Your two latest mails. > The problem that OP_Expire aims to solve is the fact that Carol could prevent > Bob from learning about the preimage in time, while still getting a chance to > use the preimage herself. OP_Expire thoroughly solves that problem by ensuring > that the preimage is either broadcast in the blockchain in a timely fashion, or > becomes useless. I respectfully disagree - There is a more general underlying issue for outdated states in multi-party off-chain constructions, where any "revoked" or "updated" consensus-valid state can be used to jam the latest off-chain agreed-on, through techniques like replacement cycling or pinning. > My suggestion of pre-signing RBF replacements, without anchor outputs, and with > all outputs rendered unspendable with 1 CSV, is clearly superior: there are > zero degrees of freedom to the attacker, other than the possibility of > increasing the fee paid or broadcasting a revoked commitment. The latter of > course risks the other party punishing the fraud. Assuming the max RBF replacement is pre-signed at 200 sats / vb, with commitment transaction of ~268 vbytes and at least one second-stage HTLC transaction of ~175 vbytes including witness size, a channel counterparty must keep at worst a fee-bumping reserve of 35 268 sats, whatever payment value. As of today, any payment under $13 has to become trimmed HTLCs. Trimmed HTLCs are coming with their own wormhole of issues, notably making them a target to be stolen by low-hashrate capabilities attackers [0]. [0] https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-May/002714.html > This does have the practical problem that a set of refund transactions will > also need to be signed for each fee variant. But, eg, signing 10x of each isn't > so burdensome. And in the future that problem could be avoided with > SIGHASH_NOINPUT, or replacing the pre-signed refund transaction mechanism with > a covenant. I think if you wish to be safe against fees griefing games between counterparties, both counterparties have to maintain their own fee-bumping reserves, which make channel usage less capital efficient, rather than being drawn from a common reserve. > Using RBF rather than CPFP with package relay also has the advantage of being > more efficient, as no blockspace needs to be consumed by the anchor outputs or > transactions spending them. Of course, there are special circumstances where > BIP125 rules can cause CPFP to be cheaper. But we can easily fix that, eg by > reducing the replacement relay fee, or by delta-encoding transaction updates. It is left as an exercise to the reader how to break the RBF approach for LN channels as proposed. > As SIGHASH_NOINPUT is desirable for LN-Symmetry, a softfork containing both it > and OP_Expire could make sense. I think there is one obvious issue of pre-signing RBF replacements combined with LN-symmetry, namely every state has to pre-commit to fee values attached and such states might spend each other in chain. So now you would need `max-rbf-replacement` * `max-theoretical-number-of-states` of fee-bumping reserves unless you can pipe fee value with some covenant magic, I think. > In existing anchor output transactions, this type of attack wouldn't work as > when broadcasting the transaction, Alice would be spending her anchor output, > which Bob can't double spend. However Bob can double-spend Alice's commitment transaction with his own commitment transaction and a CPFP, as long as it's a better ancestor feerate and absolute fee package, then double-spend his own CPFP. Which is exactly what my test is doing so I don't think your statement of saying this type of advanced replacement cycling attack wouldn't work isn't correct. Best, Antoine Le mer. 8 nov. 2023 à 02:06, Peter Todd a écrit : > On Wed, Nov 08, 2023 at 12:51:31AM +0000, Peter Todd via bitcoin-dev wrote: > > > In a post-package relay world, I think this is possible. And that > > > replacement cycling attacks are breaking future dynamic fee-bumping of > > > pre-signed transactions concerns me a lot. > > > > Well the answer here is pretty clear: v3 package relay with anchors is > broken. > > BTW a subtlety of this that may not be obvious is that in v3 package relay, > with zero value outputs, the outputs must be spent in the same package. > Thus > _unlike_ existing anchor-using transactions, there would be only one anchor > output on the commitment transaction. > > In existing anchor output transactions, this type of attack wouldn't work > as > when broadcasting the transaction, Alice would be spending her anchor > output, > which Bob can't double spend. But that doesn't work in v3, which intends to > limit UTXO growth by requiring that anchors be spent in the same package. > Thus > unlike existing anchor outputs, an anchor would be truly a OP_1 output > without > a signature, and thus belong to either Alice nor Bob uniquely. > > -- > https://petertodd.org 'peter'[:-1]@petertodd.org >