 siblings, 0 replies; 19+ messages in thread From: ZmnSCPxj @ 2018-12-03 4:16 UTC (permalink / raw) To: Bob McElrath; +Cc: Bitcoin Protocol Discussion Good morning Bob, Would `SIGHASH_SINGLE` work? Commitment transactions have a single input but multiple outputs. Regards, ZmnSCPxj Sent with ProtonMail Secure Email. ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Sunday, December 2, 2018 11:08 PM, Bob McElrath <bob@mcelrath•org> wrote: > I've long thought about using SIGHASH_SINGLE, then either party can add inputs > to cover whatever fee they want on channel close and it doesn't have to be > pre-planned at setup. > > For Lightning I think you'd want to cross-sign, e.g. Alice signs her input > and Bob's output, while Bob signs his input and Alice's output. This would > demotivate the two parties from picking apart the transaction and broadcasting > one of the two SIGHASH_SINGLE's in a Lightning transaction. > > Matt Corallo via bitcoin-dev [bitcoin-dev@lists•linuxfoundation.org] wrote: > > > (cross-posted to both lists to make lightning-dev folks aware, please take > > lightning-dev off CC when responding). > > As I'm sure everyone is aware, Lightning (and other similar systems) work by > > exchanging pre-signed transactions for future broadcast. Of course in many > > cases this requires either (a) predicting what the feerate required for > > timely confirmation will be at some (or, really, any) point in the future, > > or (b) utilizing CPFP and dependent transaction relay to allow parties to > > broadcast low-feerate transactions with children created at broadcast-time > > to increase the effective feerate. Ideally transactions could be constructed > > to allow for after-the-fact addition of inputs to increase fee without CPFP > > but it is not always possible to do so. > > Option (a) is rather obviously intractible, and implementation complexity > > has led to channel failures in lightning in practice (as both sides must > > agree on a reasonable-in-the-future feerate). Option (b) is a much more > > natural choice (assuming some form of as-yet-unimplemented package relay on > > the P2P network) but is made difficult due to complexity around RBF/CPFP > > anti-DoS rules. > > For example, if we take a simplified lightning design with pre-signed > > commitment transaction A with one 0-value anyone-can-spend output available > > for use as a CPFP output, a counterparty can prevent confirmation > > of/significantly increase the fee cost of confirming A by chaining a > > large-but-only-moderate-feerate transaction off of this anyone-can-spend > > output. This transaction, B, will have a large absolute fee while making the > > package (A, B) have a low-ish feerate, placing it solidly at the bottom of > > the mempool but without significant risk of it getting evicted during memory > > limiting. This large absolute fee forces a counterparty which wishes to have > > the commitment transaction confirm to increase on this absolute fee in order > > to meet RBF rules. > > For this reason (and many other similar attacks utilizing the package size > > limits), in discussing the security model around CPFP, we've generally > > considered it too-difficulty-to-prevent third parties which are able to > > spend an output of a transaction from delaying its confirmation, at least > > until/unless the prevailing feerates decline and some of the mempool backlog > > gets confirmed. > > You'll note, however, that this attack doesn't have to be permanent to work > > > > - Lightning's (and other contracting/payment channel systems') security > > model assumes the ability to get such commitment transactions confirmed in a > > timely manner, as otherwise HTLCs may time out and counterparties can claim > > the timeout-refund before we can claim the HTLC using the hash-preimage. > > > > > > To partially-address the CPFP security model considerations, a next step > > might involve tweaking Lightning's commitment transaction to have two > > small-value outputs which are immediately spendable, one by each channel > > participant, allowing them to chain children off without allowng unrelated > > third-parties to chain children. Obviously this does not address the > > specific attack so we need a small tweak to the anti-DoS CPFP rules in > > Bitcoin Core/BIP 125: > > The last transaction which is added to a package of dependent transactions > > in the mempool must: > > > > - Have no more than one unconfirmed parent, > > - Be of size no greater than 1K in virtual size. > > (for implementation sanity, this would effectively reduce all mempool > > package size limits by 1 1K-virtual-size transaction, and the last would be > > "allowed to violate the limits" as long as it meets the above criteria). > > > > > > For contracting applications like lightning, this means that as long as the > > transaction we wish to confirm (in this case the commitment transaction) > > > > - Has only two immediately-spendable (ie non-CSV) outputs, > > - where each immediately-spendable output is only spendable by one > > counterparty, > > > > - and is no larger than MAX_PACKAGE_VIRTUAL_SIZE - 1001 Vsize, > > each counterparty will always be able to independantly CPFP the transaction > > in question. ie because if the "malicious" (ie transaction-delaying) party > > bradcasts A with a child, it can never meet the "last transaction" carve-out > > as its transaction cannot both meet the package limit and have only one > > unconfirmed ancestor. Thus, the non-delaying counterparty can always > > independently add its own CPFP transaction, increasing the (A, Tx2) package > > feerate and confirming A without having to concern themselves with the (A, > > Tx1) package. > > > > > > As an alternative proposal, at various points there have been discussions > > around solving the "RBF-pinning" problem by allowing transactors to mark > > their transactions as "likely-to-be-RBF'ed", which could enable a relay > > policy where children of such transactions would be rejected unless the > > resulting package would be "near the top of the mempool". This would > > theoretically imply such attacks are not possible to pull off consistently, > > as any "transaction-delaying" channel participant will have to place the > > package containing A at an effective feerate which makes confirmation to > > occur soon with some likelihood. It is, however, possible to pull off this > > attack with low probability in case of feerate spikes right after broadcast. > > Note that this clearly relies on some form of package relay, which comes > > with its own challenges, but I'll start a separate thread on that. > > See-also: lightning-dev thread about the changes to lightning spec required > > to incorporate this: https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-November/001643.html > > Matt > > > > bitcoin-dev mailing list > > bitcoin-dev@lists•linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > !DSPAM:5c014daf168271726154759! > > -- > Cheers, Bob McElrath > > "For every complex problem, there is a solution that is simple, neat, and wrong." > -- H. L. Mencken > > Lightning-dev mailing list > Lightning-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2018-11-29 19:37 [bitcoin-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) Matt Corallo 2018-11-30 17:38 ` Russell O'Connor 2018-12-02 15:08 ` Bob McElrath @ 2018-12-04 3:33 ` Rusty Russell 2019-01-07 15:18 ` Matt Corallo 2 siblings, 1 reply; 19+ messages in thread From: Rusty Russell @ 2018-12-04 3:33 UTC (permalink / raw) To: Matt Corallo, bitcoin-dev; +Cc: lightning-dev Matt Corallo <lf-lists@mattcorallo•com> writes: > As an alternative proposal, at various points there have been > discussions around solving the "RBF-pinning" problem by allowing > transactors to mark their transactions as "likely-to-be-RBF'ed", which > could enable a relay policy where children of such transactions would be > rejected unless the resulting package would be "near the top of the > mempool". This would theoretically imply such attacks are not possible > to pull off consistently, as any "transaction-delaying" channel > participant will have to place the package containing A at an effective > feerate which makes confirmation to occur soon with some likelihood. It > is, however, possible to pull off this attack with low probability in > case of feerate spikes right after broadcast. I like this idea. Firstly, it's incentive-compatible[1]: assuming blocks are full, miners should always take a higher feerate tx if that tx would be in the current block and the replaced txs would not.[2] Secondly, it reduces the problem that the current lightning proposal adds to the UTXO set with two anyone-can-spend txs for 1000 satoshis, which might be too small to cleanup later. This rule would allow a simple single P2WSH(OP_TRUE) output, or, with IsStandard changed, a literal OP_TRUE. > Note that this clearly relies on some form of package relay, which comes > with its own challenges, but I'll start a separate thread on that. Could be done client-side, right? Do a quick check if this is above 250 satoshi per kweight but below minrelayfee, put it in a side-cache with a 60 second timeout sweep. If something comes in which depends on it which is above minrelayfee, then process them as a pair[3]. Cheers, Rusty. [1] Miners have generally been happy with Defaults Which Are Good For The Network, but I feel a long term development aim should to be reduce such cases to smaller and smaller corners. [2] The actual condition is subtler, but this is a clear subset AFAICT. [3] For Lightning, we don't care about child-pays-for-grandparent etc. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2018-12-04 3:33 ` Rusty Russell @ 2019-01-07 15:18 ` Matt Corallo 2019-01-08 5:50 ` Rusty Russell 0 siblings, 1 reply; 19+ messages in thread From: Matt Corallo @ 2019-01-07 15:18 UTC (permalink / raw) To: Rusty Russell; +Cc: bitcoin-dev, lightning-dev Sorry for the late reply. Hmm, I included the old RBF-pinning proposal as a comparison. Personally, I find it both less clean and less convincingly secure. Ultimately, defining a "near the top of the mempool" criteria is fraught with issues. While it's probably OK for the original problem (large batched transactions where you don't want a single counterparty to prevent confirmation), lightning's requirements are very different. Instead is wanting a high probability that the transaction in question confirms "soon", we need certainty that it will confirm by some deadline. Thus, even if you imagine a steady-state mempool growth, unless the "near the top of the mempool" criteria is "near the top of the next block" (which is obviously *not* incentive-compatible), its easy to see how the package would fail to confirm within a handful of blocks given block time variance. Giving up the ability to RBF/CPFP more than once in case the fee moves away from us seems to be a rather significant restriction. THe original proposal is somewhat of a hack, but its a hack on the boundary condition where packages meet our local anti-DoS rules in violation of the "incentive compatible" goal anyway (essentially, though miners also care about anti-DoS). This proposal is very different and, similar to how it doesn't work if blocks randomly come in a bit slow for an hour or two, isn't incentive compatible if blocks come in a bit fast for an hour or two, as all of a sudden that "near the top of the mempool" criteria makes no sense and you should have accepted the new transaction(s). As for package relay, indeed, we can probably do soemthing simpler for this specific case, but itdepends on what the scope of that design is. Suhas opened an issue to try to scope it out a bit more at https://github.com/bitcoin/bitcoin/issues/14895 Matt > On Dec 3, 2018, at 22:33, Rusty Russell <rusty@rustcorp•com.au> wrote: > > Matt Corallo <lf-lists@mattcorallo•com> writes: >> As an alternative proposal, at various points there have been >> discussions around solving the "RBF-pinning" problem by allowing >> transactors to mark their transactions as "likely-to-be-RBF'ed", which >> could enable a relay policy where children of such transactions would be >> rejected unless the resulting package would be "near the top of the >> mempool". This would theoretically imply such attacks are not possible >> to pull off consistently, as any "transaction-delaying" channel >> participant will have to place the package containing A at an effective >> feerate which makes confirmation to occur soon with some likelihood. It >> is, however, possible to pull off this attack with low probability in >> case of feerate spikes right after broadcast. > > I like this idea. > > Firstly, it's incentive-compatible[1]: assuming blocks are full, miners > should always take a higher feerate tx if that tx would be in the > current block and the replaced txs would not.[2] > > Secondly, it reduces the problem that the current lightning proposal > adds to the UTXO set with two anyone-can-spend txs for 1000 satoshis, > which might be too small to cleanup later. This rule would allow a > simple single P2WSH(OP_TRUE) output, or, with IsStandard changed, > a literal OP_TRUE. > >> Note that this clearly relies on some form of package relay, which comes >> with its own challenges, but I'll start a separate thread on that. > > Could be done client-side, right? Do a quick check if this is above 250 > satoshi per kweight but below minrelayfee, put it in a side-cache with a > 60 second timeout sweep. If something comes in which depends on it > which is above minrelayfee, then process them as a pair[3]. > > Cheers, > Rusty. > [1] Miners have generally been happy with Defaults Which Are Good For The > Network, but I feel a long term development aim should to be reduce > such cases to smaller and smaller corners. > [2] The actual condition is subtler, but this is a clear subset AFAICT. > [3] For Lightning, we don't care about child-pays-for-grandparent etc. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2019-01-07 15:18 ` Matt Corallo @ 2019-01-08 5:50 ` Rusty Russell 2019-01-08 14:46 ` Matt Corallo 0 siblings, 1 reply; 19+ messages in thread From: Rusty Russell @ 2019-01-08 5:50 UTC (permalink / raw) To: Matt Corallo; +Cc: bitcoin-dev, lightning-dev Matt Corallo <lf-lists@mattcorallo•com> writes: > Ultimately, defining a "near the top of the mempool" criteria is fraught > with issues. While it's probably OK for the original problem (large > batched transactions where you don't want a single counterparty to > prevent confirmation), lightning's requirements are very different. > Instead is wanting a high probability that the transaction in question > confirms "soon", we need certainty that it will confirm by some deadline. I don't think it's different, in practice. > Thus, even if you imagine a steady-state mempool growth, unless the > "near the top of the mempool" criteria is "near the top of the next > block" (which is obviously *not* incentive-compatible) I was defining "top of mempool" as "in the first 4 MSipa", ie. next block, and assumed you'd only allow RBF if the old package wasn't in the top and the replacement would be. That seems incentive compatible; more than the current scheme? The attack against this is to make a 100k package which would just get into this "top", then push it out with a separate tx at slightly higher fee, then repeat. Of course, timing makes that hard to get right, and you're paying real fees for it too. Sure, an attacker can make you pay next-block high fees, but it's still better than our current "*always* overpay and hope!", and you can always decide at the time based on whether the expiring HTLC(s) are worth it. But I think whatever's simplest to implement should win, and I'm not in a position to judge that accurately. Thanks, Rusty. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2019-01-08 5:50 ` Rusty Russell @ 2019-01-08 14:46 ` Matt Corallo 2019-02-13 4:22 ` Rusty Russell 0 siblings, 1 reply; 19+ messages in thread From: Matt Corallo @ 2019-01-08 14:46 UTC (permalink / raw) To: Rusty Russell; +Cc: bitcoin-dev, lightning-dev I responded to a few things in-line before realizing I think we're out of sync on what this alternative proposal actually implies. In my understanding is it, it does *not* imply that you are guaranteed the ability to RBF as fees change. The previous problem is still there - your counterparty can announce a bogus package and leave you unable to add a new transaction to it, the difference being it may be significantly more expensive to do so. If it were the case the you could RBF after the fact, I would likely agree with you. > On Jan 8, 2019, at 00:50, Rusty Russell <rusty@rustcorp•com.au> wrote: > > Matt Corallo <lf-lists@mattcorallo•com> writes: >> Ultimately, defining a "near the top of the mempool" criteria is fraught >> with issues. While it's probably OK for the original problem (large >> batched transactions where you don't want a single counterparty to >> prevent confirmation), lightning's requirements are very different. >> Instead is wanting a high probability that the transaction in question >> confirms "soon", we need certainty that it will confirm by some deadline. > > I don't think it's different, in practice. I strongly disagree. If you're someone sending a batched payment, 5% chance it takes 13 blocks is perfectly acceptable. If you're a lightning operator, that quickly turns into "5% chance, or 35% chance if your counterparty is malicious and knows more about the market structure than you". Eg in the past it's been the case that transaction volume would spike every day at the same time when Bitmex proceed a flood of withdrawals all at once in separate transactions. Worse, it's probably still the case that, in case is sudden market movement, transaction volume can spike while people arb exchanges and move coins into exchanges to sell. >> Thus, even if you imagine a steady-state mempool growth, unless the >> "near the top of the mempool" criteria is "near the top of the next >> block" (which is obviously *not* incentive-compatible) > > I was defining "top of mempool" as "in the first 4 MSipa", ie. next > block, and assumed you'd only allow RBF if the old package wasn't in the > top and the replacement would be. That seems incentive compatible; more > than the current scheme? My point was, because of block time variance, even that criteria doesn't hold up. If you assume a steady flow of new transactions and one or two blocks come in "late", suddenly "top 4MWeight" isn't likely to get confirmed until a few blocks come in "early". Given block variance within a 12 block window, this is a relatively likely scenario. > The attack against this is to make a 100k package which would just get > into this "top", then push it out with a separate tx at slightly higher > fee, then repeat. Of course, timing makes that hard to get right, and > you're paying real fees for it too. > > Sure, an attacker can make you pay next-block high fees, but it's still > better than our current "*always* overpay and hope!", and you can always > decide at the time based on whether the expiring HTLC(s) are worth it. > > But I think whatever's simplest to implement should win, and I'm not in > a position to judge that accurately. > > Thanks, > Rusty. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2019-01-08 14:46 ` Matt Corallo @ 2019-02-13 4:22 ` Rusty Russell 2019-10-24 13:49 ` Johan Torås Halseth 0 siblings, 1 reply; 19+ messages in thread From: Rusty Russell @ 2019-02-13 4:22 UTC (permalink / raw) To: Matt Corallo; +Cc: bitcoin-dev, lightning-dev Matt Corallo <lf-lists@mattcorallo•com> writes: >>> Thus, even if you imagine a steady-state mempool growth, unless the >>> "near the top of the mempool" criteria is "near the top of the next >>> block" (which is obviously *not* incentive-compatible) >> >> I was defining "top of mempool" as "in the first 4 MSipa", ie. next >> block, and assumed you'd only allow RBF if the old package wasn't in the >> top and the replacement would be. That seems incentive compatible; more >> than the current scheme? > > My point was, because of block time variance, even that criteria doesn't hold up. If you assume a steady flow of new transactions and one or two blocks come in "late", suddenly "top 4MWeight" isn't likely to get confirmed until a few blocks come in "early". Given block variance within a 12 block window, this is a relatively likely scenario. [ Digging through old mail. ] Doesn't really matter. Lightning close algorithm would be: 1. Give bitcoind unileratal close. 2. Ask bitcoind what current expidited fee is (or survey your mempool). 3. Give bitcoind child "push" tx at that total feerate. 4. If next block doesn't contain unilateral close tx, goto 2. In this case, if you allow a simpified RBF where 'you can replace if 1. feerate is higher, 2. new tx is in first 4Msipa of mempool, 3. old tx isnt', it works. It allows someone 100k of free tx spam, sure. But it's simple. We could further restrict it by marking the unilateral close somehow to say "gonna be pushed" and further limiting the child tx weight (say, 5kSipa?) in that case. Cheers, Rusty. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2019-02-13 4:22 ` Rusty Russell @ 2019-10-24 13:49 ` Johan Torås Halseth 2019-10-24 21:25 ` Matt Corallo 2019-10-27 22:54 ` David A. Harding 0 siblings, 2 replies; 19+ messages in thread From: Johan Torås Halseth @ 2019-10-24 13:49 UTC (permalink / raw) To: Rusty Russell; +Cc: Bitcoin Protocol Discussion, lightning-dev [-- Attachment #1: Type: text/plain, Size: 3377 bytes --] Reviving this old thread now that the recently released RC for bitcoind 0.19 includes the above mentioned carve-out rule. In an attempt to pave the way for more robust CPFP of on-chain contracts (Lightning commitment transactions), the carve-out rule was added in https://github.com/bitcoin/bitcoin/pull/15681. However, having worked on an implementation of a new commitment format for utilizing the Bring Your Own Fees strategy using CPFP, I’m wondering if the special case rule should have been relaxed a bit, to avoid the need for adding a 1 CSV to all outputs (in case of Lightning this means HTLC scripts would need to be changed to add the CSV delay). Instead, what about letting the rule be The last transaction which is added to a package of dependent transactions in the mempool must: * Have no more than one unconfirmed parent. This would of course allow adding a large transaction to each output of the unconfirmed parent, which in effect would allow an attacker to exceed the MAX_PACKAGE_VIRTUAL_SIZE limit in some cases. However, is this a problem with the current mempool acceptance code in bitcoind? I would imagine evicting transactions based on feerate when the max mempool size is met handles this, but I’m asking since it seems like there has been several changes to the acceptance code and eviction policy since the limit was first introduced. - Johan On Wed, Feb 13, 2019 at 6:57 AM Rusty Russell <rusty@rustcorp•com.au> wrote: > Matt Corallo <lf-lists@mattcorallo•com> writes: > >>> Thus, even if you imagine a steady-state mempool growth, unless the > >>> "near the top of the mempool" criteria is "near the top of the next > >>> block" (which is obviously *not* incentive-compatible) > >> > >> I was defining "top of mempool" as "in the first 4 MSipa", ie. next > >> block, and assumed you'd only allow RBF if the old package wasn't in the > >> top and the replacement would be. That seems incentive compatible; more > >> than the current scheme? > > > > My point was, because of block time variance, even that criteria doesn't > hold up. If you assume a steady flow of new transactions and one or two > blocks come in "late", suddenly "top 4MWeight" isn't likely to get > confirmed until a few blocks come in "early". Given block variance within a > 12 block window, this is a relatively likely scenario. > > [ Digging through old mail. ] > > Doesn't really matter. Lightning close algorithm would be: > > 1. Give bitcoind unileratal close. > 2. Ask bitcoind what current expidited fee is (or survey your mempool). > 3. Give bitcoind child "push" tx at that total feerate. > 4. If next block doesn't contain unilateral close tx, goto 2. > > In this case, if you allow a simpified RBF where 'you can replace if > 1. feerate is higher, 2. new tx is in first 4Msipa of mempool, 3. old tx > isnt', > it works. > > It allows someone 100k of free tx spam, sure. But it's simple. > > We could further restrict it by marking the unilateral close somehow to > say "gonna be pushed" and further limiting the child tx weight (say, > 5kSipa?) in that case. > > Cheers, > Rusty. > _______________________________________________ > Lightning-dev mailing list > Lightning-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev > [-- Attachment #2: Type: text/html, Size: 4392 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2019-10-24 13:49 ` Johan Torås Halseth @ 2019-10-24 21:25 ` Matt Corallo 2019-10-25 7:05 ` Johan Torås Halseth 2019-10-27 22:54 ` David A. Harding 1 sibling, 1 reply; 19+ messages in thread From: Matt Corallo @ 2019-10-24 21:25 UTC (permalink / raw) To: Johan Torås Halseth, Rusty Russell Cc: Bitcoin Protocol Discussion, lightning-dev I may be missing something, but I'm not sure how this changes anything? If you have a commitment transaction, you always need at least, and exactly, one non-CSV output per party. The fact that there is a size limitation on the transaction that spends for carve-out purposes only effects how many other inputs/outputs you can add, but somehow I doubt its ever going to be a large enough number to matter. Matt On 10/24/19 1:49 PM, Johan Torås Halseth wrote: > Reviving this old thread now that the recently released RC for bitcoind > 0.19 includes the above mentioned carve-out rule. > > In an attempt to pave the way for more robust CPFP of on-chain contracts > (Lightning commitment transactions), the carve-out rule was added in > https://github.com/bitcoin/bitcoin/pull/15681. However, having worked on > an implementation of a new commitment format for utilizing the Bring > Your Own Fees strategy using CPFP, I’m wondering if the special case > rule should have been relaxed a bit, to avoid the need for adding a 1 > CSV to all outputs (in case of Lightning this means HTLC scripts would > need to be changed to add the CSV delay). > > Instead, what about letting the rule be > > The last transaction which is added to a package of dependent > transactions in the mempool must: > * Have no more than one unconfirmed parent. > > This would of course allow adding a large transaction to each output of > the unconfirmed parent, which in effect would allow an attacker to > exceed the MAX_PACKAGE_VIRTUAL_SIZE limit in some cases. However, is > this a problem with the current mempool acceptance code in bitcoind? I > would imagine evicting transactions based on feerate when the max > mempool size is met handles this, but I’m asking since it seems like > there has been several changes to the acceptance code and eviction > policy since the limit was first introduced. > > - Johan > > > On Wed, Feb 13, 2019 at 6:57 AM Rusty Russell <rusty@rustcorp•com.au > <mailto:rusty@rustcorp•com.au>> wrote: > > Matt Corallo <lf-lists@mattcorallo•com > <mailto:lf-lists@mattcorallo•com>> writes: > >>> Thus, even if you imagine a steady-state mempool growth, unless the > >>> "near the top of the mempool" criteria is "near the top of the next > >>> block" (which is obviously *not* incentive-compatible) > >> > >> I was defining "top of mempool" as "in the first 4 MSipa", ie. next > >> block, and assumed you'd only allow RBF if the old package wasn't > in the > >> top and the replacement would be. That seems incentive > compatible; more > >> than the current scheme? > > > > My point was, because of block time variance, even that criteria > doesn't hold up. If you assume a steady flow of new transactions and > one or two blocks come in "late", suddenly "top 4MWeight" isn't > likely to get confirmed until a few blocks come in "early". Given > block variance within a 12 block window, this is a relatively likely > scenario. > > [ Digging through old mail. ] > > Doesn't really matter. Lightning close algorithm would be: > > 1. Give bitcoind unileratal close. > 2. Ask bitcoind what current expidited fee is (or survey your mempool). > 3. Give bitcoind child "push" tx at that total feerate. > 4. If next block doesn't contain unilateral close tx, goto 2. > > In this case, if you allow a simpified RBF where 'you can replace if > 1. feerate is higher, 2. new tx is in first 4Msipa of mempool, 3. > old tx isnt', > it works. > > It allows someone 100k of free tx spam, sure. But it's simple. > > We could further restrict it by marking the unilateral close somehow to > say "gonna be pushed" and further limiting the child tx weight (say, > 5kSipa?) in that case. > > Cheers, > Rusty. > _______________________________________________ > Lightning-dev mailing list > Lightning-dev@lists•linuxfoundation.org > <mailto:Lightning-dev@lists•linuxfoundation.org> > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2019-10-24 21:25 ` Matt Corallo @ 2019-10-25 7:05 ` Johan Torås Halseth 2019-10-25 17:30 ` Matt Corallo 0 siblings, 1 reply; 19+ messages in thread From: Johan Torås Halseth @ 2019-10-25 7:05 UTC (permalink / raw) To: Matt Corallo; +Cc: Bitcoin Protocol Discussion, lightning-dev [-- Attachment #1: Type: text/plain, Size: 4968 bytes --] It essentially changes the rule to always allow CPFP-ing the commitment as long as there is an output available without any descendants. It changes the commitment from "you always need at least, and exactly, one non-CSV output per party. " to "you always need at least one non-CSV output per party. " I realize these limits are there for a reason though, but I'm wondering if could relax them. Also now that jeremyrubin has expressed problems with the current mempool limits. On Thu, Oct 24, 2019 at 11:25 PM Matt Corallo <lf-lists@mattcorallo•com> wrote: > I may be missing something, but I'm not sure how this changes anything? > > If you have a commitment transaction, you always need at least, and > exactly, one non-CSV output per party. The fact that there is a size > limitation on the transaction that spends for carve-out purposes only > effects how many other inputs/outputs you can add, but somehow I doubt > its ever going to be a large enough number to matter. > > Matt > > On 10/24/19 1:49 PM, Johan Torås Halseth wrote: > > Reviving this old thread now that the recently released RC for bitcoind > > 0.19 includes the above mentioned carve-out rule. > > > > In an attempt to pave the way for more robust CPFP of on-chain contracts > > (Lightning commitment transactions), the carve-out rule was added in > > https://github.com/bitcoin/bitcoin/pull/15681. However, having worked on > > an implementation of a new commitment format for utilizing the Bring > > Your Own Fees strategy using CPFP, I’m wondering if the special case > > rule should have been relaxed a bit, to avoid the need for adding a 1 > > CSV to all outputs (in case of Lightning this means HTLC scripts would > > need to be changed to add the CSV delay). > > > > Instead, what about letting the rule be > > > > The last transaction which is added to a package of dependent > > transactions in the mempool must: > > * Have no more than one unconfirmed parent. > > > > This would of course allow adding a large transaction to each output of > > the unconfirmed parent, which in effect would allow an attacker to > > exceed the MAX_PACKAGE_VIRTUAL_SIZE limit in some cases. However, is > > this a problem with the current mempool acceptance code in bitcoind? I > > would imagine evicting transactions based on feerate when the max > > mempool size is met handles this, but I’m asking since it seems like > > there has been several changes to the acceptance code and eviction > > policy since the limit was first introduced. > > > > - Johan > > > > > > On Wed, Feb 13, 2019 at 6:57 AM Rusty Russell <rusty@rustcorp•com.au > > <mailto:rusty@rustcorp•com.au>> wrote: > > > > Matt Corallo <lf-lists@mattcorallo•com > > <mailto:lf-lists@mattcorallo•com>> writes: > > >>> Thus, even if you imagine a steady-state mempool growth, unless > the > > >>> "near the top of the mempool" criteria is "near the top of the > next > > >>> block" (which is obviously *not* incentive-compatible) > > >> > > >> I was defining "top of mempool" as "in the first 4 MSipa", ie. > next > > >> block, and assumed you'd only allow RBF if the old package wasn't > > in the > > >> top and the replacement would be. That seems incentive > > compatible; more > > >> than the current scheme? > > > > > > My point was, because of block time variance, even that criteria > > doesn't hold up. If you assume a steady flow of new transactions and > > one or two blocks come in "late", suddenly "top 4MWeight" isn't > > likely to get confirmed until a few blocks come in "early". Given > > block variance within a 12 block window, this is a relatively likely > > scenario. > > > > [ Digging through old mail. ] > > > > Doesn't really matter. Lightning close algorithm would be: > > > > 1. Give bitcoind unileratal close. > > 2. Ask bitcoind what current expidited fee is (or survey your > mempool). > > 3. Give bitcoind child "push" tx at that total feerate. > > 4. If next block doesn't contain unilateral close tx, goto 2. > > > > In this case, if you allow a simpified RBF where 'you can replace if > > 1. feerate is higher, 2. new tx is in first 4Msipa of mempool, 3. > > old tx isnt', > > it works. > > > > It allows someone 100k of free tx spam, sure. But it's simple. > > > > We could further restrict it by marking the unilateral close somehow > to > > say "gonna be pushed" and further limiting the child tx weight (say, > > 5kSipa?) in that case. > > > > Cheers, > > Rusty. > > _______________________________________________ > > Lightning-dev mailing list > > Lightning-dev@lists•linuxfoundation.org > > <mailto:Lightning-dev@lists•linuxfoundation.org> > > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev > > > [-- Attachment #2: Type: text/html, Size: 6719 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2019-10-25 7:05 ` Johan Torås Halseth @ 2019-10-25 17:30 ` Matt Corallo 2019-10-27 19:13 ` Jeremy 0 siblings, 1 reply; 19+ messages in thread From: Matt Corallo @ 2019-10-25 17:30 UTC (permalink / raw) To: Johan Torås Halseth; +Cc: Bitcoin Protocol Discussion, lightning-dev [-- Attachment #1: Type: text/plain, Size: 5421 bytes --] I don’te see how? Let’s imagine Party A has two spendable outputs, now they stuff the package size on one of their spendable outlets until it is right at the limit, add one more on their other output (to meet the Carve-Out), and now Party B can’t do anything. > On Oct 24, 2019, at 21:05, Johan Torås Halseth <johanth@gmail•com> wrote: > > > It essentially changes the rule to always allow CPFP-ing the commitment as long as there is an output available without any descendants. It changes the commitment from "you always need at least, and exactly, one non-CSV output per party. " to "you always need at least one non-CSV output per party. " > > I realize these limits are there for a reason though, but I'm wondering if could relax them. Also now that jeremyrubin has expressed problems with the current mempool limits. > >> On Thu, Oct 24, 2019 at 11:25 PM Matt Corallo <lf-lists@mattcorallo•com> wrote: >> I may be missing something, but I'm not sure how this changes anything? >> >> If you have a commitment transaction, you always need at least, and >> exactly, one non-CSV output per party. The fact that there is a size >> limitation on the transaction that spends for carve-out purposes only >> effects how many other inputs/outputs you can add, but somehow I doubt >> its ever going to be a large enough number to matter. >> >> Matt >> >> On 10/24/19 1:49 PM, Johan Torås Halseth wrote: >> > Reviving this old thread now that the recently released RC for bitcoind >> > 0.19 includes the above mentioned carve-out rule. >> > >> > In an attempt to pave the way for more robust CPFP of on-chain contracts >> > (Lightning commitment transactions), the carve-out rule was added in >> > https://github.com/bitcoin/bitcoin/pull/15681. However, having worked on >> > an implementation of a new commitment format for utilizing the Bring >> > Your Own Fees strategy using CPFP, I’m wondering if the special case >> > rule should have been relaxed a bit, to avoid the need for adding a 1 >> > CSV to all outputs (in case of Lightning this means HTLC scripts would >> > need to be changed to add the CSV delay). >> > >> > Instead, what about letting the rule be >> > >> > The last transaction which is added to a package of dependent >> > transactions in the mempool must: >> > * Have no more than one unconfirmed parent. >> > >> > This would of course allow adding a large transaction to each output of >> > the unconfirmed parent, which in effect would allow an attacker to >> > exceed the MAX_PACKAGE_VIRTUAL_SIZE limit in some cases. However, is >> > this a problem with the current mempool acceptance code in bitcoind? I >> > would imagine evicting transactions based on feerate when the max >> > mempool size is met handles this, but I’m asking since it seems like >> > there has been several changes to the acceptance code and eviction >> > policy since the limit was first introduced. >> > >> > - Johan >> > >> > >> > On Wed, Feb 13, 2019 at 6:57 AM Rusty Russell <rusty@rustcorp•com.au >> > <mailto:rusty@rustcorp•com.au>> wrote: >> > >> > Matt Corallo <lf-lists@mattcorallo•com >> > <mailto:lf-lists@mattcorallo•com>> writes: >> > >>> Thus, even if you imagine a steady-state mempool growth, unless the >> > >>> "near the top of the mempool" criteria is "near the top of the next >> > >>> block" (which is obviously *not* incentive-compatible) >> > >> >> > >> I was defining "top of mempool" as "in the first 4 MSipa", ie. next >> > >> block, and assumed you'd only allow RBF if the old package wasn't >> > in the >> > >> top and the replacement would be. That seems incentive >> > compatible; more >> > >> than the current scheme? >> > > >> > > My point was, because of block time variance, even that criteria >> > doesn't hold up. If you assume a steady flow of new transactions and >> > one or two blocks come in "late", suddenly "top 4MWeight" isn't >> > likely to get confirmed until a few blocks come in "early". Given >> > block variance within a 12 block window, this is a relatively likely >> > scenario. >> > >> > [ Digging through old mail. ] >> > >> > Doesn't really matter. Lightning close algorithm would be: >> > >> > 1. Give bitcoind unileratal close. >> > 2. Ask bitcoind what current expidited fee is (or survey your mempool). >> > 3. Give bitcoind child "push" tx at that total feerate. >> > 4. If next block doesn't contain unilateral close tx, goto 2. >> > >> > In this case, if you allow a simpified RBF where 'you can replace if >> > 1. feerate is higher, 2. new tx is in first 4Msipa of mempool, 3. >> > old tx isnt', >> > it works. >> > >> > It allows someone 100k of free tx spam, sure. But it's simple. >> > >> > We could further restrict it by marking the unilateral close somehow to >> > say "gonna be pushed" and further limiting the child tx weight (say, >> > 5kSipa?) in that case. >> > >> > Cheers, >> > Rusty. >> > _______________________________________________ >> > Lightning-dev mailing list >> > Lightning-dev@lists•linuxfoundation.org >> > <mailto:Lightning-dev@lists•linuxfoundation.org> >> > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev >> > [-- Attachment #2: Type: text/html, Size: 7691 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2019-10-25 17:30 ` Matt Corallo @ 2019-10-27 19:13 ` Jeremy 2019-10-28 9:45 ` Johan Torås Halseth 0 siblings, 1 reply; 19+ messages in thread From: Jeremy @ 2019-10-27 19:13 UTC (permalink / raw) To: Matt Corallo; +Cc: Bitcoin Protocol Discussion, lightning-dev [-- Attachment #1: Type: text/plain, Size: 8018 bytes --] Johan, The issues with mempool limits for OP_SECURETHEBAG are related, but have distinct solutions. There are two main categories of mempool issues at stake. One is relay cost, the other is mempool walking. In terms of relay cost, if an ancestor can be replaced, it will invalidate all it's children, meaning that no one paid for that broadcasting. This can be fixed by appropriately assessing Replace By Fee update fees to encapsulate all descendants, but there are some tricky edge cases that make this non-obvious to do. The other issue is walking the mempool -- many of the algorithms we use in the mempool can be N log N or N^2 in the number of descendants. (simple example: an input chain of length N to a fan out of N outputs that are all spent, is O(N^2) to look up ancestors per-child, unless we're caching). The other sort of walking issue is where the indegree or outdegree for a transaction is high. Then when we are computing descendants or ancestors we will need to visit it multiple times. To avoid re-expanding a node, we currently cache it with a set. This uses O(N) extra memory and makes O(N Log N) (we use std::set not unordered_set) comparisons. I just opened a PR which should help with some of the walking issues by allowing us to cheaply cache which nodes we've visited on a run. It makes a lot of previously O(N log N) stuff O(N) and doesn't allocate as much new memory. See: https://github.com/bitcoin/bitcoin/pull/17268. Now, for OP_SECURETHEBAG we want a particular property that is very different from with lightning htlcs (as is). We want that an unlimited number of child OP_SECURETHEBAG txns may extend from a confirmed OP_SECURETHEBAG, and then at the leaf nodes, we want the same rule as lightning (one dangling unconfirmed to permit channels). OP_SECURETHEBAG can help with the LN issue by putting all HTLCS into a tree where they are individualized leaf nodes with a preceding CSV. Then, the above fix would ensure each HTLC always has time to close properly as they would have individualized lockpoints. This is desirable for some additional reasons and not for others, but it should "work". -- @JeremyRubin <https://twitter.com/JeremyRubin> <https://twitter.com/JeremyRubin> On Fri, Oct 25, 2019 at 10:31 AM Matt Corallo <lf-lists@mattcorallo•com> wrote: > I don’te see how? Let’s imagine Party A has two spendable outputs, now > they stuff the package size on one of their spendable outlets until it is > right at the limit, add one more on their other output (to meet the > Carve-Out), and now Party B can’t do anything. > > On Oct 24, 2019, at 21:05, Johan Torås Halseth <johanth@gmail•com> wrote: > > > It essentially changes the rule to always allow CPFP-ing the commitment as > long as there is an output available without any descendants. It changes > the commitment from "you always need at least, and exactly, one non-CSV > output per party. " to "you always need at least one non-CSV output per > party. " > > I realize these limits are there for a reason though, but I'm wondering if > could relax them. Also now that jeremyrubin has expressed problems with the > current mempool limits. > > On Thu, Oct 24, 2019 at 11:25 PM Matt Corallo <lf-lists@mattcorallo•com> > wrote: > >> I may be missing something, but I'm not sure how this changes anything? >> >> If you have a commitment transaction, you always need at least, and >> exactly, one non-CSV output per party. The fact that there is a size >> limitation on the transaction that spends for carve-out purposes only >> effects how many other inputs/outputs you can add, but somehow I doubt >> its ever going to be a large enough number to matter. >> >> Matt >> >> On 10/24/19 1:49 PM, Johan Torås Halseth wrote: >> > Reviving this old thread now that the recently released RC for bitcoind >> > 0.19 includes the above mentioned carve-out rule. >> > >> > In an attempt to pave the way for more robust CPFP of on-chain contracts >> > (Lightning commitment transactions), the carve-out rule was added in >> > https://github.com/bitcoin/bitcoin/pull/15681. However, having worked >> on >> > an implementation of a new commitment format for utilizing the Bring >> > Your Own Fees strategy using CPFP, I’m wondering if the special case >> > rule should have been relaxed a bit, to avoid the need for adding a 1 >> > CSV to all outputs (in case of Lightning this means HTLC scripts would >> > need to be changed to add the CSV delay). >> > >> > Instead, what about letting the rule be >> > >> > The last transaction which is added to a package of dependent >> > transactions in the mempool must: >> > * Have no more than one unconfirmed parent. >> > >> > This would of course allow adding a large transaction to each output of >> > the unconfirmed parent, which in effect would allow an attacker to >> > exceed the MAX_PACKAGE_VIRTUAL_SIZE limit in some cases. However, is >> > this a problem with the current mempool acceptance code in bitcoind? I >> > would imagine evicting transactions based on feerate when the max >> > mempool size is met handles this, but I’m asking since it seems like >> > there has been several changes to the acceptance code and eviction >> > policy since the limit was first introduced. >> > >> > - Johan >> > >> > >> > On Wed, Feb 13, 2019 at 6:57 AM Rusty Russell <rusty@rustcorp•com.au >> > <mailto:rusty@rustcorp•com.au>> wrote: >> > >> > Matt Corallo <lf-lists@mattcorallo•com >> > <mailto:lf-lists@mattcorallo•com>> writes: >> > >>> Thus, even if you imagine a steady-state mempool growth, unless >> the >> > >>> "near the top of the mempool" criteria is "near the top of the >> next >> > >>> block" (which is obviously *not* incentive-compatible) >> > >> >> > >> I was defining "top of mempool" as "in the first 4 MSipa", ie. >> next >> > >> block, and assumed you'd only allow RBF if the old package wasn't >> > in the >> > >> top and the replacement would be. That seems incentive >> > compatible; more >> > >> than the current scheme? >> > > >> > > My point was, because of block time variance, even that criteria >> > doesn't hold up. If you assume a steady flow of new transactions and >> > one or two blocks come in "late", suddenly "top 4MWeight" isn't >> > likely to get confirmed until a few blocks come in "early". Given >> > block variance within a 12 block window, this is a relatively likely >> > scenario. >> > >> > [ Digging through old mail. ] >> > >> > Doesn't really matter. Lightning close algorithm would be: >> > >> > 1. Give bitcoind unileratal close. >> > 2. Ask bitcoind what current expidited fee is (or survey your >> mempool). >> > 3. Give bitcoind child "push" tx at that total feerate. >> > 4. If next block doesn't contain unilateral close tx, goto 2. >> > >> > In this case, if you allow a simpified RBF where 'you can replace if >> > 1. feerate is higher, 2. new tx is in first 4Msipa of mempool, 3. >> > old tx isnt', >> > it works. >> > >> > It allows someone 100k of free tx spam, sure. But it's simple. >> > >> > We could further restrict it by marking the unilateral close >> somehow to >> > say "gonna be pushed" and further limiting the child tx weight (say, >> > 5kSipa?) in that case. >> > >> > Cheers, >> > Rusty. >> > _______________________________________________ >> > Lightning-dev mailing list >> > Lightning-dev@lists•linuxfoundation.org >> > <mailto:Lightning-dev@lists•linuxfoundation.org> >> > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev >> > >> > _______________________________________________ > Lightning-dev mailing list > Lightning-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev > [-- Attachment #2: Type: text/html, Size: 12716 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2019-10-27 19:13 ` Jeremy @ 2019-10-28 9:45 ` Johan Torås Halseth 2019-10-28 17:14 ` David A. Harding 0 siblings, 1 reply; 19+ messages in thread From: Johan Torås Halseth @ 2019-10-28 9:45 UTC (permalink / raw) To: Jeremy; +Cc: Bitcoin Protocol Discussion, lightning-dev [-- Attachment #1: Type: text/plain, Size: 10563 bytes --] > > > I don’te see how? Let’s imagine Party A has two spendable outputs, now > they stuff the package size on one of their spendable outlets until it is > right at the limit, add one more on their other output (to meet the > Carve-Out), and now Party B can’t do anything. Matt: With the proposed change, party B would always be able to add a child to its output, regardless of what games party A is playing. Thanks for the explanation, Jeremy! > In terms of relay cost, if an ancestor can be replaced, it will invalidate > all it's children, meaning that no one paid for that broadcasting. This can > be fixed by appropriately assessing Replace By Fee update fees to > encapsulate all descendants, but there are some tricky edge cases that make > this non-obvious to do. Relay cost is the obvious problem with just naively removing all limits. Relaxing the current rules by allowing to add a child to each output as long as it has a single unconfirmed parent would still only allow free relay of O(size of parent) extra data (which might not be that bad? Similar to the carve-out rule we could put limits on the child size). This would be enough for the current LN use case (increasing fee of commitment tx), but not for OP_SECURETHEBAG I guess, as you need the tree of children, as you mention. I imagine walking the mempool wouldn't change much, as you would only have one extra child per output. But here I'm just speculating, as I don't know the code well enough know what the diff would look like. > OP_SECURETHEBAG can help with the LN issue by putting all HTLCS into a > tree where they are individualized leaf nodes with a preceding CSV. Then, > the above fix would ensure each HTLC always has time to close properly as > they would have individualized lockpoints. This is desirable for some > additional reasons and not for others, but it should "work". This is interesting for an LN commitment! You could really hide every output of the commitment within OP_STB, which could either allow bypassing the fee-pinning attack entirely (if the output cannot be spent unconfirmed) or adding fees to the commitment using SIGHASH_SINGLE|ANYONECANPAY. - Johan On Sun, Oct 27, 2019 at 8:13 PM Jeremy <jlrubin@mit•edu> wrote: > Johan, > > The issues with mempool limits for OP_SECURETHEBAG are related, but have > distinct solutions. > > There are two main categories of mempool issues at stake. One is relay > cost, the other is mempool walking. > > In terms of relay cost, if an ancestor can be replaced, it will invalidate > all it's children, meaning that no one paid for that broadcasting. This can > be fixed by appropriately assessing Replace By Fee update fees to > encapsulate all descendants, but there are some tricky edge cases that make > this non-obvious to do. > > The other issue is walking the mempool -- many of the algorithms we use in > the mempool can be N log N or N^2 in the number of descendants. (simple > example: an input chain of length N to a fan out of N outputs that are all > spent, is O(N^2) to look up ancestors per-child, unless we're caching). > > The other sort of walking issue is where the indegree or outdegree for a > transaction is high. Then when we are computing descendants or ancestors we > will need to visit it multiple times. To avoid re-expanding a node, we > currently cache it with a set. This uses O(N) extra memory and makes O(N > Log N) (we use std::set not unordered_set) comparisons. > > I just opened a PR which should help with some of the walking issues by > allowing us to cheaply cache which nodes we've visited on a run. It makes a > lot of previously O(N log N) stuff O(N) and doesn't allocate as much new > memory. See: https://github.com/bitcoin/bitcoin/pull/17268. > > > Now, for OP_SECURETHEBAG we want a particular property that is very > different from with lightning htlcs (as is). We want that an unlimited > number of child OP_SECURETHEBAG txns may extend from a confirmed > OP_SECURETHEBAG, and then at the leaf nodes, we want the same rule as > lightning (one dangling unconfirmed to permit channels). > > OP_SECURETHEBAG can help with the LN issue by putting all HTLCS into a > tree where they are individualized leaf nodes with a preceding CSV. Then, > the above fix would ensure each HTLC always has time to close properly as > they would have individualized lockpoints. This is desirable for some > additional reasons and not for others, but it should "work". > > > > -- > @JeremyRubin <https://twitter.com/JeremyRubin> > <https://twitter.com/JeremyRubin> > > > On Fri, Oct 25, 2019 at 10:31 AM Matt Corallo <lf-lists@mattcorallo•com> > wrote: > >> I don’te see how? Let’s imagine Party A has two spendable outputs, now >> they stuff the package size on one of their spendable outlets until it is >> right at the limit, add one more on their other output (to meet the >> Carve-Out), and now Party B can’t do anything. >> >> On Oct 24, 2019, at 21:05, Johan Torås Halseth <johanth@gmail•com> wrote: >> >> >> It essentially changes the rule to always allow CPFP-ing the commitment >> as long as there is an output available without any descendants. It changes >> the commitment from "you always need at least, and exactly, one non-CSV >> output per party. " to "you always need at least one non-CSV output per >> party. " >> >> I realize these limits are there for a reason though, but I'm wondering >> if could relax them. Also now that jeremyrubin has expressed problems with >> the current mempool limits. >> >> On Thu, Oct 24, 2019 at 11:25 PM Matt Corallo <lf-lists@mattcorallo•com> >> wrote: >> >>> I may be missing something, but I'm not sure how this changes anything? >>> >>> If you have a commitment transaction, you always need at least, and >>> exactly, one non-CSV output per party. The fact that there is a size >>> limitation on the transaction that spends for carve-out purposes only >>> effects how many other inputs/outputs you can add, but somehow I doubt >>> its ever going to be a large enough number to matter. >>> >>> Matt >>> >>> On 10/24/19 1:49 PM, Johan Torås Halseth wrote: >>> > Reviving this old thread now that the recently released RC for bitcoind >>> > 0.19 includes the above mentioned carve-out rule. >>> > >>> > In an attempt to pave the way for more robust CPFP of on-chain >>> contracts >>> > (Lightning commitment transactions), the carve-out rule was added in >>> > https://github.com/bitcoin/bitcoin/pull/15681. However, having worked >>> on >>> > an implementation of a new commitment format for utilizing the Bring >>> > Your Own Fees strategy using CPFP, I’m wondering if the special case >>> > rule should have been relaxed a bit, to avoid the need for adding a 1 >>> > CSV to all outputs (in case of Lightning this means HTLC scripts would >>> > need to be changed to add the CSV delay). >>> > >>> > Instead, what about letting the rule be >>> > >>> > The last transaction which is added to a package of dependent >>> > transactions in the mempool must: >>> > * Have no more than one unconfirmed parent. >>> > >>> > This would of course allow adding a large transaction to each output of >>> > the unconfirmed parent, which in effect would allow an attacker to >>> > exceed the MAX_PACKAGE_VIRTUAL_SIZE limit in some cases. However, is >>> > this a problem with the current mempool acceptance code in bitcoind? I >>> > would imagine evicting transactions based on feerate when the max >>> > mempool size is met handles this, but I’m asking since it seems like >>> > there has been several changes to the acceptance code and eviction >>> > policy since the limit was first introduced. >>> > >>> > - Johan >>> > >>> > >>> > On Wed, Feb 13, 2019 at 6:57 AM Rusty Russell <rusty@rustcorp•com.au >>> > <mailto:rusty@rustcorp•com.au>> wrote: >>> > >>> > Matt Corallo <lf-lists@mattcorallo•com >>> > <mailto:lf-lists@mattcorallo•com>> writes: >>> > >>> Thus, even if you imagine a steady-state mempool growth, >>> unless the >>> > >>> "near the top of the mempool" criteria is "near the top of the >>> next >>> > >>> block" (which is obviously *not* incentive-compatible) >>> > >> >>> > >> I was defining "top of mempool" as "in the first 4 MSipa", ie. >>> next >>> > >> block, and assumed you'd only allow RBF if the old package >>> wasn't >>> > in the >>> > >> top and the replacement would be. That seems incentive >>> > compatible; more >>> > >> than the current scheme? >>> > > >>> > > My point was, because of block time variance, even that criteria >>> > doesn't hold up. If you assume a steady flow of new transactions >>> and >>> > one or two blocks come in "late", suddenly "top 4MWeight" isn't >>> > likely to get confirmed until a few blocks come in "early". Given >>> > block variance within a 12 block window, this is a relatively >>> likely >>> > scenario. >>> > >>> > [ Digging through old mail. ] >>> > >>> > Doesn't really matter. Lightning close algorithm would be: >>> > >>> > 1. Give bitcoind unileratal close. >>> > 2. Ask bitcoind what current expidited fee is (or survey your >>> mempool). >>> > 3. Give bitcoind child "push" tx at that total feerate. >>> > 4. If next block doesn't contain unilateral close tx, goto 2. >>> > >>> > In this case, if you allow a simpified RBF where 'you can replace >>> if >>> > 1. feerate is higher, 2. new tx is in first 4Msipa of mempool, 3. >>> > old tx isnt', >>> > it works. >>> > >>> > It allows someone 100k of free tx spam, sure. But it's simple. >>> > >>> > We could further restrict it by marking the unilateral close >>> somehow to >>> > say "gonna be pushed" and further limiting the child tx weight >>> (say, >>> > 5kSipa?) in that case. >>> > >>> > Cheers, >>> > Rusty. >>> > _______________________________________________ >>> > Lightning-dev mailing list >>> > Lightning-dev@lists•linuxfoundation.org >>> > <mailto:Lightning-dev@lists•linuxfoundation.org> >>> > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev >>> > >>> >> _______________________________________________ >> Lightning-dev mailing list >> Lightning-dev@lists•linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev >> > [-- Attachment #2: Type: text/html, Size: 15483 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2019-10-28 9:45 ` Johan Torås Halseth @ 2019-10-28 17:14 ` David A. Harding 2019-10-30 7:22 ` Johan Torås Halseth 0 siblings, 1 reply; 19+ messages in thread From: David A. Harding @ 2019-10-28 17:14 UTC (permalink / raw) To: Johan Torås Halseth; +Cc: Bitcoin Protocol Discussion, lightning-dev On Mon, Oct 28, 2019 at 10:45:39AM +0100, Johan Torås Halseth wrote: > Relay cost is the obvious problem with just naively removing all limits. > Relaxing the current rules by allowing to add a child to each output as > long as it has a single unconfirmed parent would still only allow free > relay of O(size of parent) extra data (which might not be that bad? Similar > to the carve-out rule we could put limits on the child size). A parent transaction near the limit of 100,000 vbytes could have almost 10,000 outputs paying OP_TRUE (10 vbytes per output). If the children were limited to 10,000 vbytes each (the current max carve-out size), that allows relaying 100 mega-vbytes or nearly 400 MB data size (larger than the default maximum mempool size in Bitcoin Core). As Matt noted in discussion on #lightning-dev about this issue, it's possible to increase second-child carve-out to nth-child carve-out but we'd need to be careful about choosing an appropriately low value for n. For example, BOLT2 limits the number of HTLCs to 483 on each side of the channel (so 966 + 2 outputs total), which means the worst case free relay to support the current LN protocol would be approximately: (100000 + 968 * 10000) * 4 = ~39 MB Even if the mempool was empty (as it sometimes is these days), it would only cost an attacker about 1.5 BTC to fill it at the default minimum relay feerate[1] so that they could execute this attack at the minimal cost per iteration of paying for a few hundred or a few thousand vbytes at slightly higher than the current mempool minimum fee. Instead, with the existing rules (including second-child carve-out), they'd have to iterate (39 MB / 400 kB = ~100) times more often to achieve an equivalent waste of bandwidth, costing them proportionally more in fees. So, I think these rough numbers clearly back what Matt said about us being able to raise the limits a bit if we need to, but that we have to be careful not to raise them so far that attackers can make it significantly more bandwidth expensive for people to run relaying full nodes. -Dave [1] Several developers are working on lowering the default minimum in Bitcoin Core, which would of course make this attack proportionally cheaper. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2019-10-28 17:14 ` David A. Harding @ 2019-10-30 7:22 ` Johan Torås Halseth 0 siblings, 0 replies; 19+ messages in thread From: Johan Torås Halseth @ 2019-10-30 7:22 UTC (permalink / raw) To: David A. Harding; +Cc: Bitcoin Protocol Discussion, lightning-dev [-- Attachment #1: Type: text/plain, Size: 1072 bytes --] On Mon, Oct 28, 2019 at 6:16 PM David A. Harding <dave@dtrt•org> wrote: > A parent transaction near the limit of 100,000 vbytes could have almost > 10,000 outputs paying OP_TRUE (10 vbytes per output). If the children > were limited to 10,000 vbytes each (the current max carve-out size), > that allows relaying 100 mega-vbytes or nearly 400 MB data size (larger > than the default maximum mempool size in Bitcoin Core). > Thanks, Dave, I wasn't aware the limits would allow this many outputs. And as your calculation shows, this opens up the potential for free relay of large amounts of data. We could start special casing to only allow this for "LN commitment-like" transactions, but this would be application specific changes, and your calculation shows that even with the BOLT2 numbers there still exists cases with a large number of children. We are moving forward with adding a 1 block delay to all outputs to utilize the current carve-out rule, and the changes aren't that bad. See Joost's post in "[PATCH] First draft of option_simplfied_commitment" - Johan [-- Attachment #2: Type: text/html, Size: 1549 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [bitcoin-dev] [Lightning-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) 2019-10-24 13:49 ` Johan Torås Halseth 2019-10-24 21:25 ` Matt Corallo @ 2019-10-27 22:54 ` David A. Harding 1 sibling, 0 replies; 19+ messages in thread From: David A. Harding @ 2019-10-27 22:54 UTC (permalink / raw) To: Johan Torås Halseth; +Cc: Bitcoin Protocol Discussion, lightning-dev On Thu, Oct 24, 2019 at 03:49:09PM +0200, Johan Torås Halseth wrote: > [...] what about letting the rule be > > The last transaction which is added to a package of dependent > transactions in the mempool must: > * Have no more than one unconfirmed parent. > [... subsequent email ...] > I realize these limits are there for a reason though, but I'm wondering if > we could relax them. Johan, I'm not sure any of the other replies to this thread addressed your request for a reason behind the limits related to your proposal, so I thought I'd point out that---subsequent to your posting here---a document[1] was added to the Bitcoin Core developer wiki that I think describes the risk of the approach you proposed: > Free relay attack: > > - Create a low feerate transaction T. > > - Send zillions of child transactions that are slightly higher feerate > than T until mempool is full. > > - Create one small transaction with feerate just higher than T’s, and > watch T and all its children get evicted. Total fees in mempool drops > dramatically! > > - Attacker just relayed (say) 300MB of data across the whole network > but only pays small feerate on one small transaction. The document goes on to describe at a high level how Bitcoin Core attempts to mitigate this problem as well as other ways it tries to optimize the mempool in order to maximize miner profit (and so ensure that miners continue to use public transaction relay). I hope that's helpful to you and to others in both understanding the current state and in thinking about ways in which it might be improved. -Dave [1] https://github.com/bitcoin-core/bitcoin-devwiki/wiki/Mempool-and-mining Content adapted from slides by Suhas Daftuar, uploaded and formatted by Gregory Sanders and Marco Falke. ^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2019-10-30 7:23 UTC | newest] Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-11-29 19:37 [bitcoin-dev] CPFP Carve-Out for Fee-Prediction Issues in Contracting Applications (eg Lightning) Matt Corallo 2018-11-30 17:38 ` Russell O'Connor 2018-11-30 19:33 ` Matt Corallo 2018-12-02 15:08 ` Bob McElrath 2018-12-03 4:16 ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj 2018-12-04 3:33 ` Rusty Russell 2019-01-07 15:18 ` Matt Corallo 2019-01-08 5:50 ` Rusty Russell 2019-01-08 14:46 ` Matt Corallo 2019-02-13 4:22 ` Rusty Russell 2019-10-24 13:49 ` Johan Torås Halseth 2019-10-24 21:25 ` Matt Corallo 2019-10-25 7:05 ` Johan Torås Halseth 2019-10-25 17:30 ` Matt Corallo 2019-10-27 19:13 ` Jeremy 2019-10-28 9:45 ` Johan Torås Halseth 2019-10-28 17:14 ` David A. Harding 2019-10-30 7:22 ` Johan Torås Halseth 2019-10-27 22:54 ` David A. Harding
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox