From: Antoine Riard <antoine.riard@gmail•com>
To: Peter Todd <pete@petertodd•org>
Cc: Bitcoin Protocol Discussion
<bitcoin-dev@lists•linuxfoundation.org>,
security@ariard•me,
"lightning-dev\\\\@lists.linuxfoundation.org"
<lightning-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely
Date: Mon, 13 Nov 2023 02:18:16 +0000 [thread overview]
Message-ID: <CALZpt+FEwjwQQWY6TBFuWeZbqC6Ywa7eSTcpqYuQPZ6+6QBzaw@mail.gmail.com> (raw)
In-Reply-To: <ZUrtHyQBOEZTM3Bj@petertodd.org>
[-- Attachment #1: Type: text/plain, Size: 5129 bytes --]
Your two latest mails.
> The problem that OP_Expire aims to solve is the fact that Carol could
prevent
> Bob from learning about the preimage in time, while still getting a
chance to
> use the preimage herself. OP_Expire thoroughly solves that problem by
ensuring
> that the preimage is either broadcast in the blockchain in a timely
fashion, or
> becomes useless.
I respectfully disagree - There is a more general underlying issue for
outdated states in multi-party off-chain constructions, where any "revoked"
or "updated" consensus-valid state can be used to jam the latest off-chain
agreed-on, through techniques like replacement cycling or pinning.
> My suggestion of pre-signing RBF replacements, without anchor outputs,
and with
> all outputs rendered unspendable with 1 CSV, is clearly superior: there
are
> zero degrees of freedom to the attacker, other than the possibility of
> increasing the fee paid or broadcasting a revoked commitment. The latter
of
> course risks the other party punishing the fraud.
Assuming the max RBF replacement is pre-signed at 200 sats / vb, with
commitment transaction of ~268 vbytes and at least one second-stage HTLC
transaction of ~175 vbytes including witness size, a channel counterparty
must keep at worst a fee-bumping reserve of 35 268 sats, whatever payment
value. As of today, any payment under $13 has to become trimmed HTLCs.
Trimmed HTLCs are coming with their own wormhole of issues, notably making
them a target to be stolen by low-hashrate capabilities attackers [0].
[0]
https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-May/002714.html
> This does have the practical problem that a set of refund transactions
will
> also need to be signed for each fee variant. But, eg, signing 10x of each
isn't
> so burdensome. And in the future that problem could be avoided with
> SIGHASH_NOINPUT, or replacing the pre-signed refund transaction mechanism
with
> a covenant.
I think if you wish to be safe against fees griefing games between
counterparties, both counterparties have to maintain their own fee-bumping
reserves, which make channel usage less capital efficient, rather than
being drawn from a common reserve.
> Using RBF rather than CPFP with package relay also has the advantage of
being
> more efficient, as no blockspace needs to be consumed by the anchor
outputs or
> transactions spending them. Of course, there are special circumstances
where
> BIP125 rules can cause CPFP to be cheaper. But we can easily fix that, eg
by
> reducing the replacement relay fee, or by delta-encoding transaction
updates.
It is left as an exercise to the reader how to break the RBF approach for
LN channels as proposed.
> As SIGHASH_NOINPUT is desirable for LN-Symmetry, a softfork containing
both it
> and OP_Expire could make sense.
I think there is one obvious issue of pre-signing RBF replacements combined
with LN-symmetry, namely every state has to pre-commit to fee values
attached and such states might spend each other in chain. So now you would
need `max-rbf-replacement` * `max-theoretical-number-of-states` of
fee-bumping reserves unless you can pipe fee value with some covenant
magic, I think.
> In existing anchor output transactions, this type of attack wouldn't work
as
> when broadcasting the transaction, Alice would be spending her anchor
output,
> which Bob can't double spend.
However Bob can double-spend Alice's commitment transaction with his own
commitment transaction and a CPFP, as long as it's a better ancestor
feerate and absolute fee package, then double-spend his own CPFP. Which is
exactly what my test is doing so I don't think your statement of saying
this type of advanced replacement cycling attack wouldn't work isn't
correct.
Best,
Antoine
Le mer. 8 nov. 2023 à 02:06, Peter Todd <pete@petertodd•org> a écrit :
> On Wed, Nov 08, 2023 at 12:51:31AM +0000, Peter Todd via bitcoin-dev wrote:
> > > In a post-package relay world, I think this is possible. And that
> > > replacement cycling attacks are breaking future dynamic fee-bumping of
> > > pre-signed transactions concerns me a lot.
> >
> > Well the answer here is pretty clear: v3 package relay with anchors is
> broken.
>
> BTW a subtlety of this that may not be obvious is that in v3 package relay,
> with zero value outputs, the outputs must be spent in the same package.
> Thus
> _unlike_ existing anchor-using transactions, there would be only one anchor
> output on the commitment transaction.
>
> In existing anchor output transactions, this type of attack wouldn't work
> as
> when broadcasting the transaction, Alice would be spending her anchor
> output,
> which Bob can't double spend. But that doesn't work in v3, which intends to
> limit UTXO growth by requiring that anchors be spent in the same package.
> Thus
> unlike existing anchor outputs, an anchor would be truly a OP_1 output
> without
> a signature, and thus belong to either Alice nor Bob uniquely.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
[-- Attachment #2: Type: text/html, Size: 6205 bytes --]
next prev parent reply other threads:[~2023-11-13 2:18 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-16 16:57 [bitcoin-dev] Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us" Antoine Riard
2023-10-16 19:13 ` Peter Todd
2023-10-16 22:10 ` Matt Morehouse
2023-10-17 1:11 ` Antoine Riard
2023-10-20 10:47 ` Peter Todd
2023-10-20 11:18 ` Jochen Hoenicke
2023-10-16 22:51 ` Olaoluwa Osuntokun
2023-10-17 7:21 ` [bitcoin-dev] [Lightning-dev] " ziggie1984
2023-10-17 10:34 ` ZmnSCPxj
2023-10-17 18:34 ` Antoine Riard
2023-10-20 10:31 ` Peter Todd
2023-10-20 11:03 ` Peter Todd
2023-10-20 18:35 ` Matt Morehouse
2023-10-20 21:05 ` Matt Corallo
2023-10-21 0:15 ` Peter Todd
2023-10-21 1:03 ` Matt Corallo
2023-10-21 1:25 ` Peter Todd
2023-10-21 1:55 ` Matt Corallo
2023-10-21 2:43 ` Peter Todd
2023-10-23 16:09 ` Matt Corallo
2023-10-17 17:47 ` Antoine Riard
2023-10-17 18:47 ` Antoine Riard
2023-10-18 0:17 ` Matt Corallo
2023-10-18 2:57 ` Antoine Riard
2023-10-19 8:12 ` Bastien TEINTURIER
2023-10-19 16:23 ` Matt Morehouse
2023-10-19 17:22 ` Antoine Riard
2023-10-19 17:53 ` Matt Morehouse
2023-10-19 19:33 ` Antoine Riard
2023-10-21 0:18 ` Olaoluwa Osuntokun
2023-11-17 22:36 ` Antoine Riard
2023-10-19 18:02 ` Matt Corallo
2023-10-20 6:56 ` [bitcoin-dev] " Antoine Riard
2023-10-21 20:05 ` Antoine Riard
2023-10-27 0:43 ` Peter Todd
2023-11-02 4:46 ` Antoine Riard
2023-10-21 0:09 ` [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely Peter Todd
2023-10-21 8:58 ` David A. Harding
2023-10-21 10:31 ` Peter Todd
2023-10-22 8:30 ` vjudeu
2023-10-23 11:10 ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj
2023-10-23 15:45 ` Peter Todd
2023-11-02 5:24 ` [bitcoin-dev] " Antoine Riard
2023-11-02 6:26 ` Peter Todd
2023-11-02 17:07 ` Matt Morehouse
2023-11-03 5:27 ` Antoine Riard
2023-11-03 5:25 ` Antoine Riard
2023-11-04 7:26 ` Peter Todd
2023-11-06 18:45 ` Antoine Riard
2023-11-07 11:11 ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj
2023-11-07 15:44 ` Antoine Riard
2023-11-08 0:51 ` [bitcoin-dev] " Peter Todd
2023-11-08 2:06 ` Peter Todd
2023-11-13 2:18 ` Antoine Riard [this message]
2023-11-14 19:50 ` Peter Todd
[not found] ` <CALZpt+H38cU9L8kq0mSYCDirzL39fxhdoz4pAPiS8dGJP8akKg@mail.gmail.com>
2023-11-15 17:53 ` [bitcoin-dev] Fwd: " Antoine Riard
2023-10-22 4:49 ` [bitcoin-dev] Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us" Nadav Ivgi
2023-10-23 8:49 ` David A. Harding
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALZpt+FEwjwQQWY6TBFuWeZbqC6Ywa7eSTcpqYuQPZ6+6QBzaw@mail.gmail.com \
--to=antoine.riard@gmail$(echo .)com \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=lightning-dev@lists$(echo .)linuxfoundation.org \
--cc=pete@petertodd$(echo .)org \
--cc=security@ariard$(echo .)me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox